CN112104661A - Dynamic control method and system for industrial control equipment firewall - Google Patents

Dynamic control method and system for industrial control equipment firewall

Info

Publication number: CN112104661A
Authority: CN (China)
Prior art keywords: industrial control, firewall, configuration, control equipment, industrial
Legal status (as listed by Google, not a legal conclusion): Granted
Application number: CN202010988642.2A
Other languages: Chinese (zh)
Other versions: CN112104661B (en)
Inventors: 关勇, 郭浩波, 王永峰, 张晓东
Current assignee: Beijing Luoan Technology Co Ltd
Original assignee: Beijing Luoan Technology Co Ltd

Events: application filed by Beijing Luoan Technology Co Ltd; priority to CN202010988642.2A; publication of CN112104661A; application granted; publication of CN112104661B; legal status: Active

Classifications

H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/02 for separating internal from external traffic, e.g. firewalls
    • H04L63/10 for controlling access to devices or network resources
    • H04L63/14 for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/145 the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/20 for managing network security; network security policies in general


Abstract

The invention discloses a dynamic control method and a system for an industrial control equipment firewall, wherein the method comprises the following steps: acquiring a safe operation state of an industrial control host and a firewall configuration application; when the safe operation state is safe, a first control instruction is sent to a firewall according to the firewall configuration application; and when the end information of the configuration operation of the industrial control equipment is acquired, sending a second control instruction to the firewall, wherein the second control instruction is used for indicating that the firewall forbids the modification operation of the parameter configuration of the industrial control equipment. By implementing the method and the device, the problems that the network security protection function of the firewall is invalid and the industrial control system is easily damaged maliciously in the related technology can be solved, the configuration information of the industrial control equipment can be dynamically modified, the security of the industrial control equipment is effectively improved, the safety release of operation and maintenance operation is realized, the operation flow for changing the security configuration and the strategy of the industrial control equipment is standardized, the safe operation and maintenance are transparent, standardized and automatic, the working efficiency is improved, and the service risk is reduced.

Description

Dynamic control method and system for industrial control equipment firewall
Technical Field
The invention relates to the field of industrial control, in particular to a dynamic control method and a dynamic control system for a firewall of industrial control equipment.
Background
In a practical application scenario of an industrial control network, a security boundary is set at certain important industrial control hosts or intranets; that is, an industrial firewall is generally deployed in the industrial control network, and the industrial firewall can solve basic network security problems.
However, when the production process flow is changed and optimized and the control logic in the industrial control device controller is adjusted, when the number of I/O points of the control system is increased, when the industrial control device is reconfigured, when the program in the industrial control device controller needs to be periodically uploaded and backed up, and when the hardware firmware version of the industrial control system is updated, a specific host needs to access a specific server to implement the reconfiguration, so that the security configuration policy of the industrial firewall of the industrial control device needs to be changed. The deletion, even more, causes serious consequences such as forced interruption of the industrial system or network, equipment shutdown, economic loss, and casualties.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defects that in the prior art, when the configuration of the industrial control equipment is modified, the path is opened for a long time, any server can change the configuration of the industrial control equipment at will, which results in the failure of the network security protection function of the firewall, and the industrial control system is maliciously damaged by worms and viruses, thereby providing a method and a system for dynamically controlling the firewall of the industrial control equipment.
According to a first aspect, an embodiment of the present invention provides a dynamic control method for a firewall of an industrial control device, including: acquiring a safe operation state of an industrial control host and a firewall configuration application; when the safe operation state is safe, sending a first control instruction to a firewall according to the firewall configuration application, wherein the first control instruction is used for indicating that the firewall allows modification operation on parameter configuration of industrial control equipment; and when the end information of the configuration operation of the industrial control equipment is obtained, sending a second control instruction to the firewall according to the end information, wherein the second control instruction is used for indicating the firewall to forbid the modification operation of the parameter configuration of the industrial control equipment.
With reference to the first aspect, in a first implementation manner of the first aspect, the safe operating state is generated by performing, by the configuration software monitor, safety state evaluation on the industrial control host after obtaining the network connection notification sent by the industrial control host; and the end information of the configuration operation of the industrial control equipment is generated according to the process closing notice when the industrial control host acquires the process closing notice of the stored configuration data of the industrial control equipment.
With reference to the first implementation manner of the first aspect, in a second implementation manner of the first aspect, the step of performing security state evaluation on the industrial control host specifically includes: analyzing the first preset inspection list to obtain a plurality of evaluation indexes; judging whether the industrial control host is matched with each evaluation index or not to obtain a plurality of inspection results; and calculating and generating the safe operation state of the industrial control host according to a preset strategy and a plurality of inspection results.
With reference to the first aspect, in a third implementation manner of the first aspect, when end information for modifying configuration operation of the industrial control device is obtained, before sending a second control instruction to the firewall according to the end information, the dynamic control method further includes: obtaining an application result fed back by the firewall according to the first control instruction; and sending a first notice according to the application result, wherein the first notice is used for informing a user of executing modification operation on the parameter configuration of the industrial control equipment.
According to a second aspect, an embodiment of the present invention provides a dynamic control method for a firewall of an industrial control device, including: acquiring a first control instruction sent by a server, wherein the first control instruction is generated by the server according to the acquired safe running state of the industrial control host and the firewall configuration application; according to the first control instruction, allowing modification operation of parameter configuration of the industrial control equipment; and when a second control instruction sent by the server is acquired, prohibiting the parameter configuration of the industrial control equipment from being modified, wherein the second control instruction is generated by the server according to the acquired end information for modifying the configuration operation of the industrial control equipment.
With reference to the second aspect, in a first implementation manner of the second aspect, before acquiring the first control instruction sent by the server, the method further includes: initializing a control rule, wherein the control rule is used for forbidding to execute modification operation of parameter configuration of the industrial control equipment.
With reference to the first embodiment of the second aspect, in the second embodiment of the second aspect, the step of allowing a modification operation on a parameter configuration of the industrial control device specifically includes: adding a temporary release rule on a firewall, wherein the temporary release rule is used for generating a temporary modification channel, and the temporary modification channel is used for receiving configuration data corresponding to modification operation of parameter configuration of industrial control equipment.
According to a third aspect, an embodiment of the present invention provides a dynamic control system for a firewall of an industrial control device, including: server, firewall, wherein: the server is used for acquiring a safe operation state of the industrial control host and a firewall configuration application, and when the safe operation state is safe, a first control instruction is sent to the firewall according to the firewall configuration application; the firewall is used for allowing modification operation of parameter configuration of the industrial control equipment according to the first control instruction; the server is used for sending a second control instruction to the firewall according to the end information when the end information of the configuration operation of the industrial control equipment is obtained; and the firewall is used for forbidding to modify the parameter configuration of the industrial control equipment when the second control instruction sent by the server is obtained.
With reference to the third aspect, in a first embodiment of the third aspect, the system further includes: an industrial control host, a configuration software monitor and industrial control equipment, wherein: the configuration software monitor is used for acquiring the corresponding process and process program file according to a process creation notice when receiving the process creation notice; when the process is determined to be a target configuration change program according to the process program file, it starts monitoring the industrial control host; the industrial control host is used for sending a network connection notice according to the configuration software; the configuration software monitor is used for analyzing a first preset check list to obtain a plurality of evaluation indexes when the network connection notification is received, judging whether the industrial control host matches each evaluation index to obtain a plurality of check results, and calculating and generating the safe operation state of the industrial control host according to a preset strategy and the plurality of check results; the industrial control host is used for sending configuration data corresponding to the modification operation of the parameter configuration of the industrial control equipment to the industrial control equipment according to the first control instruction; the industrial control equipment is used for receiving and storing the configuration data; the configuration software monitor is used for acquiring a process closing notification and generating end information for modifying the configuration operation of the industrial control equipment according to the process closing notification.
With reference to the first embodiment of the third aspect, in a second embodiment of the third aspect, the system further includes: the configuration software monitor is also used for registering a process in the industrial control host to create a notification callback function; and the industrial control host is also used for generating a process creation notification according to the starting request and the process creation notification callback function when receiving the starting request of the configuration software input by the user.
With reference to the second embodiment of the third aspect, in a third embodiment of the third aspect, the system further includes: the configuration software monitor is further configured to: analyzing the process program file to generate process characteristic information; and when the process characteristic information is matched with a second preset check list, determining that the process is a target configuration change program.
With reference to the third implementation manner of the third aspect, in a fourth implementation manner of the third aspect, the industrial control host is further configured to generate a process shutdown notification after the configuration data saved by the industrial control device is acquired.
According to a fourth aspect, an embodiment of the present invention provides a computer device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the processor, and the instructions are executed by the at least one processor to cause the at least one processor to perform the steps of the method for dynamically controlling an industrial control device firewall according to the first aspect or any embodiment of the first aspect, and the steps of the method for dynamically controlling an industrial control device firewall according to the second aspect or any embodiment of the second aspect.
According to a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for dynamically controlling an industrial control device firewall according to the first aspect or any of the embodiments of the first aspect, and the steps of the method for dynamically controlling an industrial control device firewall according to the second aspect or any of the embodiments of the second aspect.
The technical scheme of the invention has the following advantages:
the invention provides a dynamic control method and a system for a firewall of industrial control equipment, wherein the method comprises the following steps: acquiring a safe operation state of an industrial control host and a firewall configuration application; when the safe operation state is safe, sending a first control instruction to the firewall according to the firewall configuration application, wherein the first control instruction is used for indicating that the firewall allows modification operation on the parameter configuration of the industrial control equipment; and when the end information of the configuration operation of the industrial control equipment is obtained, sending a second control instruction to the firewall according to the end information, wherein the second control instruction is used for indicating the firewall to forbid the modification operation of the parameter configuration of the industrial control equipment. By implementing the method and the system, the problems that the network security protection function of a firewall is invalid and an industrial control system is easily damaged maliciously by PLC worms and viruses due to the fact that a manager directly modifies the configuration of the industrial control equipment and a reconfigured access is opened for a long time in the related technology can be solved, the configuration information of the industrial control equipment can be dynamically modified, the security of the industrial control equipment is effectively improved, further, the safety release of operation and maintenance operation is realized through technical means, the operation flow for changing the security configuration and the strategy of the industrial control equipment is standardized, the safety operation and maintenance are transparent, standardized and automatic, the working efficiency is improved, and the service risk is reduced; the access control authority of the specific industrial control equipment of the service system can be automatically released.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a specific example of a dynamic control method for a firewall of an industrial control device according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating another specific example of a dynamic control method for a firewall of an industrial control device according to an embodiment of the present invention;
FIG. 3 is a schematic block diagram of a specific example of a dynamic control system of an industrial control device firewall according to an embodiment of the present invention;
FIG. 4 is a schematic block diagram of another embodiment of a dynamic control system for an industrial control device firewall according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a dynamic control system of an industrial control device firewall according to an embodiment of the present invention;
FIG. 6 is a diagram showing a specific example of a computer device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; the two elements may be directly connected or indirectly connected through an intermediate medium, or may be communicated with each other inside the two elements, or may be wirelessly connected or wired connected. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
In order to solve the technical problems that in the related art, the configuration of industrial control equipment is directly modified by a manager, and a reconfigured access is opened for a long time, so that the network security protection function of a firewall is invalid, and an industrial control system is easily damaged maliciously by PLC worms and viruses, effective intervention can be performed before a security policy of the firewall (or other security equipment or software) is adjusted, so that a correct control policy, process and technology change can be executed, the situations can be avoided, or economic loss caused by the security problem can be reduced to the greatest extent, and the security can be visible and controllable.
Based on the above background, the present invention provides a dynamic control method and system for an industrial control device firewall, which can standardize configuration modification processes and record firewall modification information by changing control rules, where the modification information may include a change person, change content, change time, change reason, and change method. Changes and processes can be closely linked and recorded as part of a change plan in order to improve work efficiency and reduce business risks in order to avoid changes that exceed a predetermined range.
The embodiment of the invention provides a dynamic control method for a firewall of industrial control equipment, which comprises the following steps of:
step S11: acquiring a safe operation state of an industrial control host and a firewall configuration application; in this embodiment, the industrial control host may be a computer device capable of accessing the controller of the industrial control device and modifying the control logic in the controller, and may be a tool assembly for detecting and controlling the production process, the electromechanical device and the process equipment by using a bus structure, and the industrial control host is generally provided with industrial control device configuration software, and a user may modify the configuration parameters of the industrial control device by using the industrial control device configuration software; the safe operation state can be a configuration software monitor installed on the industrial control host, and after receiving a network connection notification sent by the industrial control host, the information is generated after evaluation according to the obtained safety information of the industrial control host and the like so as to represent the operation state of the industrial control host; the firewall configuration application may be an operation request initiated by a user through configuration software on the industrial control host to modify configuration parameters of the industrial control device.
Specifically, the server receives the safe operation state information sent by the configuration software monitor and the modification operation application for the configuration of the industrial control parameters sent by the user through the configuration software, and the server may be a safety management server and is used for evaluating whether the operation state of the industrial control host is safe or not according to the obtained safe operation state information of the industrial control host.
Step S12: when the safe operation state is safe, sending a first control instruction to the firewall according to the firewall configuration application, wherein the first control instruction is used for indicating that the firewall allows modification operation on the parameter configuration of the industrial control equipment; in this embodiment, when the safety management server determines that the industrial control host is safe according to the safe operation state, it indicates that the industrial control host meets the requirement of the safety standard, and the industrial control host can be allowed to access the industrial control device, so as to modify the corresponding configuration parameters. Specifically, when the safety state of the industrial control host is judged to meet the requirement by the safety management server, the safety management server may issue a first control instruction to a firewall corresponding to the industrial control device according to an operation application for modifying the configuration parameters of the industrial control device, where the operation application is sent by the configuration software, and the first control instruction may be a notification that the firewall temporarily allows the industrial control host to modify the configuration parameters of the industrial control device.
Step S13: and when the end information of the configuration operation of the industrial control equipment is obtained, sending a second control instruction to the firewall according to the end information, wherein the second control instruction is used for indicating the firewall to forbid the modification operation of the parameter configuration of the industrial control equipment. In this embodiment, the end information for modifying the configuration operation of the industrial control device may be generated when the industrial control host acquires the process closing notification indicating that the industrial control device has saved the configuration data.
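The following is an added example, not code from the patent or from Beijing Luoan Technology, modelling both sides of the exchange described in steps S11 to S13 and in the firewall-side method of the second aspect: the firewall starts from an initialised deny rule, the server issues the first control instruction only for a host whose safe operation state is "safe", the firewall opens a temporary release rule for exactly that host/device pair and feeds back an application result, the server sends the first notice to the user, and the process-closed end information triggers the second control instruction that revokes the release. Class and method names, the message strings, the rule representation and the change-record fields are assumptions (the record fields follow the change person, content, time, reason and method the description lists).

```python
"""Added example (not the patent's implementation): a toy model of the
server/firewall exchange. Names, message strings and the rule format are
assumptions chosen for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Instruction(Enum):
    ALLOW_MODIFY = "first_control_instruction"    # temporary release
    FORBID_MODIFY = "second_control_instruction"  # back to the deny rule


@dataclass(frozen=True)
class FirewallConfigApplication:
    """Modification request raised through the configuration software (assumed fields)."""
    host_ip: str
    device_ip: str
    change_person: str
    change_reason: str


@dataclass
class IndustrialFirewall:
    """Firewall side: a fixed deny rule plus at most one temporary release rule."""
    # Control rule initialised before any instruction arrives: writes are forbidden.
    default_rule: str = "deny config-write from any host to any device"
    temporary_release: Optional[Tuple[str, str]] = None
    rule_log: List[tuple] = field(default_factory=list)

    def apply(self, instruction, application=None):
        """Execute an instruction and return the application result fed back to the server."""
        if instruction is Instruction.ALLOW_MODIFY:
            if application is None:
                return "rejected: release needs an application"
            # Temporary modification channel: exactly this host to exactly this device.
            self.temporary_release = (application.host_ip, application.device_ip)
            self.rule_log.append(("release", self.temporary_release))
            return "applied"
        if instruction is Instruction.FORBID_MODIFY:
            self.temporary_release = None
            self.rule_log.append(("revoke",))
            return "applied"
        return "rejected: unknown instruction"

    def permits_config_write(self, host_ip, device_ip):
        """Only the released host/device pair may write; everything else hits the deny rule."""
        return self.temporary_release == (host_ip, device_ip)


class SafetyManagementServer:
    """Server side: gates the release on the host's safe operation state."""

    def __init__(self, firewall):
        self.firewall = firewall
        self.open_change = None   # the application currently released, if any
        self.change_records = []  # person, content, time, reason, method
        self.notices = []         # first notice sent to the user

    def on_application(self, safe_operation_state, application):
        """Steps S11/S12: only a 'safe' host gets the first control instruction."""
        if safe_operation_state != "safe":
            return "rejected: host not safe"
        if self.open_change is not None:
            return "rejected: another change is open"
        result = self.firewall.apply(Instruction.ALLOW_MODIFY, application)
        if result != "applied":
            return "rejected: " + result
        self.open_change = application
        self.notices.append(
            f"{application.change_person}: you may now modify {application.device_ip}")
        return "released"

    def on_end_information(self, end_information):
        """Step S13: the process-closed notice revokes the release and records the change."""
        if self.open_change is None or end_information != "process_closed":
            return "ignored"
        self.firewall.apply(Instruction.FORBID_MODIFY)
        app = self.open_change
        self.change_records.append({
            "person": app.change_person,
            "content": f"config-write {app.host_ip}->{app.device_ip}",
            "time": datetime.now(timezone.utc).isoformat(),
            "reason": app.change_reason,
            "method": "temporary release rule",
        })
        self.open_change = None
        return "revoked"
```

The point worth checking in any real deployment is the one the model makes explicit: between `on_application` and `on_end_information` only the single host/device pair named in the application is released, and a second host, or the same host after the process closes, falls back to the initialised deny rule.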
The invention provides a dynamic control method of an industrial control equipment firewall, which comprises the following steps: acquiring a safe operation state of an industrial control host and a firewall configuration application; when the safe operation state is safe, sending a first control instruction to the firewall according to the firewall configuration application, wherein the first control instruction is used for indicating that the firewall allows modification operation on the parameter configuration of the industrial control equipment; and when the end information of the configuration operation of the industrial control equipment is obtained, sending a second control instruction to the firewall according to the end information, wherein the second control instruction is used for indicating the firewall to forbid the modification operation of the parameter configuration of the industrial control equipment. By implementing the method and the system, the problems that the network security protection function of a firewall is invalid and an industrial control system is easily damaged maliciously by PLC worms and viruses due to the fact that a manager directly modifies the configuration of the industrial control equipment and a reconfigured access is opened for a long time in the related technology can be solved, the configuration information of the industrial control equipment can be dynamically modified, the security of the industrial control equipment is effectively improved, further, the safety release of operation and maintenance operation is realized through technical means, the operation flow for changing the security configuration and the strategy of the industrial control equipment is standardized, the safety operation and maintenance are transparent, standardized and automatic, the working efficiency is improved, and the service risk is reduced; the access control authority of the specific industrial control equipment of the service system can be automatically released.
As an optional implementation manner of the present invention, in the dynamic control method for the firewall of the industrial control device, the secure operation state is generated by performing security state evaluation on the industrial control host after the configuration software monitor obtains the network connection notification sent by the industrial control host; the end information for modifying the configuration operation of the industrial control equipment is generated by the industrial control host according to the process closing notification when the process closing notification of the stored configuration data of the industrial control equipment is obtained.
As an optional implementation of the present invention, the step of evaluating the security state of the industrial control host specifically includes:
First, a first preset check list is parsed to obtain a plurality of evaluation indexes. In this embodiment, the first preset check list may be a check list preset according to the industrial control system and used to determine whether the corresponding industrial control host is secure; the evaluation indexes obtained from it may include: whether the key patches of the industrial control host's system have been updated, whether security protection software is deployed in the system, whether a virus or trojan exists in the system's self-starting items, whether high-risk services of the system are enabled, whether the system's account password policy is set properly, and the like.
Second, whether the industrial control host matches each evaluation index is judged to obtain a plurality of check results. In this embodiment, judging whether the operating condition of the industrial control host matches each evaluation index means judging whether the system of the industrial control host has updated the key patches, whether security protection software is deployed in the system, whether a virus or trojan exists in the self-starting items, whether high-risk services are enabled, and whether the account password policy setting meets the requirements. For example, when the industrial control host has updated the key patches, its operating condition is considered to match the evaluation index "update condition of the key patches of the system of the industrial control host", yielding a matching check result; the check results may be specific scores for each evaluation index. The other evaluation indexes in the first preset check list are determined in a similar way, which is not repeated here.
Third, the safe operation state of the industrial control host is calculated from a preset strategy and the plurality of check results. In this embodiment, the preset strategy may be the importance (weight) of each evaluation index, determined according to the user's protection requirements, and each check result is the evaluation score for one index obtained when the configuration software monitor compares the actual running state of the industrial control host against the first preset check list. The evaluation scores of the indexes, each weighted by its importance, are summed to obtain the security evaluation score of the industrial control host, from which the safe operation state of the industrial control host is derived.
Specifically, when the security evaluation score of the industrial control host reaches the preset safety score threshold, the safe operation state of the industrial control host is considered safe; when it does not reach the preset safety score threshold, the safe operation state is considered non-safe, and at that point dynamic configuration modification and adjustment can be performed according to the protection requirements of the industrial control system and the industrial control equipment.
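The three evaluation steps above (parse the check list into indexes, score the host against each index, combine the scores with the preset weights and compare against the threshold), written out as an added Python example. This is not code from the patent; the index names, the weights, the threshold of 0.8, the partial-credit rule for the password policy and the sample host snapshots are all constructed for the illustration. Facts that the monitor did not report default to the failing value, so an incomplete report can never evaluate as safe.

```python
"""Weighted security-state evaluation of an industrial control host.

Added illustration, not code from patent CN112104661A. It follows the
three steps described above: parse a first preset check list into
evaluation indexes, check the host against every index to obtain
per-index scores, then combine the scores with the weights of a preset
strategy and compare the total against a safety score threshold. The
index names, weights, threshold and sample host facts are constructed
for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

HostFacts = Dict[str, object]   # what the configuration software monitor collected


@dataclass(frozen=True)
class EvaluationIndex:
    name: str
    weight: float                        # importance set by the protection requirements
    check: Callable[[HostFacts], float]  # per-index score in [0.0, 1.0]


def _password_policy_score(facts: HostFacts) -> float:
    """Partial credit (constructed rule): minimum length and complexity each count half."""
    policy = facts.get("password_policy", {})
    score = 0.0
    if policy.get("min_length", 0) >= 8:
        score += 0.5
    if policy.get("complexity_required", False):
        score += 0.5
    return score


# Constructed "first preset check list" built from the indexes named in the
# text: key patches, protection software, trojans in self-starting items,
# high-risk services and the account password policy. Unknown facts
# default to the failing value so that an incomplete report never passes.
FIRST_PRESET_CHECK_LIST: List[EvaluationIndex] = [
    EvaluationIndex("key_patches_updated", 0.25,
                    lambda f: 1.0 if f.get("missing_key_patches", 1) == 0 else 0.0),
    EvaluationIndex("protection_software_deployed", 0.20,
                    lambda f: 1.0 if f.get("protection_software_running", False) else 0.0),
    EvaluationIndex("no_trojan_in_autostart", 0.25,
                    lambda f: 1.0 if not f.get("autostart_detections", ["unknown"]) else 0.0),
    EvaluationIndex("high_risk_services_disabled", 0.15,
                    lambda f: 1.0 if not f.get("high_risk_services_enabled", ["unknown"]) else 0.0),
    EvaluationIndex("password_policy_compliant", 0.15, _password_policy_score),
]

SAFETY_SCORE_THRESHOLD = 0.8   # assumed preset safety score threshold


def check_host(facts: HostFacts, check_list: List[EvaluationIndex]) -> Dict[str, float]:
    """Step two: match the host against every index to obtain per-index scores."""
    return {index.name: index.check(facts) for index in check_list}


def safety_score(results: Dict[str, float], check_list: List[EvaluationIndex]) -> float:
    """Step three: weighted sum of the per-index scores, normalised to [0, 1]."""
    total_weight = sum(index.weight for index in check_list)
    return sum(index.weight * results[index.name] for index in check_list) / total_weight


def safe_operation_state(facts: HostFacts,
                         check_list: List[EvaluationIndex] = FIRST_PRESET_CHECK_LIST,
                         threshold: float = SAFETY_SCORE_THRESHOLD,
                         ) -> Tuple[str, float, Dict[str, float]]:
    """Return ("safe" or "non-safe", score, per-index results) for one host."""
    results = check_host(facts, check_list)
    score = safety_score(results, check_list)
    state = "safe" if score >= threshold else "non-safe"
    return state, score, results


# Constructed host snapshots, as the monitor might report them.
HARDENED_HOST: HostFacts = {
    "missing_key_patches": 0,
    "protection_software_running": True,
    "autostart_detections": [],
    "high_risk_services_enabled": [],
    "password_policy": {"min_length": 12, "complexity_required": True},
}
INFECTED_HOST: HostFacts = dict(HARDENED_HOST,
                                autostart_detections=["constructed-suspicious-autorun-entry"])

if __name__ == "__main__":
    for label, facts in (("hardened", HARDENED_HOST), ("infected", INFECTED_HOST)):
        state, score, results = safe_operation_state(facts)
        print(f"{label}: {state} (score {score:.3f}) {results}")
```

The normalisation by the total weight means the weights need not sum to one; the threshold is then always a fraction of the best attainable score, which keeps the threshold meaningful when an operator adds or removes an index from the check list.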
According to the dynamic control method for the industrial control equipment firewall provided by the invention, the configuration software monitor can combine the first preset check list with the running state of the industrial control host to judge whether the industrial control host is secure, and the modification operation on the configuration parameters of the industrial control equipment can then be dynamically released according to the judgment result, so that the security state of the industrial control equipment is effectively improved.
As an optional implementation of the present invention, before step S13 (obtaining end information for the configuration modification operation on the industrial control device and sending a second control instruction to the firewall according to the end information), the dynamic control method further includes:
First, an application result fed back by the firewall for the first control instruction is obtained. In this embodiment, after sending the first control instruction to the firewall, the security management server may obtain in real time the firewall's feedback on the first control instruction, that is, the firewall's execution result for it. Specifically, the first control instruction may be a control policy issued by the security management server that allows the industrial control host to temporarily modify the configuration parameters of the industrial control device; when the firewall receives the instruction information issued by the security management server that temporarily allows this modification, it generates a temporary channel that lets the configuration instructions and configuration data used to modify the configuration parameters of the industrial control device pass through.
Specifically, the application result fed back by the firewall for the first control instruction may be the following: after the firewall receives the control policy "allow the industrial control host to temporarily modify the configuration parameters of the industrial control device" sent by the security management server, the application result of the control policy may be, for example, that the firewall has made the corresponding adjustment according to the received control policy and has added a temporary pass-through channel.
Second, a first notification is sent according to the application result, where the first notification informs the user that the modification operation on the parameter configuration of the industrial control device may be executed. In this embodiment, the application result may be the firewall's execution status, in the method described above, for the control policy issued by the security management server; the first notification may be notification information generated by the security management server after receiving the application result and sent to the configuration software monitor on the industrial control host, to notify the user that the configuration parameters of the industrial control device can now be modified via the temporary release channel through the configuration software on the industrial control host.
Specifically, after the security management server receives the application result for the control policy it issued, it generates a first notification according to the application result and sends it to the configuration software monitor on the industrial control host, notifying the industrial control host that the configuration parameters of the industrial control device can be modified.
An embodiment of the invention provides a dynamic control method for a firewall of industrial control equipment, which includes the following steps:
Step S21: acquiring a first control instruction sent by a server, where the first control instruction is generated by the server according to the acquired safe operation state of the industrial control host and the firewall configuration application. In this embodiment, the server may be a security management server, and the first control instruction may be generated by the security management server according to the operating state of the industrial control host and a firewall configuration application sent by the configuration software monitor. Specifically, the firewall receives the first control instruction sent by the security management server and, according to the control policy in the first control instruction (that is, the security management server's control policy for the firewall), allows the industrial control host to temporarily modify the configuration parameters of the industrial control device.
Step S22: allowing, according to the first control instruction, the modification operation on the parameter configuration of the industrial control equipment. In this embodiment, according to the control policy "allow the industrial control host to temporarily modify the configuration parameters of the industrial control device" issued by the security management server, the firewall allows a user to modify the configuration parameters of the industrial control device through the configuration software on the industrial control host; that is, the firewall may temporarily let the operation information for modifying the configuration parameters of the industrial control device, or the operation data itself, pass through and be transmitted to the corresponding industrial control device.
Step S23: when a second control instruction sent by the server is acquired, prohibiting modification of the parameter configuration of the industrial control equipment, where the second control instruction is generated by the server according to the acquired end information for the configuration modification operation on the industrial control equipment. In this embodiment, the second control instruction may be control information generated by the security management server after receiving, from the industrial control host via the configuration software monitor, notification that the operation of modifying the configuration parameters of the industrial control device is complete; the end information may be generated by the configuration software monitor on the industrial control host once the configuration parameters of the industrial control device have been modified.
Specifically, after the configuration software monitor observes that the configuration software on the industrial control host has finished modifying the configuration parameters of the industrial control equipment, it generates the "end information for the configuration modification operation on the industrial control equipment" and sends it to the security management server; the security management server generates a second control instruction from the end information, and when the firewall receives the second control instruction, any modification of the configuration parameters of the industrial control equipment by any equipment is prohibited: the temporary release channel that the firewall generated according to the first control instruction is deleted, the safe operation of the industrial control equipment is ensured, and the security protection function of the firewall is realized.
The dynamic control method for the industrial control equipment firewall provided by this embodiment of the invention includes the following: the firewall acquires the first control instruction sent by the server and, according to it, temporarily allows the modification operation on the parameter configuration of the industrial control equipment; when the firewall receives the second control instruction sent by the server, it prohibits any equipment from modifying the configuration parameters of the industrial control equipment. Implementing the method and system addresses a problem of the related art: because an administrator modifies the configuration of the industrial control equipment directly and the reconfiguration access is left open for a long time, the network security protection function of the firewall is defeated and the industrial control system is easily damaged by PLC worms and viruses. With the method, the configuration information of the industrial control equipment can be modified dynamically and the security of the industrial control equipment is effectively improved; further, the release of operation and maintenance operations is made safe by technical means, the operation flow for changing the security configuration and policy of the industrial control equipment is standardized, security operation and maintenance become transparent, standardized and automated, working efficiency is improved and service risk is reduced; the access control authority for specific industrial control equipment of the service system can be released automatically.
As an optional implementation of the present invention, before step S21 (acquiring the first control instruction sent by the server), the dynamic control method further includes initializing a control rule, where the control rule prohibits execution of the modification operation on the parameter configuration of the industrial control equipment. In this embodiment, the firewall's control rule must first be initialized; the initialized control rule may be one under which the firewall by default prohibits any computer device or the like from modifying the configuration parameters of the industrial control device. That is, when the dynamic control method described above is executed in an industrial control system, the control rule in the existing industrial control system is initialized, meaning it is modified so that by default any computer device is prohibited from modifying the configuration parameters of the industrial control device in the industrial control system.
The dynamic control method for the industrial control equipment firewall provided by this embodiment, combined with the control rule that by default prohibits any computer device from modifying the configuration parameters of the industrial control equipment in the industrial control system, can effectively improve the operational security of the industrial control equipment, lets the system background recognize a potential change of the configuration parameters without any change on the user's side, and automatically releases the access control authority to the specific equipment of the target service system based on the security state of the industrial control host.
As an optional implementation of the present invention, in step S22, allowing the modification operation on the parameter configuration of the industrial control device specifically includes: adding a temporary release rule on the firewall, where the temporary release rule generates a temporary modification channel, and the temporary modification channel receives the configuration data corresponding to the modification operation on the parameter configuration of the industrial control equipment. In this embodiment, when the firewall receives the first control instruction issued by the security management server, it parses from it the security management server's control policy for the firewall, namely that the industrial control host is allowed to temporarily modify the configuration parameters of the industrial control device; the firewall then automatically adds a temporary release rule, that is, generates a temporary release channel on the firewall according to the rule. The temporary release channel lets the configuration instruction and configuration data pass, so the industrial control device can receive the configuration data or configuration instruction from the industrial control host through it and modify its parameter configuration accordingly.
An embodiment of the present invention provides a dynamic control system for a firewall of an industrial control device, as shown in fig. 3 and 4, including a server 33 and a firewall 34, wherein:
the server 33 is configured to obtain a safe operation state of the industrial control host 31 and a firewall configuration application, and to send a first control instruction to the firewall 34 according to the firewall configuration application when the safe operation state is safe; for details of the server 33, i.e. the security management server 33, reference may be made to the description of step S11 and step S21 in the method embodiment above.
The firewall 34 is used for allowing the modification operation of the parameter configuration of the industrial control equipment 35 according to the first control instruction; for details, reference may be made to the related description of step S12 and step S22 in the above method embodiment.
The server 33 is configured to send a second control instruction to the firewall 34 according to the end information when the end information for modifying the configuration operation of the industrial control device is acquired; the detailed implementation can be referred to the related description of step S13 in the above method embodiment.
The firewall 34 is configured to prohibit modification of the parameter configuration of the industrial control device when acquiring the second control instruction sent by the server 33. The detailed implementation can be referred to the related description of step S23 in the above method embodiment.
The invention provides a dynamic control system for an industrial control equipment firewall, which comprises: the server 33, configured to acquire the safe operation state of the industrial control host 31 and a firewall configuration application and, when the safe operation state is safe, send a first control instruction to the firewall 34 according to the firewall configuration application; the firewall 34, configured to allow the modification operation on the parameter configuration of the industrial control equipment according to the first control instruction; the server 33, further configured to send a second control instruction to the firewall 34 according to the end information when the end information for the configuration modification operation on the industrial control device is acquired; and the firewall 34, further configured to prohibit modification of the parameter configuration of the industrial control device when it acquires the second control instruction sent by the server 33.
As an alternative embodiment of the present invention, as shown in fig. 4, the dynamic control system further includes an industrial control host 31, a configuration software monitor 32 and an industrial control device 35, wherein:
the configuration software monitor 32 is configured to, upon receiving a process creation notification, obtain the corresponding process and the process program file according to the notification and, when it determines from the process program file that the process is a target configuration change program, start monitoring the industrial control host 31. In this embodiment, the configuration software monitor 32 registers a process creation notification callback function in the industrial control host 31; when the user starts the configuration software on the industrial control host 31, that is, when the industrial control host 31 receives the user's start request for the configuration software, the industrial control host 31 generates a process creation notification through the pre-registered process creation notification callback function and sends it to the configuration software monitor 32.
Specifically, when the configuration software monitor 32 receives the process creation notification, it can be determined that a user needs to modify the configuration parameters of some industrial control device 35 in the industrial control system; the configuration software monitor 32 then acquires the corresponding process and process program file according to the notification. Here the process represents the configuration software's request to modify the configuration parameters of the corresponding industrial control device 35, and the process program file may be an executable file, which generally contains file version information, internal name information, product name information, manufacturer information, and the like.
Specifically, the configuration software monitor 32 may identify the process from the acquired process program file and, when it determines from the executable file that the process is intended to modify the configuration parameters of the industrial control device 35, start network monitoring on the industrial control host 31.
The industrial control host 31 is configured to send a network connection notification for the configuration software; in this embodiment, when the user starts the configuration software, the configuration software generates a network connection request, and the configuration software monitor 32, which is performing network monitoring on the industrial control host 31, immediately receives a network connection notification.
The configuration software monitor 32 is configured to, upon receiving the network connection notification, parse the first preset check list to obtain a plurality of evaluation indexes, judge whether the industrial control host matches each evaluation index to obtain a plurality of check results, and calculate the safe operation state of the industrial control host from a preset strategy and the check results. In this embodiment, when the configuration software monitor observes that the industrial control host initiates a network request, the operating state of the industrial control host is evaluated against the first preset check list; for the specific execution process, refer to the description of the "evaluating the security state of the industrial control host" step in the method embodiment above, which is not repeated here.
The industrial control host 31 is configured to send the configuration data corresponding to the modification operation on the parameter configuration of the industrial control device to the industrial control device, which receives and stores the configuration data once the first control instruction has been applied. In this embodiment, the firewall obtains the management policy issued by the security management server from the first control instruction and, after temporarily allowing the industrial control host to modify the configuration parameters of the industrial control device according to that instruction, generates an application (execution) result for the policy; the execution result is fed back to the security management server, which generates a first notification after receiving the feedback on the applied policy and sends it to the configuration software monitor, or directly to the configuration software, to prompt the user that the operation of modifying the configuration parameters can now be executed on the industrial control device. The user can then update the configuration of the industrial control device through the configuration software on the industrial control host, that is, the configuration data corresponding to the device's configuration parameters is modified and sent to the industrial control device. When the industrial control device receives the configuration data, it parses the updated configuration parameters from it and applies the corresponding modification.
The configuration software monitor 32 is configured to obtain a process close notification and generate end information for the configuration modification operation on the industrial control device 35 from it. In this embodiment, after the configuration software on the industrial control host has finished modifying the configuration parameters of the industrial control device, the configuration software is closed; upon closing, a process close notification is generated through the pre-registered process close notification callback function and sent to the configuration software monitor 32.
When the configuration software monitor 32 receives the process close notification, it automatically generates the end information for the configuration modification operation on the industrial control device, which represents that the user's modification of the configuration parameters of the industrial control device is complete at this time; thereafter the temporary release channel created by the firewall 34 can be closed, and the firewall 34 returns to the state in which, by default, any computer device is prohibited from modifying the configuration parameters of the industrial control device.
As an optional embodiment of the present invention, the configuration software monitor 32 in the dynamic control system is further configured to register a process creation notification callback function in the industrial control host 31; the industrial control host 31 is further configured to, when receiving a start request of the configuration software input by a user, generate a process creation notification according to the start request and the process creation notification callback function.
As an optional embodiment of the present invention, the configuration software monitor 32 in the dynamic control system is further configured to parse the process program file to generate process characteristic information; and when the process characteristic information is matched with the second preset check list, determining the process as a target configuration change program.
As an optional implementation manner of the present invention, the industrial control host 31 in the dynamic control system is further configured to generate a process shutdown notification after obtaining the notification information that the industrial control device 35 has saved the configuration data.
The functions of the system are described below with reference to an embodiment. As shown in fig. 4 and 5, the dynamic control system may include an industrial control host 31, a configuration software monitor 32, a server 33, a firewall 34 and an industrial control device 35, and may be implemented as follows:
First, the control rule of the firewall 34 is initialized: the firewall's control rule is modified so that by default any computer device is prohibited from modifying the configuration parameters of the industrial control device, and the configuration software monitor 32 is installed on the industrial control host 31. When a user wants to modify the configuration parameters of the industrial control device through the industrial control host 31, the user starts the configuration software on the industrial control host 31, where the configuration software may be any functional software capable of modifying the configuration parameters of the industrial control device. When the user starts the configuration software, a process creation notification is generated and sent to the configuration software monitor 32; after receiving it, the configuration software monitor 32 acquires the corresponding process and process program file according to the notification and determines from the process program file whether the process is a configuration change process; if it is, the configuration software monitor 32 starts network monitoring on the industrial control host 31.
Further, when the user initiates a network connection through the configuration software on the industrial control host 31, the configuration software monitor 32 evaluates the security condition corresponding to the operating status of the industrial control host 31 upon the network connection notification. The configuration software monitor 32 then sends the preliminary evaluation result together with the configuration change application received from the industrial control host 31 to the security management server 33; when the security management server 33 receives the preliminary evaluation result, it calculates the security evaluation score of the industrial control host 31 from it, and when it determines from the security evaluation score that the industrial control host 31 is secure, it issues a first control instruction to the firewall 34, instructing the firewall 34 to temporarily allow the industrial control host 31 to modify the configuration parameters of the industrial control device.
When the firewall 34 receives the first control instruction, that is, the control policy issued by the security management server 33, it executes the corresponding command according to the control policy, for example adding a temporary release rule, that is, creating a temporary release channel for passing the configuration data sent by the industrial control host 31. Once the firewall 34 has added the temporary release rule, it gives feedback to the security management server 33, namely the result of applying the control policy. When the security management server 33 receives this feedback, it generates a first notification to inform the user that the configuration parameters of the industrial control device can be modified through the configuration software; the first notification is sent to the configuration software monitor 32, that is, to the industrial control host 31.
When the user receives the first notification, the configuration parameters of the industrial control device 35 are updated in the configuration software, which then sends the updated configuration parameters, that is, the configuration instruction and configuration data, to the industrial control device 35 through the temporary release channel created by the firewall 34; the industrial control device 35 stores the updated configuration parameters after receiving them. After the user's configuration is complete, the configuration software is closed, at which point the industrial control host 31 sends a process close notification to the configuration software monitor 32, representing that the user has finished modifying the configuration parameters of the industrial control device. When the configuration software monitor 32 receives the process close notification, it generates the configuration operation end information and sends it to the security management server 33; when the security management server 33 receives the end information, it generates a second control instruction instructing the firewall 34 to prohibit any computer device from modifying the configuration parameters of the industrial control device, that is, it issues a control policy prohibiting modification of the configuration parameters. After receiving this control policy, the firewall 34 deletes the previously added temporary release rule and closes the temporary release channel, at which point the firewall 34 is restored to the state in which any computer device is prohibited from modifying the configuration parameters of the industrial control device.
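The full exchange of the embodiment above, and of the firewall-side steps S21 to S23 with the initialized control rule and the temporary release rule, played through as an added Python example. It is not the patent's implementation: the message shapes, the rule fields, the addresses, the service label "plc-config" and the threshold of 0.8 are constructed. The firewall starts from the initialized default-deny rule, inserts a temporary release rule scoped to one host/device pair on the first control instruction, feeds back the application result, and deletes the rule on the second control instruction; the security management server issues the instructions and the first notification; the monitor's messages are the configuration application with the host's safety score and, later, the end information.

```python
"""End-to-end exchange of the dynamic firewall control flow.

Added example, not the patent's own implementation. Three parties
cooperate: a firewall whose control rule is initialised to prohibit
configuration changes by default, a security management server that
issues the first and second control instructions, and the configuration
software monitor's messages (configuration application carrying the
host's safety score, then the end information). Message shapes, rule
fields, addresses and the service label are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CONFIG_SERVICE = "plc-config"   # constructed label for the device configuration protocol


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # industrial control host address, or "any"
    dst: str           # industrial control device address
    service: str
    temporary: bool = False


class Firewall:
    def __init__(self, device: str) -> None:
        # Initialised control rule: no host may modify the device configuration.
        self.rules: List[Rule] = [Rule("deny", "any", device, CONFIG_SERVICE)]

    def handle_control_instruction(self, instruction: Dict[str, str]) -> Dict[str, object]:
        """Apply a control instruction and return the application result."""
        kind = instruction["type"]
        host, device = instruction["host"], instruction["device"]
        if kind == "first_control_instruction":
            # Temporary release rule: first match wins, so it precedes the default deny.
            self.rules.insert(0, Rule("allow", host, device, CONFIG_SERVICE, temporary=True))
            return {"type": "application_result", "status": "temporary_channel_added"}
        if kind == "second_control_instruction":
            before = len(self.rules)
            self.rules = [r for r in self.rules
                          if not (r.temporary and r.src == host and r.dst == device)]
            return {"type": "application_result", "status": "temporary_channel_removed",
                    "removed": before - len(self.rules)}
        raise ValueError(f"unknown control instruction {kind!r}")

    def permits(self, src: str, dst: str, service: str = CONFIG_SERVICE) -> bool:
        """First matching rule decides; no match means deny (fail closed)."""
        for rule in self.rules:
            if rule.src in ("any", src) and rule.dst == dst and rule.service == service:
                return rule.action == "allow"
        return False


class SecurityManagementServer:
    def __init__(self, firewall: Firewall, safety_threshold: float) -> None:
        self.firewall = firewall
        self.safety_threshold = safety_threshold

    def handle_configuration_application(self, application: Dict[str, object]
                                         ) -> Optional[Dict[str, str]]:
        """Return the first notification if the host is safe and the rule was added."""
        if application["safety_score"] < self.safety_threshold:
            return None                      # host not safe: nothing is released
        result = self.firewall.handle_control_instruction({
            "type": "first_control_instruction",
            "host": application["host"], "device": application["device"]})
        if result["status"] != "temporary_channel_added":
            return None                      # firewall did not apply the policy
        return {"type": "first_notification",
                "host": application["host"], "device": application["device"]}

    def handle_end_information(self, end_info: Dict[str, str]) -> Dict[str, object]:
        return self.firewall.handle_control_instruction({
            "type": "second_control_instruction",
            "host": end_info["host"], "device": end_info["device"]})


def run_configuration_session(host: str, device: str, safety_score: float,
                              threshold: float = 0.8) -> Dict[str, object]:
    """Drive one session and record whether the channel was open at each stage."""
    firewall = Firewall(device)
    server = SecurityManagementServer(firewall, threshold)
    stages: Dict[str, object] = {"before": firewall.permits(host, device)}
    notification = server.handle_configuration_application(
        {"host": host, "device": device, "safety_score": safety_score})
    stages["during"] = firewall.permits(host, device)
    stages["other_host_during"] = firewall.permits("10.0.0.99", device)   # constructed address
    if notification is not None:
        # The user modifies the configuration and closes the software; the
        # monitor then sends the end information to the server.
        server.handle_end_information({"host": host, "device": device})
    stages["after"] = firewall.permits(host, device)
    stages["released"] = notification is not None
    stages["temporary_rules_left"] = sum(r.temporary for r in firewall.rules)
    return stages


if __name__ == "__main__":
    print(run_configuration_session("10.0.0.10", "10.0.1.5", safety_score=0.95))
    print(run_configuration_session("10.0.0.10", "10.0.1.5", safety_score=0.60))
```

Two properties worth checking in any real deployment are visible in the session trace: the temporary release rule is scoped to the one host that was evaluated, so a second host on the same network is still denied while the channel is open, and after the end information the rule count returns to the initialized state, which is the condition the firewall would also want to enforce on a timeout if the end information never arrives.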
An embodiment of the present invention further provides a computer device, as shown in fig. 6, the computer device may include a processor 41 and a memory 42, where the processor 41 and the memory 42 may be connected by a bus or in another manner, and fig. 6 illustrates an example of a connection by a bus.
The processor 41 may be a Central Processing Unit (CPU). The Processor 41 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 42, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs and modules, such as the program instructions/modules corresponding to the dynamic control method of the industrial control equipment firewall in the embodiment of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory 42, the processor 41 executes the functional applications and data processing of the computer device, thereby implementing the dynamic control method of the industrial control equipment firewall of the above method embodiment.
The memory 42 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 41, and the like. Further, the memory 42 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 42 may optionally include memory located remotely from processor 41, which may be connected to processor 41 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 42 and when executed by the processor 41, perform a method for dynamically controlling a firewall of an industrial control device as in the embodiments shown in fig. 1 and 2.
The details of the computer device can be understood by referring to the corresponding related descriptions and effects in the embodiments shown in fig. 1 and fig. 2, and are not described herein again.
Optionally, an embodiment of the present invention further provides a non-transitory computer readable medium, where the non-transitory computer readable storage medium stores computer instructions, and the computer instructions are used to enable a computer to execute the dynamic control method for a firewall of an industrial control device described in any of the above embodiments, where the storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid-State Drive (Solid-State Drive, SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to exhaust all embodiments here, and obvious variations or modifications derived from them fall within the scope of the invention.

Claims (14)

1. A dynamic control method for industrial control equipment firewall is characterized by comprising the following steps:
acquiring a safe operation state of an industrial control host and a firewall configuration application;
when the safe operation state is safe, sending a first control instruction to a firewall according to the firewall configuration application, wherein the first control instruction is used for indicating that the firewall allows modification operation on parameter configuration of industrial control equipment;
and when the end information of the configuration operation of the industrial control equipment is obtained, sending a second control instruction to the firewall according to the end information, wherein the second control instruction is used for indicating the firewall to forbid the modification operation of the parameter configuration of the industrial control equipment.
2. The dynamic control method of the industrial control equipment firewall according to claim 1, wherein the safe operation state is generated by the configuration software monitor evaluating the security state of the industrial control host after acquiring the network connection notification sent by the industrial control host; and the end information of the configuration operation of the industrial control equipment is generated according to a process close notification when that process close notification, sent after the configuration data of the industrial control equipment has been stored, is acquired.
3. The method for dynamically controlling the firewall of the industrial control equipment according to claim 2, wherein the step of evaluating the security state of the industrial control host specifically comprises:
analyzing the first preset inspection list to obtain a plurality of evaluation indexes;
judging whether the industrial control host is matched with each evaluation index or not to obtain a plurality of inspection results;
and calculating and generating the safe operation state of the industrial control host according to a preset strategy and a plurality of inspection results.
4. The dynamic control method for the firewall of the industrial control equipment according to claim 1, wherein when end information for modifying configuration operation of the industrial control equipment is obtained, before sending a second control instruction to the firewall according to the end information, the dynamic control method further comprises:
obtaining an application result fed back by the firewall according to the first control instruction;
and sending a first notice according to the application result, wherein the first notice is used for informing a user of executing modification operation on the parameter configuration of the industrial control equipment.
5. A dynamic control method for industrial control equipment firewall is characterized by comprising the following steps:
acquiring a first control instruction sent by a server, wherein the first control instruction is generated by the server according to the acquired safe running state of the industrial control host and the firewall configuration application;
according to the first control instruction, allowing modification operation of parameter configuration of the industrial control equipment;
and when a second control instruction sent by the server is acquired, prohibiting the parameter configuration of the industrial control equipment from being modified, wherein the second control instruction is generated by the server according to the acquired end information for modifying the configuration operation of the industrial control equipment.
6. The dynamic control method for the industrial control equipment firewall according to claim 5, wherein before acquiring the first control instruction sent by the server, the dynamic control method further comprises:
initializing a control rule, wherein the control rule is used for forbidding to execute modification operation of parameter configuration of the industrial control equipment.
7. The method for dynamically controlling the firewall of the industrial control equipment according to claim 6, wherein the step of allowing the modification operation on the parameter configuration of the industrial control equipment specifically comprises:
adding a temporary release rule on a firewall, wherein the temporary release rule is used for generating a temporary modification channel, and the temporary modification channel is used for receiving configuration data corresponding to modification operation of parameter configuration of industrial control equipment.
8. A dynamic control system of industrial control equipment firewall is characterized by comprising: server, firewall, wherein:
the server is used for acquiring a safe operation state of the industrial control host and a firewall configuration application, and when the safe operation state is safe, a first control instruction is sent to the firewall according to the firewall configuration application;
the firewall is used for allowing modification operation of parameter configuration of the industrial control equipment according to the first control instruction;
the server is used for sending a second control instruction to the firewall according to the end information when the end information of the configuration operation of the industrial control equipment is obtained;
and the firewall is used for forbidding to modify the parameter configuration of the industrial control equipment when the second control instruction sent by the server is obtained.
9. The dynamic control system of industrial control equipment firewall according to claim 8, further comprising: industrial control host computer, configuration software monitor and industrial control equipment, wherein:
the configuration software monitor is used for acquiring a corresponding process and a process program file according to a process creation notice when receiving the process creation notice;
when the process is determined to be a target configuration change program according to the process program file, starting monitoring the industrial control host;
the industrial control host is used for sending a network connection notice according to the configuration software;
the configuration software monitor is used for analyzing a first preset check list to obtain a plurality of evaluation indexes when the network connection notification is received, and judging whether the industrial control host is matched with each evaluation index to obtain a plurality of check results; calculating and generating the safe operation state of the industrial control host according to a preset strategy and a plurality of inspection results;
the industrial control host is used for sending configuration data corresponding to the modification operation of the parameter configuration of the industrial control equipment to the industrial control equipment according to the first control instruction;
the industrial control equipment is used for receiving and storing the configuration data;
the configuration software monitor is used for acquiring a process closing notification and generating end information for modifying the configuration operation of the industrial control equipment according to the process closing notification.
10. The dynamic control system of the industrial control equipment firewall according to claim 9, wherein the configuration software monitor is further configured to register a process creation notification callback function in the industrial control host; and the industrial control host is further configured, on receiving a start request for the configuration software input by the user, to generate a process creation notification according to the start request and the process creation notification callback function.
11. The dynamic control system of an industrial control equipment firewall according to claim 10, wherein the configuration software monitor is further configured to:
analyzing the process program file to generate process characteristic information;
and when the process characteristic information is matched with a second preset check list, determining that the process is a target configuration change program.
12. The dynamic control system of an industrial control device firewall according to claim 11, wherein the industrial control host is further configured to generate a process shutdown notification after the configuration data stored in the industrial control device is acquired.
13. A computer device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the method for dynamic control of an industrial control equipment firewall according to any one of claims 1 to 7.
14. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for dynamic control of a firewall for an industrial control device according to any one of claims 1 to 7.
Priority application: CN202010988642.2A, priority date 2020-09-18, filing date 2020-09-18, "Dynamic control method and system for industrial control equipment firewall", granted as CN112104661B (Active).

Publications (2)

Publication Number Publication Date
CN112104661A true CN112104661A (en) 2020-12-18
CN112104661B CN112104661B (en) 2022-10-21

Family

ID=73758888

Country Status (1)

Country Link
CN (1) CN112104661B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010005545A1 (en) * 2008-07-08 2010-01-14 Industrial Defender, Inc. Techniques for agent configuration
EP2163027A1 (en) * 2007-06-26 2010-03-17 Core Sdi, Incorporated System and method for simulating computer network attacks
CN103281288A (en) * 2013-02-05 2013-09-04 武汉安天信息技术有限责任公司 Mobile phone firewall system and mobile phone firewall method
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms
CN103561002A (en) * 2013-10-22 2014-02-05 北京神州泰岳软件股份有限公司 Safety access method and system based on fire wall policy
CN104717205A (en) * 2015-02-04 2015-06-17 上海展湾信息科技有限公司 Industrial control firewall control method based on message reconstitution
CN107360134A (en) * 2017-06-08 2017-11-17 杭州谷逸网络科技有限公司 Safety long-distance controls the implementation method and its security system of terminal
CN109564603A (en) * 2016-06-02 2019-04-02 Hubbell Incorporated System and method for securely changing network configuration settings of a multiplexer in an industrial control system
CN110033174A (en) * 2019-03-20 2019-07-19 Fengtai Technology (Beijing) Co., Ltd. A kind of industrial information efficient public security system building method
CN111464563A (en) * 2020-05-08 2020-07-28 武汉思普崚技术有限公司 Protection method of industrial control network and corresponding device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Sebastian Obermeier, Michael Wahler, Thanikesavan Sivanthi, Roman S: "Automatic attack surface reduction in next-generation industrial control systems", IEEE *
徐珊珊 (Xu Shanshan): "Research on lightweight secure transmission in industrial control systems", China Master's Theses Full-text Database, Information Science and Technology series *
陶志坚, 姚日煌 (Tao Zhijian, Yao Rihuang): "Research on information security risk assessment of industrial control systems", Network Security and System Reliability *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant