Security Issues on Industrial Internet of Things: Overview and Challenges

Abstract

The Industrial Internet of Things (IIoT), where numerous smart devices associated with sensors, actuators, computers, and people communicate with shared networks, has gained advantages in many fields, such as smart manufacturing, intelligent transportation, and smart grids. However, security is becoming increasingly challenging due to the vulnerability of the IIoT to various malicious attacks. In this paper, the security issues of the IIoT are reviewed from the following three aspects: (1) security threats and their attack mechanisms are presented to illustrate the vulnerability of the IIoT; (2) the intrusion detection methods are listed from the attack identification perspectives; and (3) some defense strategies are comprehensively summarized. Several concluding remarks and promising future directions are provided at the end of this paper.

1. Introduction

Communication technology, big data, and edge computing, which are deeply integrated with the industrial economy, promote the booming development of the IIoT (Industrial Internet of Things). Industrial networks, especially Industrial Control Systems (ICSs) and the IIoT, are no longer isolated environments [1]. The introduction of the communication network and advanced computing technology has brought many benefits to the IIoT, such as low costs, easy maintenance, and high efficiency. However, the spread of network security threats is also accelerating in the industrial field, which harms the operation of the IIoT [2]. Because many new and complex attacks are being distributed in all physical and cyber spaces, the existing security mechanisms in the current IIoT are not sufficient for addressing the increasing security demands, allowing multiple security problems to emerge in various industrial application scenarios [3]. A large amount of industrial equipment can be easily threatened or damaged by illegal intruders, which can even lead to large-scale security incidents. In 2018, the CICS-CERT conducted research and evaluation based on relevant collected data and found that a total of 432 security vulnerabilities existed in the industrial control systems, smart devices, and IoT fields. These vulnerabilities were primarily distributed in the key manufacturing, energy, water, and chemical industries. Out of these vulnerabilities, 276 were high-risk, and 151 were medium-risk, accounting for 99% of the total. Buffer overflow vulnerabilities were the most common type, accounting for as much as 20% of the total. The five most common types of vulnerabilities were authentication error vulnerabilities, permission control vulnerabilities, information disclosure vulnerabilities, and input validation vulnerabilities. According to the report by the CICS-CERT, the number of identifiable industrial control systems and smart devices on the Internet in China currently exceeds 10,000, and approximately 89% of the devices and systems are still not using effective security measures. The number of industrial control system vulnerabilities has exploded, and industrial control system attacks have exhibited an upward trend [4]. The top six vulnerability impact areas are key manufacturing, energy, water, healthcare, food, and agriculture, which encompass 74% of the total vulnerabilities [5]. To effectively address malicious attacks externally, the IIoT must continuously improve its security protection technology to ensure its own security.

Preliminary findings on Industry 4.0 security indicate that IIoT devices are equally affected by vulnerabilities [6,7,8] and that security deployment in the IIoT needs further enhancement. To establish security in the IIoT, one should first gain a deeper understanding of the security flaws and weaknesses that exist in current networks. Although confidentiality is considered secondary in industry, it is becoming increasingly important in the IIoT as an increasing number of processes are being digitized, and IT infrastructures must be shielded against customer data theft and industrial espionage. In addition, authenticity, authorization, and nonrepudiation are closely related to each other, which will further reduce the risk of intrusion and sabotage [9]. Smart facilities as well as devices, such as those with embedded access to the IoT, help provide a digital environment for increasing global connectivity and simplifying life. However, security still cannot be guaranteed [10]. When signals are interrupted or intercepted, users’ privacy may be compromised or even leaked. For the IoT to be widely adopted, this issue should be addressed to provide users with confidence in their privacy and control of personal information [11]. Security issues impact the development of the IoT to some extent [12]. Moreover, IoT security issues likewise hinger the adoption of the IIoT. Since IoT devices are usually poorly secured, they are easy targets for malware to utilize in destructive cyberattacks, such as distributed denial of service (DDoS) [13,14] or sabotage attacks. Indeed, traditional industrial environments have been attacked in the past, sometimes with devastating consequences. It is therefore clear that without security the IIoT will never be able to realize its full potential. As a result, research in the IIoT security field domain has seen unprecedented growth in recent years. Various types of computer viruses have regularly emerged one after another. These viruses are usually employed to obtain users’ private data to make enormous profits. However, industrial data are far more valuable than personal data. Once the industrial Local Area Network (LAN) is attacked by viruses, other computers will also be infected by viruses, causing data loss, destruction, and tampering in areas with no strong protection capabilities. In fact, the data transmission speed of the LAN is very fast due to its real-time demands [15]. Detecting and identifying security problems in a timely manner, or proactively responding to security threats and taking preemptive defensive measures to reduce or even eliminate the damage caused by security threats, is an important measure for effectively mitigating security threats. However, the characteristics of the IIoT make implementing perfect security protection in the IIoT difficult. Moreover, the control system has high vulnerability, poor boundary protection, and issues with mobile media and data security. The core of industrial networking is industrial data collection, but inconsistent data interfaces and data format standards make data collection rather difficult. In addition, IIoT data have large volumes, many types, complex structures, and a lack of encryption authentication. Security risks exist in data storage, transmission, analysis, and sharing [16]. Therefore, as security threats emerge, more comprehensive and reliable detection and defense schemes must be studied in depth.

Considering the above observations, in this paper, the security issues in the IIoT are comprehensively reviewed, and a better understanding of defense strategies is pursued. The main contributions of this paper are summarized below and shown in

Table 1. The key contributions.

Number	Key Contributions
1	Demonstrates the four-layer IIoT architecture
2	Describes potential issues that an attacker could exploit to threaten IIoT security, as well as weaknesses introduced in each layer
3	Summarizes intrusion threat detection methods and defense measures
4	Identifies the main security challenges and potential directions for the future development of the IIoT

:

• The potential problems that may be exploited by attackers to threaten IIoT security and the introduced weak links in each layer are described in detail using the four basic layers of IIoT architecture as a foundation.
• Intrusion threat detection methods and defense measures, which are utilized to enable the real-time monitoring and detection of internal and external security threats in IIoT networks and to identify and handle potential threats for multiple security threats in a timely manner, are summarized.
• Based on the analysis of security threats, intrusion detection, and threat prevention, the main security challenges in the future development of the IIoT are identified, and several potential directions are suggested.

The remainder of this paper is organized as follows. In Section 2, IIoT security issues are introduced considering their background, characteristics, and safety requirements. In Section 2, the weak points at each structure level are detailed based on the basic four-layer architecture of the IIoT, and the possible problems in these areas are described in detail. In Section 3, state-of-the-art solutions are presented for IIoT security. In Section 4, the challenges and opportunities for future IIoT security measures are analyzed based on the security issues and solutions described in the previous two sections. In Section 5, the paper and relevant contributions of it to IIoT security are discussed.

2. The Security Problems in the IIoT

As one of the mainstream reference architectures in the new generation of the industrial revolution, the IIoT architecture is the cohesion of consensus from all sectors of governments, industry, universities, and research. This architecture guides the IIoT’s technology innovation, standard development, test verification, application practice, ecological creation, international cooperation, and other multilevel work. In 2010, Atzori et al. and Weber [17] conducted research on the security issues existing in the IoT. Atzori et al. briefly discussed the main challenges and potential issues of IoT security. Miorandi et al. [18] outlined the data confidentiality, authenticity, and privacy aspects of the IoT. Subsequently, Zigeldorf et al. [19] analyzed the privacy threats and challenges faced by the IoT in detail. Zhao and Ge [20] divided the IoT architecture into three layers, namely the perception layer, the transport layer, and the application layer. Xiao R. et al. proposed a Hybrid Internet of Things (H-IoT) platform framework in [21], which consists of five layers: an intelligent device layer, communication protocol layer, edge computing layer, IoT control layer, and application layer. In order to enable machine learning to be deployed in smart manufacturing, Romulo Gonçalves Lins et al. [22] created a decentralized network for the manufacturing system. This network architecture consists of six layers, an asset layer, integration layer, communication layer, information layer, function layer, and business layer. The communication layer uses standard protocols for data communication to ensure deterministic data exchanges and the complete implementation of information security. Shahid Latif et al. demonstrated a seven-layer IIoT framework in [23], in which the security layer mainly performs three main functions: device security, cloud security, and connection security. Jing et al. [24] further analyzed the characteristics, security issues, and corresponding solutions of each layer of the architecture in detail. Later, Fremantle and Scott [25] analyzed the impact of middleware on IoT security. Granjal et al. [26] focused on the security of IoT communication protocols. Nguyen et al. [27] discussed the applicability and limitations of existing IP-based Internet security protocols and other security protocols used in wireless sensor networks. Airehour et al. [28] further analyzed the threat of secure routing in the IoT, existing methods for ensuring secure routing in the IoT, open challenges, and strategies for future research. Then, Qin et al. [29] reviewed the main technologies and the most advanced research work in the IoT from a data-centric perspective, including data flow processing, a data storage model, complex event processing, and searching in the IoT. Zhang et al. [30,31] investigated a novel bandwidth reservation solution based on distributed traffic monitoring and control that effectively eliminates potential congestion from bursts of traffic and uses content caching to improve on-demand delivery performance. Loi et al. [32] tested consumers’ IoT devices and revealed their security or privacy status. Fernndez-Carams et al. [33] and Lao et al. [34] reviewed the adaptability of blockchain in maintaining the applications and architecture of the IoT. Hassija et al. [35] detailed security-related challenges and threats in IoT applications. Berkay et al. [36] and Tabrizi and Pattabiraman [37] analyzed the security of IoT devices from the perspectives of programming platforms and code levels. Amanullah et al. [38] discussed the relationship between deep learning, IoT security, and big data technology. Joao et al. [39] reviewed the threat model and attack path of the overall IoT. As the IoT achieves intelligent goals without human participation by connecting real world applications [40], the IIoT has further promoted the development of the manufacturing process by addressing the requirements of key tasks better than the IoT [41]. Tan et al. [42] summarized the differences between IoT and IIoT security issues and proposed a new IIoT four-tier architecture. A comparison of previous studies was made, as shown in

Table 2. Different studies for IoT and IIoT.

Author	Comparison
Zhao and Ge [20]	Divided the IoT architecture into three layers
Tan et al. [42]	Proposed a new IIoT four-tier architecture.
Xiao R. et al. [21]	Proposed a five-layer framework for hybrid Internet of Things (H-IoT) platforms
Romulo Gonçalves Lins et al. [22]	Created a decentralized network with a six-tier architecture for manufacturing systems
Shahid Latif et al. [23]	Demonstrated a seven-layer IIoT framework
Weber [17]	Outlined security issues existing in the IoT
Atzori et al. [11]	Described the main challenges and potential issues of IoT security
Zigeldorf et al. [19]	Investigated the privacy threats and challenges faced by the IoT in detail
Fremantle and Scott [25]	Analyzed the impact of middleware on the security of the IoT
Berkay et al. [36]	Analyzed the security of IoT devices from the perspective of the programming platform and code level
Joao et al. [39]	Reviewed the threat model and attack path of the IoT in general

.

In this section, the basic architecture of the IIoT and the security issues corresponding to each structure level are discussed. As shown in Figure 1, the general architecture of the IIoT is divided into four main parts: the device layer, application layer, transport layer, and processing layer.

The device layer consists of many devices distributed in the IIoT infrastructure field. Because the devices connected to the IIoT are relatively fragile and vulnerable to network attacks, managing the security of the IIoT is extremely difficult. The baseband chip is one of the most critical components in the wireless communication module, which incurs a high cost. In addition, the industry is relatively concentrated, and the materials are usually provided by foreign manufacturers. Driven by their own interests, some overseas manufacturers often arrange “connected households”. Once exposed, these manufacturers hide, steal, or destroy important data under the pretext of product defects. With the popularization and application of smart factories, many previously relatively closed devices or systems have been connected to networks, which exposes the distribution and use of industrial equipment to the network. Devices produced solely to complete operations are very fragile. While production is becoming more efficient, these devices may also be manipulated by illegal molecules, which poses a great threat to the security of the devices or systems in the industrial network [43]. Supervisory Control and Data Acquisition (SCADA) networks provide interconnection for field devices on the factory floor. These field devices, such as sensors and actuators, are monitored and controlled via a SCADA network by a PC or programmable logic controller (PLC). SCADA networks are IT systems designed to oversee technical or production processes. The specific functions of a production process monitoring system include collecting current data from measuring elements, visualizing the data, controlling the production process, alerting to errors or deviations, and archiving data using a comprehensive database. SCADA systems play an excellent role in PLCs and other equipment that directly affects the production process. However, multiple access points are available in the SCADA network, and attackers can enter any machine in the IIoT through these access points. Additionally, SCADA networks use commercial off-the-shelf (COTS) hardware and software for equipment development [44]. The use of COTS equipment has resulted in many SCADA development protocols needing to run over traditional Ethernet and TCP/IP. These protocols are usually serial line-based protocols that are placed in TCP packets through standard process encapsulation, and these protocols usually provide additional application layer interfaces. When incorporated with an enterprise network, production information can be easily collected for higher-level management. However, these services also make devices on the SCADA network vulnerable to application layer and TCP/IP-based attacks.

The application layer mainly uses transport layer protocols (such as the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)) to support the transfer and exchange of data between host-to-host, client–server, or peer-to-peer models. Because the TCP/IP used by the IIoT is open and transparent, the IIoT is vulnerable to intrusion attacks by third parties. Network attack measures are gradually maturing, which greatly increases the probability of network security problems [45]. As the first industrial bus protocol to play a role in industrial fieldbuses in the last century, the Modbus protocol has epoch-making significance. The Modbus protocol enables simple communication between various devices within different network architectures. However, because the Modbus protocol is designed for programmable controllers and is thus programmable, attackers can use this feature to inject malicious code into RTUs (Remote Terminal Units) or PLCs (Programmable Logic Controllers). However, developers can accurately prevent attackers by constructing logical ports. The TCP is used for network connectivity. The communication connection can only be initiated and established via the default port of the Modbus protocol, port 502, provided that the target IP address is known. A legitimate Modbus session can be established if the function code carried by the application data unit is supported by Modbus. Since the Modbus TCP has no message checking, in some Modbus TCP implementations, checksums are generated at the transport layer rather than the application layer, making it easier to fake commands. To address the security issues of the Modbus protocol, Wang Jingran et al. [46] implemented a secure version of the Modbus TCP using the transport security layer (TLS) protocol as the transport layer to create the Modbus/TLS protocol. By using TLS to protect the transport layer, attacks that rely on packet injectors and sniffers can be flexibly addressed. Furthermore, the TLS protocol has multiple cipher suites to meet different security level requirements and computational complexity constraints. If a cipher becomes insecure, the application can use another cipher without changing anything in the application layer. In addition to the Modbus protocol, message queuing telemetry transport (MQTT) is the de facto standard messaging protocol for many M2M communications in the IIoT due to its lightweight overhead, publish–subscribe model, and bidirectional capabilities [47]. MQTT consists of one or more publishers and one or more subscribers that communicate through a proxy node that dispatches messages. However, these solutions require manual configuration, which hampers scalability; moreover, they do not provide standard security mechanisms to handle highly dynamic and variable IIoT scenarios. Moreover, with the continuous incorporations of IT (Information Technology) and OT (Operational Technology), the scope of network intrusion attacks has been expanded [48], and the current APT (Advanced Persistent Threat) attack detection technology is impacted, so network security is still an enormous threat.

The transport layer transmits the generated data to the processing layer mainly through a heterogenous collection of networks. Capillary networks in the transport layer use short-range wireless technology to provide local connectivity and then connect to the global communications infrastructure through capillary gateways. Communication technologies based on wireless and radio waves are usually vulnerable to wireless network threats. In distributed cognitive radio networks, cognitive users negotiate spectrum idle state information through public channels to obtain idle spectrum resources without the assistance of spectrum management base stations. In this type of denial of service attack, the public channel is flooded by many useless data packets, making legitimate cognitive users unable to transmit information through the public channel. In the specific attack implementation process, the attacker saturates the public control channel by sending a malicious control frame, thus seriously blocking the channel usage and allocation of the cognitive user [49]. In addition, communication technologies based on wireless and radio waves are also vulnerable to man-in-the-middle (MITM) attacks, which intercept normal network communication data and tamper with and sniff data without the knowledge of both parties. The main attack modes of MITM attacks include SMB (Server Message Block) session hijacking and DNS spoofing.

The processing layer mainly performs some preprocessing on the data, converts the network data into valuable information, and ensures the integrity and quality of the data collected from the lower layer. However, the data information collected by the lower layer often contains a large amount of sensitive information, and the collection, analysis, and utilization of this information will directly or indirectly risk user privacy, bringing great threats and problems. Subsequently, collected data are stored in the data warehouse, and advanced data processing is performed. Due to the difficulty of internal big data processing, data are generally stored and processed by third-party service providers, but this outsourcing solution introduces many security and privacy issues. Finally, the processed data are applied to the client application. In addition to the security problems in the data preprocessing process, many security threats arise in the data transmission and conversion process. During data transmission, even if the receiver receives the information sent by the sender, the attacker may tamper with the information during the transmission process or damage the data through communication failure. Security risks, such as process information disclosure [50], commercial information disclosure, and confidential information disclosure, yield irreversible losses.

As the value density brought by the IIoT increases, an increasing number of methods for maliciously attacking the IIoT arise. The IIoT is a key integrated information infrastructure for the development of industrial intelligence, the essence of which is based on the network interconnection between machines, raw materials, control systems, information systems, products, and people. Operation optimization and production organization changes are achieved through a comprehensive deep perception of industrial data, real-time transmission and exchange, rapid calculation and processing, advanced modeling and analysis, and intelligent control. Therefore, the security of raw materials is crucial for the IIoT. In an IIoT environment, once a system is connected to the network, machines and devices can be attacked; production processes can be damaged, disrupted, or even stopped; and an attack can pass through the entire manufacturing production process of collecting, transmitting, storing, and analyzing data. Therefore, securing systems and networks and ensuring the security and trustworthiness of data in complex and changing industrial environments are enormous challenges.

3. The Solutions to Security Protection of IIoT

3.1. Intrusion Detection

Intrusion detection technology monitors and detects internal and external network attacks and internal error operations in real time through intrusion detection systems (IDSs). The IDS is generally deployed in the local computer or the key node of the computer network. It collects, detects, and analyzes the activity status of users, systems, networks, etc., without affecting normal operations [51]. Its detection objects and scope of operation are shown in Figure 2.

In 1987, Denning D. E. of Georgetown University and others first proposed the abstract model of intrusion detection and constructed an intrusion detection model [52], laying the foundation for the development of intrusion technology. Technology developments have constantly improved intrusion detection technology. In this paper, the following three commonly used intrusion detection methods are introduced.

3.1.1. Intrusion Detection Based on Data Mining

In 1999, Wenke Lee et al. first proposed applying data mining techniques to intrusion detection [53]. Applying data mining to the intrusion detection field can enable effective data preprocessing, such as classification, association analysis, and sequence analysis, and improve the accuracy and scalability of intrusion detection systems. Intrusion detection logs contain many redundant features, which can greatly reduce the data size while ensuring data integrity and can effectively improve the data processing efficiency. Intrusion detection technology based on data mining can be modeled and analyzed on static data sets according to different detection environments and requirements and can also be used in dynamic data flow environments. Intrusion detection based on static data sets plays an important role in intrusion detection technology research. This technology uses historical access data for analysis and can achieve high accuracy in data set experiments. However, intrusion detection technology based on a dynamic data flow can analyze continuously arriving mobile data, which better aligns with the real network environment and is a key research direction in the current intrusion detection field. Data mining is used to discover potential and relevant patterns or rules from many fuzzy, noisy, and irregular data. Data mining consists of three main stages: the first stage is data preparation, including data object acquisition, preprocessing and noise elimination of different types of data, data dimension reduction transformation, etc.; the second stage is data mining, in which matching mining algorithms are determined according to different data mining models and potentially relevant data are identified from a large amount of incomplete and irregular data to predict the results; and the third stage is data representation and evaluation. The results of data mining are obtained through association rules, sorting and classification, and clustering analysis of the information obtained from data mining and then expressed in the form of explicit analysis for data visualization.

Wenke Lee noted that intrusion detection is a process of identifying and responding to malicious behaviors that endanger system security, namely, confidentiality, integrity, and availability. In view of the security problems of the TCP/IP [54], the basic assumption for this detection is that user and program behaviors are visible and normal, whereas intruders behave differently. Therefore, intrusion detection systems should have several basic elements: (1) system resources, such as network facilities, user accounts, and system cores; (2) a defined model of legal use behavior of system resources; (3) technology for behavior monitoring.

In this paper, mining technology is applied in the intrusion detection field to build an intrusion detection system based on data mining. The architecture of this system is shown in Figure 3. This system can automatically build concise and accurate feature profiles from a large amount of network data, which addresses the difficulties of extracting and coding the rules of traditional misuse-based intrusion detection systems. Because this scheme has universality, meaning that it can handle various structured data, and automatic processing functions, it can build corresponding intrusion detection systems in many different network environments.

A series of algorithms have been proposed for association rule mining, such as the classic association rule algorithm and the Apriori algorithm. Apriori is a width-first algorithm that discovers all frequent item sets by scanning a database D multiple times. In each scan, only the item sets with the same length l (i.e., the item sets containing the same number of items l) are considered. In the first scan, the Apriori algorithm calculates the support of all individual items in database D and generates all frequent item sets of length 1. In each subsequent scan, all new candidate item sets are generated based on all the frequent item sets found in the previous scan, i.e., the potential frequent item sets. The above process is repeated until no newer frequent item sets are found. The key to the efficiency of the algorithm is to generate smaller candidate item sets, i.e., to avoid generating and computing candidate item sets that are unlikely to become frequent item sets as much as possible.

The specific algorithm is described as follows: let the set of l-attribute sequences be a set with l attributes, $F\left(l\right)$ be the set of frequent k-attribute sequences, and $C\left(l\right)$ be the set of candidate foot-attribute sequences. The algorithm requires several iterations of database scanning, each of which consists of two steps:

$C\left(l\right)$ is generated using the $F(l-1)$ obtained from the l−1th iteration, and the candidate generation algorithm Apriori-gen ensures that $C\left(l\right)$ is a superset of all $F(l-1)$.

The database is traversed to determine which of the candidates in $C\left(l\right)$ each tuple supports, and the number of supports is accumulated. After the traversal, the candidate set $C\left(l\right)$ is examined to determine which candidates are frequent and thus constitute $F\left(l\right)$.

The algorithm is iterated until the time when $F\left(l\right)$ is empty. The specific Algorithm 1 describing Apriori is as follows:

The input is database D and the minimum support is $S_{min}$; the output is set I of large items present in database D.

An intrusion detection system that utilizes data mining technology to extract the features of a large amount of data can better automate intrusion detection and improve detection efficiency and detection accuracy. Intrusion detection based on data mining has developed rapidly, but it is still far from being implemented in practical applications, and no complete theoretical system exists. The current primary focuses are to address the real-time intrusion detection and correct detection and false alarm rates of data mining, as well as to enrich and develop the existing theory so that the intrusion detection system can be improved and practically implemented.

Algorithm 1 Algorithm of Apriori

Input: D, $S_{min}$ Output: I 1: { 2: $\mathrm{I}1=\{large1-itemsets\}$ 3: for$\{\mathrm{l}=2;\mathrm{I}[\mathrm{l}-1]<>\mathrm{nil};\mathrm{l}++\}$ do 4:   $c\left[l\right]=Apriori-gen\left(\mathrm{I}\right[\mathrm{l}-1\left]\right)$ 5:   for all transactions $\mathrm{t}\in \mathrm{D}$ do 6:    $\mathrm{c}\left[\mathrm{t}\right]=subset\left(\mathrm{c}\right[\mathrm{l}],\mathrm{t})$ 7:    for all candidates $\mathrm{c}\in \mathrm{c}\left[\mathrm{t}\right]$ do 8:     c.count++; 9:    end for 10:   end for 11:   $\mathrm{L}\left[\mathrm{l}\right]=\{\mathrm{c}\in \mathrm{c}[\mathrm{l}]\wedge \mathrm{c}.\mathrm{count}>=minsup\}$ 12: end for 13: gen-rules(I[l]); 14: }; 15: function apriori-gen(I[l−1]); 16: { 17: insert into $\mathrm{c}\left[\mathrm{l}\right]$; 18: select cp[1], cp[2], …, cp[l−2], cp[L−1], cq[l−1] 19: from $\mathrm{L}[\mathrm{k}-1]\mathrm{cp}\mathrm{I}[\mathrm{l}-1]\mathrm{cq}$ 20: where cp[1] = cq[1], cp[2] = cq[2], …, cp[k−2] = cq[l−2], cp[l−1] < cq[l−1]; 21: if (l−1)-subsets c of c[l], cL[l−1] then delete c from c[l] then 22:   return c[l] 23: end if 24: } 25: return Outputs

3.1.2. Intrusion Detection Based on a Neural Network

IIoT intrusion detection technology has become an important protection method in IIoT security. With increasingly serious security problems, many researchers are constantly incorporating new algorithms to improve the abilities of intrusion detection systems. As one of the classic methods in the artificial intelligence fields, neural networks have been widely used in various fields. Shao Lingwei proposed an intrusion detection model based on an M-DRN (Multiscale-Deep Residual Network) to address the low accuracy, long training time, and overfitting of traditional intrusion detection models [55]. First, the residual network structure is used as the core structure, and the multiscale feature extraction idea is incorporated to construct the MDR module for extracting the spatial features of the data. In this way, the extracted features are taken from different receptive fields to prevent the loss of feature details. Fusing the neural network and intrusion detection provides the IIoT intrusion detection model with improved detection accuracy and accelerates the learning speed of the network.

At present, at least 200 kinds of neural networks are used in applications and research, including more than a dozen representative networks, each of which has advantages and disadvantages and is suitable for different ranges. However, as neural networks, they have the following common characteristics: (1) The information sources are learning processes based on observation samples. The neural network uses the sample learning method to extract information directly from the input–output relationship of the process and reflects that information on the weights of the interaction between neurons. (2) The information of the neural network is distributed and stored in the entire network; that is, it is stored in the weight of each neuron, so it is in a distributed storage mode. (3) The network has a high fault tolerance. (4) The network has a unique information processing mode and is a parallel collaborative processing system. (5) It has a certain degree of intelligent characteristics and self-adaptation, self-learning, and self-organization abilities.

As shown in Figure 4, when neural networks are used for attack detection, as long as the audit data of the system are provided, the neural network can extract the characteristic patterns of normal user or system activities from the data through self-learning to obtain prediction abilities. It can show the newly discovered intrusion attack examples to the neural network without obtaining the characteristics that describe user behavior characteristics or the statistical distributions of user behavior characteristics. Through retraining, the neural network can react to new attack modes, so the intrusion detection system has adaptive abilities. After learning the normal working mode of the system, the neural network can react to events deviating from the normal working mode of the system and then identify new attack modes.

The above analysis shows that the intrusion detection system based on the neural network addresses the high false alarm rate, slow detection speed, and poor adaptive abilities of the traditional intrusion detection model. Furthermore, the intrusion detection system based on the neural network has the following advantages. First, the neural network is able to handle incomplete deformation information and to handle data nonlinearly. These two points are very important for the network environment because random errors often occur in the network. Second, once the neural network is trained, the pattern discrimination is converted into a numerical operation to allow the network to run at high speeds on the computer. For network intrusion detection systems with high real-time requirements, intrusions must be detected and the corresponding response triggered before the intrusion has a destructive effect. The high speed of neural network matching is highly advantageous for such systems. Third, the output of the neural network can be a numerical value of the intrusion possibility (or the danger level of the data). The network learns this value through nonlinear analysis, rather than solely mechanical matching, such as in a rule-based system, which enables the neural network to detect new intrusion types [56]. Furthermore, it exhibits good fault tolerance and robustness, parallelism, associative memory, and associative mapping.

The specific algorithm is as follows:

Let the input layer have n neurons, the input vector $\mathit{X}=\left(x_1,x_2,\dots ,x_n\right)$, the hidden layer have l neurons, the hidden layer vector $\mathit{H}=\left(h_1,h_2,\dots ,h_l\right)$, the output layer have m neurons, and the output vector $\mathit{Y}=\left(y_1,y_2,\dots ,y_m\right)$. Let the connection weight between the input layer and the hidden layer be the weighted ${\omega }_{ab}$ threshold ${\alpha }_b$ and the weight between the hidden layer and the output layer be the ${\omega }_{bc}$ threshold ${\beta }_c$. Then, each layer’s output of the neurons satisfies

$$\left\{\begin{array}{c}{h}_b={\sum }_{a=0}^l{\omega }_{ab}{x}_a\hfill \\ y_c={\sum }_{b=0}^m{\omega }_{bc}{h}_b\hfill \end{array}\right.$$

(1)

Let the activation function be the sigmoid function, i.e., $f\left(x\right)=\frac{1}{1+{\mathrm{e}}^{-x}}$. For each sample in the training set, the network input vector is $\mathit{X}=\left(x_1,x_2,\dots ,x_n\right)$, the actual output is $\mathit{Y}=\left(y_1,y_2,\dots ,y_m\right)$, and the desired output $\mathit{K}=\left(k_1,k_2,\dots ,k_m\right)$. The error function is defined as

$$E=\frac{1}{2}\sum _{m=1}^l{\left(k_m-y_m\right)}^2$$

(2)

For $\mathit{P}$ samples, the total error is

$$E_P=\frac{1}{2}\sum _{{\mathit{P}}_l=1}^{\mathit{P}}\sum _{m=1}^l{\left(k_m-y_m\right)}^2$$

(3)

Using the gradient most rapid descent method to find the minimum value of the error function, the update $\Delta {\omega }_{ab}$ of ${\omega }_{ab}$ can be expressed by the following equation:

$$\Delta {\omega }_{ab}\propto -\delta \frac{\partial E_{\mathrm{sum}}}{\partial {\omega }_{ab}}$$

(4)

where $\delta$ is the learning rate with a value greater than zero. The initial value of the weight coefficients greatly influences the convergence rate of the BP learning algorithm, and a random function can be used to generate the initial value of the weight coefficients.

The output values $y_1$ and $y_2$ indicate the probability of normal and abnormal behaviors with values between $0\sim 1$, and ${\beta }_1$ and ${\beta }_2$ are set to indicate the normal and abnormal thresholds, respectively. The following cases hold:

$y_1=1,y_2=0$ indicates normal behaviors;

$y_1=0,y_2=1$ indicates abnormal behaviors for additional processing;

$y_1>2$ and the values of $y_1$ and $y_2$ being between 0 and 1 where $y_1>{\beta }_1$ indicates that the behavior can be considered normal and necessary, and an alert message can be provided as needed;

$y_1<2$ and the values of $y_1$ and $y_2$ being between 0 and 1 where $y_2>{\beta }_2$ indicate alarming behaviors.

To reduce the false alarm rate, the uncertainty inference method can be used in the decision system. First, the theoretical domain framework of the problem and the relationship matrix are established, and then the probability of the intruder is derived using the calculation method of general evidence inference by combining the probability function of the detection system derived from the surveillance data.

Currently, intrusion detection technology primarily adopts BP neural network technology with back propagation capabilities to process the information obtained by network nodes. The packets are captured from the network through the data capture module, and the packets are analyzed and preprocessed following the protocol, at which time the outgoing data are of a type recognizable by the neural network. Then, the weights of the neural network are stabilized by training the network with a large amount of normal data so that known or unknown network intrusions can be effectively evaluated. BP neural networks generally have multiple layers of neural network nodes, with nodes in each layer connected to adjacent nodes. During the training process, the weights and threshold values in the BP neural network are sequentially corrected after the neural network is propagated forward and backward twice. Each neuron in the network can identify the security of the network data more accurately after training, thus reducing the false alarm rate of the intrusion detection system.

3.1.3. Intrusion Detection Based on Machine Learning

The original intrusion detection technology relies on the manual extraction of data characteristics to build the attack rule base. After machine learning is incorporated into intrusion detection technology, intrusion detection technology can automatically extract features, use marked data for training, train to obtain intrusion detection rule sets, establish intrusion detection models, automatically learn attack modes, generate rule sets and detectors, achieve malicious intrusion detection in the IIoT, and save considerable time. The structure of this technology is shown in Figure 5.

Traditional machine learning algorithms can be categorized into supervised learning and unsupervised learning methods. Shown in

Table 3. Machinelearning-based intrusion detection.

Reference	Comparison
[57]	The OCSVM unsupervised learning method was proposed.
[58,59,60,61,62]	A supervised learning algorithm was proposed for an SVM with a higher learning efficiency.
[67]	An SVM intrusion detection method based on multiclassification was proposed.
[68]	Cyber attacks were predicted using Bayesian network-based models.
[69]	A detection model based on the hidden Markov model (HMM) was proposed.

. At present, the most commonly used unsupervised learning methods in many industrial control system intrusion detection models are the OCSVM algorithm [57] and the K-means clustering algorithm. Supervised learning algorithms have a higher learning efficiency than unsupervised learning algorithms. The commonly used supervised learning methods in intrusion detection include the SVM [58,59,60,61,62], Bayesian network [63], Markov [64,65,66], etc. Similar to the OCSVM, the SVM can only distinguish between abnormal and normal data and cannot accurately detect attack types. Therefore, in [67], an SVM intrusion detection method based on multiclassification was proposed, and the ability to accurately detect multiple types of attacks was achieved by combining multiple SVM models. In [68], a model based on Bayesian networks was used to predict the impacts of network attacks on the system. Because this method does not consider the wear and tear of equipment and network delays in actual production and life, achieving ideal results in real environments using this method is difficult. Markov processes are often used to describe changes in equipment status; their algorithm can discover the rules and features in the sequence data to predict and classify the sequence. The Markov algorithm is good at processing sequence data. In [69], a detection model based on the hidden Markov model (HMM) was proposed. This model can be divided into two subsystems: the head subsystem and the data subsystem. These two subsystems are used to process the sequence data of the header and data segment, respectively, in the Modbus protocol. Each subsystem contains multiple HMM classifiers. When one of the classifiers detects an abnormal result, the model sends an alert to the SCADA system and reports the abnormal result. Although this decision-making mechanism can improve the detection rate, it also increases the false alarm rate.

The HMM is a type of Markov chain whose states cannot be observed directly but can be observed by a sequence of observation vectors, each of which is represented as various states by a probability density distribution, and each observation vector is generated by a sequence of states with the corresponding probability density distribution. Therefore, the HMM is a dual stochastic process: a hidden Markov chain with a certain number of states and a set of displayed stochastic functions. The basic elements of the HMM are specified by the characteristic parameters shown in

Table 4. Specification of characteristic parameters of basic elements of HMM.

Characteristic Parameters	Meaning
$\mathrm{S}=\left\{{\mathrm{s}}_{\mathrm{i}}\right\},1\le \mathrm{i}\le \mathrm{N}$	A finite set of hidden states
$\mathrm{O}=\left\{{\mathrm{o}}_{\mathrm{i}}\right\},1\le \mathrm{i}\le \mathrm{M}$	A finite set of observation symbols
$\mathrm{E}=\left\{{\mathrm{e}}_{\mathrm{ij}}\right\}$	A state transition probability matrix
${\theta }_{\mathrm{t}}$	The alerts generated from three detection components
$\mathrm{E}=\left\{{\mathrm{e}}_{\mathrm{ij}}\right\}$	An observation probability matri
$\pi =\left\{{\pi }_{\mathrm{i}}\right\}$	An initial state distribution vector
N	State number
r	The length of the sliding window of observations
${\eta }_t\left(i\right)$	The forward variables, respectively
${\varphi }_t\left(\mathrm{j}\right)$	The backward variables, respectively
$\lambda$	The predefined threshold

.

The anomaly detection states of the HMM consist of three main types: normal states, fault states, and attack states. The finite set of hidden states can be expressed as

$$S=\{s_1,s_2,s_3\},s_1=s_e,s_2=s_d,s_3=s_g$$

(5)

Thus, HMMs can be simply expressed as $\underset{k\in \{e,d,g\}}{{\epsilon }_k}=\left({\pi }^k,{\mathbf{E}}^k,{\mathbf{D}}^k\right)$, and the observation sequence is defined as follows, where ${\theta }_t=0$ when $t<r$: ${\mathrm{\Theta }}_{\left(t\right)}=\left({\theta }_t-r,{\theta }_t-r+1,\dots ,{\theta }_t\right)$$t=(r,r+1,\dots )$. The HMM is obtained by training using the Baum–Welch algorithm. To maximize the probability $P\left({\mathrm{\Theta }}_{\left(t\right)}\mid {\epsilon }_k\right)$, through the initial model ${\epsilon }_k=\left({\pi }^k,{\mathbf{E}}^k,{\mathbf{D}}^k\right)$ and the observation sequence ${\mathrm{\Theta }}_{\left(t\right)}t<r$, the Baum–Welch algorithm adjusts the parameters $\mathbf{E}$, $\mathbf{D}$, and $\pi$. The smooth state density is denoted as ${\delta }_t^k(i,j)$:

$${\delta }_t^k(i,j)=\frac{{\eta }_t^k\left(i\right)e_{ij}^k{d}_j\left({\theta }_{k,t+1}\right){\varphi }_{t+1}^k\left(j\right)}{{\sum }_{i=1}^N{\sum }_{j=1}^N{\eta }_t^k\left(i\right)e_{ij}^k{d}_j\left({\theta }_{k,t+1}\right){\varphi }_{t+1}^k\left(j\right)}$$

(6)

and the probability of state $s_i$ at time t is defined as ${\mu }_t^k\left(i\right)={\sum }_{j=1}^N{\delta }_t^k(i,j)$. ${\mathbf{E}}^k$ and ${\mathbf{D}}^k$ are then updated by $\left\{\begin{array}{c}{e}_{ij}^k=\frac{{\sum }_{t=1}^{T-1}{\delta }_t^k(i,j)}{{\sum }_{t=1}^{T-1}{\mu }_t^k\left(i\right)}\hfill \\ d_j\left({\theta }_k,t\right)=\frac{{\sum }_{t=1}^T{1}_{{\theta }_t=o_i}{\mu }_t^k\left(j\right)}{{\sum }_{t=1}^T{\mu }_t^k\left(j\right)}\hfill \end{array}\right.$, and $1_{{\theta }_t=o_i}=\left\{\begin{array}{c}1,\mathrm{if}{\theta }_t=o_i\hfill \\ 0,\mathrm{otherwise}\hfill \end{array}\right.$. The termination condition of the iterative algorithm is as follows:

$$\left|logP\left({\mathrm{\Theta }}^k\mid {\epsilon }^k\right)-logP\left({\mathrm{\Theta }}^k\mid {\epsilon }_0^k\right)\right|<\lambda$$

(7)

The HMM (${\epsilon }_e$, ${\epsilon }_d$, and ${\epsilon }_g$) is obtained from the offline training data through the above training process. The actual attacks and faults are then distinguished by an alert classifier. The introduction of machine learning technology into the traditional intrusion detection system improves the detection rate and can effectively respond to the current increasingly complex network environment. This is the mainstream trend of future network security technology, and deep learning technology should be taken as the main research focus. Combining deep learning with the existing algorithms of machine learning can effectively bridge the research gap and improve the accuracy detection.

3.1.4. Summary

This subsection compares different detection methods. Machine learning-based intrusion detection is the combination of intrusion detection techniques with machine learning to automatically extract features, using labeled data for training, and training to obtain the intrusion detection rule set for the intrusion detection model, greatly accelerating malicious intrusion detection. Data mining-based intrusion detection includes effective data preprocessing, such as classification, correlation analysis, and sequence analysis, to improve the data processing efficiency. This method can achieve a high degree of accuracy in data set experiments. Neural network-based intrusion detection improves on traditional intrusion detection methods by incorporating neural networks into intrusion detection, which improves the detection accuracy and accelerates the learning speed of the network.

3.2. Threat Defense

Aiming to address the security threats faced by the IIoT, targeted defense plans are proposed in this section.

3.2.1. Active Defense of IIoT Abnormal Data Based on Neural Networks

The active defense technology of IIoT abnormal data based on BP neural networks primarily achieves the distributed fusion of IIoT security abnormal data features through the association data mining method, establishes the graph model structure of IIoT abnormal data, obtains the abnormal state distribution feature set of IIoT abnormal data through the spatial spectrum feature clustering method, and establishes the feature distribution model of IIoT abnormal data. Data fusion and optimal scheduling are then conducted following the correlation of the abnormal state feature distributions of IIoT abnormal data [70]. Incorporating spatial reorganization technology, the data set structure is reorganized, and then the active defense control and detection of abnormal data are achieved through fuzzy feature matching and BP neural network control. This method exhibits high accuracy in abnormal data detection, which can improve the defense of the IIoT against abnormal data.

3.2.2. Security Defense System

The security defense system includes three parts: an information sharing platform, a security emergency command system, and a comprehensive analysis platform [71]. The information sharing and alarm platform can aggregate decentralized security equipment and information, avoid the originally isolated island of security defense, and conduct unified monitoring, analysis, and research on various security threats. It can also issue early warnings and form a security threat awareness and sharing mechanism. The security emergency command system encompasses an emergency dispatching platform, command process, etc. When the industrial production network is attacked, the emergency dispatching platform plan conducts a plan, urgently integrates relevant emergency forces, dynamically tracks the development of the situation, and builds a network security emergency command system so that security events can be comprehensively studied and handled [72]. The comprehensive analysis platform can display key basic information and provide standard interfaces at the same time, integrate the third-party situational awareness system, apply the second-generation firewall, deploy security detection probes in each factory to control the overall network security of the enterprise, detect and handle potential threats in a timely manner, and improve the safety level of the factory. In the production control network, by combining the industrial control flow monitoring engine with cloud detection [73], online monitoring is conducted based on the existing core platform to provide early warnings of OT security risks and effectively protect the OT operating environment. In the OT system, the access relationship between devices is determined, potential problems are located according to abnormal access analysis, and system working conditions are detected on the basis of flow analysis.

3.2.3. Immune Network

An immune network is a network topology structure built according to the idea of independent defense, which fully mobilizes network security defense resources; isolates network viruses or trojans by using routers, switches, and other network devices; and controls viruses from the source, thus achieving the function of group defense and group control of network security [74]. The immune network solution consists of a complete set of software and hardware, complete intranet protocol, and security policy components, mainly including an interrupt drive, access gateway, immune server, and immune communication protocol. The immune network addresses network attacks from the perspective of intranets and can be better applied to diverse and complex network topologies. The immune network is shown in Figure 6.

From the information processing perspective, the biological immune system exhibits good characteristics, such as robustness, memory, fault tolerance, dynamic stability, and anomaly detection, which are highly similar to the characteristics of a qualified network IDS. Therefore, the network system is regarded as a physiological system. The network attack detection system essentially achieves the immune and self-healing functions of this system. The biological immune system is primarily employed to recognize the “self” and “nonself”, which is achieved through z combination of antibodies and antigens. The immune system recognizes the “nonself” and forms self-tolerance to the “self” through the generation and evolution of antibodies, which is generally achieved through negative selection and clonal selection mechanisms. Similarly, simulating antibody generation processes, such as through gene pool updating, negative selection, and clonal selection, to establish a human intrusion detector is the key to establishing the IDS based on the principle of artificial immunity. According to the basic idea of biological immunity, a normal network connection is regarded as normal behavior, and an abnormal connection is regarded as alien behavior. This allows the system to distinguish between the “self” and “nonself” to identify human intrusion behavior, where the detector is generated by a negative selection algorithm and clonal selection algorithm.

The artificial immune network is a distributed dynamic adaptive system capable of adapting to changing network environments through learning mechanisms, i.e., through dynamic autologous tolerance and clonal selection algorithms. New antibodies are randomly generated, first through autotolerance, which prevents antibodies from matching with the self, calculates the affinity for the newly generated antibody k, and deletes the antibody it if it matches the self; otherwise, the antibody evolves into mature cells through autotolerance and is added to the set of detectors.

Table 5. The required characteristic parameters in the artificial immune network.

Characteristic Parameters	Meaning
$C_{num}$	Total number of clones of cells
$\lambda$	Parameter factor
M	Number of memory cells
a	Antibody
$ad$	Antibody d captured antigen
i	The i-th cell
F	Freeform collection
y	Binary string
t	Binary representation of antigen length

lists the characteristic parameters needed in the artificial immune network. The detector size is h, and the tolerance formula is as follows:

$$C_t\left(k\right)=\left\{\begin{array}{cc}0\hfill & \mathrm{if}\mathrm{C}\exists y\in F\wedge C_m(k,f,y)=1\hfill \\ 1\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(8)

Mature antibodies are prompted to evolve into memory cells when the affinity accumulation reaches a threshold value $\xi$ during the matching process with the antigen. The set N of memory antibodies is defined as

$$\begin{array}{c}N=\{<a,ad>|d\in U\wedge ad\in Ad\\ \left.\wedge \left(\forall y\in Self\wedge C_{\mathrm{match}}(a,y,t)>\xi \right)\right\}\end{array}$$

(9)

The detection process is then reversed. First, the invading antigen is detected by the memory antibody. If the memory antibody matches the antigen, that antigen is directly judged as an invasion in a process equivalent to a secondary immunity response. Otherwise, an immune response is performed, and the individual with a high affinity is cloned. Clonal selection also includes antibody variation. The antibody variation rate is inversely proportional to the affinity of the antibody for the antigen. The higher the affinity is, the lower the variation rate; conversely, the lower the affinity is, the higher the variation rate. The formula for the number of antibody clones is

$$C_{\mathrm{num}}=\sum _{i=1}^M⌈\frac{\lambda ·M}{i}⌉$$

(10)

The cloning process is shown in Algorithm 2:

Algorithm 2 Algorithm of clones

1: Procedure Clone_Select( ) 2: { 3: for every ad in Ad do 4:    if one ad match ad then 5:      ab.count ++; 6:      if ad ∈ R then 7:         clone ad add to N;/$C_{\mathrm{num}}$(ad)/ 8:      end if 9:    else if ad ∈ M then 10:      if ad. count >$\theta$ then 11:         ad become memory cells; 12:         clone ad add to N;/$C_{\mathrm{num}}$(ad)/; 13:      end if 14:    end if 15: end for 16: }

3.2.4. Blockchain

Data tampering has become a major hidden danger that affects the normal operations of enterprises. To prevent data from being deleted and tampered with, we must introduce blockchain technology to verify, store, update, and encrypt data to ensure safe data transmission [75]. Blockchain is a novel application model that combines distributed data processing and dynamic encryption algorithms [76,77,78]. It exhibits the characteristics of multiparty and bilateral transactions, recording the entire network, information sources, tamper resistance, etc. [79,80]. Currently, blockchain is still in its early stages of development. In Blockchain 1.0, [81], the first stage of [82] is the most representative of cryptocurrency, where Bitcoin [83] is the best representative. In the second phase, Blockchain 2.0, blockchain has been able to support the creation of advanced smart contracts [84,85] with implementable programs and commands. Blockchain is a decentralized system, which is divided into six layers: the data, network, consensus, contract, service, and application. The data and network layers are primarily responsible for data collection, verification, and processing [86,87,88,89,90]. The consensus and contract layer includes smart contracts, consensus protocols, and incentive mechanisms [91]. The service and application layers put blockchain-based activities into practice [92]. Contemporary industry has entered the new era, Industry 4.0 [93,94]. Blockchain technology will become a powerful tool in Industry 4.0 [95] because it integrates and interoperates architecture, technology, equipment, and other related things to provide high-quality products and services for society [96,97].

Blockchain can be divided into three types according to the degree of openness and object orientation: a public chain, alliance chain, and private chain. The earliest public chain is a chain open to everyone, which is the underlying technology of Bitcoin. The private chain is intended for a small number of individual users, and the alliance chain connects the public and private chains. According to the application scenarios and data characteristics, each chain can be responsible for traceability and rights confirmation, data protection, log data protection, IoT data protection, etc.

In terms of traceability data protection and traceability chain establishment, the current traditional methods of data traceability include data citation technology [98], labeling methods [99], and reverse query methods [100]. However, these traditional methods are insufficient for protecting the traceability data, and they must often rely on a centralized third party to store or verify the traceability data.

In a centralized storage system for traceability data, the higher the centrality of the storage system is, the lower its credibility. The centralized storage system is inherently driven by possible self-interests, especially when it is used to store traceability data, resulting in the tampering or forgery of traceability data. In addition, the single point of failure is very likely to lead to the paralysis of the entire system. The historical information of data usually exists in the form of logs in various decentralized devices, which easily form information islands, have low traceability efficiency, and allow data to be easily tampered with. The data owner is separated from the data, and the data are all hosted by a centralized third party, which may lead to data disclosure and threaten the data privacy.

The characteristics of the blockchain, such as decentralization, anti-tampering, and a consensus mechanism, are ideal for solving these problems. However, most application scenarios for traceability technology are centralized databases or trusted distributed environments of storage nodes, which cannot be directly used in blockchain applications [101]. Certain designs and adjustments are thus needed.

Another problem is the throughput of the protected data on the chain. If blockchain technology is combined with data traceability, the processing efficiency of blockchain transactions, that is, the throughput, must be urgently improved, and the transaction costs must be reduced. To solve these problems, blockchain expansion and cross-chain side chain technology have been developed [102,103,104,105]. Cross-chain side chain technology was first applied to Bitcoin. This protocol allows Bitcoin to be safely transferred to other blockchains and safely returned to the main chain of Bitcoin from other blockchains [106]. These technologies improve the throughput to a certain extent. However, due to the natural limitations of the blockchain chain structure, these capacity expansion technologies are very complex and have limited capacities for improving the throughput.

In terms of data right confirmation, the traditional means of data right confirmation include the submission of an ownership certificate, expert review, and digital watermarking. However, the first two methods lack technical credibility and require human participation, and they do not form a security loop. However, most digital watermarking technologies are aimed at static data sets, and a watermarking scheme that meets the enormous data volume and high update requirements is not yet mature. Applying blockchain technology to the protection of rights confirmation data can address these problems to some extent.

Blockchain is primarily employed in traceability and right confirmation to store the traceability data on the chain so that the traceability data cannot be tampered with. However, the blockchain can only ensure the integrity of the data on the chain and cannot ensure the reliability of the traceability data source or the authenticity of the data itself. Other data authenticity audits and verification methods must be incorporated under the chain.

Applying blockchain to log data integrity protection can ensure that log data are not tampered with, improve log reliability, and strengthen system security. However, due to the high overhead of storage space on the chain, most blockchain log applications store only the summary or hash of log data rather than the complete data. Although tampering can be detected, the nodes with damaged data must still rely on offline means to recover log data, and smart contract applications are insufficient. Therefore, the combination of the automatic log verification method with smart contracts should be studied.

In terms of IoT data protection, the blockchain used should be customized according to the characteristics of the IoT device where the data to be protected are located. For example, IoT devices are small and many, and a single device does not have strong computing power. This is insufficient for consensus algorithms with high computing power requirements, such as the proof of work (POW) algorithm. Moreover, the data storage capacity of IoT devices is also limited, so special storage devices must be combined under the chain for data storage. In recent years, Internet of Things Application (IoTA) has become an option for IoT blockchain application data protection, with the goal of applying it to IoT devices and establishing a machine economy so that transactions do not require fees and data can be quickly linked.

The applications of blockchain technology for data protection in other non-IT industries are in the initial exploration and pilot application stages. The common idea among these applications is to protect the data by storing it on the blockchain.

3.2.5. Summary

In this subsection, different defense methods, which have different focuses and different starting angles, are compared in

Table 6. Different studies for blockchain.

Reference	Comparison
[81]	Proposed Blockchain 1.0
[84,85]	Blockchain 2.0 with support for creating advanced smart contracts
[98,99,100]	Three different approaches to data traceability are proposed.
[102,103,104,105]	Proposed blockchain extensions and cross-chain sidechaining techniques

. In neural network-based active defense against abnormal data in the industrial Internet, abnormal data detection is achieved through establishing a feature distribution model of abnormal data in the industrial Internet according to the correlations of its distribution, data fusion, and optimal scheduling. This method of abnormal data detection is more accurate than other methods and can improve the defense of the industrial Internet against abnormal data. The security defense system conducts unified monitoring and analysis of research, comprehensive analysis, and global control of network security. It detects a variety of potential security threats and handles them. The immune network addresses network attacks from the intranet perspective, fully mobilizes network security defense resources, isolates network viruses or Trojans, and controls viruses from their source. This network thus better aligns with the diversity and complexity of network topology. Blockchain technology primarily verifies, stores, updates, and encrypts data and ensures safe data transmission.

4. Challenges

Industrial control systems (ICSs) primarily consist of dedicated hardware, software, and communication protocols. ICSs are generally closed systems with strong specificity and little external influence, so the safety of these systems has not received enough attention. With the rapid development of information technology, information technology applications in ICSs have rapidly developed, forming industrial control networks with many TCP/IP technologies. Industrial control networks and enterprise management network connections are becoming increasingly close. ICSs are also undergoing closed system development for currently open systems, so ICSs and communication security must be considered to implement connectivity between equipment. The protection function of the enterprise management network and the industrial control network is very weak, even nearly lacking an isolation function; as a result, maintaining the safety of ICSs is becoming increasingly serious. If any point of an ICS is attacked, the entire system may break down. In this section, four security challenges faced by the IIoT are described.

4.1. Imperfect Back Door Protection of Equipment

Malicious attacks against the IIoT have occurred repeatedly, especially attacks exploiting the back door and vulnerability. These attacks pose an enormous threat to industrial production and national interests. Many mutant viruses can obtain the peripheral information of the target system through social network attacks and then use targeted backdoors to enhance the attacker’s permissions so that they can hide and continuously steal sensitive information from the target system. The Internet paralysis event in the United States in October 2016 originated from the botnet attack on Mirai, which targeted IoT devices. It launched a large-scale DDoS attack by scanning the back door and infecting multiple webcams, DVRs, and routers. The leakage and utilization of backdoor information greatly threaten the IIoT environment and seriously damage national interests. As important threats to public user privacy, malicious scenarios of backdoor leakage and utilization must be perceived and identified by the security protection system to provide support and reference for rejecting real-time attacks. As the IIoT environment will be widely used in the future, relevant research work is extremely urgent.

