JP2018139344A - Network system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To achieve a technology to eliminate the influence of information impersonating safety information in a network in which a safety device and a non-safety device coexist.SOLUTION: When a non-safety host (#1)31 connected to a node (#3)23 impersonates a safety host (#1)11 due to a failure, and non-safety information 82 is output to a safety host (#2)12, the non-safety information 82 captured in the safety host (#2)12 through a node (#4)24 is subjected to decryption processing performed by the safety host (#2)12 to be non-safety information 82z; however, since the non-safety information 82 is not encrypted information, the decryption processing fails and the information is discarded.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a network system, for example, a network system in which security devices and non-security devices are mixed in the same network.

  In a network in which safety devices in the railway signal field and non-security devices coexist, in order to ensure safety of security information, there is a known technique for preventing impersonation of non-security devices into safety devices. Here, “impersonation of a non-secure device as a secure device” assumes that information on the non-secure device is converted into information on the secure device due to a malfunction due to a failure or the like. Security equipment is equipment that ensures the safety of train transportation. Therefore, the information handled by the security device is required to have “high reliability”.

  In the railway communication technology standard (IEC62280), it is stipulated that encryption technology is used to prevent spoofing. Generally, AES (NIST FIPS197) widely used at present is used for secrecy.

  In addition, in a transmission apparatus system connected to multiple networks, the network topology is made ring-shaped so that system equalization and tandem connection are possible, so that variable length information frames of asynchronous random access can be performed without collision and discard of information frames. There is a transmission apparatus that can perform non-accumulated transmission (see, for example, Patent Document 1).

  Specifically, for example, a technique of a network system 101 as shown in FIG. 1 is disclosed. In this network system 101, a plurality of transmission terminal devices (gateway devices), more specifically, a node (# 1) 121 to a node (# 6) 126 are connected in series to form a network in a ring shape. doing. A device that wishes to exchange information using this network is called a “host”, and communicates with other hosts via this network line. The security device includes an FSCPU (fail-safe CPU), and has a function of performing verification in the event of a failure or the like, and the possibility of continuing abnormal operation in the event of a failure is eliminated. On the other hand, the non-security device has a normal CPU and does not have a verification function like the FSCPU.

  The transmission terminal devices (node (# 1) 121 to node (# 6) 126) include security control devices (security host (# 1) 111, security host (# 2) 112) and non-security control devices (non-security). A secure host 131) is connected via Ethernet (registered trademark) 191. In FIG. 1A, the secure host (# 1) 111 is connected to the node (# 1) 121. Any of the node (# 1) 121 to the node (# 6) 126 functions as a cycle monitoring node and outputs an information frame (transmission frame) at a predetermined cycle. Here, the IP address of the node (# 1) 121 is “192.168.1.1”, and the IP address of the secure host (# 1) 111 is “192.168.1.10”. The IP address of the node (# 4) 124 is “192.168.4.1”, and the IP address of the secure host (# 2) 112 is “192.168.4.10”.

  FIG. 2 shows the relationship of information frames used when information is transmitted from the secure host (# 1) 111 to the secure host (# 2) 112. As shown in the figure, when information addressed to “192.168.4.10” is output from the secure host (# 1) 111, the node (# 1) 121 sends it from the destination to the node (# 4) 124. Judge as information. The node (# 1) 121 uses the designation of the destination (to # 4) and the position information of the own node (frame number of # 1) to write to the information frame. The node (# 4) 124 extracts information addressed to its own node (addressed to # 4) (in this case, information addressed to “192.168.4.10”) from the information frame, and the security host (# 2) To 112.

JP 2002-353970 A

  By the way, the security device is equipped with an FSCPU (fail-safe CPU) and has a function of performing a test in the event of a failure, etc. However, a non-security device equipped with a normal CPU does not have a function like an FSCPU and continues to operate abnormally at the time of failure. there's a possibility that. Therefore, it is possible for a non-security device to be imitated as a security device in the same network, which may tamper with security information. For example, as shown in FIG. 1B, the information “a” output from the secure host (# 1) 111 to “node (# 4) 124 (secure host (# 2) 112)” The node (# 3) 123 to which the non-secure host 131 is connected may be destroyed. In this case, since the security host (# 2) 112 including the FSCPU detects an abnormality, the information is discarded and erroneous information is not used as the security information. On the other hand, as shown in FIG. 1B, when the non-secure information “b” output from the non-secure host 131 is impersonated as the secure information “b” at the node (# 3) 123, The system host (# 2) 12 may determine that the impersonated security information “b” is normal and misuse it.

