[TechWeb] At two o’clock in the morning, an attacking group used a 0-day vulnerability to break into the corporate intranet. Just as it began to move laterally, it triggered an alarm, was quickly blocked and intercepted by the firewalls, endpoint EDR and other controls, and was traced back to its source. The protection held in one pass, and the attack was declared defeated!
Such intelligent network security protection, which responds without human intervention, is the overall defense system that PowerChina (China Power Construction Group Co., Ltd.) is currently building. In PowerChina’s view, network security requires the coordinated use of “eyes, brain and hands” and should have a certain level of AI, so that detection and discovery, blocking and interception, traceability analysis and other protective measures can be completed quickly without relying on people.
Established in 2011, PowerChina is a global leader in clean and low-carbon energy, water resources and environmental construction, and a leading enterprise serving the “Belt and Road” initiative. It ranked 107th on the 2021 Fortune Global 500.
PowerChina has 63 secondary units, and its business covers water conservancy and power engineering as well as infrastructure investment and financing, planning and design, engineering construction, equipment manufacturing and operation management. In the words of PowerChina Chairman Ding Yanzhang: “Understand water and electricity, be good at planning and design, excel at construction, and be able to invest and operate.”
In the digital age, with new technologies such as cloud computing, big data, IoT, mobile and AI surging forward, PowerChina’s digital transformation is at the forefront of its peers, using digital technology to continuously improve the company’s lean production, digital construction, modern management and intelligent decision-making capabilities. In this process the importance of network security has become increasingly prominent. PowerChina has always regarded network security as the foundational project of its digital transformation, and its deployment of the “Power Construction Eye” based on the QiAnXin Situational Awareness and Security Operation Platform (NGSOC) has realized the leap from traditional protection to active detection and countermeasures, laying the cornerstone for an integrated network security guarantee system for state-owned assets and state-owned enterprises.
A domain name incident pushed Power China from basic security to defense-in-depth
Looking back at PowerChina’s network security history, network security has advanced in step with the group since its establishment in 2011. According to Wang Haitao, deputy director of PowerChina’s Information Management Department, the construction can be divided into four stages. The first stage, from 2011 to 2013, aimed to build the group’s basic network security capabilities. Following the principle of “urgent needs first”, PowerChina built security capabilities such as host security, anti-virus, host hardening and anti-tampering around network endpoints.
These protections could handle everyday hacker and virus attacks, but were still somewhat weak against organized, premeditated and complex attacks.
“Cyber-attacks have caused us personal pain,” Wang Haitao recalled. “Around the time of the 2014 APEC meeting in Beijing, I was on a business trip in Xi’an and suddenly received a call saying that the website had been tampered with and replaced with inappropriate pictures. The impact was very bad. That night I changed my schedule and flew back to Beijing for emergency handling.”
“After investigation, the cause was that a domain name had been tampered with by hackers, which made the website under that domain name malfunction. For various reasons, the measures we tried did not resolve it. We finally found the QiAnXin Anfu team, and with the DNS resolution failure repair solution they provided, the domain name was kept from being polluted. The official website quickly returned to normal and the problem was completely resolved.”
“This incident showed that network security is a highly professional job, and it is not enough to rely on passive defensive measures and one’s own security forces.”
From 2014 to 2016, PowerChina entered the second stage, large-scale construction. On the one hand, from a management perspective, it improved the organization, including establishing a leading body, raising staff awareness through training, and strengthening management; on the other hand, from a technical perspective, it built a defense-in-depth technical system covering system security, application security, identity security, data security, perimeter security, and separation of privileges and domains.
With this, PowerChina had built a defense-in-depth system spanning management and technology, which greatly improved the network security capabilities of the group’s information platform.
Defense-in-depth struggles with advanced threats, and the “Power Construction Eye” is born
“As the defense rises a foot, the attack rises ten.” Since a domestic security vendor captured the OceanLotus APT group’s attacks, and from 2016 onward, various APTs (Advanced Persistent Threats) have been discovered repeatedly, posing a great threat to government and central enterprises and bringing new challenges to a defense-in-depth system based on passive defense.
As Wang Haitao recalls, PowerChina had by then completed its defense-in-depth deployment and its security capabilities had improved markedly, but five major problems remained in actual operation: a large number of assets that were hard to manage, huge volumes of operation and maintenance data, insufficient threat detection capability, security threats that were not visible, and a lack of coordinated (linkage) defense. In addition, the “Thirteenth Five-Year National Informatization Plan” emphasizes comprehensive network offense and defense capabilities and all-weather, all-round situational awareness of dynamic network security. The construction of a proactive defense system was therefore put on PowerChina’s agenda.
Starting in 2017, PowerChina entered the third stage, refined management and operation. At this stage, new technologies such as cloud computing, big data, situational awareness and threat intelligence were fully adopted to strengthen security protection and situational awareness in the new IT environment and raise the level of refined network security management.
To move from passive to active in the network attack and defense confrontation, and on the premise of meeting national requirements and group planning, PowerChina built a big-data early-warning, monitoring, analysis and defense system in which threats are known and detectable, emergencies are controllable, services are reliable, and management and control are visible. This system is the “Power Construction Eye” platform.
In concrete terms, the “Power Construction Eye” takes the Situational Awareness and Security Operation Platform (NGSOC) as its core and collects all kinds of data, including raw traffic logs, security device logs, system logs and endpoint logs. Using traffic detection engines, correlation analysis engines, threat intelligence and other technical means, it conducts continuous security monitoring of the internal networks of government and enterprise organizations. Once a security incident is discovered, it can be analyzed, judged and traced back, and at the same time responded to and handled promptly through the NGSOC’s linkage with EDR/NDR and expert services, putting security operations capability into practice.
In short, the “Power Construction Eye” closes the security loop from threat discovery, analysis and judgment, and traceability to response and disposal, helping PowerChina move from defense-in-depth to active defense.
“Eye-brain-hand” linkage delivers five major capabilities, now rolled out to the group’s branches
At present, the NGSOC-based Power Construction Eye has been successfully implemented at PowerChina headquarters, gradually building five capabilities: IT asset management, security big data integration, intelligent analysis and retrospection, security threat visualization, and collaborative defense linkage. At the 2018 Digital Expo it won the “Excellent Case of Big Data Security” award and the “Third Prize for Power Enterprise Information Security Management Innovation Achievements” issued by the China Information Association.
Wang Haitao uses “eyes, brain and hands” as a vivid metaphor for PowerChina’s technical protection system. The “eye” refers mainly to all-round monitoring and detection capability: one must see in all directions and know where the attacker is, who is acting, what they are doing, and what the result is. For example, where the production system, customer system, supply chain system or financial system is being attacked, what the attacker’s identity and behavior are, and what damage has been caused. This work is mainly done by the “Power Construction Eye”.
The “brain” refers mainly to multi-dimensional analysis. It is handled by the “smart hub”, which performs user risk analysis, behavioral risk analysis, post-incident investigation and evidence collection, and analysis and traceability, providing the basis for command and decision-making in response and disposal. This work requires not only machines to automate analysis and processing and present results intuitively and visually, but also the daily handling, analysis and judgment of security operations staff and analysts, and the command and decisions of security leaders.
The “hand” represents the fastest response and execution. Once an attack is discovered and accurately analyzed and located, it can be blocked in the shortest time and an emergency response carried out to minimize the loss. This work is completed by the “Power Construction Shield”, composed of Tianqing endpoint security and perimeter firewalls, which provides in-depth protection through coordinated linkage.
In a nutshell, the Power Construction Eye is responsible for seeing threats, the smart hub identifies them through analysis and judgment, and finally the Power Construction Shield blocks them, realizing all-weather awareness of the network security situation and forming a “human + machine + service” active defense system that improves overall security and comprehensive capabilities.
Achieving the “eye-brain-hand” linkage capability marks the completion of the fourth stage of PowerChina’s network security construction: situational awareness of security protection risks for the new IT environment.
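The closed loop described above (collect logs, detect, correlate into where/who/what/result, then hand blocking actions to EDR and firewall) can be sketched in a few dozen lines. The following is an added illustration, not code from PowerChina or QiAnXin; the threat-intel indicator, IP addresses and firewall/EDR log lines are all constructed, and the stage names and thresholds are assumptions.

```python
# Toy "eye-brain-hand" closed loop (detect, correlate, respond) in the style of the
# NGSOC described above. Added example, not PowerChina/QiAnXin code; all data is constructed.
THREAT_INTEL = {"198.51.100.23": "C2 (constructed indicator)"}  # hypothetical intel feed
LOGS = [  # constructed logs from several sources, as an NGSOC would aggregate them
    "fw src=198.51.100.23 dst=10.0.5.14 dport=443 action=allow",
    "edr host=10.0.5.14 event=process_create image=powershell.exe parent=winword.exe",
    "fw src=10.0.5.14 dst=10.0.5.20 dport=445 action=allow",
    "fw src=10.0.5.14 dst=10.0.5.21 dport=445 action=allow",
    "fw src=10.0.5.14 dst=10.0.5.22 dport=445 action=allow",
    "fw src=10.0.7.9 dst=10.0.5.99 dport=443 action=allow",  # benign noise
]

def parse(line):
    """Turn 'source k=v k=v ...' into a dict (the first token only names the log source)."""
    _, _, rest = line.partition(" ")
    return dict(kv.split("=", 1) for kv in rest.split())

def eye(events):
    """Detection stage: threat-intel matches and suspicious endpoint behaviour."""
    alerts = []
    for ev in events:
        if ev.get("src") in THREAT_INTEL:
            alerts.append({"host": ev["dst"], "kind": "intel_hit", "attacker": ev["src"]})
        if ev.get("event") == "process_create" and ev.get("parent") == "winword.exe":
            alerts.append({"host": ev["host"], "kind": "office_spawn", "attacker": None})
    return alerts

def brain(alerts, events, lateral_threshold=3):
    """Analysis stage: fold alerts into per-host incidents (where/who/what/result)
    and add lateral-movement evidence: one host reaching many SMB targets."""
    incidents = {}
    for a in alerts:
        inc = incidents.setdefault(a["host"], {"where": a["host"], "who": None, "what": [], "result": "none"})
        inc["what"].append(a["kind"])
        inc["who"] = inc["who"] or a["attacker"]
    for host, inc in incidents.items():
        smb = {e["dst"] for e in events if e.get("src") == host and e.get("dport") == "445"}
        if len(smb) >= lateral_threshold:
            inc["what"].append("smb_fan_out")
            inc["result"] = "lateral_movement_attempt"
    return [i for i in incidents.values() if len(i["what"]) >= 2]  # require corroboration

def hand(incidents):
    """Response stage: actions for EDR (isolate host) and firewall (block source)."""
    actions = [("edr_isolate", inc["where"]) for inc in incidents]
    actions += [("fw_block", inc["who"]) for inc in incidents if inc["who"]]
    return actions

def run_loop(lines=LOGS):
    events = [parse(line) for line in lines]
    return hand(brain(eye(events), events))
```

A single uncorroborated intel hit produces no action, so the "brain" stage is what keeps the "hand" from blocking on noise.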
PowerChina invited network security experts from five ministries and commissions, including the Cyber Security Bureau of the Ministry of Public Security, the Comprehensive Administration of the State-owned Assets Supervision and Administration Commission, the Safety Supervision Department of the National Energy Administration, the National Industrial Information Security Development Research Center of the Ministry of Industry and Information Technology, and a cyber attack and defense laboratory of the Ministry of Public Security, to review the “Power Construction Eye” project. The expert group highly affirmed the project’s results, agreed that the construction model and application effectiveness of the Power Construction Eye are typical and exemplary within the industry and even among central enterprises, and agreed to pass the acceptance review.
Since then, to fully implement the decisions and deployments of the Central Committee and the State Council on enhancing the anti-risk capabilities of state-owned enterprises and safeguarding national security, PowerChina has gradually achieved coverage following the principles of “member-unit perception, local data collection, unified aggregation by the group, and centralized monitoring and reporting”. Each member unit establishes its own Power Construction Eye situational awareness system and reports its locally collected data to the group’s “Power Construction Eye” platform, achieving unified data collection. The headquarters platform was modified according to the interface standards required by the “Technical Specification for the Enterprise Side of the State-owned Assets and State-owned Enterprises Network Information Security Online Supervision Platform”, then integrated with the online supervision platform deployed locally at headquarters, and reports the data required by the SASAC supervision platform, realizing information sharing. As a result, the “Power Construction Eye” platform plays a key role in unified collection, unified reporting and unified monitoring.
Figure: Integrated architecture diagram of the online supervision platform for network information security of state-owned assets and state-owned enterprises
Power Construction Eye has repeatedly excelled in live exercises; the future focus is enhancing AI capabilities
Live exercises are the best test of effectiveness. In recent years’ live offensive and defensive exercises, PowerChina has performed strongly: 70%-80% of attacks were first detected and alerted on by the Power Construction Eye and then intercepted in coordination with other products. This has enabled PowerChina to achieve excellent results in live offensive and defensive exercises for three consecutive years.
“Security work is always on the road,” Wang Haitao said. “In response to the severe external environment with ever-changing attack methods, PowerChina hopes that the Power Construction Eye will integrate more AI capabilities and gradually reduce over-reliance on people in actual offensive and defensive operations. In particular, in the analysis of traffic and log data, more machine learning, artificial intelligence and other technologies will be used to realize machine-based analysis and judgment.”
Regarding PowerChina’s current and future network security tasks, Wang Haitao said, “At present, the Power Construction Eye has achieved full coverage of the secondary units and will gradually extend to more member units and project departments over the next 2-3 years, forming a three-dimensional network security situational awareness system for the group, remedying the security shortcomings of branch units, improving the active defense capability of the whole group, and ensuring a stable and lasting digital transformation.”