CN114779737A - Novel industrial control system information physical security system architecture - Google Patents


Info

Publication number
CN114779737A
Authority
CN
China
Prior art keywords
network
industrial control
data
control system
physical
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210377104.9A
Other languages
Chinese (zh)
Inventor
周阳
方立晴
吕润
王昌杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nari Technology Co Ltd
NARI Nanjing Control System Co Ltd
Original Assignee
Nari Technology Co Ltd
NARI Nanjing Control System Co Ltd

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0243 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults; model based detection method, e.g. first-principles knowledge model
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24065 Real time diagnostics

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a novel industrial control system information physical security system architecture, which comprises: the honeypot MimePot, which simulates the cyber-physical structure of the industrial control system to obtain a simulated industrial control system located in the control area network, the control area network being connected to the manufacturing area and the enterprise area; the deep detection system, which evaluates the simulated industrial control system according to the network data and generates an accurate report of the condition of the industrial control system; and the decision support system, which processes the report of the industrial control system condition using the analytic hierarchy process to obtain a final processing suggestion. The architecture can provide cyber-physical security services for an industrial control system, can detect cyber-physical threats affecting data availability, integrity and confidentiality, and can distinguish network (cyber) threats from physical-side problems.

Description

Novel industrial control system information physical security system architecture
Technical Field
The invention belongs to the technical field of industrial control system network information security, and particularly relates to a novel industrial control system information physical security system architecture.
Background
With the development of computer technology, communication technology and control technology, the traditional control field has started to move towards networking. Modern Industrial Control Systems (ICS) are computer-based systems used to monitor and control physical devices. Today, modern ICS comprise a variety of networked Information Technology (IT) infrastructures connected to the physical domain, and can be considered a kind of Cyber-Physical System (CPS). Modern ICS have a multi-layered structure and are arranged as a set of network agents, such as sensors, actuators, control units (programmable logic controllers, PLC) and remote communication devices (remote terminal units, RTU), which are now at risk because the increasing penetration of IT into operational technology exposes the ICS network to motivated and highly skilled attackers.
In the past few years, many computer network security incidents have occurred in industrial control systems; threats may come from unexpected software errors, non-targeted attacks and targeted attacks. When an adversary knows the controlled process, a targeted attack becomes possible, and such an attack is intended to damage the physical system being controlled.
Therefore, ICS security has become an active research area in recent years, and it is noted that protecting ICS differs from conventional IT security. Software patches and frequent updates are less suitable for control systems because upgrading a system may require planning months ahead and taking the system offline, which is not economical in industrial control systems. Some research efforts have attempted to provide mechanisms to protect data integrity and confidentiality, but these can be viewed as short-term solutions.
Disclosure of Invention
The purpose of the invention is as follows: in order to solve the problem that the existing industrial control system is easy to attack and control, the invention provides a novel industrial control system information physical security system architecture.
The technical scheme is as follows: a novel industrial control system information physical security architecture comprises the following modules:
the depth detection system is used for carrying out security assessment on the industrial control system according to network data in the industrial control area network and generating a security condition report of the industrial control system;
wherein the depth detection system comprises:
the extractor is used for acquiring and analyzing network data from the industrial control area network and forwarding the network data;
the network anomaly detection system is used for comparing the acquired network data with parameters in a pre-constructed network behavior configuration file within sampling time to detect the network data behavior anomaly;
the finite state automata detector is used for judging whether the network data is a specific protocol to be analyzed and whether the network data is abnormal data;
the privacy restriction detector is used for extracting the equipment information from the acquired network data and judging whether the equipment corresponding to the equipment information is safe or not according to whether the equipment information exists in the white list database or not; generating a security alert for an unsecure device;
the fault detection system is used for carrying out physical fault identification according to the acquired network data and generating physical fault information;
and the security information and event management system is used for performing data association on the behavior anomaly detection data obtained by the network anomaly detection system, the abnormal flow condition data obtained by the finite state automata detector, the security alarm generated by the privacy restriction detector and the physical fault information generated by the fault detection system, to generate a network security condition report of the industrial control area.
Further, the extractor extracts and analyzes network data from all received network data packets by using different network filters, and forwards the network data to a network anomaly detection system, a finite state automata detector, a privacy limitation detector and a fault detection system.
Further, the step of constructing the network behavior profile includes:
under the condition of not experiencing attacks or abnormal conditions, the state value of the physical equipment is extracted from the network data by utilizing the network data provided by the extractor, and a network behavior configuration file is generated.
Further, the network anomaly detection system is configured to compare the network data acquired within a sampling time with the parameters in the pre-constructed network behavior profile, and flags a network data behavior anomaly when
$\eta(i) > \bar{\eta}(i) + \delta(i)$ (1)
where $\eta(i)$ is the i-th value of the anomaly detection parameter, $\bar{\eta}(i)$ is the i-th value of the corresponding parameter stored in the pre-constructed network behavior profile, and $\delta(i)$ is an uncertainty value.
Further, said deterministic finite state automaton is represented by a quintuple:
$M = (Q, \Sigma, \delta, q_0, F)$ (2)
where $Q$ is a finite set of states, $\Sigma$ is the alphabet of input symbols, $\delta: Q \times \Sigma \to Q$ is the transition function, $q_0 \in Q$ is the initial state, and $F \subseteq Q$ is the set of feasible (accepting) states;
the method for judging, with the deterministic finite state automaton, whether the network data belongs to the specific protocol to be analyzed and whether it is abnormal data comprises the following steps:
reading the character string of the network data symbol by symbol and feeding it as input to the deterministic finite state automaton;
the automaton accepts or rejects the network data provided by the extractor according to the path through its states defined by the transition function; each state represents a predefined condition that the input reaches through the defined function.
Further, the creating step of the white list database comprises:
acquiring equipment information of all physical equipment connected in a control area network when an industrial control system is in a safe state;
the white list database is created by inserting the device information of the same physical device twice;
the device information includes an IP address and a MAC address.
Further, in the fault detection system, the physical fault identification comprises the following specific implementation steps:
based on the state vector and output vector definitions, a residual is computed using a state estimation algorithm:
$r_k = y_k - \hat{y}_k$
where $y_k$ is the output vector and $\hat{y}_k$ is the output estimate vector;
in the absence of a fault, the residual is zero;
when the residual exceeds a set threshold, a physical fault is detected; if the residual does not exceed the set threshold, no physical fault is detected.
Further, in the system for managing security information and events, the data association includes:
converting data from the network anomaly detection system, finite state automata detector, privacy constraint detector, and fault detection system into a common format;
data summarization and data association are carried out on data with a common format;
and generating an industrial control area network safety condition report based on the predefined association rule.
Further, the system also comprises the following modules:
the honeypot MimePot simulates the physical process and the control system of the industrial control system as a virtual industrial system, and lures an attacker into attacking the simulated system, thereby protecting the real industrial control system.
Further, the method also comprises the following modules:
the decision support system is used for constructing decision problems in a layered mode according to the general targets and the sub-targets thereof and acquiring historical consequence data from the warning database based on the decision problems of each layer; and analyzing the historical result data to obtain decision information for assisting the decision of the user.
Beneficial effects: the novel cyber-physical security architecture for industrial control systems, composed of a deep detection system, a honeypot and a decision support system, can provide cyber-physical security services for an industrial control system, can detect cyber-physical threats affecting data availability, integrity and confidentiality, and can distinguish network (cyber) threats from physical-side problems.
Drawings
FIG. 1 is a schematic block diagram of the present invention;
FIG. 2 is a depth detection system sub-module;
fig. 3 is a safety system with operator involvement.
Detailed Description
The technical solution of the present invention will be further explained with reference to the accompanying drawings and embodiments.
As shown in fig. 1, the novel industrial control system information physical security architecture of the present invention is composed of a deep detection system, the honeypot MimePot and a decision support system, and each constituent system can be implemented independently, which increases the applicability of the architecture to end-user requirements. The architecture resides in a control area network that is connected to the manufacturing and enterprise areas through firewalls and demilitarized zone (DMZ) networks.
As shown in fig. 2, the Deep Detection System (DDS) of the present invention is the core of the architecture: a network detection system capable of distinguishing network problems from physical problems affecting an Industrial Control System (ICS). The DDS is composed of a number of flexible and interchangeable sub-modules used for global security evaluation: the extractor, the network anomaly detection system (NADE), the finite state automata detector (FAD), the privacy constraint detector (CRD), the signature-based intrusion detection system (S-IDS), the Fault Detection System (FDS) and the Security Information and Event Management (SIEM) system. The DDS can also be deployed by connecting it to a mirror port of an existing network switch. The NADE, the FAD and the CRD need to perform a learning phase before the active detection phase; the learning phase is defined as the secure configuration and set-up of those modules that need a state history database as reference for detection, and assumes that the industrial control system is known to be in a secure state while the learning phase runs.
The sub-modules that make up the Depth Detection System (DDS) are now described as follows.
The extractor receives all network packets, extracts and analyzes data from them using different network filters, and forwards the resulting network data to each sub-module. Packet inspection is thus performed only once, before the different analysis methods of the DDS core sub-modules are applied.
The network anomaly detection system (NADE) detects behavior anomalies. This sub-module has a learning phase and an active detection phase. The learning phase is run while the system is not experiencing an attack or anomaly: multiple records of the same operation, taken from the network data provided by the extractor, are stored to generate a normal network behavior profile. The more accurate the learning phase, the better the normal behavior pattern is captured and the greater the likelihood of identifying network traffic anomalies. The time required to complete the learning phase depends on the operating cycle of the system. Furthermore, the NADE is also able to extract physical system state values from network traffic, i.e. a specific anomaly detection solution can be implemented by selecting any traffic characteristic of the analyzed protocol. Once the network behavior profile is created, at each sampling time the NADE analyzes the network traffic obtained in that sampling time and compares it with the profile generated during the learning phase, flagging an anomaly when
$\eta(i) > \bar{\eta}(i) + \delta(i)$ (1)
where $\eta(i)$ is the i-th value of the anomaly detection parameter obtained by analyzing the current network traffic, $\bar{\eta}(i)$ is the i-th value of the corresponding parameter stored in the network behavior profile, and $\delta(i)$ is an uncertainty value chosen to reduce the false detection probability.
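The NADE learning and detection phases as an added worked example (not code from the patent): a profile of per-window traffic features is learned from constructed attack-free windows and inequality (1) is applied parameter by parameter. The feature names, the learning data and the choice of δ(i) as three standard deviations with a floor are all assumptions made here.

```python
from statistics import mean, pstdev

# Constructed feature vector for one sampling window of control-network traffic.
FEATURES = ["packets", "distinct_sources", "write_requests", "level_setpoint"]


def learn_profile(samples, k=3.0, floor=1.0):
    """Learning phase.

    samples: per-window feature vectors captured while the plant is known to be
    free of attacks or anomalies (the page's precondition for learning).
    Returns eta_bar(i), the stored profile value, and delta(i), the uncertainty
    margin. delta(i) is a constructed choice: k standard deviations of the
    learning data, with a floor so a constant feature still tolerates jitter.
    """
    columns = [[s[i] for s in samples] for i in range(len(FEATURES))]
    eta_bar = [mean(c) for c in columns]
    delta = [max(k * pstdev(c), floor) for c in columns]
    return eta_bar, delta


def detect(eta, eta_bar, delta):
    """Active detection phase: apply inequality (1) per parameter and return the
    names of the parameters whose current value exceeds profile plus margin.
    The test is one-sided, exactly as the page states it."""
    return [FEATURES[i] for i in range(len(FEATURES)) if eta[i] > eta_bar[i] + delta[i]]


# Constructed learning data: five quiet windows of the same periodic operation.
LEARNING_WINDOWS = [
    [100, 3, 2, 50.0],
    [104, 3, 2, 50.5],
    [98, 3, 3, 49.5],
    [101, 3, 2, 50.0],
    [99, 3, 2, 50.2],
]


def analyse(window, samples=LEARNING_WINDOWS):
    """Build the profile from `samples` and check one current window against it."""
    eta_bar, delta = learn_profile(samples)
    return detect(window, eta_bar, delta)


if __name__ == "__main__":
    print("normal window:      ", analyse([102, 3, 2, 50.3]))
    print("setpoint drift only:", analyse([101, 3, 2, 52.0]))
    print("flood and tampering:", analyse([250, 7, 30, 95.0]))
```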
The finite state automata detector (FAD) analyzes a specific control network protocol and identifies abnormal traffic conditions using a deterministic finite state automaton. Each protocol has a specific message format; the message is read symbol by symbol against the alphabet of the finite state automaton, the transition function yields the next state, and a final state is eventually reached. In this way it is judged whether a given message belongs to the specific protocol to be analyzed and whether it is an abnormal message. Specifically, the FAD distinguishes normal from abnormal packets in a data transmission by inspecting the string of traffic packets and recognizing predefined patterns. Formally, a finite state automaton is an idealized machine that takes input from a character set; its goal is to accept or reject the input according to a particular path defined by the states and the transition function, each state representing a predefined condition that the input can reach according to the defined function. The deterministic finite state automaton is represented by a five-tuple:
$M = (Q, \Sigma, \delta, q_0, F)$ (2)
where $Q$ is a finite set of states, $\Sigma$ is the alphabet of input symbols, $\delta: Q \times \Sigma \to Q$ is the transition function, $q_0 \in Q$ is the initial state, and $F \subseteq Q$ is the set of feasible (accepting) states.
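The quintuple (2) driven over protocol messages, as an added example that is not part of the patent: the automaton below recognizes a constructed, hypothetical register-access protocol (not any real ICS protocol) and rejects both non-protocol bytes and malformed messages, which is the FAD's two-part judgement. States, alphabet and message format are assumptions made here.

```python
# Deterministic finite state automaton M = (Q, SIGMA, DELTA, Q0, F) for a
# constructed register-access protocol:
#   read request:  RD:<address>;          e.g. "RD:40001;"
#   write request: WR:<address>=<value>;  e.g. "WR:40001=17;"
# Anything else is rejected: no transition exists, so the run stops early.

Q = {"q0", "r1", "r2", "r3", "r4", "w1", "w2", "w3", "w4", "w5", "w6", "acc"}
SIGMA = {"R", "D", "W", ":", "=", ";", "d"}   # 'd' stands for any decimal digit
Q0 = "q0"
F = {"acc"}

DELTA = {
    ("q0", "R"): "r1", ("r1", "D"): "r2", ("r2", ":"): "r3",
    ("r3", "d"): "r4", ("r4", "d"): "r4", ("r4", ";"): "acc",
    ("q0", "W"): "w1", ("w1", "R"): "w2", ("w2", ":"): "w3",
    ("w3", "d"): "w4", ("w4", "d"): "w4", ("w4", "="): "w5",
    ("w5", "d"): "w6", ("w6", "d"): "w6", ("w6", ";"): "acc",
}


def symbol(ch):
    """Map one input character onto the alphabet SIGMA (None if outside it)."""
    if ch.isdigit():
        return "d"
    return ch if ch in SIGMA else None


def run(message):
    """Read the message symbol by symbol from Q0 and follow DELTA.

    Returns (accepted, state_reached, symbols_consumed). A message is accepted
    only if the whole string is consumed and the final state lies in F; a
    missing transition (wrong byte, or bytes after the terminator, since 'acc'
    has no outgoing transitions) rejects at that position.
    """
    state = Q0
    for n, ch in enumerate(message):
        s = symbol(ch)
        nxt = DELTA.get((state, s)) if s is not None else None
        if nxt is None:
            return False, state, n
        state = nxt
    return state in F, state, len(message)


def classify(message):
    """FAD verdict for one message: 'normal' or an 'abnormal' string that says
    where the automaton got stuck, which is useful context for the SIEM."""
    accepted, state, consumed = run(message)
    if accepted:
        return "normal"
    return f"abnormal (stuck in {state} after {consumed} symbol(s))"


if __name__ == "__main__":
    for m in ["RD:40001;", "WR:40001=17;", "RD:40001=17;", "WR:40001;",
              "RD:;", "RD:40001", "XX:1;", "RD:40001;RD:1;"]:
        print(f"{m!r:20} -> {classify(m)}")
```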
The privacy restriction detector (CRD) is a security system dedicated to discovering data confidentiality issues. It comprises two stages: a learning phase and a detection phase. The learning phase is performed while the ICS is in a secure state: the CRD lists all devices connected in the control zone in order to create a white list, and populates the database with the white-listed devices. To counter a malicious participant who finds a way to change the white list, the CRD applies a simple but effective security check: every entity is inserted twice. A malicious participant who modifies the white list will not realize that the same entity needs to appear twice, so when the database is later analyzed, any entity that is present only once triggers a security alert. In the detection phase, the CRD directly verifies the devices in the control area to prevent intrusion: it receives the information of each connected device (for example IP address and MAC address) and checks whether this information is present in the white list. The CRD can thus counter a variety of potential network threats, such as Address Resolution Protocol (ARP) poisoning.
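The CRD white list with the double-insertion integrity check, as an added example that is not the patent's code: the learning phase stores each (IP, MAC) pair twice in an SQLite table, the audit flags any entity whose row count is not two, and the detection phase distinguishes an unknown device from a known IP that now appears with a different MAC (the pattern ARP poisoning produces). The device inventory and alert strings are constructed.

```python
import sqlite3


def build_whitelist(devices):
    """Learning phase, run while the ICS is in a known-safe state: store the
    (IP, MAC) pair of every connected device. Each entity is inserted twice,
    the page's integrity trick, so an entry added by someone unaware of the
    rule stands out later."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE whitelist (ip TEXT NOT NULL, mac TEXT NOT NULL)")
    for ip, mac in devices:
        conn.executemany("INSERT INTO whitelist VALUES (?, ?)", [(ip, mac)] * 2)
    conn.commit()
    return conn


def audit_whitelist(conn):
    """Integrity check of the database itself: any entity whose row count is
    not exactly two was inserted or altered outside the learning procedure."""
    rows = conn.execute(
        "SELECT ip, mac, COUNT(*) FROM whitelist GROUP BY ip, mac HAVING COUNT(*) != 2"
    ).fetchall()
    return [(ip, mac) for ip, mac, _ in rows]


def check_device(conn, ip, mac):
    """Detection phase: None for a white-listed device, otherwise an alert.
    A known IP paired with a different MAC is reported separately from a
    wholly unknown host, because the response to each differs."""
    exact = conn.execute(
        "SELECT COUNT(*) FROM whitelist WHERE ip = ? AND mac = ?", (ip, mac)
    ).fetchone()[0]
    if exact == 2:
        return None
    if exact == 1:
        return f"whitelist integrity violation for {ip}/{mac}"
    ip_known = conn.execute(
        "SELECT COUNT(*) FROM whitelist WHERE ip = ?", (ip,)
    ).fetchone()[0]
    if ip_known:
        return f"address mismatch: {ip} now claims MAC {mac}"
    return f"unknown device {ip}/{mac}"


# Constructed inventory of the control area network (locally administered MACs).
SAFE_STATE_DEVICES = [
    ("10.0.1.10", "02:00:00:00:00:11"),   # PLC
    ("10.0.1.20", "02:00:00:00:00:22"),   # HMI
    ("10.0.1.30", "02:00:00:00:00:33"),   # engineering workstation
]


def demo():
    """Exercise both phases and the audit on the constructed inventory."""
    conn = build_whitelist(SAFE_STATE_DEVICES)
    results = {
        "legitimate": check_device(conn, "10.0.1.10", "02:00:00:00:00:11"),
        "spoofed_mac": check_device(conn, "10.0.1.10", "02:00:00:00:00:99"),
        "rogue_host": check_device(conn, "10.0.1.99", "02:00:00:00:00:99"),
    }
    # Constructed tampering: a single-row insert, which the audit catches because
    # the legitimate procedure always writes two rows per entity.
    conn.execute("INSERT INTO whitelist VALUES (?, ?)", ("10.0.1.99", "02:00:00:00:00:99"))
    results["tampered_entry"] = check_device(conn, "10.0.1.99", "02:00:00:00:00:99")
    results["audit"] = audit_whitelist(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```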
The signature-based intrusion detection system (S-IDS) is a detection tool based on predefined rules. Signature-based intrusion detection systems are a foundation of IT security applications, and their importance has also been recognized for Industrial Control Systems (ICS). Even if typical IT threats should not be present in the control area, the possibility of their occurring cannot be excluded in advance, so signature-based intrusion detection techniques may also be used in control area networks. Furthermore, since industrial protocols typically differ from the protocols of IT networks, special rules are defined for the particular industrial protocol; the S-IDS uses these rules as a redundant security control of the physical process by analyzing the network traffic associated with that industrial protocol.
The Fault Detection System (FDS) is used for physical fault identification; in Industrial Control System (ICS) scenarios, physical devices, including actuators and sensors, are vulnerable to both faults and attacks. Since network attacks on the control network also affect the physical behavior of the system, the FDS may be used in conjunction with the other sub-modules to distinguish between network threats and physical threats. The FDS can be built on linearized or nonlinear control dynamics, depending on the complexity and accuracy required for the particular CPS being analyzed. The ICS is assumed to be a substantially linear time-invariant system:
$x_{k+1} = A x_k + B u_k + w_k$ (3)
$y_k = C x_k + D u_k + v_k$ (4)
where $x \in \mathbb{R}^n$ is the state vector, $u \in \mathbb{R}^p$ is the input (or control) vector, and $y \in \mathbb{R}^q$ is the output (or sensor) vector. The matrices $A, B, C, D$ are real constant matrices defined as follows: $A \in \mathbb{R}^{n \times n}$ is the state transition matrix, $B \in \mathbb{R}^{n \times p}$ is the input matrix, and $C \in \mathbb{R}^{q \times n}$ is the output matrix. The vectors $w_k \sim \mathcal{N}(0, Q)$ and $v_k \sim \mathcal{N}(0, R)$ are independent zero-mean Gaussian noise with covariance $Q$ and $R$, respectively. Based on these state and output vector definitions, the FDS uses a state estimation algorithm to compute the residual, defined as
$r_k = y_k - \hat{y}_k$
where $y_k$ is the output vector of the system as defined above and $\hat{y}_k$ is the estimate of the system output. In the absence of a fault the residual is ideally zero; when the residual exceeds a set threshold, a physical fault is detected. Several model-based fault detection methods may be implemented in the FDS. They can detect single and multiple physical faults of different types, which is of great significance in a modular architecture.
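The residual test on the LTI model (3)-(4), as an added example that is not the patent's code (the same model form, with matrices A_M, B_M, C_M, D_M, is what the honeypot MimePot simulates). A Luenberger observer supplies ŷ_k; the 2-state plant, the observer gain, the zero noise terms and the injected sensor bias are all constructed here. The page does not name the state estimator; the observer is an assumption.

```python
# Constructed 2-state LTI plant (3)-(4). w_k and v_k are set to zero so the
# residual is exactly reproducible; a Luenberger observer provides y_hat_k.
A = [[1.0, 0.1], [0.0, 0.9]]   # state transition matrix, n = 2
B = [[0.0], [0.1]]             # input matrix, p = 1
C = [[1.0, 0.0]]               # output matrix, q = 1 (only the first state is measured)
D = [[0.0]]                    # no direct feed-through
L = [[0.5], [0.2]]             # observer gain (constructed; A - L*C has eigenvalues ~0.84, 0.56)


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def vadd(a, b):
    return [x + y for x, y in zip(a, b)]


def vsub(a, b):
    return [x - y for x, y in zip(a, b)]


def plant_step(x, u):
    """x_{k+1} = A x_k + B u_k  (w_k omitted in this constructed run)."""
    return vadd(matvec(A, x), matvec(B, u))


def output(x, u):
    """y_k = C x_k + D u_k  (v_k omitted)."""
    return vadd(matvec(C, x), matvec(D, u))


def observer_step(xhat, u, y):
    """One step of the state estimator. Returns the updated estimate and the
    residual r_k = y_k - y_hat_k, where y_hat_k = C xhat_k + D u_k."""
    yhat = output(xhat, u)
    r = vsub(y, yhat)
    xhat_next = vadd(plant_step(xhat, u), matvec(L, r))
    return xhat_next, r


def simulate(steps=60, fault_at=30, fault_bias=3.0, threshold=1.0):
    """Run plant and observer side by side; inject a sensor bias fault at step
    `fault_at` and report the first step whose residual exceeds `threshold`.
    Returns (residual magnitudes per step, detection step or None)."""
    x = [1.0, 0.0]
    xhat = [1.0, 0.0]          # initial state assumed known, so r_0 = 0
    u = [1.0]                  # constant control input
    residuals, detected_at = [], None
    for k in range(steps):
        y = output(x, u)
        if k >= fault_at:      # sensor fault: constant offset on the measurement
            y = [yi + fault_bias for yi in y]
        xhat, r = observer_step(xhat, u, y)
        mag = max(abs(ri) for ri in r)
        residuals.append(mag)
        if detected_at is None and mag > threshold:
            detected_at = k
        x = plant_step(x, u)
    return residuals, detected_at


if __name__ == "__main__":
    res, k = simulate()
    print("residual before fault:", res[29], " at fault:", res[30], " detected at step", k)
```

With the threshold set to 1.0 the constructed fault is detected in the step it appears; a bias below the threshold would go unreported, which is the trade-off the page's "set threshold" hides.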
Wherein a Security Information and Event Management (SIEM) system is used to analyze specific data and alarms from detecting each sub-module. First, a Security Information and Event Management (SIEM) system may capture event data from various sources throughout a network. By collecting, storing and analyzing logs and traffic data of the network in real time, security operators are enabled to automatically manage event logs and network traffic data of their networks at a centralized location. Second, event data from various sources is converted to a common format, the data is summarized and data from multiple sources is correlated to help an administrator distinguish true threats from false positives. Using customizable predefined association rules, an administrator can be alerted immediately and take appropriate mitigation measures to avoid it developing into more significant security issues.
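The SIEM correlation step as an added example that is not the patent's code: alerts from the NADE, FAD, CRD and FDS are converted to one common format, grouped per asset and time bucket, and a predefined rule labels each group so that network-only evidence, physical-only evidence and combined evidence are reported differently, which is how the architecture separates cyber threats from physical-side problems. The asset inventory, raw alert fields, bucket size and the rule itself are assumptions made here.

```python
from collections import defaultdict

# Constructed asset inventory: which plant asset an address or sensor tag belongs to.
ASSETS = {
    "10.0.1.10": "PLC-1", "10.0.1.20": "HMI-2",
    "LT-101": "PLC-1", "PT-205": "PLC-3",
}
BUCKET_SECONDS = 10.0   # events on the same asset within one bucket are correlated


def normalize(source, raw):
    """Convert a sub-module's native alert into the SIEM common format
    {source, domain, asset, time}. The raw field names are constructed."""
    if source == "NADE":    # behaviour anomaly in traffic to/from a device
        asset, t, domain = ASSETS[raw["device_ip"]], raw["window_end"], "network"
    elif source == "FAD":   # protocol message rejected by the automaton
        asset, t, domain = ASSETS[raw["src_ip"]], raw["pkt_time"], "network"
    elif source == "CRD":   # device not in the white list
        asset = ASSETS.get(raw["ip"], "unknown:" + raw["ip"])
        t, domain = raw["ts"], "network"
    elif source == "FDS":   # residual above threshold on a sensor
        asset, t, domain = ASSETS[raw["sensor"]], raw["k"] * raw["dt"], "physical"
    else:
        raise ValueError(f"unknown source {source}")
    return {"source": source, "domain": domain, "asset": asset, "time": t}


def correlate(events):
    """Predefined association rule: an asset with both a network anomaly and a
    physical fault in the same bucket is a cyber-physical attack; network-only
    evidence is a cyber threat; physical-only evidence is a plant fault."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["asset"], int(e["time"] // BUCKET_SECONDS))].append(e)
    report = []
    for (asset, bucket), evs in sorted(groups.items()):
        domains = {e["domain"] for e in evs}
        if domains == {"network", "physical"}:
            verdict = "cyber-physical attack"
        elif domains == {"network"}:
            verdict = "cyber threat"
        else:
            verdict = "physical fault"
        report.append({
            "asset": asset,
            "window_start": bucket * BUCKET_SECONDS,
            "verdict": verdict,
            "sources": sorted({e["source"] for e in evs}),
        })
    return report


def sample_report():
    """Constructed alerts from the four sub-modules during one incident."""
    raw = [
        ("NADE", {"device_ip": "10.0.1.10", "window_end": 12.0}),
        ("FAD", {"src_ip": "10.0.1.10", "pkt_time": 13.4}),
        ("FDS", {"sensor": "LT-101", "k": 15, "dt": 1.0}),
        ("CRD", {"ip": "10.0.1.99", "mac": "02:00:00:00:00:99", "ts": 31.0}),
        ("FDS", {"sensor": "PT-205", "k": 42, "dt": 1.0}),
    ]
    return correlate([normalize(s, r) for s, r in raw])


if __name__ == "__main__":
    for line in sample_report():
        print(line)
```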
The sub-modules that make up the Depth Detection System (DDS) are described in detail above.
The honeypot MimePot is now further explained. MimePot is capable of simulating the physical process and the control programs of a plant. Its most basic function is a virtual system that simulates the cyber-physical structure of the plant, separating the physical process from the control process. When an attacker enters the target network, it can thus be easily fooled by discovering individual nodes that communicate with one another over industrial protocols and exchange plausible physical process data. For this reason MimePot needs to be a realistic and attractive target for potential malicious participants. The state-space equations of the simulated industrial control system are:
$x_{M,k+1} = A_M x_{M,k} + B_M u_{M,k} + w_{M,k}$
$y_{M,k} = C_M x_{M,k} + D_M u_{M,k} + v_{M,k}$
where $x_M \in \mathbb{R}^n$ is the simulated state vector, $u_M \in \mathbb{R}^p$ is the simulated control vector, and $y_M \in \mathbb{R}^q$ is the simulated output vector. The matrices $A_M, B_M, C_M, D_M$ are real constant matrices, and $w_{M,k}$ and $v_{M,k}$ are zero-mean Gaussian noise with covariance $Q$ and $R$, respectively.
The simulated plant depends on the complexity of the real plant, but the attacker must be tricked according to the attack conditions. Furthermore, the goal of honeypot mimeot is to hide the true plant physical topology and configuration when an attacker gains access to the control center network.
From a network communication perspective, honeypot MimePot can be implemented in a virtual environment. The simulated physical values are placed directly in the application layer of a particular network packet. In this way, the values of sensors and actuators are managed through a real industrial communication protocol, and an attacker is deceived in a preliminary reconnaissance stage through false but credible physical process behaviors.
The Decision Support System (DSS) will now be further explained.
A Decision Support System (DSS) is an information system that assists users in making decisions through data, models, and knowledge, assisting users in planning and solving various action scenarios, usually solving semi-structural or non-structural problems in a man-machine interaction manner. It is an advanced information management system resulting from the development of a management information system to a higher level. It provides the decision maker with the environment for analyzing the problem, building the model, simulating the decision process and scheme, calls various information resources and analysis tools, helps the decision maker make the decision or improve the decision level and quality, and emphasizes the support of decision making instead of human. Decision Support Systems (DSS) are based on analytic hierarchy methods, allowing selection among different alternatives in the presence of multiple criteria.
The Decision Support System (DSS) decomposes the decision problem into its constituent elements, structures them hierarchically according to the main objectives and their sub-objectives, and finally processes the data and opinions to reach the objective. First, the DSS builds a database from alarm information, log information and the like; then the consequences that an alarm may bring are derived from expert experience or historical records; finally, security operators can see, through a human-machine interface, the consequences that the various alarm events can bring, and make decisions according to the analysis.
In fact, it is not possible to completely exclude manual decision-making operations in the critical security scenarios of ICS: the experience of human operators in applying countermeasures is always the most basic. In the proposed architecture, there are two possible complementary paths for information between modules for data from a Depth Detection System (DDS) containing alarms (fig. 3). The first is defined as passive defense, allowing the alarm to reach the operator directly. The second approach, namely to enhance passive defense, allows operators to receive alarm data from a Depth Detection System (DDS) and countermeasure recommendations provided by a Decision Support System (DSS), and network security operators to take the best countermeasures against the threat.

Claims (10)

1. A novel industrial control system information physical security system architecture is characterized in that: the system comprises the following modules:
the depth detection system is used for carrying out security assessment on the industrial control system according to network data in the industrial control area network and generating a security condition report of the industrial control system;
wherein the depth detection system comprises:
the extractor is used for acquiring and analyzing network data from the industrial control area network and forwarding the network data;
the network anomaly detection system is used for comparing the acquired network data with parameters in a pre-constructed network behavior configuration file within sampling time to detect the network data behavior anomaly;
the finite state automata detector is used for judging whether the acquired network data is a specific protocol to be analyzed and whether the acquired network data is abnormal data;
the privacy restriction detector is used for extracting the equipment information from the acquired network data and judging whether the equipment corresponding to the equipment information is safe or not according to whether the equipment information exists in the white list database or not; generating a security alert for an unsecure device;
the fault detection system is used for carrying out physical fault identification according to the acquired network data and generating physical fault information;
and the security information and event management system is used for carrying out data association on the behavior anomaly detection data obtained by the network anomaly detection system, the anomaly data obtained by the finite state automata detector, the security alarm generated by the privacy restriction detector and the physical fault information generated by the fault detection system, to generate a network security condition report of the industrial control area.
2. The novel industrial control system cyber-physical security architecture of claim 1, wherein:
the extractor extracts and analyzes network data from all received network data packets by using different network filters, and forwards the network data to a network anomaly detection system, a finite state automata detector, a privacy limitation detector and a fault detection system.
3. The novel industrial control system cyber-physical security architecture of claim 1, wherein: the network behavior configuration file constructing step comprises the following steps:
under the condition of not experiencing attacks or abnormal conditions, the network data provided by the extractor is utilized to extract the physical equipment state value from the network data, and a network behavior configuration file is generated.
4. The novel industrial control system cyber-physical security architecture of claim 1, wherein: in the network anomaly detection system, the network data obtained within a sampling period is compared with the parameters of the pre-constructed network behaviour profile, and behaviour anomaly detection on the network data is performed according to:
$\eta(i) > \bar{\eta}(i) + \delta(i) \qquad (1)$
where $\eta(i)$ is the $i$-th value of the anomaly detection parameter, $\bar{\eta}(i)$ is the $i$-th value of the corresponding parameter stored in the pre-constructed network behaviour profile, and $\delta(i)$ is an uncertainty value.
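The profile construction of claim 3 and the test of equation (1) of claim 4, as an added example that is not part of the patent: the profile's stored reference value for each parameter (written eta_bar here) is taken as the mean of attack-free samples and the uncertainty delta as three sample standard deviations; the parameter names, the sample values and that choice of delta are constructed assumptions.

```python
# Added example (not from the patent): build the network behaviour profile of
# claim 3 from attack-free samples, then apply the test of equation (1).
# Parameter names, sample values and the choice delta = 3 sigma are constructed.
from statistics import mean, pstdev


def build_profile(benign_samples, k=3.0):
    """benign_samples: list of {parameter: value} dicts captured while the plant
    was known to be healthy. Returns {parameter: (eta_bar, delta)}: eta_bar is
    the stored reference value, delta the uncertainty (k standard deviations,
    with a small floor so a constant parameter still gets a nonzero tolerance)."""
    profile = {}
    for p in benign_samples[0]:
        values = [s[p] for s in benign_samples]
        profile[p] = (mean(values), max(k * pstdev(values), 1e-6))
    return profile


def detect_anomalies(sample, profile):
    """Equation (1): flag parameter i when eta(i) > eta_bar(i) + delta(i).
    Returns [(parameter, observed, upper_bound), ...] for every violation."""
    violations = []
    for p, (eta_bar, delta) in profile.items():
        eta = sample[p]
        if eta > eta_bar + delta:
            violations.append((p, eta, eta_bar + delta))
    return violations


# Constructed benign window: a tank level (cm) and a pump speed (rpm) read from
# the control network while no attack or abnormal condition was present.
BENIGN = [{"tank_level": lvl, "pump_rpm": rpm}
          for lvl, rpm in [(50.0, 1200), (50.4, 1210), (49.8, 1195), (50.2, 1205),
                           (50.1, 1198), (49.9, 1202), (50.3, 1208), (50.0, 1200)]]
PROFILE = build_profile(BENIGN)

if __name__ == "__main__":
    normal = {"tank_level": 50.2, "pump_rpm": 1207}
    suspect = {"tank_level": 50.1, "pump_rpm": 1800}  # constructed out-of-profile sample
    print(detect_anomalies(normal, PROFILE))   # []
    print(detect_anomalies(suspect, PROFILE))  # pump_rpm flagged
```

As written, equation (1) is one-sided and flags only upward excursions; a symmetric bound would also catch a value that is forced below its baseline.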
5. The novel industrial control system cyber-physical security architecture of claim 1, wherein: in the finite state automata detector, whether the acquired network data belongs to the specific protocol to be analysed and whether it is anomalous is judged as follows:
the character strings of the network data are read one by one and used as the input of a deterministic finite state automaton;
the automaton accepts or rejects the network data provided by the extractor according to its current state and a defined path; a state represents a predefined condition into which the input is brought by the defined transition function;
the deterministic finite state automaton is represented by a quintuple:
$M = (Q, \Sigma, \delta, q_0, F) \qquad (2)$
where $Q$ is a finite set of states, $\Sigma$ is the input alphabet, $\delta: Q \times \Sigma \to Q$ is the transition function, $q_0 \in Q$ is the initial state, and $F \subseteq Q$ is the set of accepting states.
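The quintuple of equation (2) made concrete, as an added example that is not part of the patent: a deterministic finite automaton over a constructed ASCII control protocol (read requests `R<reg>;` and write requests `W<reg>=<val>;`), where any symbol outside the alphabet or any undefined transition rejects the message; the grammar, state names and sample messages are assumptions.

```python
# Added example (not from the patent): a deterministic finite automaton
# M = (Q, Sigma, delta, q0, F) per equation (2) that accepts only well-formed
# messages of a constructed ASCII control protocol and rejects the rest.
# The grammar is invented for illustration:  R<reg>;  or  W<reg>=<val>;
import string

DIGITS = set(string.digits)
Q = {"start", "read", "r_digits", "write", "w_digits", "w_eq", "w_val", "end"}
SIGMA = DIGITS | {"R", "W", "=", ";"}          # input alphabet
Q0 = "start"                                   # initial state
F = {"end"}                                    # accepting states


def _build_delta():
    """Transition function delta: Q x Sigma -> Q as a dict {(state, symbol): state}.
    A pair missing from the dict is an undefined transition (implicit dead state)."""
    d = {("start", "R"): "read", ("start", "W"): "write", ("r_digits", ";"): "end",
         ("w_digits", "="): "w_eq", ("w_val", ";"): "end"}
    for c in DIGITS:
        d[("read", c)] = d[("r_digits", c)] = "r_digits"
        d[("write", c)] = d[("w_digits", c)] = "w_digits"
        d[("w_eq", c)] = d[("w_val", c)] = "w_val"
    return d


DELTA = _build_delta()


def run_dfa(message):
    """Feed the message one character at a time. Returns (accepted, reason)."""
    q = Q0
    for pos, c in enumerate(message):
        if c not in SIGMA:
            return False, f"symbol {c!r} at offset {pos} is not in the alphabet"
        nxt = DELTA.get((q, c))
        if nxt is None:
            return False, f"no transition from {q!r} on {c!r} at offset {pos}"
        q = nxt
    if q in F:
        return True, "accepted"
    return False, f"message ended in non-accepting state {q!r}"


if __name__ == "__main__":
    samples = ["R40001;", "W40002=1500;", "R;", "W40002=;", "R40001", "X1;", "R40001;;"]
    for m in samples:
        ok, why = run_dfa(m)
        print(f"{m:14} {'accept' if ok else 'REJECT':7} {why}")
```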
6. The novel industrial control system cyber-physical security architecture of claim 1, wherein the whitelist database is created as follows:
device information of all physical devices connected to the control area network is acquired while the industrial control system is in a secure state;
the whitelist database is created by inserting the same device information of each physical device twice;
the device information includes the IP address and the MAC address.
7. The novel industrial control system cyber-physical security architecture of claim 1, wherein in the fault detection system, physical fault identification is carried out as follows:
from the definitions of the state vector and the output vector, the residual $r_k$ is calculated with a state estimation algorithm:
$r_k = y_k - \hat{y}_k$
where $y_k$ is the output vector and $\hat{y}_k$ is the output estimate vector;
in the absence of a fault, the residual is zero;
when the residual exceeds the set threshold, a physical fault is detected; when it does not exceed the set threshold, no physical fault is detected.
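The residual test of claim 7 carried through on a small model, as an added example that is not part of the patent: a Luenberger-style state estimator runs beside a constructed first-order plant, the residual r_k = y_k - y_hat_k stays at zero while healthy, and a constant sensor bias is injected to show what the threshold rule sees; the plant constants, observer gain, fault and threshold are all assumptions.

```python
# Added example (not from the patent): residual-based physical fault detection
# as in claim 7, using a Luenberger-style state estimator on a constructed
# first-order plant. Plant constants, gain, fault and threshold are assumptions.

A, B = 0.9, 0.5   # plant model x[k+1] = A*x[k] + B*u[k]  (constructed)
C = 1.0           # output model y[k] = C*x[k]
L = 0.5           # observer gain; the estimator is stable while |A - L| < 1


def simulate(steps, u=2.0, fault_step=None, fault_bias=0.0, x0=0.0):
    """Run plant and estimator side by side and return the residual sequence
    r[k] = y[k] - y_hat[k]. A constant sensor bias is added to y from fault_step on."""
    x, x_hat = x0, x0
    residuals = []
    for k in range(steps):
        faulted = fault_step is not None and k >= fault_step
        y = C * x + (fault_bias if faulted else 0.0)   # measured output
        y_hat = C * x_hat                                # output estimate
        residuals.append(y - y_hat)
        x = A * x + B * u                                # true plant update
        x_hat = A * x_hat + B * u + L * (y - y_hat)      # estimator only sees y
    return residuals


def detect_fault(residuals, threshold):
    """Claim 7 decision rule: a physical fault is detected at step k when
    |r[k]| exceeds the set threshold. Returns the flagged steps."""
    return [k for k, r in enumerate(residuals) if abs(r) > threshold]


if __name__ == "__main__":
    healthy = simulate(60)
    faulty = simulate(60, fault_step=30, fault_bias=5.0)
    print("max |r| with no fault:", max(abs(r) for r in healthy))        # 0.0
    print("flagged steps:", detect_fault(faulty, threshold=1.0))          # [30, 31, 32, 33]
    print("residual at step 59:", round(faulty[59], 3))                   # settles near 0.833
```

The flagged steps end at 33 although the bias persists: a proportional observer absorbs a constant sensor bias, so the residual decays towards bias*(1-A)/(1-A+L) and a fixed threshold sees the fault only transiently. That decay is the failure mode to account for when choosing the threshold.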
8. The novel industrial control system cyber-physical security architecture of claim 1, wherein in the security information and event management system, the data association comprises:
converting the data from the network anomaly detection system, the finite state automata detector, the privacy restriction detector and the fault detection system into a common format;
summarising and associating the data in the common format;
and generating the network security status report of the industrial control area on the basis of predefined association rules.
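The three association steps of claim 8 run end to end, as an added example that is not part of the patent: constructed outputs of the four detectors are mapped onto one schema, grouped per subject and time window, and matched against predefined rules; the record shapes, field names, addresses and rules are all assumptions.

```python
# Added example (not from the patent): the three data-association steps of
# claim 8 run over constructed detector outputs. All shapes and rules are assumed.
from collections import defaultdict
# Constructed raw outputs, each in its producer's own shape.
RAW = [
    ("nads", {"ts": 1000, "ip": "10.0.0.7", "param": "pump_rpm", "eta": 1800, "bound": 1216.5}),
    ("fsa", {"ts": 1001, "src": "10.0.0.7", "msg": "W40002=;", "reason": "no transition on ';'"}),
    ("whitelist", {"ts": 1002, "ip": "10.0.0.7", "mac": "02:00:00:00:00:07", "listed": False}),
    ("fault", {"ts": 1003, "plc": "10.0.0.7", "residual": 5.0, "threshold": 1.0}),
    ("fsa", {"ts": 1500, "src": "10.0.0.3", "msg": "R40001", "reason": "non-accepting end state"}),
]

def to_common(source, rec):
    """Step 1: map a producer record onto one schema (ts, subject, kind, detail)."""
    if source == "nads":
        return dict(ts=rec["ts"], subject=rec["ip"], kind="behaviour_anomaly",
                    detail=f"{rec['param']}={rec['eta']} exceeds {rec['bound']}")
    if source == "fsa":
        return dict(ts=rec["ts"], subject=rec["src"], kind="protocol_reject",
                    detail=f"{rec['msg']!r}: {rec['reason']}")
    if source == "whitelist":  # only an unlisted device produces an alert
        return None if rec["listed"] else dict(ts=rec["ts"], subject=rec["ip"],
                    kind="unknown_device", detail=f"mac {rec['mac']} not whitelisted")
    if source == "fault":
        return dict(ts=rec["ts"], subject=rec["plc"], kind="physical_fault",
                    detail=f"residual {rec['residual']} > {rec['threshold']}")
    raise ValueError(f"unknown source {source}")

def summarise(events, window):
    """Step 2: aggregate common-format events per subject and time window."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["subject"], e["ts"] // window)].append(e)
    return groups

RULES = [  # Step 3: predefined association rules, most specific first (constructed)
    ("intrusion_with_physical_impact", {"unknown_device", "protocol_reject", "physical_fault"}),
    ("malformed_traffic", {"protocol_reject"}),
]

def correlate(raw, window=60):
    events = [e for e in (to_common(s, r) for s, r in raw) if e is not None]
    report = []  # the findings that make up the security status report
    for (subject, _), group in summarise(events, window).items():
        kinds = {e["kind"] for e in group}
        for name, required in RULES:
            if required <= kinds:  # every kind the rule needs was seen together
                report.append({"subject": subject, "finding": name,
                               "evidence": [e["detail"] for e in group]})
                break
    return report
```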
9. The novel industrial control system cyber-physical security architecture of claim 1, wherein the architecture further comprises the following module:
a honeypot, MimePot, used to build a virtual industrial system that lures attackers into attacking the honeypot; the virtual industrial system simulates the physical process and the control process of the industrial control system.
10. The novel industrial control system cyber-physical security architecture of claim 1, wherein the architecture further comprises the following module:
a decision support system, used to structure decision problems hierarchically according to an overall objective and its sub-objectives, to retrieve historical consequence data from the alert database for the decision problem at each level, and to analyse that historical data to obtain decision information that assists the user's decision-making.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210377104.9A CN114779737A (en) 2022-04-12 2022-04-12 Novel industrial control system information physical security system architecture

Publications (1)

Publication Number Publication Date
CN114779737A true CN114779737A (en) 2022-07-22

Family

ID=82428716

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination