Emergency Management Framework Based on Blockchain: Take China as an Example

. Building a national uniﬁed ISEMS (industrial internet security emergency management system) plays an important role in industrial cybersecurity defense. However, due to technical and management constraints, the current ISEMS has problems such as scattered security organizations, poor sharing channels, and fails to form an overall security guarantee capability for threat reporting, analyzing, warning, and disposing. The blockchain technology has the characters of decentralized trust construction, inter-organizational data sharing, data integrity assurance, data traceability, which just meets the requirements of the emergency management process. This paper analyzes the situation and challenges of ISEMS, describes the system architecture and organizational structure based on the blockchain, and describes the key implementation processes of blockchain-based ISEMS, including threat report, risk analysis, warning release and emergency response.

data leaks are exposed frequently. Meanwhile, China's ISEMS management framework lacks the systematic design. Therefore, it is necessary to construct a comprehensive and secure emergency response mechanism and take closed-loop defense measures to active defense, real-time sensing, and emergency recovery. Building a national unified emergency management system is an important part of the Industrial Internet security defense. It comprehensively analyzes threat information through technology and management methods, builds capabilities such as early warning, notification, emergency handling, and information sharing, also helps emergency department dispatch resources, investigate risk, dispose emergency, to maintain the security of Industrial Internet platforms, networks, controls, equipment, and data.
However, owing to the scattered industrial internet emergency management institutions, the inconsistent sharing channels, and the insufficient risk analysis of the industrial internet infrastructure, it is hard to form a global security capability. The blockchain, which combining data blocks into a "chain" structure in chronological order uses distributed accounting, peer-to-peer communication, cryptographic technology, consensus mechanisms, and the disclosure of intelligent contracts to achieve a decentralized and tamper-proofing data storage [1], and can solve problems such as scattered institutions, unreliable data sources, and inability to achieve multi-party storage in industrial internet emergency management. It also well meets the needs of transparent and credible requirements in multiple parties during the emergency information management process.

Organizational Structure
Seen from the Fig. 1, China's industrial internet emergency organization is a tree management structure. The root node is the national industrial internet security authority, mainly responsible for the emergency management function including early warning, risk notification, emergency response, information sharing, etc. Secondary nodes are provincial industrial internet security authorities and state-owned enterprises, which responsible for performing its management supervisors. Security vendors and scientific research institutes are also secondary nodes, responsible for reporting risk information and conducting risk research and emergency response. The third-level nodes are mainly city-level emergency management departments, small security vendors and research institutions, of which the function is consistent with the secondary node, and local industrial enterprises which are the main bodies in carrying out the disposal of risk and incident.
In recent years, the MIIT has continuously invested special funds to support the construction of industrial internet threat information sharing and emergency response command platform, through which the country can effectively improve the ability of grasping risk information, carrying out emergency command and response, nevertheless, it has not yet formed a nationwide ISEMS with vertical linkage and horizontal communication.

Technical Status
Related Work. In terms of ISEMS research, Zhang Zhen et al. [2] analyzed the content and characteristics of the U.S. cybersecurity emergency management system, and made suggestions on the construction of China's cybersecurity emergency management system from the legal system, organizational structure, and operating mechanism. The establishment of command systems with incident response, information sharing, and emergency response from the technical level has not been further studied. Liu Feng [3], Zhao Xu et al. [4] proposed technical solutions to the provincial cybersecurity emergency management platform from the aspects of security access design, basic data collection, and command function implementation, but still lacking of consideration on information sharing, multi-party coordination, mutual identity trust, regulatory review, etc. Li Ruoyu et al. [5] established an emergency response system model for governments and enterprises, and pointed out the indispensability of security service vendors in national cybersecurity emergency response work, but did not give specific implementation plans at the operational and technical levels. Since 2003, the U.S. Department of Homeland Security has implemented continuous monitoring, early warning and response to Internet export threats of government agencies through the Einstein Plan. However, due to compatibility and diverse issues, only 68.7% of government agencies have achieved the goals of the Einstein Project by 2019 [6].
Problems. The problems in the construction of national ISEMS as follows.
1. Isolated islands of information. The communication among the information systems of institutions and organizations is incomplete. In the early stage of the big data era, the isolated information island problem is common in various industries and fields [7,8]. Due to historical reasons such as insufficient top-level design and system performance constraints, the governments, security vendors and industrial enterprises have built independent threat information databases, vulnerability databases and emergency disposal systems, leading to an obvious "data chimney" effect, which comprehensively restricts the work efficiency of threat submission, sharing, and emergency disposal, etc.
2. Poor threat sharing. The security subject of Industrial Internet has weak willingness to share threat information. On the one hand, due to the high sharing frequency and complex path of industrial internet security data, data leakage may occur in the transmission process or non-legal endpoints; On the other hand, industrial internet security information has its own particular characteristics such as being multi-sourced, heterogeneous and distributed. Data classify measures are deficient to ensure the rationality of the scope of information sharing. In addition, for which the current information sharing rights and responsibilities are not clear and the audit tracking ability is insufficient, both leads to the enterprises unwilling to share information as "private property", and the competent authorities of industry are afraid of compulsory sharing. 3. Untrusted data source. Phishing, extortion, mining, etc. have become an important threat to Industrial Internet Security [9,10]. In addition to directly attacking industrial enterprises, due to the lack of effective authentication and security measures for information source and transmission, hackers utilize the defects of insufficient enduser's management ability to spread malicious code embedded in risk information through industrial internet security emergency, causing a more targeted large-scale attack on competent authorities of industry and enterprises. 4. Inefficient emergency response. China has not yet established a unified emergency disposal command and communication system. The disposal of major cybersecurity incidents still stays in traditional ways such as SMS and telephone. It is difficult to meet the requirements in timeliness, portability, confidentiality, and other aspects. In addition, due to the lack of recognized evaluation methods, the security technology team cannot get the point in the first time after the security incident and hardly obtain evidence and division of responsibilities. With the combination of above two analysis, the repetitive emergency work has been carried out continuously. 5. Lack of motivation. As the main body of information reporting and emergency response, security vendors play an indispensable role in the emergency system, also the key to the effective implementation of the national industrial Internet security emergency. It is difficult to ensure the sustainability simply with the incentive measures of social responsibility. More effective measures must be introduced to improve the positivity of security vendors. 6. System security factors. The national ISEMS is intricacy while enormous system, with large cyber-attack surface and high security risk. Once centralized data storage infrastructure being attacked may lead to the collapse of the whole system. Meanwhile, with complex and multi-subject end-user identity, the ineffective management of all users results in the system vulnerability.

Challenge
In view of the issues above, the construction of national ISEMS has the following challenge.
1. Unified interface standard. The construction of a unified standard system interface and protocol could realize the interconnection of emergency information, form an emergency coordination and disposal mechanism with timely response and feedback.
which could provide channels for central and local emergency institute and organization to obtain and convey emergency information, realize the interconnection of emergency information systems of superior and subordinate units. 2. Confidentiality, availability and non-repudiation. Traditional information systems are vulnerable to single point of failure due to centralization. Through multi centralized storage deployment Enhance the robustness and usability of the system. In addition, by verifying the identity legitimacy and rationality of the users, the data source can be trusted, managed and traceable. Third, ensure the security of data transmission, storage and sharing, especially the integrity confidentiality and of data. 3. User incentive. In the process of information report and emergency disposal involving security vendors and scientific research institutions, the competitive ranking mechanism can improve the enthusiasm of participation, grasp the technical strength of each unit, so that an appropriate emergency response team could be found timely and accurately in a security incident. Second, for the industry competent departments and industrial enterprises, introduce the reward-punishment and assessment mechanism combined with national laws and industry regulations, implement the responsibility, and ensure the sustainable development of the ISEIMS. 4. Data classification. The system should store all kinds of data information, including system vulnerabilities, early warning notifications, typical cases, knowledge base, etc. In order to ensure the security and controllability of the data as a strategic resource, Data classify and grade according to its ownership, application scope, sensitivity and other dimensions, so as to improve the sharing and circulation of data use while protecting user privacy, realize the effective balance of data privacy and social utility.

Principle
Blockchain technology is a distributed ledger technology that uses the linked data structure to verify, store, generate, update data and ensure its transmission security. It is an integrated application and innovative combination of existing technologies such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm, etc. [11]. Its most significant technical feature is to change the centralization to decentralization, as shown in Fig. 2.

Research Status
Blockchain has the technical advantages of decentralization, non-tampering, traceability, high reliability and high availability, began to form distributed collaboration architecture supporting various typical industries [12]. According to the degree of openness, blockchain can be divided into three types: Public Blockchain, Private Blockchain and Consortium Blockchain. Public blockchain is completely decentralized, and also, any user can join the network, access and write data. The typical representatives are bitcoin and Ethereum. Private Blockchain is partial decentralized, and also, only part of users can access, read and write data with internal permissions. Consortium Blockchain is multi centralized, and only authorized organizations can join the network. Its organization nodes are fully trusted and strongly scalable. Its scale could rise from institutional enterprises to the national level [13].
With the gradual development of blockchain, the research on its key technologies has shown multiple development directions, Herrera joancommarti [14], Saxena [15] do research on privacy protection issues such as anonymity and hybrid protocol of Bitcoin. Kishigami [16] and others proposed a blockchain-based digital content publishing system to move blockchain technology from theory to practice with intelligent contracts. Paul [17] and others calculated and verified the bitcoin mining energy consumption scheme, and studied the resource loss of blockchain technology. Mougayar [18] and others analyzed the trend of bitcoin vulnerability and countermeasures to study blockchain security technology. In addition, SANA, bjabendu, Jian Chen and others studied the application, management, security and openness of blockchain technology in the Internet of things, big data and other new fields [19][20][21].

Base Model
The earliest form of blockchain is public blockchain, but the public blockchain is completely decentralized and difficult to supervise, which is different from China's governance structure. Consortium Blockchain is a form of "supervision friendly" blockchain, which is easy to pass the access system and use contract automation supervision to meet regulatory needs. Generally, the industry is oriented to institutions and enterprises, which need to solve the trust problems among them, and require the organizations that set up the blockchain to conduct identity authentication. The number of members in the blockchain can be controlled, and the characteristics of the Consortium Blockchain fully meet these needs. The Consortium Blockchain adopts the federal access mechanism with certain trust premise, which has a large space in the selection of efficient consensus algorithm and is easy to find a balance between security and performance. In recent years, various industries are actively exploring the "blockchain +" industry application mode. Based on the blockchain as a service (BaaS), the rapid construction of blockchain network and the implementation of industry application are gradually deepened. By deeply combining blockchain technology with cloud computing, BaaS platform integrates the underlying computing resources, blockchain service functions and upper business functions through the centralized management, realizes the available and dynamic expansion of the underlying blockchain framework with virtualization container, support the ability of multi-user, multi-chain, shared storage, log monitoring, etc., and greatly reduces blockchain barriers.
In this scheme, the Hyperledger Fabric Consortium Blockchain is proposed as the technology selection to design the ISEMS architecture. Fabric is the most widely used project in the hyper ledger blockchain open source project, aiming to promote the crossindustry application of blockchain, and its architecture model is shown in Fig. 3. Fabric Consortium Blockchain network is composed of members, which refers to the organization, also composed of several organizations with cooperative relationship. The users in the Consortium Blockchain belong to the members of the blockchain, which can be divided into two types, administrator and ordinary user. Administrator is the manager of blockchain, who can choose to join, exit the chain and install the intelligent contract. The user is the initiator of the transaction, and can interact with the blockchain network through the client or SDK. The nodes in the Consortium Blockchain refer to the physical resources actually running in the Consortium Blockchain. Each member of the blockchain has one or more peer peers and Ca nodes. Peer node is the node that each member can realize ledger storage, which includes endorsement node, bookkeeping node and master node. Endorsement refers to the process that a specific peer node executes a series of transactions and verifies their validity, and returns a successful or failed endorsement response to the members who generate the transaction proposal. The function of Ca node is to provide members in Fabric network with identity information based on digital certificate. The order node is jointly owned by the members of the blockchain. It is mainly responsible for collecting and sorting the received transactions of protection endorsement signature, generating blocks in sequence and broadcasting the transactions, in order to ensure that the nodes in the same chain receive the same messages and have the same logical order.
In the process of ISEIM, the organization is scattered and diverse. Based on the Consortium Blockchain, it can solve the problems, such as the organization is not mutual trust, the data source is not credible, not achieving multi-party storage, etc.

Architecture
The technical architecture of the ISEMS is shown in Fig. 4, which includes the underlying infrastructure, the intermediate service layer, and the calling API provided by the upper application system. In order to quickly start the consortium blockchain, the basic underlying blockchain framework uses the Swarm or K8s group management technology and container management technology to build the Fabric blockchain network framework, and automatically starts and manages the CA and peer nodes for blockchain members. The blockchain service layer management includes five modules of basic services, contract management, security management, operation monitoring, and query engines. Among them, the basic service module implements storage management, pluggable consensus mechanism, and network communication services. The contract management

Member Member
Member Consortium Blockchain Network Fig. 3. Consortium blockchain network architecture model module implements intelligent installation, operation, and version management. The security management module implements security mechanisms such as data encryption, access control, and multi-chain isolation. Core modules, such as operation monitoring and query engines, provide basic services for upper data API and blockchain service API interfaces. The blockchain API layer provides blockchain transaction read-write API, chain and contract management API, access control API and encryption authentication API, etc. It provides call interfaces for application requirements such as upper-level risk reporting, early warning release, information sharing, and emergency disposal.

Organization Structure
Organizational Structure of ISEMS based on consortium Blockchain is shown in Fig. 5.
In the business scenario of ISEIM, the organization nodes involved are not completely parallel in function positioning. For example, local emergency management departments are responsible for reviewing the risk and vulnerability information reported by the regional security vendors, industrial enterprises and research institutions, and reporting to the central authorities only after passing the review. Therefore, for ISEIM business is multi-level and needs timely supervision, this scheme combines multi-chain and crosschain technology to build multi-level consortium blockchain. Details can be seen in Fig. 5. The first-level members are composed of national and provincial industrial internet security emergency management department, security enterprises, state-owned enterprises and central enterprises. The second-level members are composed of provincial and municipal industrial internet security emergency management department, security vendors, research institutions, etc. The provincial and municipal departments exist in both the first level and the second level. Each member of the primary and secondary consortium blockchain has its own administrator and ordinary user group. The administrator is responsible for consortium blockchain management, contract management and other functions. The subordinate local organization can set multiple users to report risks, receive early warnings and dispose emergencies. The administrator of national industrial internet security emergency management department is also responsible for blockchain management and contract management. Different users can respectively call intelligent contracts to implement information sharing, emergency strategy release, early warning, etc. For the local industrial Internet security emergency management departments, it is also necessary to create multiple users for risk reporting, information receiving, reviewing and releasing.

Critical Process
Threat Reporting. The threat reporting process is generally handled by members of the secondary consortium blockchain such as local security vendors, research institutions and industrial enterprises. As shown in Fig. 6, after the consortium members find the vulnerability, Threat reporting subsystem call the blockchain smart contract through the risk reporting API to write the risk data to blockchain ledger. At the same time, according to the agreement in the endorsement strategy of the intelligent contract, they first submit it to the default endorsement node, i.e. the local emergency management department for review. After the review is passed, the risk information will be written into the ledger and synchronized to the members of the secondary consortium blockchain. In addition, the local emergency management department will submit the risk information to the first-level consortium blockchain and synchronously submit to the central emergency management department and other local emergency management departments for information sharing, so as to complete the reporting of emergency information under abnormal conditions. Compared with the traditional risk threat reporting process, the blockchain-based reporting, using the tamper-proof capability of the blockchain, can spread and synchronize to the peer timely.

Secondary Emergency Management Consortium Blockchain
Blockchain ledger

Synchronous Ledger Risk Information
First-level Emergency Management Consortium Blockchain

Fig. 6. Threat reporting process based on blockchain
Risk Analysis. The traditional risk analysis requires the central emergency management department to collect related risk data and organize relevant experts to carry out risk analysis and prediction. However, the risk analysis source data is too scattered to mobilize these resources to carry out analysis in time. The distributed blockchain-based risk analysis can realize risk vulnerability analysis and the training of distributed shared risk model locally. The online incremental learning of monitoring data is realized by capturing the data characteristics of each participant. Finally, each node can synchronize the updated risk model parameters or gradients to improve the risk prediction accuracy, as shown in Fig. 7.
Warning Release. When industrial internet security emergency event occurs, the early warning release and sharing system can quickly release vulnerabilities, notifications and policies to local competent departments or enterprises at all levels. In order to share emergency event knowledge base to specific members, and ensure members' identity trusted, the consortium blockchain firstly implements the identity authentication of members. Based on the CA digital certificate mechanism, it realizes the identification and authority Fig. 7. Risk analysis process based on blockchain control for members, so that early warning can be managed and controlled. Secondly, based on the consortium blockchain, the parallel uplink authority management supporting the complex business among multiple organizations is implemented, as shown in Fig. 8. By building different sub chains in the consortium blockchain and assigning different roles to its members, the authority control of the sub chain management and the ledger data reading and writing is carried out, so that the early warning information can be updated in time and synchronized to the relevant organizations, the scope of the early warning release is controlled, and the access of the non-authorized organizations to the relevant information is prevented.

Consortium Blockchain
Emergency Response. Emergency response mainly includes evidence collection, tracing and coordination. traditional methods take a lot of valuable time to find the responsible person and technical support. Meanwhile, it is unable to quickly locate whether the support has good technical reserves in this risk field. In order to mobilize the enthusiasm of various organizations in ISEM and maintain the normal operation of the emergency management blockchain platform, a competition incentive mechanism is introduced to reward enterprises that can timely report vulnerabilities and analysis results. Through the scoring mechanism in blockchain, Management department can independently select security vendors or research institutions with higher score to support offline emergency response, and timely assist industrial enterprises in upgrading the system and vulnerability database. Detailed incentive model is referred in Fig. 9.  First of all, the report time of risk and vulnerability can be recorded on the blockchain ledger. Local emergency management organizations utilize the untampered and untraceable characteristics of blockchain to accurately and fast trace and rate the enterprise who report risk. Secondly, each organization can adjust the accuracy of the risk prediction model according to the local risk source data, improve the analysis model with adjusted accuracy. The institutions report the trained risk prediction model in time will be rewarded with points. Third, when the emergency management organization assigns the emergency assistance tasks, enterprises with high points and outstanding technical advantages will have the priority. Industrial enterprises can also score on the chain for the effect of support organizations' disposal, and the score results will be distributed to support enterprises in the form of points. The points will ultimately affect the industry influence of enterprises, provide basis for national projects, awards and honor declaration, and form a benign incentive for enterprises and research institutions to actively report, analyze and deal with safety risks.

Secondary Emergency Management Consortium Blockchain
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.