WO2022239159A1 - Air conditioner, security attack countermeasure method, and program - Google Patents

Air conditioner, security attack countermeasure method, and program Download PDF

Info

Publication number
WO2022239159A1
WO2022239159A1 PCT/JP2021/018105 JP2021018105W WO2022239159A1 WO 2022239159 A1 WO2022239159 A1 WO 2022239159A1 JP 2021018105 W JP2021018105 W JP 2021018105W WO 2022239159 A1 WO2022239159 A1 WO 2022239159A1
Authority
WO
WIPO (PCT)
Prior art keywords
security attack
attack
security
unit
communication
Prior art date
Application number
PCT/JP2021/018105
Other languages
French (fr)
Japanese (ja)
Inventor
弘明 遠藤
弘晃 小竹
香 佐藤
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Priority to PCT/JP2021/018105 priority Critical patent/WO2022239159A1/en
Priority to JP2023520660A priority patent/JPWO2022239159A1/ja
Publication of WO2022239159A1 publication Critical patent/WO2022239159A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures

Definitions

  • the present disclosure relates to air conditioners, security attack coping methods, and programs.
  • Such air-conditioning systems may be subject to security attacks via public networks or by direct access to the field network within the air-conditioning system, and countermeasures are required.
  • Patent Document 1 discloses an intrusion detection device that detects intrusion into a network that connects a controller that controls air conditioners and a monitoring control terminal that monitors the air conditioners in a building management system.
  • This intrusion detection device acquires communication data relating to air conditioners flowing through a network, and adds a system state and cycle to the acquired communication data to generate communication determination data.
  • the intrusion detection device generates a communication permission rule that permits communication in the network and compares it with the communication determination data to detect intrusion into the network.
  • the intrusion detection device outputs an alarm to the network.
  • the output alarm is input to the supervisory control terminal via the network and displayed on the display of the supervisory control terminal.
  • Patent Document 1 When an intrusion into a network is detected, an alarm is output by the monitoring control terminal. It is possible. However, with the manual response after the alarm is output, it takes a considerable amount of time to complete the appropriate measures to respond to the intrusion into the network. There is concern that the impact of
  • the present disclosure has been made to solve the above problems, and aims to provide an air conditioner, a security attack coping method, and a program that can reduce the impact of security attacks.
  • the air conditioner according to the present disclosure is security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and determining the type of the security attack if it is determined that there is a security attack; a security attack countermeasure means for executing a security attack countermeasure process for eliminating the influence of the security attack, which is a process corresponding to the type of the security attack when the security attack detection means determines that there is a security attack; Prepare.
  • FIG. 1 is a block diagram showing the configuration of an air conditioning system according to an embodiment
  • FIG. FIG. 2 is a block diagram showing the hardware configuration of the central control device according to the embodiment
  • Fig. 2 is a block diagram showing the hardware configuration of the outdoor unit according to the embodiment
  • Fig. 2 is a block diagram showing the hardware configuration of the indoor unit according to the embodiment
  • FIG. 2 is a block diagram showing the hardware configuration of the remote controller according to the embodiment
  • FIG. 2 is a block diagram showing the hardware configuration of the communication adapter according to the embodiment
  • FIG. FIG. 2 is a block diagram showing the hardware configuration of the terminal device according to the embodiment
  • a diagram showing an example of an attack type determination table according to the embodiment Flowchart showing the procedure of processing when receiving a communication frame according to the embodiment
  • FIG. 1 is a diagram showing the overall configuration of an air conditioning system 1 according to an embodiment of the present disclosure.
  • the air conditioning system 1 is, for example, a system for air conditioning a building such as a building, a store, etc., and includes a server 2, a centralized control device 3, outdoor units 4a to 4c, indoor units 5a to 5f, a remote controller 6, and a communication adapter 7 .
  • the terminal device 8 is temporarily connected to the air conditioning system 1 during maintenance.
  • the server 2 is, for example, a cloud server that implements a public cloud such as AWS (Amazon Web Services), and is connected to a network N such as the Internet.
  • the server 2 transmits update firmware to the air conditioners (outdoor units 4a to 4c and indoor units 5a to 5f) whose firmware needs to be updated.
  • the server 2 collects data on the operation of each air conditioner (outdoor units 4a to 4c, indoor units 5a to 5f), and provides a service for controlling each air conditioner based on the collected data, or a service based on the collected data.
  • a service is provided for presenting information to persons concerned with the air conditioning system 1 (owner of the building, system manager, maintenance staff, etc.).
  • the centralized control device 3 is a device for centrally managing each air conditioner (outdoor units 4a to 4c, indoor units 5a to 5f) in the air conditioning system 1. It is installed in a place where no one can enter. As shown in FIG. 2, the centralized control device 3 has a hardware configuration including a first communication interface 30, a second communication interface 31, an operation reception unit 32, a display 33, a control circuit 34, and an auxiliary storage device. 35.
  • the first communication interface 30 is an interface for connecting to the network N and communicating with the server 2, for example, an interface based on Ethernet (registered trademark).
  • the second communication interface 31 is an interface for communicating with the outdoor units 4a to 4c via the transmission line 9, which is a centralized transmission line, for example, by a communication method in which an AMI waveform is superimposed on a DC power supply.
  • the operation reception unit 32 includes, for example, one or more input devices such as a keyboard, mouse, keypad, push button, touch panel, and touch pad, and receives an input operation from the user, and performs processing related to the received input operation.
  • a signal is output to the control circuit 34 .
  • the display 33 includes a display device such as a liquid crystal display and an organic EL (Electro Luminescence) display.
  • the display 33 displays a screen or the like for managing the air conditioning system 1 under the control of the control circuit 34 .
  • the control circuit 34 includes a CPU (Central Processing Unit), ROM (Read Only Memory), RAM (Random Access Memory), etc., and controls the centralized control device 3 in an integrated manner.
  • the auxiliary storage device 35 is composed of a readable/writable non-volatile semiconductor memory, HDD (Hard Disk Drive), or the like.
  • the readable and writable nonvolatile semiconductor memory is, for example, EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, or the like.
  • the auxiliary storage device 35 stores a management program for managing the air conditioning system and data used when executing the management program.
  • the outdoor unit 4a, the indoor units 5a, and the indoor units 5b are bus-connected to a transmission line 10a, which is an internal/external transmission line, and are also connected via a first refrigerant pipe (not shown) for circulating the refrigerant. That is, the outdoor unit 4a, the indoor unit 5a, and the indoor unit 5b constitute one refrigerant system.
  • the outdoor unit 4b, the indoor unit 5c, and the indoor unit 5d are bus-connected to a transmission line 10b, which is an internal/external transmission line, and are connected via a second refrigerant pipe (not shown) different from the first refrigerant pipe.
  • a transmission line 10b which is an internal/external transmission line
  • a second refrigerant pipe (not shown) different from the first refrigerant pipe.
  • the outdoor unit 4c, the indoor unit 5e, and the indoor unit 5f are bus-connected to a transmission line 10c, which is an internal/external transmission line. Connected via piping. That is, the outdoor unit 4c and the indoor units 5e and 5f constitute one refrigerant system.
  • the outdoor unit 4 is an example of an air conditioner according to the present disclosure. As shown in FIG. 3, the outdoor unit 4 includes a first communication interface 40, a second communication interface 41, a main unit 42, a control circuit 43, and an auxiliary storage device 44 as a hardware configuration.
  • the first communication interface 40 is an interface for communicating with the central control device 3 , the remote control 6 and other outdoor units 4 via the transmission line 9 .
  • the second communication interface 41 is an interface for communicating with each indoor unit 5 connected to itself via the transmission line 10, which is an internal/external transmission line.
  • the communication method of the transmission line 9, which is a centralized transmission line, and the communication method of the transmission line 10, which is an internal/external transmission line, are the same (for example, a communication method in which an AMI waveform is superimposed on a DC power supply).
  • the main unit 42 is a component for realizing the essential functions of a general outdoor unit, and includes, for example, a compressor, a heat exchanger, an expansion valve, a four-way valve, a fan, and various sensors (current sensor, temperature sensor, etc.). sensor, pressure sensor, frequency sensor, acceleration sensor, etc.).
  • the control circuit 43 is a microcontroller that controls the outdoor unit 4 in an integrated manner.
  • the auxiliary storage device 44 is composed of a readable and writable non-volatile semiconductor memory such as EEPROM and flash memory, for example.
  • the auxiliary storage device 44 stores firmware, which is a software program for the control circuit 43 to control the outdoor unit 4 to implement functions related to air conditioning, and data used when executing the firmware.
  • firmware which is a software program for the control circuit 43 to control the outdoor unit 4 to implement functions related to air conditioning, and data used when executing the firmware.
  • a security attack countermeasure program which is a program for realizing the functions according to the present disclosure and is a program for countering security attacks from the outside, and when the security attack countermeasure program is executed, The data used are stored.
  • the above security attack countermeasure program can be downloaded to the outdoor unit 4 via the network N from another device such as the server 2.
  • the outdoor unit 4 can also receive a security attack countermeasure program from the terminal device 8 through communication via the remote controller 6 .
  • security attack countermeasure programs include CD-ROM (Compact Disc Read Only Memory), DVD (Digital Versatile Disc), magneto-optical disc, USB (Universal Serial Bus) memory, HDD, SSD (Solid State Drive), memory card, etc. It is also possible to store and distribute on a computer-readable recording medium. When such a recording medium is attached to the outdoor unit 4, the outdoor unit 4 can also read and import the security attack countermeasure program from the recording medium.
  • the indoor unit 5 is an example of an air conditioner according to the present disclosure. As shown in FIG. 4, the indoor unit 5 includes a first communication interface 50, a second communication interface 51, a main unit 52, a control circuit 53, and an auxiliary storage device 54 as a hardware configuration.
  • the first communication interface 50 is an interface for communicating with the outdoor unit 4 and other indoor units 5 via the transmission line 10 .
  • the second communication interface 51 is an interface for electrically connecting to the communication adapter 7 so as to be communicable.
  • the second communication interface 51 is a serial interface such as UART (Universal Asynchronous Receiver/Transmitter).
  • the main unit 52 is a component for realizing the essential functions of a general indoor unit, and includes, for example, a fan, a heat exchanger, a temperature sensor, a humidity sensor, and the like.
  • the control circuit 53 is a microcontroller that comprehensively controls the indoor unit 5 .
  • the auxiliary storage device 54 is composed of a readable and writable non-volatile semiconductor memory such as EEPROM, flash memory, etc., for example.
  • the auxiliary storage device 54 stores firmware, which is a software program for the control circuit 53 to control the indoor unit 5 to realize functions related to air conditioning, and data used when executing the firmware.
  • firmware which is a software program for the control circuit 53 to control the indoor unit 5 to realize functions related to air conditioning, and data used when executing the firmware.
  • a security attack countermeasure program and data used when executing the security attack countermeasure program are stored.
  • the above security attack countermeasure program can be downloaded to the indoor unit 5 via the network N from another device such as the server 2. Also, the indoor unit 5 can receive the security attack countermeasure program from the terminal device 8 by communication via the remote controller 6 . Further, when the above-described recording medium storing the security attack countermeasure program is attached to the indoor unit 5, the indoor unit 5 can read and load the security attack countermeasure program from the recording medium.
  • the remote controller 6 is a remote controller for air conditioning, is connected to the transmission line 9, and receives operations related to air conditioning from the user. As shown in FIG. 5, the remote controller 6 includes a first communication interface 60, a second communication interface 61, an operation reception unit 62, a display 63, a control circuit 64, and an auxiliary storage device 65 as hardware configuration. Prepare.
  • the first communication interface 60 is an interface for communicating with each outdoor unit 4 and the central control device 3 via the transmission line 9 .
  • the second communication interface 61 is an interface for performing short-range wireless communication with the terminal device 8, such as NFC (Near Field Communication), BLE (Bluetooth (registered trademark) Low Energy) communication, visible light communication, and infrared communication. .
  • the operation reception unit 62 includes, for example, one or more input devices such as a push button, a touch panel, and a touch pad, receives an input operation from the user, and outputs a signal related to the received input operation to the control circuit 64. do.
  • input devices such as a push button, a touch panel, and a touch pad
  • the display 63 includes, for example, a display device such as a liquid crystal display or an organic EL display.
  • the display 63 displays various screens under the control of the control circuit 64 .
  • the display 63 is an air conditioning unit for accepting user operations related to air conditioning, such as switching between start/stop of operation, switching between operation modes such as cooling, heating, dehumidification, and ventilation, and changing set temperature, set humidity, wind speed, and the like. Displays the operation screen, etc.
  • the control circuit 64 includes a CPU, ROM, RAM, etc., and controls the remote control 6 in a centralized manner.
  • the auxiliary storage device 65 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM and a flash memory.
  • the auxiliary storage device 65 stores a program for functioning as a user interface, a program for communication with the terminal device 8, and data used when these programs are executed.
  • the communication adapter 7 is a device for connecting the indoor unit 5 to the network N for communication. As shown in FIG. 6, the communication adapter 7 includes a first communication interface 70, a second communication interface 71, a control circuit 72, and an auxiliary storage device 73 as a hardware configuration.
  • the first communication interface 70 is an interface for electrically connecting to the indoor unit 5 so as to be communicable.
  • the first communication interface 70 is a serial interface such as UART.
  • the second communication interface 71 is a wireless LAN (Local Area Network) interface for connecting to the network N and communicating with the server 2, or hardware for mobile data communication.
  • LAN Local Area Network
  • the control circuit 72 includes a CPU, ROM, RAM, etc., and controls the communication adapter 7 in an integrated manner.
  • the auxiliary storage device 73 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM or a flash memory.
  • the auxiliary storage device 73 stores a program for communicating with the indoor unit 5, a program for communicating with the server 2, and data used when these programs are executed.
  • the terminal device 8 is a portable electronic device such as a smart phone or a tablet terminal possessed by a person in charge of maintenance of the air conditioning system 1 . As shown in FIG. 7, the terminal device 8 includes a communication interface 80, an operation receiving section 81, a display 82, a control circuit 83, and an auxiliary storage device 84 as a hardware configuration.
  • the communication interface 80 is an interface for performing the above-described short-range wireless communication with the remote control 6.
  • the operation reception unit 81 includes one or more input devices such as a push button, a touch panel, and a touch pad, receives operation input from the user, and outputs a signal related to the received operation to the control circuit 83 .
  • the display 82 includes a display device such as a liquid crystal display and an organic EL display. Under the control of the control circuit 83, the display 82 displays various screens and the like according to the user's operation.
  • the control circuit 83 includes a CPU, ROM, RAM, etc., and controls the terminal device 8 in an integrated manner.
  • the auxiliary storage device 84 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM or a flash memory.
  • the auxiliary storage device 84 stores a program executed during maintenance of the air conditioning system 1 and data used during execution of the program.
  • the indoor unit 5 includes a security attack detection unit 500, a communication anomaly detection unit 501, a normal response unit 502, a communication anomaly response unit 503, and a security attack response unit 504. These functional units are implemented by the control circuit 53 executing the above-described security attack countermeasure program stored in the auxiliary storage device 54 .
  • the security attack detection unit 500 is an example of security attack detection means according to the present disclosure.
  • the security attack detection unit 500 determines whether or not there is a security attack when a communication frame is received, and if it determines that there is a security attack, determines its type.
  • the security attack detection unit 500 includes an attack presence/absence determination unit 510 and an attack type determination unit 511.
  • the attack presence/absence determination unit 510 determines whether or not there is a security attack. Determine the type of attack.
  • the attack presence/absence determination unit 510 determines whether the received communication frame satisfies each of the following conditions A to C. The attack presence/absence determination unit 510 determines that there is a security attack if the received communication frame satisfies any one of the conditions A to C, and determines that there is no security attack if none of the conditions apply.
  • the fixed time is, for example, 1 minute, and the fixed number of times is, for example, 15 times.
  • the same communication frame means that the commands, data values, and sequence numbers are the same.
  • the above condition C means that the type of the transmission source device and the content of the command do not match. (Usually, the central control device 3, the remote controller 6, and the representative unit of the indoor unit 5 send the operation start command/operation stop command to the other indoor units 5 and the outdoor unit 4.).
  • a table (not shown) showing combinations of device types and commands is stored in the auxiliary storage device 54 in advance.
  • the attack presence/absence determination unit 510 determines that there is no security attack, it notifies the normal response unit 502 that no security attack has been detected. On the other hand, if the attack presence/absence determination unit 510 determines that there is a security attack, the attack type determination unit 510 determines that the security attack has been detected and determines the determination results (that is, whether or not the conditions are met) for each of the conditions A to C. Notify 511.
  • the attack type determination unit 511 determines the type of security attack. In this embodiment, three types of security attacks are assumed: "replay attack”, "spoofing", and "takeover”. The attack type determination unit 511 determines whether or not each of the conditions A to C notified from the attack presence/absence determination unit 510 is met, and the attack type determination table stored in the auxiliary storage device 54 in advance. Based on this, the type of the security attack is determined.
  • the attack type determination table is a table in which rules for determining the type of security attack are defined. Specifically, as shown in FIG. It is a table that associates . In FIG. 9, “O” means that the determination condition is met, and “X” means that the determination condition is not met. Further, the determination conditions include the above conditions A to C and the following condition D.
  • the periodic communication frame is a communication frame that is periodically received from the transmission source. is a communication frame showing Also, "normal reception of the periodic communication frame” means reception of the periodic communication frame in the correct period.
  • Equipment server 2, centralized control device 3, outdoor unit 4, other indoor unit 5 or remote control 6) that is the transmission source of the air conditioner (here, indoor unit 5), content of periodic communication frame, and reception
  • a table (not shown) in which the period is associated is stored in advance in the auxiliary storage device 54 .
  • no normal response means that the response to the communication frame previously transmitted from the air conditioner (here, the indoor unit 5) to the transmission source is a predetermined timeout from the transmission source. It means if you don't get back in time.
  • the attack type determination unit 511 determines that the type of security attack is a "replay attack” regardless of the determination result of condition D. and discriminate. In addition, if the received communication frame does not meet condition A but meets condition C, the attack type determination unit 511 further determines whether the transmission source meets condition D regardless of the determination result of condition B. Based on the result, the type of security attack is determined. Specifically, if the source does not meet condition D, the attack type determination unit 511 determines that the type of security attack is “spoofing”. The type of security attack is determined to be "hijacking".
  • the attack type determination unit 511 determines that the type of security attack is "spoofing" regardless of the determination results of conditions B to D.
  • the attack type determination unit 511 notifies the security attack response unit 504 of the determined type of security attack.
  • the communication abnormality detection unit 501 detects communication abnormality. Specifically, the communication error detection unit 501 periodically determines whether or not there is a communication destination that satisfies the condition D described above. If there is a communication destination that satisfies the condition D, the communication error detection unit 501 notifies the communication error handling unit 503 that the communication error has been detected.
  • the normal handling unit 502 executes normal processing based on the content of the received communication frame. For example, when the received communication frame includes a command to change the operation, the normal response unit 502 executes processing for changing the operation of its own device (here, the indoor unit 5) according to the command. . Further, when the received communication frame includes a command to inquire about the state, the normal response unit 502 executes processing for transmitting the state of the device to the transmission source according to the command.
  • the communication anomaly handling unit 503 executes processing corresponding to the occurrence of a communication anomaly. For example, the communication abnormality handling unit 503 notifies the central control device 3, the remote controller 6, or the terminal device 8 that an abnormality has occurred in communication with the communication destination. The central control device 3, the remote controller 6, or the terminal device 8 that has received such notification displays the information regarding the abnormality on the display 33, the display 63, or the display 82 to notify the user. In addition, when the device is equipped with an LED (Light Emitting Diode), the communication abnormality handling unit 503 may notify the user of the communication abnormality by causing the LED to emit light in a predetermined manner, If the device has a speaker, the user may be notified of the communication abnormality by outputting an electronic sound from the speaker.
  • LED Light Emitting Diode
  • the security attack handling unit 504 is an example of security attack handling means according to the present disclosure.
  • the security attack countermeasure unit 504 executes security attack countermeasure processing to eliminate the influence of the security attack.
  • the security attack handling unit 504 executes security attack handling processing according to the type of security attack determined by the attack type determining unit 511 as follows.
  • the security attack response unit 504 detects the communication frame corresponding to condition B, that is, the same communication sent in large quantities from the same source within a certain period of time. Discard all frames without doing anything. However, communication frames that do not meet the condition B are treated as normal even if they are from the same source, and the same processing as the normal handling unit 502 is executed.
  • the security attack response unit 504 detects communication frames that meet condition B or condition C, that is, identical communication frames or communication frames in which the combination of the source and the command does not match are all discarded without doing anything. However, communication frames that do not meet either condition B or condition C are treated as usual even if they are from the same source, and the same processing as the normal handling unit 502 is executed.
  • the security attack response unit 504 discards all communication frames from the transmission source without doing anything. In addition, the security attack handling unit 504 prohibits transmission of communication frames addressed to the source.
  • FIG. 10 is a flow chart showing the procedure of communication frame reception processing executed by the air conditioners (outdoor unit 4 and indoor unit 5).
  • Step S101 The air conditioner determines whether or not a new communication frame has been received from any device in the air conditioning system 1 .
  • a communication frame is received from any device (step S101; YES)
  • the processing of the air conditioner transitions to step S102.
  • Step S102 The air conditioner determines whether there is a security attack. Specifically, the air conditioner determines whether the received communication frame satisfies each of the conditions A to C described above. The air conditioner determines that there is a security attack if the received communication frame satisfies any one of the conditions A to C, and determines that there is no security attack if none of the conditions apply. When it is determined that there is no security attack (step S102; NO), the processing of the air conditioner transitions to step S103. On the other hand, when it is determined that there is a security attack (step S102; YES), the processing of the air conditioner transitions to step S104.
  • Step S103 The air conditioner performs normal processing based on the content of the received communication frame. After that, the processing of the air conditioner returns to step S101.
  • Step S104 The air conditioner determines the type of security attack. Specifically, the air conditioner uses the attack type determination table shown in FIG. 9 to determine which type of security attack is "replay attack”, "spoofing", or "takeover”. discriminate. After that, the processing of the air conditioner transitions to step S105.
  • Step S105 The air conditioner executes security attack countermeasure processing according to the determined type of security attack. After that, the processing of the air conditioner returns to step S101.
  • each air conditioner (each outdoor unit 4 and each indoor unit 5) detects a security attack, it determines the type of the security attack, determines Security attack countermeasure processing corresponding to the type of attack is immediately executed. Therefore, the impact of the security attack can be quickly eliminated, and the impact of the security attack can be suppressed.
  • each air conditioner restricts specific processing based on communication with the sender determined to have a security attack as high-risk processing, but other processing is normal processing. , the influence on the air conditioning system 1 can be suppressed as much as possible, and the user's comfort can be maintained.
  • Modification 1 For example, the conditions under which the security attack detection unit 500 determines whether or not there is a security attack (for example, the condition for determining whether a certain number of times and for a certain period of time in condition B, the same communication frame, etc.), and the type of security attack. (contents of the attack type determination table in FIG. 9) and the like may be changed appropriately via the server 2, the central control device 3, the remote controller 6, the terminal device 8, and the like. Also, the air conditioner may learn and update the contents of conditions such as condition B during operation.
  • a security attack for example, the condition for determining whether a certain number of times and for a certain period of time in condition B, the same communication frame, etc.
  • content of the attack type determination table in FIG. 9 and the like may be changed appropriately via the server 2, the central control device 3, the remote controller 6, the terminal device 8, and the like.
  • the air conditioner may learn and update the contents of conditions such as condition B during operation.
  • a user notification unit (user according to the present disclosure) that notifies the user that a security attack has been detected
  • An example of notification means may be further provided.
  • the security attack detection unit 500 determines that there is a security attack
  • the user notification unit includes the time when the security attack was detected (that is, the current time) and information indicating the type of security attack.
  • a notification is issued to the centralized control device 3, the server 2, the remote controller 6, or the terminal device 8 (hereinafter referred to as the centralized control device 3, etc.).
  • the above security attack detection notification may further include a combination of determination conditions when the type of security attack is determined, the content of security attack response processing, and the like.
  • the central control device 3 or the like Upon receiving the security attack detection notification, the central control device 3 or the like displays the information indicated by the security attack detection notification on the display 33 or the like, or outputs it by voice, etc., to notify the user such as the system administrator or the maintenance staff. do.
  • the security attack detection unit 500 may transmit the security attack detection notification to a pre-registered destination by e-mail, SMS (Short Message Service), or the like.
  • the user notification unit may notify the user that a security attack has been detected by causing an LED provided in the device to emit light in a predetermined manner.
  • a user may be notified that a security attack has been detected by outputting a sound from a speaker provided.
  • the security attack detection unit 500 determines that there is a security attack when receiving a communication frame transmitted from a device having a user interface (the central control device 3, the remote controller 6, and the terminal device 8), the security attack response unit 504 , if a confirmation request frame requesting user confirmation is sent to the device, and then a response frame indicating that the user has been confirmed is received from the device, the previously received communication frame should be treated as a normal communication frame. and normal processing based on the content of the communication frame may be executed.
  • a communication frame with the same content as the communication frame determined to be a "replay attack” (meaning that the command, data value, etc. are the same) is sent to other devices.
  • the security attack response unit 504 may change the content of the communication frame to the extent that it does not affect the operation of the air conditioner, the user's comfort, and the like. For example, if a communication frame determined to be a "replay attack” indicates a change in the set temperature and the set temperature is "26°C", it is necessary to send a communication frame with the same content. Then, the security attack response unit 504 transmits a communication frame in which the set temperature value is changed to "25.5°C".
  • the security attack response unit 504 issues a notification including the content of the communication frame determined to be a “replay attack” (hereinafter referred to as a replay attack detection notification) to each device of the air conditioning system 1.
  • a replay attack detection notification the notification including the content of the communication frame determined to be a “replay attack” (hereinafter referred to as a replay attack detection notification) to each device of the air conditioning system 1.
  • each outdoor unit 4 and each indoor unit 5 that has received the replay attack detection notification may change the content of the communication frame to be transmitted as described above.
  • the security attack response unit 504 issues a notification (hereinafter referred to as a spoofing detection notification) including the address of the transmission source of the communication frame determined to be "spoofing" to each device of the air conditioning system 1.
  • a spoofing detection notification including the address of the transmission source of the communication frame determined to be "spoofing" to each device of the air conditioning system 1.
  • the authorized device with the same address as the address indicated by the spoofing detection notification changes its own address to another authorized address, and transmits a notification indicating the address change to each device in the air conditioning system 1.
  • the central control device 3, the outdoor unit 4, or the like reassigns a different authorized address to the authorized device with the address indicated by the spoofing detection notification, and sends a notification indicating a change in the address of the device to the air conditioning system 1. may be issued to each device in the
  • the security attack response unit 504 issues a notification (hereinafter referred to as a hijacking detection notification) containing the address of the transmission source of the communication frame determined to be "hijacking" to each device of the air conditioning system 1.
  • a hijacking detection notification containing the address of the transmission source of the communication frame determined to be "hijacking" to each device of the air conditioning system 1.
  • each device that receives the hijacking detection notification discards all communication frames from the address indicated in the hijacking detection notification without doing anything, and transmits communication frames addressed to the address. may be omitted.
  • the authorized device having the same address as the address indicated by the takeover detection notification changes its own address to another authorized address, and issues a notification indicating the address change to each device of the air conditioning system 1.
  • the central control device 3, the outdoor unit 4, or the like reassigns a different authorized address to the authorized device with the address indicated by the takeover detection notification, and sends a notification indicating a change in the address of the device to the air conditioning system 1. may be issued to each device in the
  • the security attack response unit 504 performs security attack response processing according to the security attack described above. , change the order. For example, in a set of communication frames for inquiring about the state of an air conditioner (operation mode, wind speed, suction temperature, etc.), in the past, when the inquiry communication frames were transmitted in the order of A state, B state, and C state. Furthermore, the security attack countermeasure unit 504 is changed so that communication frames are transmitted in the order of B state, A state, and C state. In addition, the security attack response unit 504 issues a notification indicating the change (hereinafter referred to as a transmission order change notification) to the inquiry destination of the state.
  • a transmission order change notification a notification indicating the change
  • the device After receiving the above transmission order change notification, the device treats the communication frames related to the status inquiry as normal communication frames only if they are received in the order indicated by the transmission order change notification.
  • the security attack response unit 504 performs security attack response processing in response to the security attack described above, and also detects communication frames related to predetermined highly important information. may restrict the transmission and reception of
  • the security attack response unit 504 restricts the transmission and reception of information used for advanced control such as information indicating whether or not a person is detected by the thermal image sensor provided in the indoor unit 5, or the outdoor unit 4 and the indoor unit 5 Restricts download of firmware, etc. when updating firmware.
  • the attack presence/absence determination unit 510 may further determine the necessity of warning, and may newly add a warning unit to the functional configuration of the air conditioner (see FIG. 8).
  • the conditions for determining that a warning is necessary are less stringent than the conditions for determining that there is a security attack. For example, in condition B, if the same communication frame is received 15 times or more within a certain period of time, it is determined that there is a security attack. determines that a warning is necessary.
  • the warning unit notifies the central control device 3, the server 2, and the remote controller 6 , the terminal device 8 or the like, emits light from the LED of its own device, or outputs voice or electronic sound from its own device to warn the user.
  • the security attack handling unit 504 does not execute security attack handling processing.
  • the central control device 3 and the remote controller 6 may have the same functional configuration (see FIG. 8) as the air conditioner in the above embodiment.
  • All or part of the functional units (see FIG. 8) of the air conditioners (outdoor unit 4 and indoor unit 5) may be realized by dedicated hardware.
  • Dedicated hardware is, for example, a single circuit, a composite circuit, a programmed processor, an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array), or a combination thereof.
  • the present disclosure can be suitably applied to an air conditioning system configured with multiple air conditioners.
  • 1 air conditioning system 2 server, 3 centralized control device, 4, 4a ⁇ 4c outdoor unit, 5, 5a ⁇ 5f indoor unit, 6 remote control, 7 communication adapter, 8 terminal device, 9, 10, 10a ⁇ 10c transmission line, 30 , 40, 50, 60, 70 first communication interface, 31, 41, 51, 61, 71 second communication interface, 32, 62, 81 operation receiving unit, 33, 63, 82 display, 34, 43, 53, 64 , 72, 83 control circuit, 35, 44, 54, 65, 73, 84 auxiliary storage device, 42, 52 main unit, 80 communication interface, 500 security attack detection unit, 501 communication abnormality detection unit, 502 normal response unit, 503 Communication anomaly response unit, 504 Security attack response unit, 510 Attack presence/absence determination unit, 511 Attack type determination unit, N Network

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Selective Calling Equipment (AREA)

Abstract

An indoor unit (5) comprises: a security attack detection part (500) that determines the presence or absence of a security attack at the time of reception of a communication frame and that, when the presence of the security attack has been determined, identifies a type of the security attack; and a security attack response part (504) for, when the presence of a security attack has been determined by the security attack detection part (500), executing a security attack response process that is a process according to the type of the security attack and that is for removing the influence of the security attack.

Description

空調機、セキュリティ攻撃対処方法及びプログラムAir conditioner, security attack coping method and program
 本開示は、空調機、セキュリティ攻撃対処方法及びプログラムに関する。 The present disclosure relates to air conditioners, security attack coping methods, and programs.
 ビル、店舗等の建物の空気調和を行う空調システムにおいて、空調システム内のフィールドネットワークを介して、複数の室外機、複数の室内機等が接続される構成は一般的に知られている。また、近年、インターネット等のパブリックネットワークへの接続環境の充実化に伴い、空調システムを構成する機器をパブリックネットワークへ直接又は間接的に接続されるようにした技術が進展している。 In an air conditioning system that air-conditions buildings such as buildings and stores, a configuration in which multiple outdoor units, multiple indoor units, etc. are connected via a field network within the air conditioning system is generally known. Further, in recent years, with the enhancement of the connection environment to public networks such as the Internet, there has been progress in technology for directly or indirectly connecting the devices constituting the air conditioning system to the public network.
 このような空調システムでは、パブリックネットワーク経由、あるいは、空調システム内のフィールドネットワークに直接にアクセスするなどの方法によってセキュリティ攻撃を受ける可能性があり、その対処が求められる。 Such air-conditioning systems may be subject to security attacks via public networks or by direct access to the field network within the air-conditioning system, and countermeasures are required.
 例えば、特許文献1には、ビル管理システムにおいて、空調機器を制御するコントローラと空調機器を監視する監視制御端末との間を接続するネットワークへの侵入を検知する侵入検知装置について開示されている。この侵入検知装置は、ネットワークを流れる空調機器に関する通信データを取得し、取得した通信データに、システム状態、周期を付加して通信判定データを生成する。また、侵入検知装置は、ネットワークにおける通信を許可する通信許可ルールを生成し、通信判定データと比較してネットワークへの侵入を検知する。そして、ネットワークへの侵入を検知した際、侵入検知装置は、ネットワークに警報を出力する。出力された警報は、ネットワークを介して監視制御端末に入力され、監視制御端末のディスプレイに表示される。 For example, Patent Document 1 discloses an intrusion detection device that detects intrusion into a network that connects a controller that controls air conditioners and a monitoring control terminal that monitors the air conditioners in a building management system. This intrusion detection device acquires communication data relating to air conditioners flowing through a network, and adds a system state and cycle to the acquired communication data to generate communication determination data. Also, the intrusion detection device generates a communication permission rule that permits communication in the network and compares it with the communication determination data to detect intrusion into the network. When an intrusion into the network is detected, the intrusion detection device outputs an alarm to the network. The output alarm is input to the supervisory control terminal via the network and displayed on the display of the supervisory control terminal.
国際公開第2019/004101号WO2019/004101
 上記の特許文献1で開示される技術では、ネットワークへの侵入が検知されると監視制御端末によって警報が出力されるため、その後、管理者等は、当該ネットワークへの侵入に対する措置をとることは可能である。しかしながら、警報が出力された後の人為的な対応では、当該ネットワークへの侵入に対応した適切な措置を終えるまでに少なからず時間を要してしまい、当該ネットワークへの侵入による当該ビル管理システムへの影響が大きくなってしまうという懸念がある。 With the technology disclosed in Patent Document 1, when an intrusion into a network is detected, an alarm is output by the monitoring control terminal. It is possible. However, with the manual response after the alarm is output, it takes a considerable amount of time to complete the appropriate measures to respond to the intrusion into the network. There is concern that the impact of
 本開示は、上記課題を解決するためになされたものであり、セキュリティ攻撃による影響を抑えることが可能な空調機、セキュリティ攻撃対処方法及びプログラムを提供することを目的とする。 The present disclosure has been made to solve the above problems, and aims to provide an air conditioner, a security attack coping method, and a program that can reduce the impact of security attacks.
 上記目的を達成するため、本開示に係る空調機は、
 通信フレームの受信時にセキュリティ攻撃の有無を判定し、セキュリティ攻撃があると判定した場合、当該セキュリティ攻撃の種類を判別するセキュリティ攻撃検出手段と、
 前記セキュリティ攻撃検出手段によってセキュリティ攻撃があると判定された場合、当該セキュリティ攻撃の種類に応じた処理であって、当該セキュリティ攻撃による影響を排除するセキュリティ攻撃対応処理を実行するセキュリティ攻撃対応手段と、を備える。 In order to achieve the above object, the air conditioner according to the present disclosure is
security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and determining the type of the security attack if it is determined that there is a security attack;
a security attack countermeasure means for executing a security attack countermeasure process for eliminating the influence of the security attack, which is a process corresponding to the type of the security attack when the security attack detection means determines that there is a security attack; Prepare.
 本開示によれば、セキュリティ攻撃による影響を抑えることが可能となる。 According to this disclosure, it is possible to reduce the impact of security attacks.
実施の形態における空調システムの構成を示すブロック図1 is a block diagram showing the configuration of an air conditioning system according to an embodiment; FIG. 実施の形態における集中管理装置のハードウェア構成を示すブロック図FIG. 2 is a block diagram showing the hardware configuration of the central control device according to the embodiment; 実施の形態における室外機のハードウェア構成を示すブロック図Fig. 2 is a block diagram showing the hardware configuration of the outdoor unit according to the embodiment; 実施の形態における室内機のハードウェア構成を示すブロック図Fig. 2 is a block diagram showing the hardware configuration of the indoor unit according to the embodiment; 実施の形態におけるリモコンのハードウェア構成を示すブロック図FIG. 2 is a block diagram showing the hardware configuration of the remote controller according to the embodiment; 実施の形態における通信アダプタのハードウェア構成を示すブロック図FIG. 2 is a block diagram showing the hardware configuration of the communication adapter according to the embodiment; FIG. 実施の形態における端末装置のハードウェア構成を示すブロック図FIG. 2 is a block diagram showing the hardware configuration of the terminal device according to the embodiment; 実施の形態における室内機の機能構成を示す図The figure which shows the functional structure of the indoor unit in embodiment. 実施の形態における攻撃種類判別用テーブルの一例を示す図A diagram showing an example of an attack type determination table according to the embodiment 実施の形態における通信フレーム受信時処理の手順を示すフローチャートFlowchart showing the procedure of processing when receiving a communication frame according to the embodiment
 以下、本開示の実施の形態について図面を参照して詳細に説明する。 Hereinafter, embodiments of the present disclosure will be described in detail with reference to the drawings.
 図1は、本開示の実施の形態における空調システム1の全体構成を示す図である。空調システム1は、例えば、ビル、店舗等の建物の空気調和を行うシステムであり、サーバ2と、集中管理装置3と、室外機4a~4cと、室内機5a~5fと、リモコン6と、通信アダプタ7とを備える。また、メンテナンス時において、空調システム1には、端末装置8が一時的に接続される。 FIG. 1 is a diagram showing the overall configuration of an air conditioning system 1 according to an embodiment of the present disclosure. The air conditioning system 1 is, for example, a system for air conditioning a building such as a building, a store, etc., and includes a server 2, a centralized control device 3, outdoor units 4a to 4c, indoor units 5a to 5f, a remote controller 6, and a communication adapter 7 . In addition, the terminal device 8 is temporarily connected to the air conditioning system 1 during maintenance.
<サーバ2>
 サーバ2は、例えば、AWS(Amazon Web Services)等のパブリッククラウドを実現するクラウドサーバであり、インターネット等のネットワークNに接続される。サーバ2は、ファームウェアの更新が必要な空調機(室外機4a~4c、室内機5a~5f)に対して更新用のファームウェアを送信する。また、サーバ2は各空調機(室外機4a~4c、室内機5a~5f)の運転に関するデータを収集し、収集したデータに基づいて各空調機を制御するサービス、あるいは、収集したデータに基づく情報を当該空調システム1の関係者(当該建物のオーナ、システム管理者、メンテナンス担当者等)に提示するサービスを提供する。 <Server 2>
The server 2 is, for example, a cloud server that implements a public cloud such as AWS (Amazon Web Services), and is connected to a network N such as the Internet. The server 2 transmits update firmware to the air conditioners (outdoor units 4a to 4c and indoor units 5a to 5f) whose firmware needs to be updated. In addition, the server 2 collects data on the operation of each air conditioner (outdoor units 4a to 4c, indoor units 5a to 5f), and provides a service for controlling each air conditioner based on the collected data, or a service based on the collected data. A service is provided for presenting information to persons concerned with the air conditioning system 1 (owner of the building, system manager, maintenance staff, etc.).
<集中管理装置3>
 集中管理装置3は、当該空調システム1における、各空調機(室外機4a~4c、室内機5a~5f)を集中して管理するための装置であり、当該建物内の管理室等、関係者以外が立ち入ることのできない場所に設置される。図2に示すように、集中管理装置3は、ハードウェア構成として、第1通信インタフェース30と、第2通信インタフェース31と、操作受付部32と、ディスプレイ33と、制御回路34と、補助記憶装置35とを備える。 <Central control device 3>
The centralized control device 3 is a device for centrally managing each air conditioner (outdoor units 4a to 4c, indoor units 5a to 5f) in the air conditioning system 1. It is installed in a place where no one can enter. As shown in FIG. 2, the centralized control device 3 has a hardware configuration including a first communication interface 30, a second communication interface 31, an operation reception unit 32, a display 33, a control circuit 34, and an auxiliary storage device. 35.
 第1通信インタフェース30は、ネットワークNに接続してサーバ2と通信するためのインタフェースであり、例えば、Ethernet(登録商標)に基づくインタフェースである。第2通信インタフェース31は、集中伝送ラインである伝送ライン9を介して、例えば、DC電源にAMI波形を重畳させる通信方式で室外機4a~4cと通信するためのインタフェースである。 The first communication interface 30 is an interface for connecting to the network N and communicating with the server 2, for example, an interface based on Ethernet (registered trademark). The second communication interface 31 is an interface for communicating with the outdoor units 4a to 4c via the transmission line 9, which is a centralized transmission line, for example, by a communication method in which an AMI waveform is superimposed on a DC power supply.
 操作受付部32は、例えば、キーボード、マウス、キーパッド、押しボタン、タッチパネル、タッチパッド等の1つ以上の入力デバイスを含んで構成され、ユーザからの入力操作を受け付け、受け付けた入力操作に係る信号を制御回路34に出力する。ディスプレイ33は、液晶ディスプレイ、有機EL(Electro Luminescence)ディスプレイ等の表示デバイスを含んで構成される。ディスプレイ33は、制御回路34の制御の下、当該空調システム1を管理するための画面等を表示する。 The operation reception unit 32 includes, for example, one or more input devices such as a keyboard, mouse, keypad, push button, touch panel, and touch pad, and receives an input operation from the user, and performs processing related to the received input operation. A signal is output to the control circuit 34 . The display 33 includes a display device such as a liquid crystal display and an organic EL (Electro Luminescence) display. The display 33 displays a screen or the like for managing the air conditioning system 1 under the control of the control circuit 34 .
 制御回路34は、CPU(Central Processing Unit)、ROM(Read Only Memory)、RAM(Random Access Memory)等を含んで構成され、集中管理装置3を統括的に制御する。補助記憶装置35は、読み書き可能な不揮発性の半導体メモリ、HDD(Hard Disk Drive)等で構成される。読み書き可能な不揮発性の半導体メモリは、例えば、EEPROM(Electrically Erasable Programmable Read-Only Memory)、フラッシュメモリ等である。補助記憶装置35には、当該空調システムを管理するための管理プログラムと、かかる管理プログラムの実行時に使用されるデータとが記憶される。 The control circuit 34 includes a CPU (Central Processing Unit), ROM (Read Only Memory), RAM (Random Access Memory), etc., and controls the centralized control device 3 in an integrated manner. The auxiliary storage device 35 is composed of a readable/writable non-volatile semiconductor memory, HDD (Hard Disk Drive), or the like. The readable and writable nonvolatile semiconductor memory is, for example, EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, or the like. The auxiliary storage device 35 stores a management program for managing the air conditioning system and data used when executing the management program.
<室外機4a~4c、室内機5a~5f>
 室外機4aと、室内機5a及び室内機5bとは、内外伝送ラインである伝送ライン10aにバス接続されるとともに、冷媒を循環させるための図示しない第1冷媒配管を介して接続される。即ち、室外機4aと室内機5a及び室内機5bとは、一の冷媒系統を構成する。 <Outdoor units 4a to 4c, indoor units 5a to 5f>
The outdoor unit 4a, the indoor units 5a, and the indoor units 5b are bus-connected to a transmission line 10a, which is an internal/external transmission line, and are also connected via a first refrigerant pipe (not shown) for circulating the refrigerant. That is, the outdoor unit 4a, the indoor unit 5a, and the indoor unit 5b constitute one refrigerant system.
 室外機4bと、室内機5c及び室内機5dとは、内外伝送ラインである伝送ライン10bにバス接続されるとともに、上記の第1冷媒配管とは異なる図示しない第2冷媒配管を介して接続される。即ち、室外機4bと室内機5c及び室内機5dとは、一の冷媒系統を構成する。 The outdoor unit 4b, the indoor unit 5c, and the indoor unit 5d are bus-connected to a transmission line 10b, which is an internal/external transmission line, and are connected via a second refrigerant pipe (not shown) different from the first refrigerant pipe. be. That is, the outdoor unit 4b, the indoor unit 5c, and the indoor unit 5d constitute one refrigerant system.
 室外機4cと、室内機5e及び室内機5fとは、内外伝送ラインである伝送ライン10cにバス接続されるとともに、上記の第1冷媒配管及び第2冷媒配管のいずれとも異なる図示しない第3冷媒配管を介して接続される。即ち、室外機4cと室内機5e及び5fとは、一の冷媒系統を構成する。 The outdoor unit 4c, the indoor unit 5e, and the indoor unit 5f are bus-connected to a transmission line 10c, which is an internal/external transmission line. Connected via piping. That is, the outdoor unit 4c and the indoor units 5e and 5f constitute one refrigerant system.
 以下、室外機4a~4cにおいて共通する説明については、特に個々を指定せずに室外機4と表記し、室内機5a~5fにおいて共通する説明については、特に個々を指定せずに室内機5と表記し、伝送ライン10a~10cにおいて共通する説明については、特に個々を指定せずに伝送ライン10と表記する。 Hereinafter, descriptions common to the outdoor units 4a to 4c will be referred to as the outdoor unit 4 without specifying each one, and descriptions common to the indoor units 5a to 5f will be referred to as the indoor unit 5 without specifying each one. , and the description common to the transmission lines 10a to 10c will be referred to as the transmission line 10 without specifying each one.
 室外機4は、本開示に係る空調機の一例である。図3に示すように、室外機4は、ハードウェア構成として、第1通信インタフェース40と、第2通信インタフェース41と、メインユニット42と、制御回路43と、補助記憶装置44とを備える。第1通信インタフェース40は、伝送ライン9を介して、集中管理装置3、リモコン6及び他の室外機4と通信するためのインタフェースである。第2通信インタフェース41は、内外伝送ラインである伝送ライン10を介して、自機に接続される各室内機5と通信するためのインタフェースである。本実施の形態では、集中伝送ラインである伝送ライン9の通信方式と内外伝送ラインである伝送ライン10の通信方式は同一(例えば、DC電源にAMI波形を重畳させる通信方式)である。 The outdoor unit 4 is an example of an air conditioner according to the present disclosure. As shown in FIG. 3, the outdoor unit 4 includes a first communication interface 40, a second communication interface 41, a main unit 42, a control circuit 43, and an auxiliary storage device 44 as a hardware configuration. The first communication interface 40 is an interface for communicating with the central control device 3 , the remote control 6 and other outdoor units 4 via the transmission line 9 . The second communication interface 41 is an interface for communicating with each indoor unit 5 connected to itself via the transmission line 10, which is an internal/external transmission line. In this embodiment, the communication method of the transmission line 9, which is a centralized transmission line, and the communication method of the transmission line 10, which is an internal/external transmission line, are the same (for example, a communication method in which an AMI waveform is superimposed on a DC power supply).
 メインユニット42は、一般的な室外機の本来的な機能を実現するための構成部であり、例えば、圧縮機、熱交換器、膨張弁、四方弁、ファン、各種のセンサ(電流センサ、温度センサ、圧力センサ、周波数センサ、加速度センサ等)等を備える。制御回路43は、当該室外機4を統括的に制御するマイクロコントローラである。 The main unit 42 is a component for realizing the essential functions of a general outdoor unit, and includes, for example, a compressor, a heat exchanger, an expansion valve, a four-way valve, a fan, and various sensors (current sensor, temperature sensor, etc.). sensor, pressure sensor, frequency sensor, acceleration sensor, etc.). The control circuit 43 is a microcontroller that controls the outdoor unit 4 in an integrated manner.
