With the development of computer technology, communication technology and control technology, industrial automation control has begun to develop towards networking, from the initial CCS (Computer Centralized Control System) to the second generation of DCS (Decentralized Control System), to the present The popular FCS (Fieldbus Control System). At this stage, many popular technologies such as embedded technology, multi-standard industrial control network interconnection, and wireless technology have been integrated, thus expanding the development space in the field of industrial control and bringing new development opportunities.
But at the same time, it also brings new challenges. In the current fierce competition environment, how to maintain their own competitive advantages, especially how to safely and effectively use the core source code and technical documents of the control system, has become a must for industrial control organizations. An important topic of concern, core information security leak prevention has also become an important business requirement.
2. The status quo of confidentiality of industrial automation and control equipment research and development institutions
In the current general environment, the mobility of R&D personnel is very high, which requires enterprises to establish a mechanism to control the security of their own knowledge base, project source code, technical documents, etc., not only to control the active leaking behavior of employees , It is even more necessary to prevent resigned personnel from taking away the company's core information, so as to avoid losses to the company due to leaks. But the reality is that these R&D personnel basically back up a copy of the source code and technical documents by themselves during the R&D process, and even back up a copy at home. These source codes and technical drawings are extremely easy to cause leaks. Common ways of disclosure:
Ø Confidential electronic files are copied and brought out from the computer through mobile storage devices such as USB flash drives
Ø Internal personnel will bring their own laptops to connect to the company network, and copy and take away confidential electronic documents
Ø Send confidential electronic documents via email, QQ, MSN, etc. via the Internet
Ø Internal personnel preview confidential electronic files, burn the preview files to CDs, and take screenshots out of the company
Ø Internal personnel print and copy confidential electronic documents and take them out of the company
Ø Save through internet network storage
Ø Insiders take computers or computer hard drives containing confidential electronic documents out of the company
Ø Computers containing confidential electronic files fall into the hands of external personnel due to loss, maintenance and other reasons
Many companies are also aware of the importance of information security and have taken some measures. Common methods include closing USB ports, not allowing Internet access, behavior monitoring, etc., but the effect is not good and the negative impact is relatively large. :
Ø The Internet is a huge knowledge base, discarding it is putting the cart before the horse
Ø Excessive monitoring can affect employees' work emotions and even cause legal disputes;
Ø Increase enterprise operating costs and reduce work efficiency
Ø Software developers know more about computers, but they may still leak secrets
Ø It is impossible to cure internal leaks, and at the same time, there is a suspicion of giving up food because of choking
Ø If you use a notebook on a business trip, you must bring the source code data to the site for debugging, which is out of control
Obviously, the traditional information security management system can no longer meet the security requirements. Therefore, according to the characteristics of industrial control research and development institutions, it is necessary to establish a new and complete intranet information security management system to minimize enterprise information security risks.
3. The development and debugging environment of industrial control equipment research and development institutions
The development environment of industrial control enterprises is also relatively complicated. Servers generally coexist with Windows and Linux. Employee PCs are mainly Windows, a small amount of Linux, and some use virtual machines. Debugging devices include PLC devices, emulators, USB devices, etc. Debugging methods include Ethernet, serial port (PC serial port and USB to serial port), and USB emulator direct debugging, etc.
Development language: C/C++, assembly, dedicated SDK library
Development tools: IRSLINX.EXE, emulator, CCS (Code Composer Studio), Eclipus
VC,GVIM,UltraEdit,Source Insight,Tornado
Drawing class: AutoCAD/SolidWoks/3DMax/Pro.e
Version management: SVN, VSS, GIT
Compile: gcc, java, cl (embedded)
Debugging: Visual Studio, Tornado, GDB
4. Anti-leakage requirements of industrial control equipment research and development institutions
1) The leak prevention system must have extremely high stability
Since industrial control equipment is the brain of industrial equipment, no deviation can be allowed in industrial production, which requires that it is best not to perform any encryption processing on a single file to avoid accidents caused by file content damage;
2) Developers in the enterprise cannot leak secrets through mobile storage, network, email, screenshots, etc. without affecting the efficiency of development and debugging. Any secret-related documents must go through a strict approval process and have traceable log records.
3) It is best to keep the source code document in plain text on the server and in cipher text on the employee's development machine, so as to reduce the dependence on encryption software and prevent security accidents.
two. Solution - use SDC sandbox anti-leakage system for anti-leakage
The SDC sandbox anti-leakage solution adopts the world's leading third-generation transparent encryption technology-kernel depth sandbox encryption, based on the bottom layer of the operating system, absorbing the concept of cloud, and encrypting and controlling the environment, independent of software, file type, file size, High reliability anti-leakage solution. It is a highly scalable and customizable solution. The system itself integrates network verification, file encryption, printing control, program control, Internet access control, non-certified PC network access restriction, anti-mobile storage, CD burning, anti-screen capture and other anti-leakage functions in one, and truly achieves:
Ø Fully transparent encryption, does not affect the work efficiency and habits of employees
Ø Can protect all file formats, including all document formats, all source code formats, drawing formats
Ø No control over files, safe and stable, no damage to files
Ø The data on the server is encrypted when it is not dropped or dropped during use
Ø Outgoing document audit, encryption, anti-leakage processing
Ø Outgoing email application, audit business flow
Ø No need to do any control on the PC to prevent leakage
When an employee is working, an encrypted sandbox will be started locally, and the sandbox will connect with the server authentication to form a confidential and encrypted workspace. Employees work in the sandbox:
--The data on the server is encrypted when it is not landed or landed during use.
--All development results must be stored on the server, or in a local encrypted sandbox.
--The sand table is isolated from the outside world, so it will not leak secrets.
--According to the policy, employees can be set to enter the sandbox mode immediately after booting.
--PCs that do not start the sandbox are isolated, and cannot access the server and employee PCs that enter the sandbox.
-- Even if you log in to the server directly, you cannot copy the data of the application system from the server.
The encrypted sandbox is a container that can hold anything; it encrypts the environment and does not care what the individual is; so it has nothing to do with the process, the file format, or the file size, and will not destroy the file. Unlike other encryption software, modify the content of the file itself. Therefore, it does not affect software compilation and debugging, version management, and version comparison.