CN202856781U - Industrial control system main station safety device - Google Patents

Industrial control system main station safety device

Info

Publication number
CN202856781U
Authority
CN
China
Prior art keywords
network
industrial control
safety device
outer net
control system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN201220435927.4U
Other languages
Chinese (zh)
Inventor
谢善益
梁智强
傅勇
胡朝辉
罗俊
梁志宏
胡川
周强峰
骆书剑
江泽鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Chengdu Westone Information Industry Inc
Original Assignee
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Chengdu Westone Information Industry Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-08-29
Filing date
2012-08-29
Publication date
2013-04-03
Application filed by Electric Power Research Institute of Guangdong Power Grid Co Ltd and Chengdu Westone Information Industry Inc
Priority to CN201220435927.4U
Application granted
Publication of CN202856781U
Anticipated expiration
Current legal status: Expired - Lifetime

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

Disclosed is an industrial control system main station safety device, characterized in that the device is located at the border of the industrial control main station system. The device comprises an external network host, an internal network host and a non-network isolation channel: the external network host is connected to the external network, the internal network host is connected to the internal network, and the two hosts are connected to each other only through a non-network isolation channel formed by a user-defined private bus and an isolation card (PCIE bus and processing chip). The device provides network communication authentication and encryption services for the main station and the terminals, realizing confidentiality, integrity and anti-replay protection of the transmitted data. At the same time, by adopting a scheme of non-network isolation with separate internal and external hosts, the device realizes secure isolation of the main station's internal network from the external network.

Description

Industrial control system main station safety device
Technical field
The utility model relates to an industrial control system main station safety device that strengthens the security of the isolation between the internal and external networks.
Background technology
Industrial control system (ICS) is the general name for control systems such as SCADA, DCS, PCS and PLC, which are widely used in industries such as electric power, petrochemicals, water conservancy, manufacturing and municipal administration. An industrial control system consists of a main station, a network and terminals. Its principle of operation is that the terminals collect industrial process data and deliver it over the network to the main station; after analysing it, the main station sends control commands over the network to the terminals; the terminals execute the commands and return the results to the main station.
With the development of computer and network technology, and in particular the rapid development of the deep integration of informatization with industrialization and of the Internet of Things, industrial control system products increasingly use general-purpose protocols, general-purpose hardware and general-purpose software, and are connected in various ways to public networks such as the Internet, so that threats such as viruses, Trojan horses and operating system vulnerabilities spread into industrial control systems. On the other hand, traditional industrial control systems were generally designed without considering the communication security problems that interconnection brings; they have almost no isolation features, and their protective capability in an Internet or enterprise management network environment is very weak. As a result, while achieving openness, industrial control systems have reduced their own security, and the messages exchanged between the main station and the terminals generally do not take into account security matters such as authentication, data integrity, data encryption and protection against replay attacks. If any point of an industrial control system is subjected to a network attack, huge losses are very likely; the security problem of industrial control systems is therefore in urgent need of a solution.
Content of the utility model
The technical problem to be solved by the utility model is to provide an industrial control system main station safety device that strengthens the security of the isolation between the internal and external networks.
To solve the above technical problem, the technical solution adopted by the utility model is as follows.
An industrial control system main station safety device, characterized in that the device is located at the border of the industrial control main station system and comprises an external network host, an internal network host and a non-network isolation channel; the external network host is connected to the external network, the internal network host is connected to the internal network, and the external network host and the internal network host are connected by a non-network isolation channel made up of a user-defined private bus and an isolation card (PCIE bus and processing chip).
The external network host, by means of a network firewall module, implements access control based on address and port, effectively prevents various network attacks from the external network, and blocks intrusions that exploit network protocol vulnerabilities and operating system vulnerabilities; in the default configuration the external network host opens no port.
Internal network host: connected to the internal network; responsible for IKE key negotiation; performs encryption and decryption of the data that matches the VPN security policy; uses the L7 (application layer) filtering module to discard illegal industrial control protocol data; and then sends the data either to the service front-end processor on the internal network or, through the non-network isolation channel, to the external network host.
With the technology of the utility model, key negotiation and VPN processing conform to the Chinese national cryptographic (SM) IPSEC VPN technical standard; the SM1 algorithm with 128-bit blocks, the 256-bit SM2 algorithm and the 256-bit SM3 algorithm are supported; ECC certificate authentication is supported; and the security policy and the keys (device key, session key, working key) reside in the internal network host, where they are protected by the external network host.
The non-network isolation channel connects the internal and external network hosts; it is formed by the isolation card driver together with the isolation card hardware (PCIE bus and processing chip), and it is the only channel through which data is exchanged between the internal and external network hosts.
When the internal (external) host sends data to the external (internal) host, the Ethernet frame header is first stripped so that only the IP packet remains; the packet is encapsulated with the user-defined proprietary protocol and transferred over the PCIE bus to the non-network isolation channel, which performs a characteristic-information check. If the check fails the packet is discarded; if it passes, the packet is forwarded to the external (internal) host, which finally removes the proprietary protocol encapsulation and reassembles the IP packet. In this way illegal packets are effectively kept from crossing between the internal and external network hosts, and non-network isolation of the two hosts is achieved. Here, the characteristic-information check performed by the non-network isolation channel means checking the characteristic information in the protocol header of the encrypted data packet.
Beneficial effects: the utility model provides network communication authentication and encryption services for the main station and the terminals and realizes confidentiality, integrity and anti-replay protection of data transmission; at the same time, the device adopts a scheme of non-network isolation with two hosts, internal and external, and realizes secure isolation of the main station's internal network from the external network.
Description of drawings
Fig. 1 is a schematic diagram of the composition and application environment of the main station safety device;
Fig. 2 is a schematic diagram of the data processing flow from the internal network host to the external network host;
Fig. 3 is a schematic diagram of the data processing flow from the external network host to the internal network host.
Detailed description
The utility model is described more fully below in conjunction with the drawings and specific embodiments.
Fig. 1 shows the composition and application environment of the industrial control system main station safety device of the utility model. The main station safety device consists of an internal network host, an external network host and a non-network isolation channel; the external network host is connected to the external network, the internal network host is connected to the internal network, and the internal network host and the external network host are connected by the non-network isolation channel. The internal network host is the core of the main station safety device; it mainly contains the important modules of configuration management, L7 filtering, VPN processing and IKE key negotiation. The security policy and the keys (device key, session key, working key) reside in the internal network host and are protected by the external network host and the non-network isolation channel, which prevent various network attacks from outside and block intrusions that exploit network protocol vulnerabilities and operating system vulnerabilities.
Fig. 2 describes the data processing flow from the internal network host to the external network host, that is, the process by which service data sent from the internal network main station front-end processor to an industrial terminal on the external network is VPN-encrypted by the internal network host of the main station safety device, transferred through the non-network isolation channel and forwarded by the external network host. It is divided mainly into the following steps:
Step 1: the internal network host of the main station safety device receives the plaintext data from the internal network main station front-end processor.
Step 2: the internal network host performs L7 filtering on the plaintext data sent by the front-end processor and discards illegal industrial control protocol data.
Step 3: the internal network host performs VPN encryption according to the VPN policy.
Step 4: the internal network host strips the Ethernet header from the encrypted data, encapsulates it with the proprietary protocol and sends it to the non-network isolation channel.
Step 5: the non-network isolation channel performs the characteristic check; if the check fails the data is discarded, and if it passes the data is sent to the external network host.
Step 6: the external network host decapsulates according to the proprietary protocol and reassembles the IP packet.
Step 7: the external network host performs firewall filtering and sends the data to the external network.
Here, the characteristic check performed by the non-network isolation channel means checking the characteristic information in the protocol header of the encrypted data packet.
Fig. 3 describes the data processing flow from the external network host to the internal network host, that is, the process by which service data sent from an industrial terminal on the external network to the internal network main station front-end processor is checked for attacks by the external network host of the main station safety device, transferred through the non-network isolation channel, and VPN-decrypted and forwarded by the internal network host. It is divided mainly into the following steps:
Step 1: the external network host of the main station safety device receives the encrypted data from the terminal safety protector.
Step 2: the external network host performs the attack-signature check.
Step 3: the external network host strips the Ethernet header from the data, encapsulates it with the proprietary protocol and sends it to the non-network isolation channel.
Step 4: the non-network isolation channel performs the characteristic check; if the check fails the data is discarded, and if it passes the data is sent to the internal network host.
Step 5: the internal network host decapsulates according to the proprietary protocol and reassembles the IP packet.
Step 6: the internal network host performs VPN decryption.
Step 7: the L7 filtering of the internal network host discards illegal industrial control communication data, and finally the plaintext data is sent to the internal network.
Through the utility model, on the one hand, the main station safety device adopts a two-host system with a non-network security isolation channel, strengthening the security of the isolation between the main station's internal and external networks; on the other hand, the main station safety device and the terminal safety protector establish a VPN tunnel and encrypt the messages between the main station and the industrial terminals, using the security features of IPSEC VPN to realize confidentiality, integrity and anti-replay protection of data transmission; and since the encryption keys are produced by dynamic negotiation between the two sides and ECC certificate authentication is adopted, strict authentication between the main station and the industrial terminals is also guaranteed.

Claims (4)

1. An industrial control system main station safety device, characterized in that the safety device is located at the border of the industrial control main station system and comprises an external network host, an internal network host and a non-network isolation channel; the external network host is connected to the external network, the internal network host is connected to the internal network, and the external network host and the internal network host are connected by a non-network isolation channel made up of a user-defined private bus and an isolation card.
2. The industrial control system main station safety device according to claim 1, characterized in that the external network host includes a network firewall module and opens no port in the default configuration; the external network host filters the received packets, then strips the network layer of each packet and sends the stripped packet to the isolation channel; the isolation channel checks the data and then sends it to the internal network host; and the internal network host reassembles the IP packet and performs decryption.
3. The industrial control system main station safety device according to claim 2, characterized in that the internal network host includes an L7 filtering module that discards illegal industrial control protocol data and then sends the data either to the service front-end processor on the internal network or, through the non-network isolation channel, to the external network host.
4. The industrial control system main station safety device according to claim 2, characterized in that the non-network isolation channel consists of a PCIE bus and a processing chip and is the only channel through which data is exchanged between the internal and external network hosts.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201220435927.4U CN202856781U (en) 2012-08-29 2012-08-29 Industrial control system main station safety device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201220435927.4U CN202856781U (en) 2012-08-29 2012-08-29 Industrial control system main station safety device

Publications (1)

Publication Number Publication Date
CN202856781U true CN202856781U (en) 2013-04-03

Family

ID=47987924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201220435927.4U Expired - Lifetime CN202856781U (en) 2012-08-29 2012-08-29 Industrial control system main station safety device

Country Status (1)

Country Link
CN (1) CN202856781U (en)

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401756A (en) * 2013-08-21 2013-11-20 北京华烽泰特科技有限公司 Security protection system used for industrial network
CN103457948A (en) * 2013-08-29 2013-12-18 网神信息技术(北京)股份有限公司 Industrial control system and safety device thereof
CN103475478A (en) * 2013-09-03 2013-12-25 广东电网公司电力科学研究院 Terminal safety protection method and equipment
CN103475478B (en) * 2013-09-03 2017-04-12 广东电网公司电力科学研究院 Terminal safety protection method and equipment
CN103490895B (en) * 2013-09-12 2016-09-14 电小虎能源科技(北京)有限公司 A kind of industrial control identity authentication applying the close algorithm of state and device
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms
CN103812861A (en) * 2014-01-20 2014-05-21 广东电网公司电力科学研究院 IPSEC (internet protocol security) VPN (virtual private network) device, isolation method thereof and isolation system thereof
CN103812861B (en) * 2014-01-20 2017-02-08 广东电网公司电力科学研究院 Isolation method and system for IPSEC (internet protocol security) VPN (virtual private network) device
CN103746920A (en) * 2014-01-24 2014-04-23 成都卫士通信息产业股份有限公司 Method for realizing data transmission based on gatekeeper
CN103746920B (en) * 2014-01-24 2017-03-15 成都卫士通信息产业股份有限公司 A kind of method that data transfer is realized based on gateway
CN104320332A (en) * 2014-11-13 2015-01-28 济南华汉电气科技有限公司 Multi-protocol industrial communication safety gateway and communication method with gateway applied
CN104486336A (en) * 2014-12-12 2015-04-01 冶金自动化研究设计院 Device for safely isolating and exchanging industrial control networks
CN106411816B (en) * 2015-07-29 2021-02-05 研祥智能科技股份有限公司 Industrial control system, safety interconnection system and processing method thereof
CN106411816A (en) * 2015-07-29 2017-02-15 研祥智能科技股份有限公司 Industrial control system, secure interconnection system and processing method thereof
CN105072025A (en) * 2015-08-05 2015-11-18 北京科技大学 Safe protective gateway and system for modern industrial control system network communication
CN105072025B (en) * 2015-08-05 2018-03-13 北京科技大学 For the security protection gateway and system of modern industrial control system network service
CN105187388B (en) * 2015-08-07 2018-05-11 深圳市科陆电子科技股份有限公司 The method and concentrator of network security isolation are realized using concentrator
CN105187388A (en) * 2015-08-07 2015-12-23 深圳市科陆电子科技股份有限公司 Method for realizing network security isolation with concentrator and concentrator
CN106941494A (en) * 2017-03-30 2017-07-11 中国电力科学研究院 A kind of security isolation gateway and its application method suitable for power information acquisition system
CN107276987A (en) * 2017-05-17 2017-10-20 厦门奥普拓自控科技有限公司 A kind of the special line physical isolation industrial data means of communication and system
CN108521423A (en) * 2018-04-10 2018-09-11 江苏亨通工控安全研究院有限公司 HWIL simulation industry control network target range system
CN109194662A (en) * 2018-09-13 2019-01-11 江苏站企动网络科技有限公司 A kind of network-based business information services system
CN109947040B (en) * 2019-02-22 2021-10-08 信联科技(南京)有限公司 Safe intelligent programmable logic controller based on open system and application
CN109947040A (en) * 2019-02-22 2019-06-28 信联科技(南京)有限公司 A kind of safe and intelligent programmable logic controller (PLC) and application based on open system
CN110417756A (en) * 2019-07-11 2019-11-05 北京百度网讯科技有限公司 Across a network data transmission method and device
CN110417756B (en) * 2019-07-11 2022-09-27 北京百度网讯科技有限公司 Cross-network data transmission method and device
CN111142484A (en) * 2019-12-24 2020-05-12 南京轩世琪源软件科技有限公司 Industrial control system and control method
CN111142484B (en) * 2019-12-24 2021-04-30 南京轩世琪源软件科技有限公司 Industrial control system and control method
CN112671719A (en) * 2020-12-08 2021-04-16 山东鲁能软件技术有限公司 Network security isolation method and device based on data stripping and construction method thereof
CN112596483A (en) * 2020-12-17 2021-04-02 浙江国利网安科技有限公司 Data acquisition method and system based on unidirectional import equipment
CN115694945A (en) * 2022-10-25 2023-02-03 北京珞安科技有限责任公司 Industrial terminal host maintenance method, system and equipment
CN115694945B (en) * 2022-10-25 2023-05-23 北京珞安科技有限责任公司 Industrial terminal host maintenance method and equipment

Similar Documents

Publication Publication Date Title
CN202856781U (en) Industrial control system main station safety device
CN109842585B (en) Network information safety protection unit and protection method for industrial embedded system
CN102882789B (en) A kind of data message processing method, system and equipment
CN107172020A (en) A kind of network data security exchange method and system
TW200307423A (en) Password device and method, password system
CN102664896A (en) Safety network transmission system and method based on hardware encryption
CN111800436B (en) IPSec isolation network card equipment and secure communication method
CN109344639A (en) A kind of distribution automation double protection safety chip, data transmission method and equipment
CN101521667B (en) Method and device for safety data communication
CN107094137A (en) A kind of VPN security gateways
CN110011786A (en) A kind of IP secret communication method of high safety
CN102882850A (en) Cryptographic device and method thereof for isolating data by employing non-network way
CN110691074B (en) IPv6 data encryption method and IPv6 data decryption method
CN105635154A (en) Flexible MACSec message encryption and authentication implementation method and device on chip
CN103763301B (en) A kind of system and method for use ppp protocol encapsulations IPsec frame structures
CN106161386A (en) A kind of method and apparatus realizing that IPsec shunts
CN102111377A (en) Network cipher machine
CN110417706A (en) A kind of safety communicating method based on interchanger
CN110768958B (en) IPv4 data encryption method and IPv4 data decryption method
CN111541663A (en) Link exchange encryption system based on national password standard
CN103269301A (en) Desktop type IPSecVPN cryptographic machine and networking method
CN114124416A (en) System and method for quickly exchanging data between networks
Huang et al. The Research of VPN on WLAN
CN105721458A (en) Industrial Ethernet switching method based on ISG security password technique
CN102868686B (en) Method for enhancing data encryption based on ESP (encapsulating security payload) encapsulation

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant (granted publication date: 20130403)
CX01 Expiry of patent term