 補助記憶装置44は、例えば、EEPROM、フラッシュメモリ等の読み書き可能な不揮発性の半導体メモリ等で構成される。補助記憶装置44には、制御回路43が当該室外機4を制御して空調に係る機能を実現するためのソフトウェアプログラムであるファームウェアと、ファームウェアの実行時に使用されるデータとが記憶される。さらに、補助記憶装置44には、本開示に係る機能を実現するためのプログラムであって、外部からのセキュリティ攻撃に対処するためのプログラムであるセキュリティ攻撃対処プログラムと、セキュリティ攻撃対処プログラムの実行時に使用されるデータとが記憶される。 The auxiliary storage device 44 is composed of a readable and writable non-volatile semiconductor memory such as EEPROM and flash memory, for example. The auxiliary storage device 44 stores firmware, which is a software program for the control circuit 43 to control the outdoor unit 4 to implement functions related to air conditioning, and data used when executing the firmware. Furthermore, in the auxiliary storage device 44, a security attack countermeasure program, which is a program for realizing the functions according to the present disclosure and is a program for countering security attacks from the outside, and when the security attack countermeasure program is executed, The data used are stored.
 上記のセキュリティ攻撃対処プログラムは、サーバ2等の他の装置からネットワークNを介して室外機4にダウンロードすることができる。また、室外機4は、リモコン6を介した通信により端末装置8からセキュリティ攻撃対処プログラムを受信することも可能である。また、セキュリティ攻撃対処プログラムは、CD-ROM(Compact Disc Read Only Memory)、DVD(Digital Versatile Disc)、光磁気ディスク、USB(Universal Serial Bus)メモリ、HDD、SSD(Solid State Drive)、メモリカード等のコンピュータ読み取り可能な記録媒体に格納して配布することも可能である。室外機4は、そのような記録媒体が当該室外機4に装着されると、当該記録媒体からセキュリティ攻撃対処プログラムを読み出して取り込むことも可能である。 The above security attack countermeasure program can be downloaded to the outdoor unit 4 via the network N from another device such as the server 2. The outdoor unit 4 can also receive a security attack countermeasure program from the terminal device 8 through communication via the remote controller 6 . In addition, security attack countermeasure programs include CD-ROM (Compact Disc Read Only Memory), DVD (Digital Versatile Disc), magneto-optical disc, USB (Universal Serial Bus) memory, HDD, SSD (Solid State Drive), memory card, etc. It is also possible to store and distribute on a computer-readable recording medium. When such a recording medium is attached to the outdoor unit 4, the outdoor unit 4 can also read and import the security attack countermeasure program from the recording medium.
 室内機5は、本開示に係る空調機の一例である。図4に示すように、室内機5は、ハードウェア構成として、第1通信インタフェース50と、第2通信インタフェース51と、メインユニット52と、制御回路53と、補助記憶装置54とを備える。第1通信インタフェース50は、伝送ライン10を介して、室外機4及び他の室内機5と通信するためのインタフェースである。第2通信インタフェース51は、通信アダプタ7と通信可能に電気的に接続するためのインタフェースである。本実施の形態では、第2通信インタフェース51は、UART(Universal Asynchronous Receiver/Transmitter)等のシリアルインタフェースである。 The indoor unit 5 is an example of an air conditioner according to the present disclosure. As shown in FIG. 4, the indoor unit 5 includes a first communication interface 50, a second communication interface 51, a main unit 52, a control circuit 53, and an auxiliary storage device 54 as a hardware configuration. The first communication interface 50 is an interface for communicating with the outdoor unit 4 and other indoor units 5 via the transmission line 10 . The second communication interface 51 is an interface for electrically connecting to the communication adapter 7 so as to be communicable. In this embodiment, the second communication interface 51 is a serial interface such as UART (Universal Asynchronous Receiver/Transmitter).
 メインユニット52は、一般的な室内機の本来的な機能を実現するための構成部であり、例えば、ファン、熱交換器、温度センサ、湿度センサ等を備える。制御回路53は、当該室内機5を統括的に制御するマイクロコントローラである。 The main unit 52 is a component for realizing the essential functions of a general indoor unit, and includes, for example, a fan, a heat exchanger, a temperature sensor, a humidity sensor, and the like. The control circuit 53 is a microcontroller that comprehensively controls the indoor unit 5 .
 補助記憶装置54は、例えば、EEPROM、フラッシュメモリ等の読み書き可能な不揮発性の半導体メモリ等で構成される。補助記憶装置54には、制御回路53が当該室内機5を制御して空調に係る機能を実現するためのソフトウェアプログラムであるファームウェアと、ファームウェアの実行時に使用されるデータとが記憶される。さらに、補助記憶装置54には、室外機4と同様、セキュリティ攻撃対処プログラムと、セキュリティ攻撃対処プログラムの実行時に使用されるデータとが記憶される。 The auxiliary storage device 54 is composed of a readable and writable non-volatile semiconductor memory such as EEPROM, flash memory, etc., for example. The auxiliary storage device 54 stores firmware, which is a software program for the control circuit 53 to control the indoor unit 5 to realize functions related to air conditioning, and data used when executing the firmware. Furthermore, in the auxiliary storage device 54, as in the outdoor unit 4, a security attack countermeasure program and data used when executing the security attack countermeasure program are stored.
 上記のセキュリティ攻撃対処プログラムは、サーバ2等の他の装置からネットワークNを介して室内機5にダウンロードすることができる。また、室内機5は、リモコン6を介した通信により端末装置8からセキュリティ攻撃対処プログラムを受信することも可能である。また、室内機5は、セキュリティ攻撃対処プログラムが格納された上述した記録媒体が当該室内機5に装着されると、当該記録媒体からセキュリティ攻撃対処プログラムを読み出して取り込む込むことも可能である。 The above security attack countermeasure program can be downloaded to the indoor unit 5 via the network N from another device such as the server 2. Also, the indoor unit 5 can receive the security attack countermeasure program from the terminal device 8 by communication via the remote controller 6 . Further, when the above-described recording medium storing the security attack countermeasure program is attached to the indoor unit 5, the indoor unit 5 can read and load the security attack countermeasure program from the recording medium.
<リモコン6>
 リモコン6は、空調用のリモートコントローラであり、伝送ライン9に接続され、ユーザから空調に係る操作を受け付ける。図5に示すように、リモコン6は、ハードウェア構成として、第1通信インタフェース60と、第2通信インタフェース61と、操作受付部62と、ディスプレイ63と、制御回路64と、補助記憶装置65とを備える。 <Remote control 6>
The remote controller 6 is a remote controller for air conditioning, is connected to the transmission line 9, and receives operations related to air conditioning from the user. As shown in FIG. 5, the remote controller 6 includes a first communication interface 60, a second communication interface 61, an operation reception unit 62, a display 63, a control circuit 64, and an auxiliary storage device 65 as hardware configuration. Prepare.
 第1通信インタフェース60は、伝送ライン9を介して、各室外機4及び集中管理装置3と通信するためのインタフェースである。第2通信インタフェース61は、端末装置8と、NFC(Near Field Communication)、BLE(Bluetooth(登録商標) Low Energy)通信、可視光通信、赤外線通信等の近距離無線通信を行うためのインタフェースである。 The first communication interface 60 is an interface for communicating with each outdoor unit 4 and the central control device 3 via the transmission line 9 . The second communication interface 61 is an interface for performing short-range wireless communication with the terminal device 8, such as NFC (Near Field Communication), BLE (Bluetooth (registered trademark) Low Energy) communication, visible light communication, and infrared communication. .
 操作受付部62は、例えば、押しボタン、タッチパネル、タッチパッド等の1つ以上の入力デバイスを含んで構成され、ユーザからの入力操作を受け付け、受け付けた入力操作に係る信号を制御回路64に出力する。 The operation reception unit 62 includes, for example, one or more input devices such as a push button, a touch panel, and a touch pad, receives an input operation from the user, and outputs a signal related to the received input operation to the control circuit 64. do.
 ディスプレイ63は、例えば、液晶ディスプレイ、有機ELディスプレイ等の表示デバイスを含んで構成される。ディスプレイ63は、制御回路64の制御の下、各種の画面を表示する。例えば、ディスプレイ63は、ユーザから運転の開始/停止の切り替え、冷房,暖房,除湿,送風等の運転モードの切り替え、設定温度,設定湿度,風速等の変更等の空調に関する操作を受け付けるための空調操作画面等を表示する。 The display 63 includes, for example, a display device such as a liquid crystal display or an organic EL display. The display 63 displays various screens under the control of the control circuit 64 . For example, the display 63 is an air conditioning unit for accepting user operations related to air conditioning, such as switching between start/stop of operation, switching between operation modes such as cooling, heating, dehumidification, and ventilation, and changing set temperature, set humidity, wind speed, and the like. Displays the operation screen, etc.
 制御回路64は、CPU、ROM、RAM等を含んで構成され、リモコン6を統括的に制御する。補助記憶装置65は、例えば、EEPROM、フラッシュメモリ等の読み書き可能な不揮発性の半導体メモリ等で構成される。補助記憶装置65には、ユーザインタフェースとして機能するためのプログラムと、端末装置8との通信に関するプログラムと、これらのプログラムの実行時に使用されるデータとが記憶される。 The control circuit 64 includes a CPU, ROM, RAM, etc., and controls the remote control 6 in a centralized manner. The auxiliary storage device 65 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM and a flash memory. The auxiliary storage device 65 stores a program for functioning as a user interface, a program for communication with the terminal device 8, and data used when these programs are executed.
<通信アダプタ7>
 通信アダプタ7は、室内機5をネットワークNに通信接続させるための機器である。図6に示すように、通信アダプタ7は、ハードウェア構成として、第1通信インタフェース70と、第2通信インタフェース71と、制御回路72と、補助記憶装置73とを備える。 <Communication adapter 7>
The communication adapter 7 is a device for connecting the indoor unit 5 to the network N for communication. As shown in FIG. 6, the communication adapter 7 includes a first communication interface 70, a second communication interface 71, a control circuit 72, and an auxiliary storage device 73 as a hardware configuration.
 第1通信インタフェース70は、室内機5と通信可能に電気的に接続するためのインタフェースである。本実施の形態では、第1通信インタフェース70は、UART等のシリアルインタフェースである。第2通信インタフェース71は、ネットワークNに接続してサーバ2と通信するための無線LAN(Local Area Network)インタフェース、あるいは、モバイルデータ通信用のハードウェアである。 The first communication interface 70 is an interface for electrically connecting to the indoor unit 5 so as to be communicable. In this embodiment, the first communication interface 70 is a serial interface such as UART. The second communication interface 71 is a wireless LAN (Local Area Network) interface for connecting to the network N and communicating with the server 2, or hardware for mobile data communication.
 制御回路72は、CPU、ROM、RAM等を含んで構成され、通信アダプタ7を統括的に制御する。補助記憶装置73は、例えば、EEPROM、フラッシュメモリ等の読み書き可能な不揮発性の半導体メモリ等で構成される。補助記憶装置73には、室内機5と通信するためのプログラムと、サーバ2と通信するためのプログラムと、これらのプログラムの実行時に使用されるデータとが記憶される。 The control circuit 72 includes a CPU, ROM, RAM, etc., and controls the communication adapter 7 in an integrated manner. The auxiliary storage device 73 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM or a flash memory. The auxiliary storage device 73 stores a program for communicating with the indoor unit 5, a program for communicating with the server 2, and data used when these programs are executed.
<端末装置8>
 端末装置8は、当該空調システム1のメンテナンス担当者によって所持されるスマートフォン、タブレット端末等の携帯可能な電子機器である。図7に示すように、端末装置8は、ハードウェア構成として、通信インタフェース80と、操作受付部81と、ディスプレイ82と、制御回路83と、補助記憶装置84とを備える。 <Terminal device 8>
The terminal device 8 is a portable electronic device such as a smart phone or a tablet terminal possessed by a person in charge of maintenance of the air conditioning system 1 . As shown in FIG. 7, the terminal device 8 includes a communication interface 80, an operation receiving section 81, a display 82, a control circuit 83, and an auxiliary storage device 84 as a hardware configuration.
 通信インタフェース80は、リモコン6と上述した近距離無線通信を行うためのインタフェースである。操作受付部81は、押しボタン、タッチパネル、タッチパッド等の1つ以上の入力デバイスを含んで構成され、ユーザからの操作入力を受け付け、受け付けた操作に係る信号を制御回路83に出力する。 The communication interface 80 is an interface for performing the above-described short-range wireless communication with the remote control 6. The operation reception unit 81 includes one or more input devices such as a push button, a touch panel, and a touch pad, receives operation input from the user, and outputs a signal related to the received operation to the control circuit 83 .
 ディスプレイ82は、液晶ディスプレイ、有機ELディスプレイ等の表示デバイスを含んで構成される。ディスプレイ82は、制御回路83の制御の下、ユーザの操作に応じた各種の画面等を表示する。 The display 82 includes a display device such as a liquid crystal display and an organic EL display. Under the control of the control circuit 83, the display 82 displays various screens and the like according to the user's operation.
 制御回路83は、CPU、ROM、RAM等を含んで構成され、端末装置8を統括的に制御する。補助記憶装置84は、例えば、EEPROM、フラッシュメモリ等の読み書き可能な不揮発性の半導体メモリ等で構成される。補助記憶装置84には、空調システム1のメンテナンス時に実行されるプログラムと、当該プログラムの実行時に使用されるデータとが記憶される。 The control circuit 83 includes a CPU, ROM, RAM, etc., and controls the terminal device 8 in an integrated manner. The auxiliary storage device 84 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM or a flash memory. The auxiliary storage device 84 stores a program executed during maintenance of the air conditioning system 1 and data used during execution of the program.
<室外機4及び室内機5の機能構成>
 続いて、いずれも本開示に係る空調機の一例である室外機4及び室内機5の機能構成について説明する。なお、室外機4及び室内機5のそれぞれの機能構成は、本開示に係る特徴的な構成が共通するため、以下では、室内機5の機能構成を両者の代表として詳細に説明する。 <Functional Configuration of Outdoor Unit 4 and Indoor Unit 5>
Subsequently, functional configurations of the outdoor unit 4 and the indoor unit 5, which are both examples of the air conditioner according to the present disclosure, will be described. In addition, since the functional configuration of each of the outdoor unit 4 and the indoor unit 5 has a common characteristic configuration according to the present disclosure, the functional configuration of the indoor unit 5 will be described in detail below as a representative of both.
 図8に示すように、室内機5は、セキュリティ攻撃検出部500と、通信異常検出部501と、通常対応部502と、通信異常対応部503と、セキュリティ攻撃対応部504とを備える。これらの機能部は、制御回路53が補助記憶装置54に記憶されている上述したセキュリティ攻撃対処プログラムを実行することで実現される。 As shown in FIG. 8, the indoor unit 5 includes a security attack detection unit 500, a communication anomaly detection unit 501, a normal response unit 502, a communication anomaly response unit 503, and a security attack response unit 504. These functional units are implemented by the control circuit 53 executing the above-described security attack countermeasure program stored in the auxiliary storage device 54 .
 セキュリティ攻撃検出部500は、本開示に係るセキュリティ攻撃検出手段の一例である。セキュリティ攻撃検出部500は、通信フレームの受信時にセキュリティ攻撃の有無を判定し、セキュリティ攻撃があると判定した場合には、その種類を判別する。詳細には、セキュリティ攻撃検出部500は、攻撃有無判定部510と、攻撃種類判別部511とを備え、攻撃有無判定部510が、セキュリティ攻撃の有無を判定し、攻撃種類判別部511が、セキュリティ攻撃の種類を判別する。 The security attack detection unit 500 is an example of security attack detection means according to the present disclosure. The security attack detection unit 500 determines whether or not there is a security attack when a communication frame is received, and if it determines that there is a security attack, determines its type. Specifically, the security attack detection unit 500 includes an attack presence/absence determination unit 510 and an attack type determination unit 511. The attack presence/absence determination unit 510 determines whether or not there is a security attack. Determine the type of attack.
 具体的には、攻撃有無判定部510は、受信した通信フレームについて、以下の条件A~Cのそれぞれに該当するか否かを判定する。攻撃有無判定部510は、受信した通信フレームについて、条件A~Cのいずれかに該当する場合、セキュリティ攻撃があると判定し、いずれにも該当しない場合、セキュリティ攻撃がないと判定する。 Specifically, the attack presence/absence determination unit 510 determines whether the received communication frame satisfies each of the following conditions A to C. The attack presence/absence determination unit 510 determines that there is a security attack if the received communication frame satisfies any one of the conditions A to C, and determines that there is no security attack if none of the conditions apply.
(条件A)送信元アドレスと自身のアドレスが同一
(条件B)一定時間内に同一の送信元から同一の通信フレームを一定回数以上受信
(条件C)送信元とコマンドの組合せが不一致 (Condition A) The sender address and own address are the same (Condition B) The same communication frame is received from the same sender within a given period of time more than a given number of times (Condition C) The combination of the sender and the command does not match
 上記の条件Bにおいて、一定時間は、例えば1分であり、一定回数は、例えば15回である。また、同一の通信フレームとは、コマンド、データ値、シーケンス番号が同一であることを意味する。また、上記の条件Cは、送信元の機器の種類とコマンドの内容とが一致していないことを意味し、例えば、室内機5において、室外機4から運転開始コマンド又は運転停止コマンドを受信した場合等がこれに該当する(通常は、集中管理装置3、リモコン6、室内機5の代表機から他の室内機5、室外機4に運転開始コマンド/運転停止コマンドが送信される。)。機器の種類とコマンドの組合せを示すテーブル(図示しない)は、予め補助記憶装置54に保存されている。 In the above condition B, the fixed time is, for example, 1 minute, and the fixed number of times is, for example, 15 times. Also, the same communication frame means that the commands, data values, and sequence numbers are the same. In addition, the above condition C means that the type of the transmission source device and the content of the command do not match. (Usually, the central control device 3, the remote controller 6, and the representative unit of the indoor unit 5 send the operation start command/operation stop command to the other indoor units 5 and the outdoor unit 4.). A table (not shown) showing combinations of device types and commands is stored in the auxiliary storage device 54 in advance.
