Author: Beijing Haitai Fangyuan Technology Co., Ltd.
General Manager of IoT and Terminal Security Product Line Jason Xu
GUIDE
Introduction
In the current context of advocating for “New Infrastructure”, “Made in China 2025”, and “Industry 4.0”, new technologies and business models such as industrial internet, IoT, intelligent manufacturing, and artificial intelligence are rapidly developing. The previously relatively closed industrial control systems are gradually adopting common communication protocols and hardware/software systems. The integration of information technology (IT) and industrial control systems (ICS) is deepening, and more and more industrial control systems are exposed to the internet, leading to increasing information security threats faced by control systems.
In recent years, major information security incidents in the industrial sector have been continuously exposed, making the protection of information security in industrial control systems a current key focus of the nation. As the core foundation of information security, cryptographic technology can provide confidentiality, integrity, authenticity, and non-repudiation protection for important data in industrial control systems, making it the most effective, reliable, and economical core technology for ensuring network and information security.Systematic Cryptographic Application Solutions for Industrial Control Systems – Typical Business Architecture of Control SystemsThe typical industrial control system is divided into five layers, as shown in the figure below:

Figure 1 Typical Business Architecture of Control SystemsThe first layer is the Field Execution Layer, mainly including sensors and actuators, which consist of various instruments such as temperature sensors, pressure sensors, relays, motors, and indicator lights.The second layer is the Field Control Layer, mainly including protection and field control devices, which consist of various industrial controllers such as RTU (Remote Terminal Unit), DCS (Distributed Control System), PLC (Programmable Logic Controller), and PCS (Process Control System), achieving logical operations, arithmetic operations, position control, timing/counting, etc., for controlling the field layer.The third layer is the Production Control Layer or Production Monitoring Layer, mainly including engineer stations, operator stations, database servers, etc., which serve as the core part of the control system, achieving monitoring functions for the field execution layer, field detection, and display.The fourth layer is the Management Layer, mainly including various database server systems related to production, such as implementation servers and historical servers, completing system management and monitoring control tasks.The fifth layer is the Strategic Decision Layer, mainly including enterprise IT systems such as OA office automation systems, web servers, email servers, MES, and PLM. Cryptographic Application Requirements for Control SystemsBased on the typical business application needs of industrial control systems and current cryptographic application standards, it is necessary to analyze the cryptographic application characteristics of various business scenarios in industrial control systems, systematically sort out common cryptographic application scenarios, and clarify the cryptographic application needs in various scenarios such as the field execution layer, control layer, monitoring layer, information layer (management layer), and application layer (strategic decision layer). Key technologies for protecting confidentiality, integrity, authenticity, and non-repudiation in cryptographic applications at different levels should be studied, and a basic framework for cryptographic applications in control systems should be proposed to build a cryptographic application technology system for industrial control systems, making the construction and use of cryptographic systems more targeted and operable, and promoting the comprehensive application of domestic cryptography in the control field.According to the requirements for information security in graded protection, cryptographic application needs for industrial control systems are mainly reflected in the following aspects:
1
Cryptographic Management and Service Needs
The cryptographic management needs in control systems involve cryptographic devices, key management, and cryptographic usage.Cryptographic services in control systems need to ensure the compliance, effectiveness, and correctness of cryptographic usage.
2
Physical and Environmental Security Needs
The area where the control system is located needs to establish a complete physical environment security mechanism, optimizing operational management in the physical environment to ensure the availability, confidentiality, and integrity of data, and standardizing the safety of the physical environment where the devices are located to prevent unauthorized physical access, damage, and interference with organizational sites and information.Security measures such as area division, physical isolation, access control, video surveillance, and dedicated personnel monitoring need to be implemented in the area where the industrial control system is located.
3
Network and Communication Security Needs
Network and communication security for control systems mainly involves securing information systems when communicating with entities connected via external networks. Cryptographic application needs mainly include:Using cryptographic technology for identity authentication of network entities before communication to ensure the authenticity of network entity identities;Using cryptographic technology to ensure the integrity and confidentiality of communication messages during communication;Using cryptographic technology to ensure the integrity of access control information at network boundaries and the authenticity of access device identities.
4
Device and Computing Security Needs
Device and computing security in control systems mainly involves securing various devices and computing environments. Cryptographic application needs involve device access control, device access management, authentication of physical identities of devices, authentication of user identities logging into devices, establishment of remote management channels, establishment of trusted computing environments, and authenticity of sources for important executable programs.
5
Application and Data Security Needs
Application and data security in control systems mainly ensures the security of sensitive information resources and application data generated during operation.For industrial applications, the greatest risk comes from security vulnerabilities.Application security needs include user identity authentication, access control, compliance testing, application management, application source assurance, and security auditing.Data security in control systems covers all lifecycle stages, including data collection, transmission, storage, and processing.
Systematic Cryptographic Application Solutions for Control SystemsFrom a technical perspective, a cryptographic security system for the industrial control field is constructed to ensure the security of information systems in the control industry, comprehensively safeguarding the security of business applications in the control industry. The overall framework of cryptographic applications in the control industry consists of several layers including support for cryptographic basic devices, support for cryptographic basic services, monitoring and early warning, cryptographic applications for control business systems, boundary cryptographic applications, network communication cryptographic applications, terminal device cryptographic applications, and cryptographic application simulation verification platforms. The overall architecture is shown in the figure below.

Figure 2 Overall Architecture of Systematic Cryptographic Application Solutions for Industrial Control SystemsSupport for Cryptographic Basic DevicesIncludes server cryptographic machines, PLC cryptographic modules, industrial host cryptographic cards, and security gateways, providing a basic device support environment for cryptographic applications in the control industry.Support for Cryptographic Basic ServicesRefers to providing unified authentication, authorization management, access control, single sign-on, and other trust services based on the support of cryptographic basic devices, including data encryption and decryption service systems, identity authentication systems, data trust service systems, key management systems, middleware for PLC cryptographic modules, middleware for industrial host cryptographic cards, and security SCADA cryptographic application service systems.Monitoring and Early WarningSituational Awareness PlatformCan collect and analyze security and device information in real-time from encryption devices, decryption devices, network devices, host devices, security devices, etc. Through big data modeling analysis and a core knowledge base, risk assessments and situational awareness can be conducted to predict and prevent potential risks of related devices.
Cryptographic Applications for Control Business SystemsMainly include identity authentication, authorization management, data storage security, data sharing security when users or devices access business applications; the security SCADA system can achieve secure communication based on domestic cryptography, static trust chains, dynamic measurements, etc. The cryptographic application basic support platform can realize functions such as management of cryptographic devices in the system, key management, certificate management, identity authentication, data encryption and decryption, and data trust services, while providing basic cryptographic support services for business system applications.
Cryptographic Applications for Control Area BoundariesAre used to achieve boundary isolation and identity recognition. The cryptographic applications mainly reflect the credibility of visitor identities, legality of access permissions, and credibility of resource nodes.Cryptographic Applications for Network Communication in Control SystemsRefer to ensuring the confidentiality and integrity of data during remote transmission.Cryptographic Applications for Terminal Devices in Control SystemsMainly refer to control devices, management devices, and various wireless collection devices. Based on embedded cryptographic modules and cryptographic middleware, secure cryptographic application foundations and environments can be provided for various terminal devices in control systems, achieving the application of domestic cryptography in terminal devices.Cryptographic Application Simulation Verification PlatformCan provide effectiveness and reliability verification for various cryptographic products and systems in the system, ensuring reliable and secure operation through comprehensive testing and verification for various scenarios in control systems. Advantages of Cryptographic Application Solutions for Control SystemsBy enhancing the security capabilities of control systems through the support of cryptographic basic devices, support platforms for cryptographic basic services, and monitoring and early warning situational awareness platforms from aspects such as cryptographic services, cryptographic products, cryptographic applications, and cryptographic supervision.In the control layer network, by deploying security gateway products, confidentiality and integrity protection of network communication data can be achieved. Security gateway products can support industrial control network communication protocols such as Modbus RTU, Modbus TCP, RS485, RS232.Business system applications in control can achieve security functions such as identity authentication, access control, data encryption and decryption by calling cryptographic service interfaces. The security SCADA system can achieve authentication for devices and security protection for communication links by calling various cryptographic middleware.The cryptographic application basic support platform includes identity authentication systems, data encryption and decryption service systems, and data trust service systems, providing cryptographic services such as key management, signature verification, encryption and decryption, digital envelopes, hash computation, and certificate management to business systems through cryptographic service interfaces.Cryptography is a vital strategic resource for the nation, the core technology and foundational support for network security, and an essential cornerstone for building a network trust system. Cryptography directly relates to national political security, economic security, national defense security, and network security, directly affecting the legitimate rights and interests of citizens, playing an irreplaceable role in cyberspace.Industrial control systems involve important national critical infrastructure and face complex security threats, urgently requiring the establishment of a cryptographic application system based on domestic cryptography with data security as the core goal, enhancing autonomous control and security protection capabilities, effectively ensuring the stable, reliable, and secure operation of control systems and infrastructure, laying a solid foundation for achieving the goal of “manageable, controllable, and trustworthy” data in the control field. [References][1]. “Cyber Space Research” (February 15, 2017, Issue 1), China Academy of Information and Communications Technology, 2017.[2]. “Industrial Internet Architecture (Version 2.0)”, Industrial Internet Industry Alliance, 2019.