  For this reason, in a network used for railway signals, a security device (security host) and a non-security device (non-security host) are operated on separate dedicated lines, and the relay device relays these dedicated lines. It was a complicated configuration.

  This invention is made | formed in view of such a condition, Comprising: It is providing the technique which solves the said subject.

The present invention is a network system in which a security device and a non-security device are mixed and connected by a network, and the security device and the non-security device are each connected to the network by a node device, The security device has a verification function for verifying an abnormal operation, and the non-security device does not have the verification function, and when the security devices communicate with each other, communication using encrypted ciphertext is performed. The communication between the security device and the non-security device, or the communication between the non-security devices, is performed in plain text in a non-encrypted state.
The network may be configured such that the node devices are connected in a ring shape and may have a monitoring function using a periodic refresh method.
The security device includes an encrypted path through which encrypted communication is transmitted and a non-encrypted path through which unencrypted communication is transmitted, and the non-security device includes the encrypted communication. It is not necessary to provide an encryption path for transmitting.
Further, a standard communication standard interface may be used for the connection between the security device and the node device and the connection between the non-security device and the node device.

  According to the present invention, it is possible to realize a technology that eliminates the influence of information that has become security information in a network in which security devices and non-security devices coexist.

It is a figure which shows schematic structure of the network system based on background art. It is a figure which shows the relationship of the information frame in communication between security type | system | group hosts based on background art. It is a figure explaining the outline | summary of the function which prevents impersonation to the security equipment by the non-security equipment based on this embodiment. It is a figure which shows the structure of the network system based on this embodiment. It is a figure which shows the structure of the security type | system | group host and node based on this embodiment. It is a figure which shows the structure of the non-security type | system | group host and node based on this embodiment. It is a figure explaining the setting rule of IP address based on this embodiment. It is a figure which shows the example of a transmission route from a non-secure host to a secure host according to the present embodiment. It is a figure which shows the example of a transmission route from a non-secure host to a secure host according to the present embodiment. It is a figure which shows the structure of the duplexed network system based on this embodiment. It is a figure which shows the example of a transmission route in the duplexed network system based on this embodiment.

  Next, modes for carrying out the present invention (hereinafter, simply referred to as “embodiments”) will be specifically described with reference to the drawings.

  First, the outline of the present embodiment will be described with reference to FIG. In the present embodiment, the security host 10 (security device) is provided with a secret function using AES of secret key encryption. On the other hand, the non-secure host 30 is not equipped with a secret function by AES. The security host 10 is provided with an FSCPU 61 (see FIG. 5 and the like) and supports the above-described secret function. On the other hand, not the FSCPU 61 but a normal CPU (hereinafter referred to as “nCPU 71”) (see FIG. 6 etc.) is mounted on the non-secure host 30 and does not support the above-described secret function. An Ethernet frame is used for communication between the secure host 10 and the non-secure host 30.

  FIG. 3A shows an example of communication by ciphertext from the secure host 10 to the secure host 10. Since the security host 10 implements a secret function by AES, it can encrypt the information to be transmitted and decrypt the received information. FIG. 3B shows an example of communication in plain text from the secure host 10 to the non-secure host 30. The FSCPU 61 selects the ciphertext and the plaintext in the security host 10. FIG. 3C shows an example of plaintext communication from the non-secure host 30 to the non-secure host 30. Since the non-secure host 30 cannot perform encryption and decryption, the plaintext communication is performed.

  FIG. 3D shows an example of communication from the “non-secure host impersonated secure host” 30 x in which the non-secure host 30 has become the secure host 10 to the secure host 10. Since the non-secure host 30 is not equipped with a concealment function by AES, plain text is output. The security-related host 10 that has received the plain text performs a decryption process on the plain text, so that it becomes a meaningless sentence (data) and discards it.

  FIG. 3E shows an example of information transmission by ciphertext from the “non-secure host impersonated secure host” 30 x in which the non-secure host 30 has become the secure host 10. As described above, since the non-secure host 30 is not equipped with a concealment function by AES, information transmission by ciphertext is impossible.

  In this way, even when the non-secure host 30 has become the secure host 10 due to a failure or the like, the secure host 10 that has received the information can tamper with the security information by discarding the message due to a decryption failure. To prevent.

  The secure host 10 is provided with two completely independent communication channels. Specifically, the secure host 10 communicates with the “secure device communication channel (Crypto channel 52 described later)” used for communication between the secure hosts 10 in encrypted text and the non-secure host 30 in plain text. A “non-secure device communication channel (normal channel 51 described later)” is prepared, and the AES concealment function is implemented only in the secure device communication channel (described later crypto channel 52). The non-secure host 30 prepares only one channel as a communication channel. In other words, the non-secure host 30 uses a non-secure device communication channel (a normal channel 51 described later) for communication with the secure host 10 or another non-secure host 30 in either case. Receive a message with (unencrypted data).

  Therefore, when the non-secure host 30 impersonates the secure host 10 and transmits information, the secure host 10 that has received the plaintext message from the secure device communication channel cannot decrypt and discards the received message. More specifically, the message after decryption processing is discarded because it does not constitute an Ethernet frame. As a result, it is possible to prevent falsification of the security information due to the impersonation of the non-security host 30 to the security host 10 and to greatly reduce the number of lines. More specific description will be given below.

  FIG. 4 is a block diagram showing a schematic configuration of the network system 1 according to the present embodiment. In this network system 1, a plurality of transmission terminal devices (node (# 1) 21 to node (# 6) 26) are connected in series to form a network 2 in a ring shape. In the case where the nodes (# 1) 21 to (# 6) 26 are not distinguished, they are simply referred to as “node 20”.

  A device that transmits and receives information using this network 2 is called a “host” and communicates with other hosts by connecting to the node 20. There are a secure host 10 and a non-secure host 30 as hosts. An Ethernet 91 is used for connection between the node 20 and each host (secure host 10 and non-secure host 30).

  In the figure, the secure host (# 1) 11 is connected to the node (# 1) 21. The secure host (# 2) 12 is connected to the node (# 4) 24. A non-secure host (# 1) 31 is connected to the node (# 3) 23.

  The network system 1 according to the present embodiment has a characteristic having a constant periodicity, and the periodicity of information between the network 2 and the node 20 is guaranteed. For example, if the “cycle is set to 500 μs”, the nodes 20 are not connected to each other. Information is transmitted in 500 μs.

  Any of the node (# 1) 21 to the node (# 6) 26 functions as a cycle monitoring node and outputs an information frame (transmission frame) at a predetermined cycle. Here, the node (# 1) 21 is set as the initial period monitoring node.

  Such a “fixed-cycle refresh method” ensures a fixed-cycle of information transmission. The fixed-cycle refresh method is a ring-connected network method in which only one node 20 that monitors a specially defined cycle is used, and information frames are circulated according to a cycle created by the node 20 that monitors the cycle. An information frame is a frame for each node to put information, and each node 20 exchanges information using a given location of the information frame.

  In the fixed cycle refresh method, even if a disconnection occurs in the network 2, the fixed cycle is maintained as much as possible. That is, even if a partial disconnection occurs, since the fixed-cycle transmission is continued on the remaining normally connected line, the node 20 that cannot receive the information frame at a fixed cycle due to the disconnection Start periodic monitoring at the same cycle as the monitoring node. The node 20 that has been periodically monitored so far stops the periodic monitoring and starts an operation equivalent to that of the other nodes 20 when the nodes other than the node 20 start the periodic monitoring. As a result, the function of the periodic refresh method is continued for information exchange between nodes 20 that does not affect disconnection.

  When the node 20 that newly starts the period monitoring after the disconnection is updated, the node 20 can be confirmed, so that the disconnection point can be detected. That is, it is possible to detect which node 20 is disconnected.

  Hosts (secure host 10 and non-secure host 30) transmit information to a desired destination address using IP packets. The node 20 outputs an IP packet in which information acquired from the host is placed at a predetermined transmission frame position with respect to the destination node number read from the IP packet.

  The node 20 that has received the data addressed to itself transmits an IP packet that is the content of the information to the host. As described above, Ethernet communication is established between the hosts. Therefore, even if a host device is added, connection can be established by automatic connection confirmation between the nodes 20 (also referred to as “ARP (Address Resolution Protocol)”), so only the settings of the added host device and the node 20 are supported. It becomes possible.

  Further, in the conventional network, devices (secure host 10 and non-secure host 30) having different information amounts and transmission cycles cannot be mixed in the same network. However, in this network system 1, communication is performed using a standard communication network called Ethernet 91, so that all devices can be connected to the same network 2. In that case, safety for connecting the secure host 10 and the non-secure host 30 to the same network 2 must be considered. Here, in order to prevent the non-secure host 30 from interfering with the secure host 10, the above-described encryption is performed to exchange the secure information between the secure hosts 10.

  The IP addresses set for the host and node are as follows. The IP address setting rule will be described later with reference to FIG. The IP address of the node (# 1) 21 is “192.168.1.1”, and the IP address of the secure host (# 1) 11 connected to the node (# 1) 21 is “192.168.1.10” (non-secure device) Communication channel) and "192.168.101.10." (Security device communication channel). The IP address of the node (# 3) 23 is “192.168.3.1”, and the IP address of the non-secure host (# 1) 31 connected to the node (# 3) 23 is “192.168.3.10” (non-secure Device communication channel). The IP address of the node (# 4) 24 is “192.168.4.1”, and the IP address of the secure host (# 2) 112 connected to it is “192.168.4.10” (non-secure device) Communication channel) and “192.168.104.10” (security device communication channel).

  Here, FIG. 4A corresponds to an example of communication by ciphertext from the secure host 10 to the secure host 10 in FIG. In the security host (# 1) 11, the security information 81 is encrypted and converted into encrypted security information 81x. The source IP address of the encrypted security information 81x is “192.168.101.10”, and the IP address “192.168..12” of the security host (# 2) 12 connected to the node (# 4) 24. 104.10 "is the destination IP address.

  The encrypted security information 81x is taken into the security host (# 2) 12 by the node (# 4) 24 via the node (# 1) 21, the node (# 2) 22, and the node (# 3) 23. Since the information captured here is the encrypted security information 81x, the decryption process is properly performed and the reception is successful.

  FIG. 4B shows an example of communication from the “non-secure host impersonated secure host” 30 x in FIG. 3D to the secure host 10. Here, non-secure information 82 is output from the non-secure host (# 1) 31 connected to the node (# 3) 23 to the secure host (# 2) 12.

  That is, the transmission destination is set to the IP address “192.168.104.10” which is not originally set as the transmission destination from the non-secure host 30 due to a failure or the like. Here, the non-secure information 82 taken into the secure host (# 2) 12 via the node (# 4) 24 is decrypted by the secure host (# 2) 12 to become non-secure information 82z. At this time, since the non-security information 82 is not encrypted information, the non-security information 82 is discarded by becoming a meaningless data by the decryption process.

  Next, the configuration of the secure host 10, the non-secure host 30, and the node 20 will be described. FIG. 5 shows a schematic configuration of the security host 10 and the node 20. The security host 10 includes a Vital device 60 including the FSCPU 61 and two communication boards (a plaintext board 50a and an encryption board 50b).

  The Vital device 60 passes through the encryption board 50 b in connection with the node 20. Information created by the Vital device 60 is referred to as “vital information (Vital information)”. The vital device 60 ensures the reliability / safety corresponding to the safety level (SIL) 4 in the high-frequency mode, for example, indicated by IEC61508 regarding the vital information. Information created by the NVital device 70 (see FIG. 6) is referred to as “non-vital information (NVital information)”.

  The plaintext board 50 a includes a normal channel 51. The encryption board 50 b includes a Crypto channel 52 and an encryption control unit 53.

  The normal channel 51 is a channel in which plain text is used in communication with an external host, and is connected to the Ch_A 41 of the node 20 via the Ethernet 91. The Crypto channel 52 is a channel in which ciphertext is used in communication with an external host, and is connected to the Ch_B 42 of the node 20 by the Ethernet 91.

  The encryption control unit 53 controls the Crypto channel 52. That is, the encryption control unit 53 executes a concealment process using AES.

  The node 20 includes a CPU 43, FPGA 44, Ch_A 41, Ch_B 42, and an optical I / F 45.

  Ch_A 41 is connected to the normal channel 51 of the plaintext board 50 a and the Ethernet 91 as described above. Ch_B 42 is connected to the Crypto channel 52 by the Ethernet 91.

  The optical I / F 45 is connected to another node 20 by an optical cable or the like. When the node 20 communicates with another node 20, the node 20 passes through the FPGA 44 provided between the Ch_A 41 and Ch_B 42 and the optical I / F 45. The FPGA 44 includes a “node number reading function” and a “frame information mounting function”, and exchanges desired information. In other words, the information frame is written to an appropriate position and the information sent to the secure host 10 connected to the information frame is extracted. Further, the FPGA 44 can set whether to use Ch_B 42 according to the connected host, for example, by switching a DIP switch or the like.

  FIG. 6 shows a schematic configuration of the non-secure host 30 and the node 20. The configuration of the node 20 is the same as the configuration illustrated in FIG. 5, but Ch_B 42 cannot be used due to the setting of the FPGA 44.

  The non-security host 30 includes the NVital device 70 including the nCPU 71 and the plaintext board 50a. However, the encryption board 50b may be mixed for common use with the security host 10. However, the encryption board 50 b has the same configuration as that shown in FIG. 5, but the Crypto channel 52 is not used for connection with the node 20. That is, only the communication channel for non-secure devices connected by the Ethernet 91 between the Normal channel 51 and Ch_A 41 is used.

  Note that a configuration in which the functions of the plaintext board 50a and the encryption board 50b are mounted on one communication board may be adopted from the viewpoint of sharing the apparatus.

  FIG. 7 is a diagram showing an IP address setting rule. The first to third octets are network segments. The first octet is a fixed value of “192”. In the second octet, “168” to “171” are assigned to the line numbers 1 to 4. In this embodiment, “168” of line number 1 is set. For the third octet, “node number” is set when using Ch_A41, and “node number +100” is set when using Ch_B42. For the fourth octet, “1” is set for the node 20, and “2 to 255” is set for the host (secure host 10, non-secure host 30).

  In network management, in setting the IP address of the host device (secure host 10, non-secure host 30), the network number matches the node number of the node 20 to be connected. For example, if the IP address of the node 20 is “192.168.N.1” (N is a natural number), the IP address of the secure host 10 connected to the node 20 is “192.168.N.10”. The secure host 10 registers the connected node 20 as a gateway (gateway: 192.168.N.1). Therefore, if the network numbers are different, the node 20 cannot be used as a gateway.

  8 and 9 are diagrams showing a transmission route from the non-secure host 30 to the secure host 10. More specifically, in the secure host 10, the node 20, and the non-secure host 30 shown in FIGS. 5 and 6, what channel information is transmitted from the non-secure host 30 to the secure host 10 through. It is specifically explained. 8 and 9, the secure host 10 is connected to the node (#N) 20N with the node number “N”. Further, the non-secure host 30 is connected to the node (#M) 20M of the node number “M”. In the drawing, the encryption control unit 53 of the encryption board 50 is omitted.

  8 and 9, plaintext information output from the NVital device 70 is transmitted to the node (#M) 20M via the normal channel 51 of the plaintext board 50a. In the node (#M) 20M, the data is transmitted to the node (#N) 20N via the Ch_A 41, the FPGA 44, and the optical I / F 45.

  In the node (#N) 20N, the information acquired by the FPGA 44 via the optical I / F 45 is information from the secure host or non-secure host, with reference to the IP address of the transmission source. Judgment.

  If it is determined that the information is the security host information, the FPGA 44 selects Ch_B 42 as a channel for communicating with the security host 10 as shown in FIG.

  In the secure host 10, the Crypto channel 52 of the encryption board 50b acquires information via the Ch_B 42 of the node (#N) 20N. At this time, since the information output from the non-secure host 30 is plain text data, the Crypto channel 52 fails to decrypt and discards the information (message discard). Therefore, the impersonation information is not transmitted to the Vital device 60.

  If it is determined that the information is information on the non-secure host, the FPGA 44 selects Ch_A 41 as a channel for communicating with the secure host 10 as shown in FIG.

  As shown in FIG. 9, in the secure host 10, the normal channel 51 of the plaintext board 50a acquires information via the Ch_A 41 of the node (#N) 20N. The plaintext board 50a (normal channel 51) discards the information (discard message) because it is plaintext information (information to the normal channel 51) despite the information impersonated the virtual device 60. Therefore, impersonation information is not transmitted to the Vital device 60 even in this route.

  As described above, according to the network system 1 of the present embodiment, even when the secure host 10 and the non-secure host 30 are installed in the same network 2, the non-secure host 30 has become the secure host 10. The influence of the case can be eliminated, and the soundness of the security information can be ensured.

In order for the non-secure host 30 to become the secure host 10, it is necessary to satisfy (4) or (5) in addition to the following conditions (1) to (3).
Condition (1): The IP address of the non-secure host 30 is the same as the IP address of the secure host 10.
Condition (2): The IP address of the node 20 connected to the non-secure host 30 (referred to as “non-secure node”) is the same as the IP address of the node 20 connected to the secure host 10 (referred to as “secure node”). become. Here, the information location of the security node of the information frame is used.
Condition (3): The default gateway of the non-secure host 30 becomes the node 20 of the condition (2).
Condition (4): The encryption function is implemented in the non-secure host 30.
Condition (5): The prepared non-security information becomes the same data array as the data encrypted by chance.

Among the above conditions, the conditions (1) and (3) depend on the host CPU, and the condition (2) depends on the node CPU, and there must be an error in a plurality of CPUs. By satisfying the conditions (1) to (3), it becomes a “situation to be realized”. In condition (4), physical errors such as arrangement mistakes at the time of facility introduction must occur, and inspection and acceptance are very strict in the railway field (multiple operations are performed). It can't happen. Condition (5) has an occurrence probability per hour of 6.2 × 10 ⁻²¹ , and is sufficiently safe as compared to the safety level (SIL) 4 in the high frequency mode indicated by IEC61508 described above. .
As described above, security information and non-security information can be mixed.

  Here, it is assumed that continuous transmission (increase in load due to line occupancy) occurs due to a malfunction of the NVital device 70 and the processing load on the Vital device 60 increases to hinder normal operation.

  Case 1: It is assumed that an incorrect unit data number is used in an information frame due to a hardware (FPGA 44) failure of the node 20. If the line configuration is a single line and the NVital device 70 is downstream of the Vital device 60 (fake Vital device 60), the information of the Vital device 60 is overwritten, so that the Vital information of the Vital device 60 is not transmitted. However, since this information is discarded and not used as vital information, there is no influence on security.

  Case 2: It is assumed that the NVital device 70 runs away and continues to issue NVital information to the Vital device 60. Although it is NVital information, there is no impact on security, but the total amount of NVital information processed by the Vital device 60 increases and the load on the FSCPU 61 and the like increases. However, since only one message can be transmitted in one cycle, even if a plurality of NVital devices 70 are in the same failure state, even if an incorrect message is transmitted every cycle, the processing load is not greatly affected.

  In the conventional signal LAN, there is no “restriction in hardware that prevents malfunction due to an administrator (user) setting error” in the LAN information, and the host (secure host 10, non-secure host 30) It was a structure that could send and receive information using all information locations. For this reason, the security information transmission / reception must be a “dedicated security transmission LAN” to which only the FSCPU 61, which is premised on not outputting abnormal data at the time of failure, is connected. Further, since the transmission capacity of the LAN itself was small, the security information was also used as a dedicated LAN for each security host 10 by individual settings (ATC LAN, electronic interlocking LAN, etc.).

  In this network system 1, by greatly increasing the transmission capacity, each node 20 is constrained to use a dedicated data position, and basically the one-to-one communication improves the reliability of information. In the existing signal LAN, it is possible to overwrite the non-security information in a place where the security information is to be used. On the other hand, in this network system 1, since the node 20 on which the security information is to be placed is different from the node 20 on which the non-security information is to be placed, information interference due to a CPU error does not occur.

  It is possible to realize the network system 1 that secures the reliability that can be used as the information network of the security host 10 while adopting the highly versatile Ethernet 91 as the interface. That is, since the information of the secure host 10 (Vital device 60) and the non-secure host 30 (NVital device 70) can be mixed, all devices can be connected to the same network and exchange various information. It becomes possible. In addition, even when the network system 1 is initially installed with only a minimally configured device, it is easy to introduce a new device and update the equipment.

  The node 20 and the secure host 10 or non-secure host 30 connected to the node 20 are generally arranged in the same space with the connected devices as a set. At this time, since the Ethernet 91 is used for the connection, not only the optical cable but also a metal cable can be used, the communication cable can be easily routed, and the degree of freedom of installation can be increased.

  FIG. 10 shows a network system 101 in which the above-described network system 1 is multiplexed (duplexed here). In this network system 101, a secure host 110 and a non-secure host 130 are connected to a network (A) 2A and a network (B) 2B. Similarly to the network 2 described above, the network (A) 2A and the network (B) 2B are configured in a ring shape. In the network (A) 2A, power is transmitted clockwise in the figure. In the network (B) 2B, power transmission is performed counterclockwise in the figure.

  The secure host 110 is connected to the network (A) 2A via the node (# N1) 20N1, and is connected to the network (B) 2B via the node (# N2) 20N2. The non-secure host 130 is connected to the network (A) 2A via the node (# M1) 20M1, and is connected to the network (B) 2B via the node (# M2) 20M2.

  The configuration of the node (# N1) 20N1, the node (# N2) 20N2, the node (# M1) 20M1, and the node (# M2) 20M2 is the same as that of the node 20 described above. Here, the CPU 43 and the FPGA 44 described above are configured. The illustration is omitted. Further, the number of nodes and the number of security-type hosts 110 and non-security-type hosts 130 are set according to the system configuration.

  The security host 110 includes one Vital device 60 and two communication boards (a plaintext board 50a and an encryption board 50b) for connecting to the network (A) 2A and the network (B) 2B.

  The plaintext board 50a includes a normal channel (1) 51_1 connected to the network (A) 2A and a normal channel (2) 51_2 connected to the network (B) 2B. Here, the normal channel (1) 51_1 is connected to the Ch_B 42 of the node (# N1) 20N1. The normal channel (2) 51_2 is connected to the Ch_B 42 of the node (# N2) 20N2.

  The encryption board 50b includes a crypto controller (1) 52_1 connected to the network (A) 2A, a crypto controller (2) 52_2 connected to the network (B) 2B, and an encryption controller (not shown) corresponding to each. Prepare. Here, the Crypto channel (1) 52_1 is connected to the Ch_A 41 of the node (# N1) 20N1. The Crypto channel (2) 52_2 is connected to the Ch_A 41 of the node (# N2) 20N2.

  The non-secure host 30 includes an NVital device (1) 70_1, an NVital device (2) 70_2, a plaintext board (1) 50a_1, and a plaintext board (2) 50a_2.

  The NVital device (1) 70_1 is connected to the network (A) 2A and the network (B) 2B via the plaintext board (1) 50a_1. The NVital device (2) 70_2 is connected to the network (A) 2A and the network (B) 2B via the plaintext board (2) 50a_2.

  Specifically, the Normal channel (1) 51_1 of the plaintext board (1) 50a_1 is connected to Ch_A41 of the node (# M1) 20M1, and the Normal channel (2) 51_2 is connected to Ch_A41 of the node (# M2) 20M2. . Also, the normal channel (1) 51_1 of the plaintext board (2) 50a_2 is connected to Ch_B42 of the node (# M1) 20M1, and the Normal channel (2) 51_2 is connected to Ch_B42 of the node (# M2) 20M2.

  In communication in the network system 101, the IP address setting rule described above with reference to FIG. 7 is used. However, since they are duplicated, the IP addresses of the two systems of the network (A) 2A and the network (B) 2B are designated.

  FIG. 11 is a diagram for explaining a transmission route from the secure host 110 to the non-secure host 130. Here, a path when plain text is transmitted from the virtual device 60 of the secure host 110 to the NVital device (1) 70_1 of the non-secure host 130 will be described (however, the optical I / F 45 is omitted).

  In the route using the network (A) 2A (thick solid line), the virtual device 60, the normal channel (1) 51_1 of the plaintext board 50a, the Ch_B 42 of the node (# N1) 20N1, and the network (A) 2A in the clockwise direction in the figure. The route is the route of the Ch_A 41 of the node (# M1) 20M1, the plaintext board (1) 50a_1 of the non-secure host 130, the normal channel (1) 51_1 of the 50a_1, and the NVital device (1) 70_1.

  In the route using the network (B) 2B (thick one-dot broken line), the Vital device 60, the Normal channel (2) 51_2 of the plaintext board 50a, the Ch_B 42 of the node (# N2) 20N2, and the network (B) 2B shown in FIG. The route is a clockwise route, the Ch_A 41 of the node (# M2) 20M2, the plaintext board (1) 50a_1 of the non-secure host 130, the normal channel (2) 51_2 of the 50a_1, and the NVital device (1) 70_1.

  The communication board is configured to be compatible with a plurality of channels, and a product that selects functions / settings with a DIP switch or the like may be used. In such a case, by adopting the configuration of the network system 101, it is possible to avoid the generation of an unused channel (for example, the encryption board 50b in FIG. 6), and an efficient system configuration can be achieved. realizable.

  The present invention has been described based on the embodiments. This embodiment is an exemplification, and it is understood by those skilled in the art that various modifications are possible for the combination of each of those components, and such modifications are also within the scope of the present invention.

1, 101 Network system 2 Network 2A Network (A)
2B network (B)
10, 110 Security host 11 Security host (# 1)
12 Security host (# 2)
20 nodes 20M nodes (#M)
20M1 node (# M1)
20M2 node (# M2)
20N node (#N)
20N1 node (# N1)
20N2 node (# N2)
21-26 node (# 1) to node (# 6)
30, 130 Non-secure host 31 Non-secure host (# 1)
41 Ch_A
42 Ch_B
43 CPU
44 FPGA
45 Hikari I / F
50 Encryption board 51 Normal channel 51_1 Normal channel (1)
51_2 Normal channel (2)
52 Crypto channel 52_1 Crypto channel (1)
52_2 Crypto channel (2)
53 Cryptographic Control Unit 60 Vital Device 61 FSCPU
91 Ethernet

Claims (4)

A network system in which security devices and non-security devices are mixed and connected via a network,
The security device and the non-security device are each connected to the network by a node device,
The security device has a verification function to verify abnormal operation,
The non-security device does not have the verification function,
When the security devices communicate with each other, perform communication using encrypted ciphertext,
A communication in plain text in a non-encrypted state is performed for communication between the security device and the non-security device or between the non-security devices.   The network system according to claim 1, wherein the network is configured by connecting the node devices in a ring shape, and has a monitoring function based on a periodic refresh method. The security device is
An encrypted path through which encrypted communication is transmitted;
A non-encrypted path through which unencrypted communication is transmitted,
The network system according to claim 1, wherein the non-secure device does not include an encryption path through which encrypted communication is transmitted.   The interface of a standard communication standard is used for the connection between the security device and the node device, and the connection between the non-security device and the node device, respectively. The network system according to any of the above.

Images