 攻撃有無判定部510は、セキュリティ攻撃がないと判定すると、セキュリティ攻撃が検出されなかったことを通常対応部502に通知する。一方、攻撃有無判定部510は、セキュリティ攻撃があると判定すると、セキュリティ攻撃が検出されたことと、条件A~Cの各々についての判定結果(即ち、該当する否か)とを攻撃種類判別部511に通知する。 When the attack presence/absence determination unit 510 determines that there is no security attack, it notifies the normal response unit 502 that no security attack has been detected. On the other hand, if the attack presence/absence determination unit 510 determines that there is a security attack, the attack type determination unit 510 determines that the security attack has been detected and determines the determination results (that is, whether or not the conditions are met) for each of the conditions A to C. Notify 511.
 攻撃種類判別部511は、攻撃有無判定部510によってセキュリティ攻撃が検出されると、当該セキュリティ攻撃の種類を判別する。本実施の形態では、セキュリティ攻撃として、“リプレイ攻撃”、“なりすまし”、“乗っ取り”の3種類を想定している。攻撃種類判別部511は、攻撃有無判定部510から通知された、条件A~Cの各々について該当したか否かの情報と、予め補助記憶装置54に保存されている攻撃種類判別用テーブルとに基づいて、当該セキュリティ攻撃の種類を判別する。 When a security attack is detected by the attack presence/absence determination unit 510, the attack type determination unit 511 determines the type of security attack. In this embodiment, three types of security attacks are assumed: "replay attack", "spoofing", and "takeover". The attack type determination unit 511 determines whether or not each of the conditions A to C notified from the attack presence/absence determination unit 510 is met, and the attack type determination table stored in the auxiliary storage device 54 in advance. Based on this, the type of the security attack is determined.
 攻撃種類判別用テーブルは、セキュリティ攻撃の種類を判別するための規則が定義されたテーブルであり、具体的には、図9に示すように、攻撃の種類と、各判別条件の該当有無の組み合わせとを対応付けたテーブルである。図9において、“○”は、当該判別条件に該当することを意味し、“×”は、当該判別条件に該当しないことを意味する。また、判別条件には、上記の条件A~Cと、下記の条件Dが含まれている。 The attack type determination table is a table in which rules for determining the type of security attack are defined. Specifically, as shown in FIG. It is a table that associates . In FIG. 9, "O" means that the determination condition is met, and "X" means that the determination condition is not met. Further, the determination conditions include the above conditions A to C and the following condition D.
(条件D)送信元から、周期的通信フレームの正常な受信なし、又は、正常な応答なし (Condition D) No normal reception of periodic communication frames or no normal response from the sender
 上記の条件Dにおいて、周期的通信フレームとは、当該送信元から周期的に受信する通信フレームであり、例えば、空調機の状態(運転モード、風速、吸込温度等)の問合せ(即ち、要求)を示す通信フレームである。また、「周期的通信フレームの正常な受信」とは、当該周期的通信フレームの正しい周期での受信を意味する。当該空調機(ここでは、室内機5)の送信元となる機器(サーバ2、集中管理装置3、室外機4、他の室内機5又はリモコン6)と、周期的通信フレームの内容と、受信周期とを対応付けたテーブル(図示せず)は、予め補助記憶装置54に保存されている。 In the above condition D, the periodic communication frame is a communication frame that is periodically received from the transmission source. is a communication frame showing Also, "normal reception of the periodic communication frame" means reception of the periodic communication frame in the correct period. Equipment (server 2, centralized control device 3, outdoor unit 4, other indoor unit 5 or remote control 6) that is the transmission source of the air conditioner (here, indoor unit 5), content of periodic communication frame, and reception A table (not shown) in which the period is associated is stored in advance in the auxiliary storage device 54 .
 また、条件Dにおいて、「正常な応答なし」とは、当該空調機(ここでは、室内機5)から当該送信元に対して先に送信した通信フレームに対する応答が当該送信元から予め定めたタイムアウト時間以内に返ってこなかった場合を意味する。 Further, in the condition D, "no normal response" means that the response to the communication frame previously transmitted from the air conditioner (here, the indoor unit 5) to the transmission source is a predetermined timeout from the transmission source. It means if you don't get back in time.
 攻撃種類判別部511は、受信した通信フレームについて、条件A及びCに該当せず、条件Bに該当する場合、条件Dの判定結果にかかわらず、当該セキュリティ攻撃の種類は“リプレイ攻撃”であると判別する。また、攻撃種類判別部511は、受信した通信フレームについて、条件Aに該当せず、条件Cに該当する場合、条件Bの判定結果にかかわらず、さらに当該送信元が条件Dに該当するか否かを判定し、その結果に基づいて当該セキュリティ攻撃の種類を判別する。具体的には、攻撃種類判別部511は、当該送信元が条件Dに該当しない場合、当該セキュリティ攻撃の種類は“なりすまし”であると判定し、当該送信元が条件Dに該当する場合、当該セキュリティ攻撃の種類は“乗っ取り”であると判別する。 If the received communication frame does not meet conditions A and C but meets condition B, the attack type determination unit 511 determines that the type of security attack is a "replay attack" regardless of the determination result of condition D. and discriminate. In addition, if the received communication frame does not meet condition A but meets condition C, the attack type determination unit 511 further determines whether the transmission source meets condition D regardless of the determination result of condition B. Based on the result, the type of security attack is determined. Specifically, if the source does not meet condition D, the attack type determination unit 511 determines that the type of security attack is “spoofing”. The type of security attack is determined to be "hijacking".
 また、攻撃種類判別部511は、受信した通信フレームについて、条件Aに該当する場合は、条件B~Dの判定結果にかかわらず、当該セキュリティ攻撃の種類は“なりすまし”であると判別する。攻撃種類判別部511は、判別したセキュリティ攻撃の種類をセキュリティ攻撃対応部504に通知する。 In addition, if the received communication frame satisfies condition A, the attack type determination unit 511 determines that the type of security attack is "spoofing" regardless of the determination results of conditions B to D. The attack type determination unit 511 notifies the security attack response unit 504 of the determined type of security attack.
 図8に戻り、通信異常検出部501は、通信異常を検出する。具体的には、通信異常検出部501は、周期的に上記の条件Dに該当する通信先があるか否かを判定する。条件Dに該当する通信先がある場合には、通信異常検出部501は、通信異常を検出したことを通信異常対応部503に通知する。 Returning to FIG. 8, the communication abnormality detection unit 501 detects communication abnormality. Specifically, the communication error detection unit 501 periodically determines whether or not there is a communication destination that satisfies the condition D described above. If there is a communication destination that satisfies the condition D, the communication error detection unit 501 notifies the communication error handling unit 503 that the communication error has been detected.
 通常対応部502は、受信した通信フレームの内容に基づく通常処理を実行する。例えば、受信した通信フレームに動作の変更を指示するコマンドが含まれている場合、通常対応部502は、当該コマンドに従って、自機(ここでは、室内機5)の動作を変更する処理を実行する。また、受信した通信フレームに状態を問い合わせるコマンドが含まれている場合、通常対応部502は、当該コマンドに従って、自機の状態を当該送信元に送信する処理を実行する。 The normal handling unit 502 executes normal processing based on the content of the received communication frame. For example, when the received communication frame includes a command to change the operation, the normal response unit 502 executes processing for changing the operation of its own device (here, the indoor unit 5) according to the command. . Further, when the received communication frame includes a command to inquire about the state, the normal response unit 502 executes processing for transmitting the state of the device to the transmission source according to the command.
 通信異常対応部503は、通信異常の発生に対応した処理を実行する。例えば、通信異常対応部503は、集中管理装置3、リモコン6又は端末装置8に対して、当該通信先との通信に異常が発生したことを通知する。かかる通知を受けた集中管理装置3、リモコン6又は端末装置8は、当該異常に関する情報をディスプレイ33、ディスプレイ63又はディスプレイ82に表示して、ユーザに報知する。また、通信異常対応部503は、自機がLED(Light Emitting Diode)を備えている場合には、当該LEDを予め定めた態様で発光させることでユーザに通信異常を報知してもよいし、自機がスピーカを備えている場合には、当該スピーカから電子音を出力させることでユーザに通信異常を報知してもよい。 The communication anomaly handling unit 503 executes processing corresponding to the occurrence of a communication anomaly. For example, the communication abnormality handling unit 503 notifies the central control device 3, the remote controller 6, or the terminal device 8 that an abnormality has occurred in communication with the communication destination. The central control device 3, the remote controller 6, or the terminal device 8 that has received such notification displays the information regarding the abnormality on the display 33, the display 63, or the display 82 to notify the user. In addition, when the device is equipped with an LED (Light Emitting Diode), the communication abnormality handling unit 503 may notify the user of the communication abnormality by causing the LED to emit light in a predetermined manner, If the device has a speaker, the user may be notified of the communication abnormality by outputting an electronic sound from the speaker.
 セキュリティ攻撃対応部504は、本開示に係るセキュリティ攻撃対応手段の一例である。セキュリティ攻撃対応部504は、セキュリティ攻撃検出部500によってセキュリティ攻撃があると判定されると、当該セキュリティ攻撃による影響を排除するセキュリティ攻撃対応処理を実行する。具体的には、セキュリティ攻撃対応部504は、以下のように、攻撃種類判別部511によって判別された当該セキュリティ攻撃の種類に応じたセキュリティ攻撃対応処理を実行する。 The security attack handling unit 504 is an example of security attack handling means according to the present disclosure. When the security attack detection unit 500 determines that there is a security attack, the security attack countermeasure unit 504 executes security attack countermeasure processing to eliminate the influence of the security attack. Specifically, the security attack handling unit 504 executes security attack handling processing according to the type of security attack determined by the attack type determining unit 511 as follows.
(リプレイ攻撃)
 セキュリティ攻撃が“リプレイ攻撃”であると判別された場合、セキュリティ攻撃対応部504は、条件Bに該当する通信フレーム、即ち、一定時間内に同一の送信元から多量に送られてきた同一の通信フレームを何もせずに全て破棄する。ただし、条件Bに該当しない通信フレームについては、同じ送信元であっても、通常通り取り扱うこととし、通常対応部502と同様の処理を実行する。 (replay attack)
If the security attack is determined to be a "replay attack", the security attack response unit 504 detects the communication frame corresponding to condition B, that is, the same communication sent in large quantities from the same source within a certain period of time. Discard all frames without doing anything. However, communication frames that do not meet the condition B are treated as normal even if they are from the same source, and the same processing as the normal handling unit 502 is executed.
(なりすまし)
 セキュリティ攻撃が“なりすまし”であると判別された場合、セキュリティ攻撃対応部504は、条件B又は条件Cに該当する通信フレーム、即ち、一定時間内に同一の送信元から多量に送られてきた同一の通信フレーム又は送信元とコマンドの組合せが不一致な通信フレームを何もせずに全て破棄する。ただし、条件Bと条件Cのいずれにも該当しない通信フレームについては、同じ送信元であっても、通常通り取り扱うこととし、通常対応部502と同様の処理を実行する。 (impersonation)
If the security attack is determined to be "spoofing", the security attack response unit 504 detects communication frames that meet condition B or condition C, that is, identical communication frames or communication frames in which the combination of the source and the command does not match are all discarded without doing anything. However, communication frames that do not meet either condition B or condition C are treated as usual even if they are from the same source, and the same processing as the normal handling unit 502 is executed.
(乗っ取り)
 セキュリティ攻撃が“乗っ取り”であると判別された場合、セキュリティ攻撃対応部504は、当該送信元からの通信フレームを何もせずに全て破棄する。また、セキュリティ攻撃対応部504は、当該送信元を宛先とした通信フレームの送信を禁止する。 (takeover)
If the security attack is determined to be "hijacking", the security attack response unit 504 discards all communication frames from the transmission source without doing anything. In addition, the security attack handling unit 504 prohibits transmission of communication frames addressed to the source.
 図10は、空調機(室外機4及び室内機5)が実行する通信フレーム受信時処理の手順を示すフローチャートである。 FIG. 10 is a flow chart showing the procedure of communication frame reception processing executed by the air conditioners (outdoor unit 4 and indoor unit 5).
(ステップS101)
 空調機は、空調システム1におけるいずれかの機器から新たな通信フレームを受信したか否かを判定する。いずれかの機器から通信フレームを受信した場合(ステップS101;YES)、空調機の処理は、ステップS102に遷移する。 (Step S101)
The air conditioner determines whether or not a new communication frame has been received from any device in the air conditioning system 1 . When a communication frame is received from any device (step S101; YES), the processing of the air conditioner transitions to step S102.
(ステップS102)
 空調機は、セキュリティ攻撃の有無を判定する。具体的には、空調機は、受信した通信フレームについて、上述した条件A~Cのそれぞれに該当するか否かを判定する。空調機は、受信した通信フレームについて、条件A~Cのいずれかに該当する場合、セキュリティ攻撃があると判定し、いずれにも該当しない場合、セキュリティ攻撃がないと判定する。セキュリティ攻撃はないと判定した場合(ステップS102;NO)、空調機の処理は、ステップS103に遷移する。一方、セキュリティ攻撃があると判定した場合(ステップS102;YES)、空調機の処理は、ステップS104に遷移する。 (Step S102)
The air conditioner determines whether there is a security attack. Specifically, the air conditioner determines whether the received communication frame satisfies each of the conditions A to C described above. The air conditioner determines that there is a security attack if the received communication frame satisfies any one of the conditions A to C, and determines that there is no security attack if none of the conditions apply. When it is determined that there is no security attack (step S102; NO), the processing of the air conditioner transitions to step S103. On the other hand, when it is determined that there is a security attack (step S102; YES), the processing of the air conditioner transitions to step S104.
(ステップS103)
 空調機は、受信した通信フレームの内容に基づく通常処理を実行する。その後、空調機の処理は、ステップS101に戻る。 (Step S103)
The air conditioner performs normal processing based on the content of the received communication frame. After that, the processing of the air conditioner returns to step S101.
(ステップS104)
 空調機は、当該セキュリティ攻撃の種類を判別する。具体的には、空調機は、図9に示す攻撃種類判別用テーブルを使用して、当該セキュリティ攻撃の種類が、“リプレイ攻撃”、“なりすまし”及び“乗っ取り”のうちのいずれであるかを判別する。その後、空調機の処理は、ステップS105に遷移する。 (Step S104)
The air conditioner determines the type of security attack. Specifically, the air conditioner uses the attack type determination table shown in FIG. 9 to determine which type of security attack is "replay attack", "spoofing", or "takeover". discriminate. After that, the processing of the air conditioner transitions to step S105.
(ステップS105)
 空調機は、判別したセキュリティ攻撃の種類に応じたセキュリティ攻撃対応処理を実行する。その後、空調機の処理は、ステップS101に戻る。 (Step S105)
The air conditioner executes security attack countermeasure processing according to the determined type of security attack. After that, the processing of the air conditioner returns to step S101.
 以上説明したように、本実施の形態の空調システム1によれば、各空調機(各室外機4及び各室内機5)は、セキュリティ攻撃を検出すると、当該セキュリティ攻撃の種類を判別し、判別した種類に応じたセキュリティ攻撃対応処理を即座に実行する。このため、早急に当該セキュリティ攻撃による影響を排除することができ、当該セキュリティ攻撃による影響を抑えることが可能となる。 As described above, according to the air conditioning system 1 of the present embodiment, when each air conditioner (each outdoor unit 4 and each indoor unit 5) detects a security attack, it determines the type of the security attack, determines Security attack countermeasure processing corresponding to the type of attack is immediately executed. Therefore, the impact of the security attack can be quickly eliminated, and the impact of the security attack can be suppressed.
 また、各空調機は、セキュリティ攻撃対応処理において、セキュリティ攻撃があると判定した当該送信元との通信に基づく特定の処理等を危険性の高い処理として制限するものの、他の処理については通常処理として実行するため、空調システム1における影響を極力抑えることができ、また、ユーザの快適性を維持することが可能となる。 In addition, in the security attack response process, each air conditioner restricts specific processing based on communication with the sender determined to have a security attack as high-risk processing, but other processing is normal processing. , the influence on the air conditioning system 1 can be suppressed as much as possible, and the user's comfort can be maintained.
 本開示は、上記の実施の形態に限定されず、本開示の要旨を逸脱しない範囲での種々の変更は勿論可能である。 The present disclosure is not limited to the above embodiments, and various modifications are of course possible without departing from the gist of the present disclosure.
(変形例1)
 例えば、セキュリティ攻撃検出部500が、セキュリティ攻撃の有無を判定する際の条件(例えば、条件Bにおける、一定時間と一定回数、同一の通信フレームとみなす条件等)、セキュリティ攻撃の種類を判別するための規則(図9の攻撃種類判別用テーブルの内容)等については、サーバ2、集中管理装置3、リモコン6、端末装置8等を介して適宜変更できるようにしてもよい。また、空調機が、動作中に条件B等の条件の内容を学習して更新できるようにしてもよい。 (Modification 1)
For example, the conditions under which the security attack detection unit 500 determines whether or not there is a security attack (for example, the condition for determining whether a certain number of times and for a certain period of time in condition B, the same communication frame, etc.), and the type of security attack. (contents of the attack type determination table in FIG. 9) and the like may be changed appropriately via the server 2, the central control device 3, the remote controller 6, the terminal device 8, and the like. Also, the air conditioner may learn and update the contents of conditions such as condition B during operation.
