JPWO2012111117A1 - Programmable logic controller and programmable logic controller password storage method - Google Patents

Abstract

The programmable logic controller 100 according to the embodiment includes a master unit 110 and one or more slave units 120, 130, 140, 150, 160. The master unit 110 has a composition information table 111a for managing IO numbers assigned to the slave units 120, 130, 140, 150, and 160, and password division data obtained by dividing a password set in the master unit 110. The password distribution information 121a, 131a, 141a, 151a, 161a is generated from the IO numbers assigned to the slave units 120, 130, 140, 150, 160, and the slave units 120, 130, 140, 150, 160 are generated. Stores the password distribution information 121a, 131a, 141a, 151a, 161a sent from the master unit 110.

Description

  The present invention relates to a technique for preventing password leakage in a control system using a programmable logic controller.

  Conventionally, a microprocessor is built in, and the drive control of electric loads such as various actuators and display devices is performed in response to the state of input signals such as operation switches and various sensors and the sequence program stored in the program memory. A programmable logic controller (PLC) that performs the above is well known.

  Each PLC unit (PLC unit) includes a plurality of input units each including an input interface circuit, an output unit including an output interface circuit, and a basic unit that controls the input unit, the output unit, and the like based on a sequence program. The unit is connected to each connector on the motherboard base plate (base unit) having a plurality of connectors connected to each other by bus, or connected to each other by connecting the bus connectors to each other. Structures in which units can be easily mounted or removed and connected in various combinations are widely used.

  In addition, in various forms of PLC units as described above, various means for protecting internal data have been proposed so that anyone other than the system administrator cannot change or steal internal data such as sequence programs and setting information of the PLC unit. ing.

  Conventionally, as a means of protecting internal data, when a system administrator changes or reads internal data from the PLC unit, the PLC unit uses the password information set for itself and the password information entered by the system administrator from a personal computer tool or the like. There is a method of performing collation to determine whether the request source is a system administrator.

  At this time, there are a method of storing the PLC unit itself as a storage destination of the password information set in the PLC, a method of fragmenting the password information of the PLC unit and storing it in another PLC unit, and the like. The method for storing the authentication information by the PLC unit itself is a very natural method from the viewpoint of data storage. On the other hand, (k, n) threshold secret sharing method is known as a method for fragmenting and storing authentication information (see Non-Patent Document 1), and it is easy to apply this method to a PLC.

  On the other hand, the PLC unit is generally equipped with a mechanism for detecting the attachment / detachment of other PLC units on the system in preparation for failure, disconnection, or unit disconnection.

  In addition to this mechanism, in recent years, even if a PLC unit breaks down while the system is in operation, the PLC unit can be replaced with the same type of PLC unit without stopping the system. It is required that the operation can be performed without any change (see Patent Document 1).

JP 2008-97369 A

A. Shamir, “How to Share a Secret,” Commun. ACM, vol. 22 no. 11 pp. 612-613, 1979. )

  As described above, according to the conventional technique, the PLC unit can detect the removal of another unit or the mounting of the unit. However, the PLC unit that is not the replacement target on the control system (the non-replaceable unit) is replaced with the PLC unit after replacement from the PLC unit (the unit before replacement) installed in the slot number that is the replacement target (after replacement). It was not determined whether or not the replaced unit was installed as intended by the control system administrator. In other words, it is determined whether the system administrator is the PLC unit (regular unit) that the system administrator wants to operate on the control system, or the PLC unit (non-regular unit) that the system administrator does not intend to operate on the system. Therefore, there has been a problem that non-regular units are mixed into the control system by replacing the units.

  Also, among the data (password division data) obtained by dividing the password information of the PLC unit into n pieces (n is a natural number not including 0), k or more pieces of password division data (k is excluding 0 below n) If the natural number) is prepared, the password information of the PLC unit may be restored.

  For example, such a restoration method includes the (k, n) threshold secret sharing method described above. When this method is used, the password division data generated by the (k, n) threshold secret sharing method is saved in another PLC unit, but the password division data is also saved in the unit before the exchange. Therefore, each time the unit is exchanged, the password division data decreases, and it is necessary to prevent the password division data from being reduced when the unit exchange is repeated.

  Every time the unit is replaced, the system administrator restores the password information by the (k, n) threshold secret sharing method from the password split data remaining on the control system, and again by the (k, n) threshold secret sharing method. We want to create password split data and distribute and store it in PLC units on the control system including the replaced unit. At this time, if the password split data stored in the unit before replacement and the password split data stored in the unit after replacement are not the same, a malicious worker selects an arbitrary slot number, and When the PLC unit (malicious unit) programmed to steal password information is repeatedly attached to or removed from the slot number, the amount of password division data sent to the malicious unit increases.

  As a result, it becomes a problem that the malicious unit can finally recover the password information using the (k, n) threshold secret sharing method on the acquired password division data. In such a situation, the PLC unit on the control system must prevent the malicious PLC unit from collecting the password when distributing and storing its own password information to other PLC units on the control system. I must.

  For example, a PLC unit that distributes and stores its own password division data in a plurality of other PLC units on the control system (a PLC unit that distributes and stores passwords) is another PLC that actually stores password division data. Need to be sent to the unit. At this time, if the password division data is, for example, data obtained by simply dividing the password information, the PLC unit that stores the password division data extracts the password division data by a malicious operator or stores the passwords in a distributed manner. If the PLC unit mistakenly sends password division data to a malicious unit mixed in the control system, even if it is part of the password information, it will be leaked to the outside.

  In order to prevent such a situation, a PLC unit that divides password information and distributes and stores it in other PLC units on the system is information that cannot be decrypted by other PLC units before dividing the password information. Need to be converted to Alternatively, after dividing the password information, it is necessary to convert the password fragment information into information that cannot be decoded by other PLC units. In any case, the key data used for conversion is meaningless unless the PLC unit that stores and saves the password information in another PLC unit is the only information known on the system.

  Therefore, for PLC units that store passwords in a distributed manner, unit replacement of PLC units that store their own password division data, unit replacement methods can be abused and replaced with malicious units, or units may be stolen It is necessary to take measures against erroneously sending password split data when the replaced unit is not the unit intended by the system administrator. Furthermore, a malicious unit collects various types of password split data (in the case of (k, n) threshold secret sharing method, data corresponding to k password split data is collected) There is a problem that countermeasures must be taken against the problem that the password division data inside the unit easily leaks due to restoration or theft of the unit.

  The present invention has been made in view of the above, and an object of the present invention is to obtain a programmable logic controller that is effective in preventing outflow of passwords that are distributed and stored, and a password storage method for the programmable logic controller.

  In order to solve the above-described problems and achieve the object, the present invention is a programmable logic controller including a master unit and one or more slave units, and the master unit is assigned to the slave unit. It has an organization information table for managing IO numbers, and generates password distribution information using the IO numbers assigned to the slave units from the password division data obtained by dividing the password set in the master unit. The password distribution information sent from the master unit is stored.

  According to the present invention, it is possible to reduce the cost of password management for the system administrator by preventing the outflow of password information.

FIG. 1 is a block diagram showing an overall configuration of a programmable logic controller according to an embodiment of the present invention. FIG. 2 is a flowchart at the time of unit replacement according to the embodiment of the present invention.

  Embodiments of a programmable logic controller and a password storage method for the programmable logic controller according to the present invention will be described below in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a block diagram showing an overall configuration of a programmable logic controller 100 according to an embodiment of the present invention.

<State before unit replacement>
In FIG. 1, the programmable logic controller 100 includes a basic unit 110 (master unit), a plurality of input units 120, 140, 160, and a plurality of output units 130, 150. Here, the input units 120, 140, 160 and the output units 130, 150 are collectively referred to as an input / output unit or a slave unit.

  The basic unit 110 is attached to a detachable connector of the slot 181a of the base unit 180, and an input / output unit (slave unit) connected to the detachable connectors of the other slots 181b, 181c, 181d, 181e, 181f of the base unit 180. Control of 120, 130, 140, 150, 160 and detection of attachment / detachment of the input / output units 120, 130, 140, 150, 160 are performed in cooperation with the base unit 180.

  In the basic unit 110, an MPU 114, a memory (ROM) 111 serving as an auxiliary storage device, a main storage device (RAM) 112, and a data bus interface 113 for communication between the units are provided.

  Input units 120, 140, and 160 are installed in slots 181b, 181d, and 181f of base unit 180, respectively (input unit 120 is installed in slot 181b, input unit 140 is installed in slot 181d, and input unit 160 is installed in slot 181f). Are connected to the basic unit 110 via the base unit 180.

  An external switching signal / analog signal 191 or the like is input to the input unit 120 via an input terminal block (not shown) and is connected to an input I / F (including MPU) 122. An external switching signal / analog signal 193 or the like is input to the input unit 140 via an input terminal block (not shown), and is connected to an input I / F (including MPU) 142. An external opening / closing signal / analog signal 194 or the like is input to the input unit 160 via an input terminal block (not shown) and is connected to an input I / F (including MPU) 162.

  The input unit 120 includes an input I / F (including an MPU) 122, a memory (ROM) 121 that is an auxiliary storage device, a main storage device (RAM) 123, and a data bus I / F 124. The input units 140 and 160 have the same configuration as shown in FIG.

  The output unit 130 includes an output I / F (including an MPU) 132, a memory (ROM) 131 as an auxiliary storage device, a main storage device (RAM) 133, and a data bus I / F 134. The output unit 150 and the output unit 170 to be replaced later with the output unit 150 have the same configuration as shown in FIG. An external load / analog load 192 or the like is connected to the output I / F (including MPU) 132 via an output terminal block (not shown).

  The organization information 111a held in the memory (ROM) 111 of the basic unit 110 includes the slot number of the slot 181b and the head IO number assigned to the slot 181b, the slot number of the slot 181c, and the head IO assigned to the slot 181c. The first IO number assigned to the slot 181d and the slot 181d, the slot number of the slot 181e and the first IO number assigned to the slot 181e, the slot number of the slot 181f and the first IO number assigned to the slot 181f. , Is a data group (organization information table).

  The password distribution information 111c is the password information set in the basic unit 110 itself used for authentication to the system (for example, authentication for reading data in the PLC unit from the engineering tool), for example, (k, n) secret sharing method. This is reversible data (password distributed storage data) generated by using the head IO number of the basic unit 110 for the password division data divided by the above. The password distribution information 111c can be restored to the original password division data by the head IO number assigned to the basic unit 110.

  The replacement password 111b is data for determining whether the replacement of the unit is the replacement intended by the system administrator for the unit after the replacement by the basic unit 110.

  The password sharing information 121a is the same as the password sharing information 111c, and the password information set in the basic unit 110 used for authentication to the system is divided into password division data obtained by dividing the password information by the (k, n) secret sharing method. Reversible data (password distributed storage data) generated in the basic unit 110 using the IO number and transmitted to the input unit 120.

  Similarly, the password sharing information 131a, 141a, 151a, and 161a are respectively input / output to password division data obtained by dividing the password information set in the basic unit 110 used for authentication to the system by the (k, n) secret sharing method. Reversible data (password distributed storage data) generated in the basic unit 110 using the first IO number of the units 130, 140, 150, 160 and sent to the input / output units 130, 140, 150, 160, respectively. It is.

  The output unit 150 is a unit that is replaced in an operating system, and corresponds to the unit before replacement described above.

  The output unit 170 is a unit added to the system after replacement in place of the output unit 150, and corresponds to the unit after replacement described above.

  The replacement password 171b is password information for the basic unit 110 to determine whether or not the output unit 170 is a unit that has been intentionally replaced by the system administrator when the unit is replaced.

<Unit replacement flow>
Next, the operation at the time of unit replacement according to the embodiment in the programmable logic controller 100 shown in FIG. 1 will be described in detail with reference to the flowchart of FIG. The flowchart of FIG. 2 relates to the operation within the basic unit 110. The output unit 170 shown in FIG. 1 corresponds to the “unit after replacement” in the flowchart of FIG. 2, the output unit 150 corresponds to the “unit before replacement” in FIG. 2, and the slot 181e corresponds to the “replacement target” in FIG. Corresponds to “slot”.

  First, in step S200, the basic unit 110 has removed the PLC unit (output unit 150) from the base unit 180 at the slot number of “replacement target slot” and a new PLC unit (output unit 170) is mounted. Is detected.

  Thereafter, in step S210, the basic unit 110 reads the replacement password 171b in the replaced unit (output unit 170).

  Next, in step S220, the basic unit 110 determines whether or not the replacement password 171b read from the output unit 170 after replacement in step S210 matches the replacement password 111b stored in the basic unit 110. To do. If they match (step S220: Yes), the process proceeds to step S230. If they do not match (step S220: No), the process proceeds to step S290. Even when the replacement password cannot be read from the replaced unit (output unit 170) in step S210, it is determined that the passwords do not match (step S220: No), and the process proceeds to step S290. move on.

  In step S230, since it is determined in step S220 that the installed output unit 170 after replacement is a unit due to installation intended by the system administrator, it is stored in the replaced unit in order to prevent the replacement password from being leaked. The exchange password 171b that has been used is deleted.

  Next, in step S240, the basic unit 110 collects the password distribution information stored in the unit mounted in the slot with the slot number not to be replaced that is a slot other than the slot 181e to be replaced. In the case of FIG. 1, the slots with slot numbers not subject to replacement are slots 181b, 181c, 181d, and 181f, and the units attached to them are the input / output units 120, 130, 140, and 160. Therefore, the basic unit 110 collects the password distribution information 121a, 131a, 141a, 161a.

  Next, in step S250, the basic unit 110 uses the head IO number in the composition information 111a for the password distribution information 121a, 131a, 141a, 161a collected from the unit installed in the slot with the slot number not to be replaced. It tries to restore password information by restoring to password split data and using (k, n) threshold secret sharing method.

  If the number of pieces of password distribution information collected in step S240 is less than k, the password information cannot be restored by the (k, n) threshold secret sharing method (step S250: No). In this case, the process proceeds to step S290. If the password information can be restored (step S250: Yes), the process proceeds to step S260.

  In step S260, the basic unit 110 reads the head IO number assigned to the slot number of the replacement target slot 181e from the composition information 111a.

  Next, in step S270, the password information restored in step S250 is divided as password division data using the (k, n) threshold secret sharing method, and the first IO assigned to the exchange target slot number read in step S260. Using the number, the password distribution information sent to the unit before exchange (output unit 150) is generated.

  In step S280, the password distribution information generated in step S270 is transmitted to the exchanged unit (output unit 170), and the process proceeds to step S290.

  Step S290 indicates the end of authentication determination.

  In the above-described embodiment, an example of generating password division data using the (k, n) threshold secret sharing method as a method of dividing a password has been described. However, the password division data is used in a PLC that distributes and stores passwords. The password dividing method is not limited to the (k, n) threshold secret sharing method. When password information of a certain PLC unit is divided into n pieces (n is a natural number not including 0), k pieces of password division data (k is n or less) out of n pieces of data (password division data). If the method can restore the password information of the PLC unit by aligning the natural numbers (not including 0), a method other than the (k, n) threshold secret sharing method can be implemented in the same manner as in the above embodiment. .

  As described above, the programmable logic controller password storage method according to the embodiment of the present invention is a programmable logic controller including a basic unit and a plurality of input / output units detachably connected to the basic unit. In order to protect the sequencer program and setting information, the password set in the basic unit is distributed and stored in other units in the system using, for example, a threshold secret sharing method.

