
What is the current state of industrial control security in industrial enterprises?

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1. The current state of information security in industrial control enterprises:

1) At present there are no specific graded construction guidelines or standards for industrial control security in industrial enterprises, so enterprises have no way of knowing the critical threshold for security construction. The security management functions of the various ministries and commissions overlap, and their evaluation standards differ. As a result, enterprises are basically in a passive state and rely only on purchasing professional security equipment to provide a basic security framework. It is therefore necessary to build and write practical guidelines and standards for enterprises. The protection guide should define the security levels of industrial control enterprises and the level of protection that each grade needs to achieve.

2) Internal neglect of information security and a mentality of trusting to luck. The enterprise believes that attacking it would be meaningless and of little value to the attacker, or that with so many industrial enterprises on the market, an attacker will not necessarily come for it. Because of this neglect and reliance on luck, security systems and inspections are not in place.

3) The organization of industrial enterprises themselves. Enterprises do not employ full-time information security personnel, or none of the IT technical staff have security skills, so the enterprise has to rely on third parties for security services. Because third parties cannot integrate seamlessly with internal business systems, there are always gaps in their advice and assessments. Moreover, most of the industrial control security equipment that enterprises purchase is bought to satisfy inspections and evaluations; it is just a box and is not really used in production. Even when it is used in the production environment, its security policy is not configured or is only partly configured, so it provides no real protection.

4) Industrial IT managers do not have much say. Across the whole production process of an industrial enterprise, the production department is the most powerful department with the loudest voice, and anything that might affect production is strongly restricted or rejected by it. To do enterprise security well as a whole, industrial control security therefore needs to be raised to the highest level of management, with a first-leader responsibility system in place, so that the security management and construction of industrial control enterprises can be done properly.

5) The main responsibility of industrial enterprises is production, and they have a well-developed production safety management system. A production safety management system is a set of provisions formulated to ensure production safety; its main purpose is to control risk and minimize harm. At present, production safety management is relatively well enforced because of its strict implementation provisions and penalty system. Industrial control security, however, is in an awkward position. Only when industrial control security is integrated into industrial production safety management and becomes a part of it can the information security of industrial control enterprises reverse its current fragile state.

2. Security awareness across the whole industry:

1) The security awareness of implementers is not in place. After a domestic manufacturer's industrial control security equipment was deployed at an industrial control enterprise, part of the security policy was configured, but the most important items, the default password and the access permissions for logging in to the equipment, were ignored. Once an attacker enters the private network and logs in to the security device with the default password, all protective measures immediately become ineffective. Therefore, when a project goes live: first, the implementation personnel must have security awareness and the necessary security configuration baseline, and the most basic issues such as default passwords must be effectively prevented and controlled at the implementation level. Second, when enterprises carry out project acceptance, the acceptance terms need to emphasize security testing and security configuration baselines, so that the process itself ensures that the project's security configuration baseline is implemented.

2) The security awareness of software developers is not strong. For convenience, the major application systems that software companies develop for enterprises use weak database passwords and application system passwords, such as the database SA account with the password sa, and the system goes online once development is finished. As a result, even if the weak password is discovered later, it can no longer be changed unless the system is upgraded or redeveloped. At the same time, because of the non-upgradeability and follow-up maintenance problems of the software system, the security risks caused by its own vulnerabilities cannot be effectively protected against. As above, software developers must also go through security baseline configuration verification and acceptance testing.
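An acceptance-time baseline check for the default-password, weak-credential and partly configured policy problems described above, written here as an added Python example and not taken from the original article. The asset names, field names, deny-list and minimum length are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed deny-list; a real baseline would also hold each vendor's documented defaults.
DENY = {"admin", "password", "123456", "sa", "root"}
MIN_LEN = 12  # assumed baseline value

def password_findings(account, password):
    """Return baseline violations for a credential presented at acceptance."""
    out = []
    p = password.lower()
    if p in DENY:
        out.append("default or well-known password")
    if p == account.lower():
        out.append("password equals account name")
    if len(password) < MIN_LEN:
        out.append(f"shorter than {MIN_LEN} characters")
    return out

@dataclass
class Asset:
    name: str
    account: str
    password: str             # value supplied to the acceptance test, not stored
    rotatable: bool           # False when hard-coded in the application
    policies_required: int
    policies_enabled: int
    in_production_path: bool  # actually deployed, not just bought for inspection

def acceptance_findings(a):
    out = [f"{a.account}: {f}" for f in password_findings(a.account, a.password)]
    if not a.rotatable:
        out.append("credential is hard-coded and cannot be changed without a rebuild")
    if a.policies_enabled < a.policies_required:
        out.append(f"only {a.policies_enabled}/{a.policies_required} baseline policies enabled")
    if not a.in_production_path:
        out.append("device is not in the production traffic path")
    return out

def accept(assets):
    """Map each failing asset to its findings; an empty dict means acceptance passes."""
    report = {a.name: acceptance_findings(a) for a in assets}
    return {n: f for n, f in report.items() if f}

# Constructed sample inventory for a site acceptance review.
SAMPLE = [
    Asset("ics-firewall-01", "admin", "admin", True, 8, 3, True),
    Asset("mes-database", "sa", "sa", False, 4, 4, True),
    Asset("ics-audit-01", "auditor", "T7#qLm2!vXc9wZ", True, 6, 6, True),
]

if __name__ == "__main__":
    for name, findings in accept(SAMPLE).items():
        print(name, findings)
```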

3. In addition, there is no evaluation standard for whether the protective equipment that industrial control security equipment manufacturers deploy on site provides real protection. Existing evaluation standards mostly focus on functional evaluation, and only a few of them cover a simple evaluation of known security issues, which is completely unable to meet the needs of real resistance.

The above applies to most industrial control enterprises. Enterprises like the State Grid are of course ahead of all other industrial control enterprises in industrial control security, but they are only a small number; the security situation of most industrial control enterprises is still very awkward.

Information security is a relative process, and relative security can be achieved only if every link in the ecosystem of the whole industry pays attention to security baselines and standards.