(変形例2)
 空調機(室外機4及び室内機5)において、セキュリティ攻撃検出部500によってセキュリティ攻撃があると判定された場合、セキュリティ攻撃が検出されたことをユーザに報知するユーザ報知部(本開示に係るユーザ報知手段の一例)をさらに備えるようにしてもよい。例えば、ユーザ報知部は、セキュリティ攻撃検出部500によってセキュリティ攻撃があると判定された場合、セキュリティ攻撃を検出した時刻(即ち、現在時刻)と、当該セキュリティ攻撃の種類を示す情報とが含まれた通知(セキュリティ攻撃検出通知)を集中管理装置3、サーバ2、リモコン6又は端末装置8(以下、集中管理装置3等という。)に発報する。 (Modification 2)
In the air conditioner (outdoor unit 4 and indoor unit 5), when the security attack detection unit 500 determines that there is a security attack, a user notification unit (user according to the present disclosure) that notifies the user that a security attack has been detected An example of notification means) may be further provided. For example, when the security attack detection unit 500 determines that there is a security attack, the user notification unit includes the time when the security attack was detected (that is, the current time) and information indicating the type of security attack. A notification (security attack detection notification) is issued to the centralized control device 3, the server 2, the remote controller 6, or the terminal device 8 (hereinafter referred to as the centralized control device 3, etc.).
 上記のセキュリティ攻撃検出通知には、さらに、当該セキュリティ攻撃の種類を判別した際の判別条件の組合せと、セキュリティ攻撃対応処理の内容等が含まれていてもよい。セキュリティ攻撃検出通知を受信した集中管理装置3等は、当該セキュリティ攻撃検出通知が示す情報をディスプレイ33等に表示し、あるいは音声出力する等して、システム管理者、メンテナンス担当者等のユーザに報知する。また、セキュリティ攻撃検出部500は、セキュリティ攻撃検出通知を電子メール、SMS(Short Message Service)等によって予め登録された宛先に送信してもよい。 The above security attack detection notification may further include a combination of determination conditions when the type of security attack is determined, the content of security attack response processing, and the like. Upon receiving the security attack detection notification, the central control device 3 or the like displays the information indicated by the security attack detection notification on the display 33 or the like, or outputs it by voice, etc., to notify the user such as the system administrator or the maintenance staff. do. In addition, the security attack detection unit 500 may transmit the security attack detection notification to a pre-registered destination by e-mail, SMS (Short Message Service), or the like.
 上記に代えて、あるいは併用して、ユーザ報知部は、自機が備えるLEDを予め定めた態様で発光させることでユーザにセキュリティ攻撃が検出されたことを報知してもよいし、自機が備えるスピーカから音を出力させることでユーザにセキュリティ攻撃が検出されたことを報知してもよい。 Instead of or in combination with the above, the user notification unit may notify the user that a security attack has been detected by causing an LED provided in the device to emit light in a predetermined manner. A user may be notified that a security attack has been detected by outputting a sound from a speaker provided.
(変形例3)
 ユーザインタフェースを備える機器(集中管理装置3、リモコン6及び端末装置8)から送信された通信フレームの受信時に、セキュリティ攻撃検出部500によってセキュリティ攻撃があると判定された場合、セキュリティ攻撃対応部504は、当該機器に対してユーザの確認を要求する確認要求フレームを送信し、その後、当該機器から確認したことを示す応答フレームを受信した場合、先に受信した通信フレームを正常な通信フレームとして取り扱うようにし、当該通信フレームの内容に基づく通常処理を実行してもよい。 (Modification 3)
When the security attack detection unit 500 determines that there is a security attack when receiving a communication frame transmitted from a device having a user interface (the central control device 3, the remote controller 6, and the terminal device 8), the security attack response unit 504 , if a confirmation request frame requesting user confirmation is sent to the device, and then a response frame indicating that the user has been confirmed is received from the device, the previously received communication frame should be treated as a normal communication frame. and normal processing based on the content of the communication frame may be executed.
(変形例4)
 空調機(室外機4及び室内機5)において、“リプレイ攻撃”であると判定した通信フレームと同じ内容の通信フレーム(コマンド、データ値等が同一という意味)の通信フレームを他の機器に送信しなければならない場合、セキュリティ攻撃対応部504は、空調の動作、ユーザの快適性等に影響がない範囲で当該通信フレームの内容を変更してもよい。例えば、“リプレイ攻撃”であると判定された通信フレームが設定温度変更の通知を示すものであり、その設定温度が“26℃”であった場合に、同じ内容の通信フレームの送信が必要になると、セキュリティ攻撃対応部504は、設定温度の値を“25.5℃”に変更した通信フレームを送信する。 (Modification 4)
In the air conditioner (outdoor unit 4 and indoor unit 5), a communication frame with the same content as the communication frame determined to be a "replay attack" (meaning that the command, data value, etc. are the same) is sent to other devices. If it must be done, the security attack response unit 504 may change the content of the communication frame to the extent that it does not affect the operation of the air conditioner, the user's comfort, and the like. For example, if a communication frame determined to be a "replay attack" indicates a change in the set temperature and the set temperature is "26°C", it is necessary to send a communication frame with the same content. Then, the security attack response unit 504 transmits a communication frame in which the set temperature value is changed to "25.5°C".
 また、セキュリティ攻撃対応部504は、“リプレイ攻撃”であると判別された通信フレームの内容が含まれた通知(以下、リプレイ攻撃検出通知という。)を空調システム1の各機器に対して発報してもよい。この場合、リプレイ攻撃検出通知を受信した各室外機4及び各室内機5は、上記のように、送信する通信フレームの内容を変更する対応を行うようにしてもよい。 In addition, the security attack response unit 504 issues a notification including the content of the communication frame determined to be a “replay attack” (hereinafter referred to as a replay attack detection notification) to each device of the air conditioning system 1. You may In this case, each outdoor unit 4 and each indoor unit 5 that has received the replay attack detection notification may change the content of the communication frame to be transmitted as described above.
(変形例5)
 セキュリティ攻撃対応部504は、“なりすまし”であると判別された通信フレームの送信元のアドレスが含まれた通知(以下、なりすまし検出通知という。)を空調システム1の各機器に対して発報してもよい。この場合、なりすまし検出通知で示されるアドレスと同一アドレスの正規の機器は、自機のアドレスを別の正規なアドレスに変更し、アドレスの変更を示す通知を空調システム1の各機器に対して送信してもよい。あるいは、集中管理装置3、室外機4等が、なりすまし検出通知で示されるアドレスの正規の機器に対して、別の正規のアドレスを振り直し、当該機器のアドレスの変更を示す通知を空調システム1の各機器に対して発報してもよい。 (Modification 5)
The security attack response unit 504 issues a notification (hereinafter referred to as a spoofing detection notification) including the address of the transmission source of the communication frame determined to be "spoofing" to each device of the air conditioning system 1. may In this case, the authorized device with the same address as the address indicated by the spoofing detection notification changes its own address to another authorized address, and transmits a notification indicating the address change to each device in the air conditioning system 1. You may Alternatively, the central control device 3, the outdoor unit 4, or the like reassigns a different authorized address to the authorized device with the address indicated by the spoofing detection notification, and sends a notification indicating a change in the address of the device to the air conditioning system 1. may be issued to each device in the
(変形例6)
 セキュリティ攻撃対応部504は、“乗っ取り”であると判別された通信フレームの送信元のアドレスが含まれた通知(以下、乗っ取り検出通知という。)を空調システム1の各機器に対して発報してもよい。この場合、乗っ取り検出通知を受信した各機器は、以後、当該乗っ取り検出通知で示されるアドレスからの通信フレームを何もせずに全て破棄し、また、当該アドレスを宛先とした通信フレームの送信を行わないようにしてもよい。 (Modification 6)
The security attack response unit 504 issues a notification (hereinafter referred to as a hijacking detection notification) containing the address of the transmission source of the communication frame determined to be "hijacking" to each device of the air conditioning system 1. may In this case, each device that receives the hijacking detection notification discards all communication frames from the address indicated in the hijacking detection notification without doing anything, and transmits communication frames addressed to the address. may be omitted.
 また、乗っ取り検出通知で示されるアドレスと同一アドレスの正規の機器は、自機のアドレスを別の正規なアドレスに変更し、アドレスの変更を示す通知を空調システム1の各機器に対して発報してもよい。あるいは、集中管理装置3、室外機4等が、乗っ取り検出通知で示されるアドレスの正規の機器に対して、別の正規のアドレスを振り直し、当該機器のアドレスの変更を示す通知を空調システム1の各機器に対して発報してもよい。 In addition, the authorized device having the same address as the address indicated by the takeover detection notification changes its own address to another authorized address, and issues a notification indicating the address change to each device of the air conditioning system 1. You may Alternatively, the central control device 3, the outdoor unit 4, or the like reassigns a different authorized address to the authorized device with the address indicated by the takeover detection notification, and sends a notification indicating a change in the address of the device to the air conditioning system 1. may be issued to each device in the
(変形例7)
 セキュリティ攻撃対応部504は、セキュリティ攻撃検出部500によってセキュリティ攻撃があると判定された場合、上述した当該セキュリティ攻撃に応じたセキュリティ攻撃対応処理に加え、定常的に予め定めた順序で送信する通信フレームの組において、当該順序を変更する。例えば、空調機の状態(運転モード、風速、吸込温度等)を問い合わせるための通信フレームの組において、従前においては、A状態、B状態、C状態の順に問合せの通信フレームを送信していた場合に、セキュリティ攻撃対応部504は、B状態、A状態、C状態の順に通信フレームを送信するように変更する。また、セキュリティ攻撃対応部504は、当該変更を示す通知(以下、送信順序変更通知という。)を当該状態の問合せ先に発報する。 (Modification 7)
When the security attack detection unit 500 determines that there is a security attack, the security attack response unit 504 performs security attack response processing according to the security attack described above. , change the order. For example, in a set of communication frames for inquiring about the state of an air conditioner (operation mode, wind speed, suction temperature, etc.), in the past, when the inquiry communication frames were transmitted in the order of A state, B state, and C state. Furthermore, the security attack countermeasure unit 504 is changed so that communication frames are transmitted in the order of B state, A state, and C state. In addition, the security attack response unit 504 issues a notification indicating the change (hereinafter referred to as a transmission order change notification) to the inquiry destination of the state.
 上記の送信順序変更通知を受信した機器は、以後、状態の問合せに係る通信フレームについては、当該送信順序変更通知で示される順番で受信した場合に限り、正常な通信フレームとして取り扱う。 After receiving the above transmission order change notification, the device treats the communication frames related to the status inquiry as normal communication frames only if they are received in the order indicated by the transmission order change notification.
(変形例8)
 セキュリティ攻撃対応部504は、セキュリティ攻撃検出部500によってセキュリティ攻撃があると判定された場合、上述した当該セキュリティ攻撃に応じたセキュリティ攻撃対応処理に加え、予め定めた重要性の高い情報に係る通信フレームの送信及び受信を制限してもよい。例えば、セキュリティ攻撃対応部504は、室内機5が備える熱画像センサによる人検出の有無を示す情報等の高度な制御に用いる情報の送信及び受信を制限したり、室外機4、室内機5のファームウェアの更新の際のファームウェアのダウンロード等を制限する。 (Modification 8)
When the security attack detection unit 500 determines that there is a security attack, the security attack response unit 504 performs security attack response processing in response to the security attack described above, and also detects communication frames related to predetermined highly important information. may restrict the transmission and reception of For example, the security attack response unit 504 restricts the transmission and reception of information used for advanced control such as information indicating whether or not a person is detected by the thermal image sensor provided in the indoor unit 5, or the outdoor unit 4 and the indoor unit 5 Restricts download of firmware, etc. when updating firmware.
(変形例9)
 攻撃有無判定部510は、警告の要否判定をさらに行うようにし、また、空調機の機能構成(図8参照)に警告部を新たに追加してもよい。この場合、警告が必要であると判定するための条件は、セキュリティ攻撃があると判定するための条件よりも緩くなる。例えば、条件Bにおいて、一定時間内に同一の通信フレームを15回以上受信した場合は、セキュリティ攻撃があると判定するが、一定時間内に同一の通信フレームを8回以上15回未満受信した場合は、警告の必要があると判定する。 (Modification 9)
The attack presence/absence determination unit 510 may further determine the necessity of warning, and may newly add a warning unit to the functional configuration of the air conditioner (see FIG. 8). In this case, the conditions for determining that a warning is necessary are less stringent than the conditions for determining that there is a security attack. For example, in condition B, if the same communication frame is received 15 times or more within a certain period of time, it is determined that there is a security attack. determines that a warning is necessary.
 セキュリティ攻撃があると判定するための条件は満たさないが、警告が必要であると判定するための条件を満たす場合、警告部は、その旨を示す通知を集中管理装置3、サーバ2、リモコン6、端末装置8等に発報したり、自機のLEDを発光させたり、自機から音声、電子音を出力させる等してユーザに警告する。ただし、この場合、セキュリティ攻撃対応部504は、セキュリティ攻撃対応処理を実行しない。 If the conditions for judging that there is a security attack are not satisfied but the conditions for judging that a warning is necessary, the warning unit notifies the central control device 3, the server 2, and the remote controller 6 , the terminal device 8 or the like, emits light from the LED of its own device, or outputs voice or electronic sound from its own device to warn the user. However, in this case, the security attack handling unit 504 does not execute security attack handling processing.
(変形例10)
 また、集中管理装置3及びリモコン6が、上記の実施の形態における空調機と同様の機能構成(図8参照)を備えるようにしてもよい。 (Modification 10)
Also, the central control device 3 and the remote controller 6 may have the same functional configuration (see FIG. 8) as the air conditioner in the above embodiment.
(変形例11)
 また、空調機(室外機4及び室内機5)の機能部(図8参照)の全部又は一部が、専用のハードウェアで実現されるようにしてもよい。専用のハードウェアとは、例えば、単一回路、複合回路、プログラム化されたプロセッサ、ASIC(Application Specific Integrated Circuit)、FPGA(Field-Programmable Gate Array)又はこれらの組み合わせである。 (Modification 11)
Also, all or part of the functional units (see FIG. 8) of the air conditioners (outdoor unit 4 and indoor unit 5) may be realized by dedicated hardware. Dedicated hardware is, for example, a single circuit, a composite circuit, a programmed processor, an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array), or a combination thereof.
 上記の各変形例に係る技術思想は、それぞれ単独で実現されてもよいし、適宜組み合わされて実現されてもよい。 The technical ideas related to each of the modifications above may be realized independently, or may be realized in combination as appropriate.
 本開示は、広義の精神と範囲を逸脱することなく、様々な実施の形態及び変形が可能である。また、上述した実施の形態は、本開示を説明するためのものであり、本開示の範囲を限定するものではない。つまり、本開示の範囲は、実施の形態ではなく、請求の範囲によって示される。そして、請求の範囲内及びそれと同等の開示の意義の範囲内で施される様々な変形が、本開示の範囲内とみなされる。 Various embodiments and modifications are possible for the present disclosure without departing from its broad spirit and scope. In addition, the embodiments described above are for explaining the present disclosure, and do not limit the scope of the present disclosure. In other words, the scope of the present disclosure is indicated by the claims rather than the embodiments. Various modifications made within the scope of the claims and within the scope of equivalent disclosure are considered to be within the scope of the present disclosure.
 本開示は、複数の空調機で構成される空調システムに好適に採用され得る。 The present disclosure can be suitably applied to an air conditioning system configured with multiple air conditioners.
 1 空調システム、2 サーバ、3 集中管理装置、4,4a~4c 室外機、5,5a~5f 室内機、6 リモコン、7 通信アダプタ、8 端末装置、9,10,10a~10c 伝送ライン、30,40,50,60,70 第1通信インタフェース、31,41,51,61,71 第2通信インタフェース、32,62,81 操作受付部、33,63,82 ディスプレイ、34,43,53,64,72,83 制御回路、35,44,54,65,73,84 補助記憶装置、42,52 メインユニット、80 通信インタフェース、500 セキュリティ攻撃検出部、501 通信異常検出部、502 通常対応部、503 通信異常対応部、504 セキュリティ攻撃対応部、510 攻撃有無判定部、511 攻撃種類判別部、N ネットワーク 1 air conditioning system, 2 server, 3 centralized control device, 4, 4a ~ 4c outdoor unit, 5, 5a ~ 5f indoor unit, 6 remote control, 7 communication adapter, 8 terminal device, 9, 10, 10a ~ 10c transmission line, 30 , 40, 50, 60, 70 first communication interface, 31, 41, 51, 61, 71 second communication interface, 32, 62, 81 operation receiving unit, 33, 63, 82 display, 34, 43, 53, 64 , 72, 83 control circuit, 35, 44, 54, 65, 73, 84 auxiliary storage device, 42, 52 main unit, 80 communication interface, 500 security attack detection unit, 501 communication abnormality detection unit, 502 normal response unit, 503 Communication anomaly response unit, 504 Security attack response unit, 510 Attack presence/absence determination unit, 511 Attack type determination unit, N Network