4.2. Hidden Trouble in Data Code

Data are an important strategic resource in the industrial manufacturing process, which have the characteristics of mining demand, manufacturing prediction, and the integration of the industrial chain. They are the core driving force for the development of intelligent manufacturing. Therefore, one core value of industrial Internet platforms is to achieve the sharing and real-time utilization of data. By systematically collecting, storing, processing, and utilizing data, industrial Internet platforms can help decision makers clarify the causes and solutions of problems in a timely and efficient manner to make correct decisions, ensuring that the various data gathered in the industrial Internet platform can be used to the maximum extent. In widely used industrial Internet platforms, however, the data produced from different areas greatly differ. The platform data storage, analysis, and utilization of resources thus have variety and large volumes, so industrial Internet platforms face data information leakage and damage, as well as a series of security risks.

At present, the production line in the IIoT is becoming increasingly intelligent and flexible. Only one instruction is issued in the factory, and the production line is processed according to the preset procedure without requiring human intervention. Production lines in some areas can even be customized to suit consumers’ preferences. The production program on the production line is thus editable, which means that the software code can be modified. This provides an attack opportunity for attackers and risks program tampering. Once the program is tampered with, immeasurable losses will impact the factory.

4.3. Hidden Trouble in Communication Protocol

The information technology of industrial control systems comes from traditional information technology, but it differs from traditional information technology. This is primarily because traditional information technology aims to transmit information, while the industrial control network conducts information transmission to transfer material or energy. As we all know, in office application environments, some computer viruses and worm viruses can cause company network failure. Using ordinary antivirus software and firewall software can address these security problems, but in the industrial control system, malicious intrusion software will lead the production line to stagnate, causing serious consequences.

With the continuous incorporation of industrialization and information technology, the TCP/IP and OPC (OLE for Process Control) protocol are increasingly widely used in industrial control systems. The communication protocol vulnerability problem is also becoming increasingly prominent. For example, the OPC Classic protocol (OPC DA ((Data Access)), OPC HAD (Historical Data Access), and OPC A&E (Alarms and Events)) is based on Microsoft’s DCOM (Distributed Component Object Model) protocol. Because the DCOM protocol was designed before the network security problem was widely recognized, it exhibits some security vulnerabilities and is thus vulnerable to attack. Moreover, OPC communication uses an unfixed port number. As a result, it is almost impossible for IT to use traditional IT firewalls to ensure the security of this protocol. Therefore, using OPC communication protocols to ensure the safety and reliability of industrial control systems is a great challenge for engineers. OPC UA is an evolution of the well-known OPC COM and XML specifications. The OPC Unified Architecture (OPC UA) is the most recent OPC Foundation technology for the secure, reliable, and interoperable transfer of raw data and preprocessed information from the shop floor to production planning systems [107]. It is designed to simplify and standardize the exchange of data between software applications in industrial environments. Despite being widely used and standardized, the OPC UA protocol has an extremely limited maximum update frequency, and it cannot provide a high enough sampling rate while achieving the needed bandwidth. Moreover, the OPC UA protocol has many insecure pointer calculations, data structures, and change constants, which opens the protocol to security risks.

For some other communication protocols, most users only understand some aspects of the protocol. They do not know how to transmit network equipment, what the contents of the transmissions are, or what methods to use for detecting hidden unknown threats. The protocol agreement may incorporate unpublished or even undisclosed agreements. Once users use these devices to connect to the Internet, there is a great possibility that third parties can control or even steal confidential information.

4.4. PLC System in IIoT

Programmable logic controllers (PLCs) have always been a key building block of industrial control systems, with their primary role being to control low-level regulatory feedback control loops. The Industry 4.0 manufacturing automation environment demands a high performance from PLCs, but PLCs have yet to meet the functionality required for Industry 4.0-oriented control systems [108]. PLCs include a variety of wireless interfaces for field-level connectivity with sensors and actuators. In addition, they contain internal filtering modules for preprocessing data streams, as well as lightweight local databases for short-term trending and display via their human–machine interfaces (HMIs). The manager process is responsible for generating control loops using field sensors and actuators and instantiating the controller as a container for low-level regulatory control. High-level connectivity consists of two interfaces: a dedicated interface for cloud connectivity that can provide standardized information models for integration with various control systems and a lightweight interface for horizontal connectivity with other IoT PLCs deployed in the field [109].

To better utilize PLCs in Industry 4.0, they must be fundamentally redesigned. Due to the increasing automation of industry, increasing demands are being placed on control systems. As a result, modern PLC workers face the following core challenges. In smart manufacturing environments, PLCs must be able to more rapidly handle commands and service interruptions and support HMI integration. This incurs higher demands on the real-time performance of the control system. More advanced power multicore processors are needed to meet this demand, but this increases the cost over time. In machine-to-machine (M2M) interconnections, the exact connections between different machines require compatibility with multiple industrial Ethernet protocols in a single PLC system. These protocols can include aspects such as industrial control, remote operation, and security. Furthermore, interenterprise connectivity requires an interoperability framework. Since PLCs are connected to plant networks and external networks of enterprises that are vulnerable to computer attacks, security is a major issue.

However, as the interconnectivity and interoperability environment continues to progress, the market needs change, which can require corresponding adjustments in software and hardware. These changes include shorter product lifecycles, an increased diversity of customer needs, and new requirements for software architectures. Other challenges of Industry 4.0 include scalability, functional safety, a low energy consumption, a tiny pin design, and software input protection.

4.5. Summary

In this section, four security challenges faced by the industrial Internet are discussed. Inadequately protecting device backdoors enables attackers to elevate their privileges through targeted backdoors, with these attackers lurking to persistently steal sensitive information from the target system. In today’s industrial Internet, the production line is becoming increasingly intelligent and flexible, the production program on the production line is editable, the software code can be modified, and hidden dangers are present in the data code, which provides attack opportunities, which opens the program to being tampered with and causes incalculable losses to the factory. With the continuous incorporation of industrialization and informatization, general protocols, such as the TCP/IP and OPC protocol, are increasingly widely used in industrial control systems, and communication protocol vulnerabilities are becoming increasingly prominent. The programmable logic controller (PLC) is an inseparable aspect of factory automation and industrial process control, and a great security risk arises because the PLC is connected to the factory network and the external network of the enterprise, which is vulnerable to computer attacks.

5. Conclusions

The security issues of the IIoT have been reviewed in this paper. Thus far, the security issues on the IIoT have been characterized by a wide range of applications under complex interactions among physical space, cyberspace, and various threats resources. Threats, detections, and defenses have been analyzed in detail, and security issues have been generally classified into the following categories based on the basic architecture of the IIoT:

• Threats to the IIoT. The equipment in the IIoT connected by the device layer is vulnerable to external attacks. Device exposure also greatly threatens the IIoT and industrial control system security.
• Attack detections. Due to the open communication protocol in the application layer, the IIoT is vulnerable to third-party intrusion attacks. The transmission layer and the processing layer are also very vulnerable to attackers during data transmission, with these attacks resulting in the leakage of a large amount of private and confidential information and irreversibly damaging the IIoT.
• Defenses against attacks. Many secure strategies have been developed to handle various malicious attacks from different perspectives. However, the deep integration of cyberspace and physical plants causes such defense or protection methods to only partially protect the IIoT.

In view of the security issues mentioned above, intrusion detection has been introduced to monitor and detect the internal and external networks in real time, respond to problems in a timely manner, and minimize the loss of the factory. The threat defense measures are also summarized in this paper, providing an expected reference value. In fact, the security defense system can monitor and analyze various security threats in a unified manner, provide early warnings, display key basic information, provide standard interfaces, integrate third-party situation awareness systems, control enterprise network security, detect potential threats in a timely manner, and handle security measures. The immune network can fully mobilize network security defense resources; use routers, switches, and other network devices to isolate network viruses or Trojan horses; diverge the virus from the source; and then achieve the network security of the group prevention and control function. Finally, relevant research continues to deepen and improve countermeasures against malicious threats, which will supply important support for the development of industrial Internet security.