  The password storage method of the programmable logic controller according to the embodiment is a technique for reducing the outflow of password when the unit is exchanged in the system. This means that the password management cost can be reduced, and as a result, the risk of leakage of data protected by the password can be reduced.

  The PLC unit of the programmable logic controller according to the embodiment has a function of distributing and storing passwords set in the basic unit in other PLC units, and has a function of detecting the removal / attachment of the PLC unit. The PLC units to be managed are IO-assigned by the IO assignment function. For example, the PLC units managed by the PLC units have slot numbers in the order in which they are connected on the system. The PLC unit of the programmable logic controller according to the embodiment has a function of holding data requested by another PLC unit in its input / output, and the basic unit for controlling the slot number to be exchanged is referred to as “the slot to be exchanged”. Numbered master unit "(basic unit 110 in FIG. 1).

  The “master unit of the slot number to be exchanged” is processed by using the first IO number of the PLC unit installed in the slot number for which the password division data is to be distributed and stored, so that “password” is reversible data to the password division data. Data for distributed storage "is generated. When replacing the unit that is installed in a slot other than the replacement target slot number managed by the “master unit of the replacement target slot number” as the “non-replaceable slot number” and replacing the unit before replacement with the unit after replacement The password distribution storage data stored in the unit in which the “exchanging slot number master unit” is installed in the non-replacement slot number is restored to the password information by the (k, n) threshold distribution method.

  If the unit replacement password is set in advance for the unit after replacement, and the unit replacement password held by the “master unit of the slot number to be replaced” matches the “master unit of the slot number to be replaced” after the replacement Are determined to be regular units. If it is determined that the unit is a regular unit, the “master unit of the slot number to be replaced” deletes the unit replacement password set in advance for the replaced unit.

  Furthermore, the “master unit of the slot number to be exchanged” uses the restored password information and the IO assignment information assigned to the slot number to be exchanged for password distributed storage data (which was distributed and stored in the unit before replacement). Password distributed storage data) and save it in the replaced unit that is determined to be a regular unit.

  “Master unit of slot number to be replaced” indicates that the replacement password preset in the unit after replacement does not match the replacement password held in “Master unit of slot number to be replaced”. Do not send password information, password split data, password distributed storage data, etc. to this unit.

  According to the embodiment of the present invention, the master PLC unit uses a (k, n) threshold secret sharing method to set a password for protecting data such as programs and settings stored in the unit. Even if a malicious worker removes a legitimate unit on the control system and replaces it with a malicious unit, the malicious unit does not contain a replacement password. Otherwise, the password information, password split data, and password distributed storage data are not sent to the malicious unit, so that the password information can be prevented from being leaked. This can reduce the cost of password management for the system administrator.

  Further, according to the embodiment of the present invention, for example, a password that protects data such as programs and settings stored in the unit is assigned to a plurality of PLC units on the system by the (k, n) threshold secret sharing method. The PLC unit serving as the master for the distributed storage, even if the password for storing the password is stored by the malicious unit because the replacement password is known to the malicious operator, the data for the password distributed storage is not Since it is processed by the IO allocation information, it is difficult to restore the password split data. Even if the password split data can be restored, the password split data is generated by the (k, n) threshold secret sharing method. If you do not restore your password-distributed data to password-divided data, it will prevent the password information from leaking it can. This can reduce the cost of password management for the system administrator.

  Furthermore, the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the scope of the invention in the implementation stage. Further, the above embodiments include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent requirements.

  For example, even if some constituent requirements are deleted from all the constituent requirements shown in the above embodiment, the problem described in the column of the problem to be solved by the invention can be solved, and is described in the column of the effect of the invention. In the case where a certain effect can be obtained, a configuration from which this configuration requirement is deleted can be extracted as an invention. Furthermore, you may combine the structural requirements in the said embodiment suitably.

  As described above, the programmable logic controller and the password storage method of the programmable logic controller according to the present invention are useful for preventing the outflow of passwords, and are particularly suitable when the passwords are distributed and stored in a plurality of PLC units.

100 Programmable logic controller 110 Basic unit 120, 140, 160 Input unit 130 Output unit 150 Output unit before replacement in unit replacement 170 Output unit after replacement in unit replacement 111, 121, 131, 141, 151, 161, 171 Memory ( ROM)
112, 123, 133, 143, 153, 163, 173 Main memory (RAM)
113, 124, 134, 144, 154, 164, 174 Data bus I / F
114 MPU
122, 142, 162 Input I / F
132, 152, 172 Output I / F
111a Composition information 111b, 171b Replacement password 111c, 121a, 131a, 141a, 151a, 161a Password distribution information 180 Base unit 181a, 181b, 181c, 181d, 181e, 181f Slot 191, 193, 194 Open / close signal / analog signal, etc. 192 External load / analog load, etc. S200 ~ S290 Step

Claims (12)

A programmable logic controller comprising a master unit and one or more slave units,
The master unit has an organization information table for managing the IO numbers assigned to the slave units, and uses the IO numbers assigned to the slave units from the password division data obtained by dividing the password set for the master unit. To generate password distribution information,
The said slave unit preserve | saves the said password distribution information sent from the said master unit. The programmable logic controller characterized by the above-mentioned. The said master unit produces | generates and preserve | saves self-password distribution information using the IO number allocated to the said master unit from the password division | segmentation data which divided | segmented the password set to the said master unit. Programmable logic controller described in 1. When the slave unit is replaced with a new slave unit,
The master unit is stored by the replaced slave unit only when the first replacement password held by the master unit matches the second replacement password held by the new slave unit. The programmable logic controller according to claim 1, wherein the password distribution information is sent to the new slave unit. When the slave unit is replaced with the new slave unit,
The master unit collects the password distribution information stored in the slave unit that has not been exchanged, and generates the password distribution information to be sent to the new slave unit based on the password distribution information. 4. The programmable logic controller according to 3. If the first replacement password held by the master unit matches the second replacement password held by the new slave unit, the second replacement password is obtained from the new slave unit. The programmable logic controller according to claim 3 or 4, wherein the programmable logic controller is deleted. 6. The programmable logic controller according to claim 1, wherein password division data is generated by dividing a password set in the master unit by a (k, n) threshold secret sharing method. . A password storage method for a programmable logic controller comprising a master unit and one or more slave units,
The master unit generates password division data by dividing a password set in the master unit,
The master unit generates password distribution information from the password split data using an IO number assigned to the slave unit managed by the master unit,
The master unit sends the password distribution information to the slave unit,
The slave unit stores the password distribution information sent from the master unit. A password storage method for a programmable logic controller, wherein: The password saving of the programmable logic controller according to claim 7, wherein the master unit generates and saves self-password distribution information from the password division data using an IO number assigned to the master unit. Method. When the slave unit is replaced with a new slave unit,
Determining whether the first replacement password held by the master unit matches the second replacement password held by the new slave unit;
The programmable logic controller according to claim 7 or 8, wherein the master unit sends the password distribution information stored in the replaced slave unit to the new slave unit only when they match. Password storage method. When the slave unit is replaced with the new slave unit,
The master unit collects the password distribution information stored in the slave unit that has not been exchanged, and generates the password distribution information to be sent to the new slave unit based on the password distribution information. The password storage method for the programmable logic controller according to claim 9. If the first replacement password held by the master unit matches the second replacement password held by the new slave unit, the second replacement password is obtained from the new slave unit. It deletes. The password storage method of the programmable logic controller of Claim 9 or 10 characterized by the above-mentioned. The programmable logic controller according to any one of claims 7 to 11, wherein the password set in the master unit is divided by a (k, n) threshold secret sharing method to generate password division data. Password storage method.

Images