Claims (6)

  1.  通信フレームの受信時にセキュリティ攻撃の有無を判定し、セキュリティ攻撃があると判定した場合、当該セキュリティ攻撃の種類を判別するセキュリティ攻撃検出手段と、
     前記セキュリティ攻撃検出手段によってセキュリティ攻撃があると判定された場合、当該セキュリティ攻撃の種類に応じた処理であって、当該セキュリティ攻撃による影響を排除するセキュリティ攻撃対応処理を実行するセキュリティ攻撃対応手段と、を備える、空調機。     security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and determining the type of the security attack if it is determined that there is a security attack;
    a security attack countermeasure means for executing a security attack countermeasure process for eliminating the influence of the security attack, which is a process corresponding to the type of the security attack when the security attack detection means determines that there is a security attack; An air conditioner.
  2.  前記セキュリティ攻撃検出手段によってセキュリティ攻撃があると判定された場合、ユーザに報知するユーザ報知手段をさらに備える、請求項1に記載の空調機。 The air conditioner according to claim 1, further comprising user notification means for notifying a user when the security attack detection means determines that there is a security attack.
  3.  ユーザインタフェースを備える機器から送信された通信フレームの受信時に、前記セキュリティ攻撃検出手段によってセキュリティ攻撃があると判定された場合、前記セキュリティ攻撃対応手段は、前記機器に対してユーザの確認を要求する確認要求フレームを送信し、その後、前記機器から確認したことを示す応答フレームを受信した場合、前記受信した通信フレームを正常な通信フレームとして取り扱う、請求項1又は2に記載の空調機。 When the security attack detecting means determines that there is a security attack when receiving a communication frame transmitted from a device having a user interface, the security attack handling means requests confirmation from the user to the device. 3. The air conditioner according to claim 1, wherein when a request frame is transmitted and then a response frame indicating confirmation is received from said device, said received communication frame is treated as a normal communication frame.
  4.  前記セキュリティ攻撃検出手段によってセキュリティ攻撃があると判定された場合、前記セキュリティ攻撃対応手段は、さらに、予め定めた重要性の高い情報の送信及び受信を制限する、請求項1から3のいずれか1項に記載の空調機。 4. Any one of claims 1 to 3, wherein when said security attack detection means determines that there is a security attack, said security attack countermeasure means further restricts transmission and reception of predetermined highly important information. Air conditioner described in paragraph.
  5.  通信フレームの受信時にセキュリティ攻撃の有無を判定し、セキュリティ攻撃があると判定した場合、当該セキュリティ攻撃の種類を判別し、
     セキュリティ攻撃があると判定した場合、当該セキュリティ攻撃の種類に応じた処理であって、当該セキュリティ攻撃による影響を排除するセキュリティ攻撃対応処理を実行する、セキュリティ攻撃対処方法。     determining whether or not there is a security attack when a communication frame is received, and if determining that there is a security attack, determining the type of security attack,
    A security attack countermeasure method for, when it is determined that there is a security attack, executing a security attack countermeasure process for eliminating the influence of the security attack, which is a process corresponding to the type of the security attack.
  6.  空調機を、
     通信フレームの受信時にセキュリティ攻撃の有無を判定し、セキュリティ攻撃があると判定した場合、当該セキュリティ攻撃の種類を判別するセキュリティ攻撃検出手段、
     前記セキュリティ攻撃検出手段によってセキュリティ攻撃があると判定された場合、当該セキュリティ攻撃の種類に応じた処理であって、当該セキュリティ攻撃による影響を排除するセキュリティ攻撃対応処理を実行するセキュリティ攻撃対応手段、として機能させる、プログラム。     the air conditioner,
    security attack detection means for determining the presence or absence of a security attack when a communication frame is received, and determining the type of the security attack if it is determined that there is a security attack;
    security attack countermeasure means for executing a security attack countermeasure process for eliminating the effects of the security attack, which is a process corresponding to the type of security attack when the security attack detection means determines that there is a security attack; A program that works.
PCT/JP2021/018105 2021-05-12 2021-05-12 Air conditioner, security attack countermeasure method, and program WO2022239159A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2021/018105 WO2022239159A1 (en) 2021-05-12 2021-05-12 Air conditioner, security attack countermeasure method, and program
JP2023520660A JPWO2022239159A1 (en) 2021-05-12 2021-05-12

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/018105 WO2022239159A1 (en) 2021-05-12 2021-05-12 Air conditioner, security attack countermeasure method, and program

Publications (1)

Publication Number Publication Date
WO2022239159A1 true WO2022239159A1 (en) 2022-11-17

Family

ID=84028041

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/018105 WO2022239159A1 (en) 2021-05-12 2021-05-12 Air conditioner, security attack countermeasure method, and program

Country Status (2)

Country Link
JP (1) JPWO2022239159A1 (en)
WO (1) WO2022239159A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006352669A (en) * 2005-06-17 2006-12-28 Fujitsu Ltd Attack detection/defense system
JP2017079429A (en) * 2015-10-21 2017-04-27 本田技研工業株式会社 Communication system, control device, and control method
JP2020096320A (en) * 2018-12-14 2020-06-18 本田技研工業株式会社 Illegal signal processing device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006352669A (en) * 2005-06-17 2006-12-28 Fujitsu Ltd Attack detection/defense system
JP2017079429A (en) * 2015-10-21 2017-04-27 本田技研工業株式会社 Communication system, control device, and control method
JP2020096320A (en) * 2018-12-14 2020-06-18 本田技研工業株式会社 Illegal signal processing device

Also Published As

Publication number Publication date
JPWO2022239159A1 (en) 2022-11-17

Similar Documents

Publication Publication Date Title
JP6044527B2 (en) Air conditioning system
JP4337923B2 (en) Device monitoring device and remote monitoring system
JP6051089B2 (en) Air conditioning system
JP5542772B2 (en) Building equipment management system connection system, building equipment management system connection method, and building equipment management system connection program
WO2018154652A1 (en) Remote control device, air conditioner, and air conditioning system
JP2023076482A (en) Apparatus management system
CN106369752B (en) Control method and control device of air conditioner, outdoor unit and air conditioner
KR20190028402A (en) United remote control system for ventilation apparatus in public building
US10652040B2 (en) Common social interface for system controls
JP2018121445A (en) Remote control system for refrigeration cycle appliance and remote control system for home electric appliance
KR100697079B1 (en) Multi-Airconditioner Center Control System and Error Report Method thereof
JP6029523B2 (en) Remote control system for refrigeration cycle equipment
WO2022239159A1 (en) Air conditioner, security attack countermeasure method, and program
JP5821935B2 (en) Air conditioning system
JP2015197723A (en) remote management system
JP4770629B2 (en) Remote monitoring and control system
JP5915685B2 (en) Equipment management system
JP6072906B2 (en) Air conditioning system
JP6017369B2 (en) Remote control system for refrigeration cycle equipment
KR101970523B1 (en) Facilities control system and operating method of the same
WO2018216202A1 (en) Air conditioning management control device, portable terminal, and air conditioner control method
CN107431734B (en) Indoor device, communication adapter, control method, and recording medium
JP6030777B2 (en) COMMUNICATION SYSTEM, HOME EQUIPMENT, COMMUNICATION METHOD, AND PROGRAM
JP5880530B2 (en) Air conditioning system
KR20090052746A (en) Method for controlling partial locking for multi-air conditioner

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21941893

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2023520660

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21941893

Country of ref document: EP

Kind code of ref document: A1