WO2023090012A1 - Communication management apparatus and method - Google Patents


Info

Publication number
WO2023090012A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication
revoked
communication method
certificate
management device
Prior art date
Application number
PCT/JP2022/038414
Other languages
French (fr)
Japanese (ja)
Inventor
貴之 亀田
利彦 中野
光朗 石場
Original Assignee
株式会社日立製作所
Priority date
Filing date
Publication date
Application filed by 株式会社日立製作所
Publication of WO2023090012A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to communication management between multiple communication devices. In particular, it relates to monitoring and changing communication methods.
  • a conventional business system is a so-called closed system in consideration of security, and its communication range is limited.
  • communication devices such as ATMs and bank staff terminals are connected via an intra-bank network.
  • security was ensured by limiting communication through a device or system called a firewall.
  • in certificate communication, a certificate issued by a so-called certificate authority is used to confirm the safety of the communication destination.
  • some problem may occur in certificate communication.
  • the business in the corresponding business system will also stop.
  • the production line will stop.
  • such a business system is required to carry out business continuously in consideration of social impact. Therefore, there is a need to continue communications for business continuity.
  • Patent Literature 1 describes how to respond when a higher-level certificate authority among multiple certificate authorities is compromised.
  • Japanese Patent Laid-Open No. 2002-200002 aims to continue using a distributed certificate so that certificate communication can be maintained even when such compromise occurs.
  • Patent Literature 1 discloses the following technique.
  • the authentication system 10 of Patent Document 1 comprises upper intermediate certificate authorities 21 and 22 and a lower intermediate certificate authority 31 under these.
  • the lower intermediate certification authority 31 requests the issuance of a certificate.
  • the higher intermediate certification authority exchanges status information with other higher intermediate certification authorities, and issues a certificate based on the exchanged status information.
  • the requested certificate is issued to the lower intermediate certificate authority 31 that requested the issuance.
  • the other upper intermediate certification authority with which the status information was exchanged further issues, based on the status information, the same certificate as the previously issued certificate to the lower intermediate certification authority 31 that requested the issuance.
  • an object of the present invention is to maintain communication more easily even when a problem including a decrease in security occurs in communication.
  • the security according to the communication method of each communication device is monitored, and as a result, if the security is lowered, the communication method of the corresponding communication device is determined.
  • This security monitoring includes monitoring whether the tools used to secure communications have expired.
  • the revocation of a tool includes not only the fact that the tool has already been revoked, but also a scheduled or expected revocation.
  • the tool includes an electronic certificate (certificate) and a common key, which are examples of encryption means.
  • the communication management device includes a monitoring unit that monitors the safety of communication according to the communication method of each of a plurality of communication devices and, as a result of the monitoring, identifies a revoked communication device whose security has been lowered;
  • the communication management device further includes a communication method determining unit that determines the communication method of the revoked communication device, and an output unit for notifying the revoked communication device of the determined communication method.
  • the present invention also includes a communication management method using the communication management device, a program for causing the communication management device to function as a computer, and a storage medium storing the same.
  • according to the present invention, it is possible to determine the communication method more easily and to avoid suspending communication even when safety is in question.
  • FIG. 1 is a system configuration diagram in one embodiment of the present invention.
  • FIG. 3 is a diagram showing the configuration of the communication management apparatus in one embodiment of the present invention.
  • FIG. 4 is a diagram showing a revocation list used in one embodiment of the present invention.
  • FIG. 5 is a diagram showing the device management table used in one embodiment of the present invention.
  • FIG. 6 is a diagram showing the communication method management table used in one embodiment of the present invention.
  • FIG. 7 is a diagram showing the function management table used in one embodiment of the present invention.
  • FIG. 8 is a flow chart showing the processing flow in one embodiment of the present invention.
  • A further figure shows the modification which implement
  • FIG. 1 is a diagram for explaining the technical background of this embodiment.
  • FIG. 1(a) shows a system configuration including a production system 70 for conventional production equipment.
  • in FIG. 1(a), robots 3a and 3b, which are one type of equipment to be controlled, a controller 4, and a control server 2 are connected via a control network 41.
  • the production control system (the terminal device 22 constituting it), the control server 2 and the firewall (hereinafter referred to as FW 30) are connected via a control information network 42.
  • the control network 41 and the control information network 42 are connected; FIG. 1(a) shows an example in which they are connected via the control server 2.
  • the production system 70 is connected to other systems (the terminal device 33 constituting them) and to an external network such as the Internet 43 via the FW 30.
  • the production system 70 is configured as a closed system, and the FW 30 protects against attacks such as a virus 61 from an unauthorized accessor 60.
  • the production system 70 centrally manages its boundaries with other systems and external networks by means of the FW 30.
  • perimeter defense by the FW 30 functioned well.
  • via the control information network 42, the production system may cooperate with the external production base 50 regarding production.
  • the production equipment may be monitored by the camera 5 via the control network 41.
  • the control server 2 may receive AI-based predictive diagnosis and remote control from the cloud system 80.
  • the external base station 90 and a mobile terminal 91 brought into the production facility may communicate with each other for maintenance and inspection. These are communications outside the control of the FW 30, so a so-called security hole exists in the perimeter defense by the FW 30.
  • the security of communication may be compromised. For example, if a communication device such as the camera 5 is newly connected, its legitimacy is questionable.
  • certificates and keys of encryption means used in encryption schemes for communication may expire due to aging or the like.
  • the behavior of the communication device may raise doubts about the validity of the certificate or key.
  • FIG. 2 is a system configuration diagram in this embodiment.
  • a control network 41, a control information network 42, and the Internet 43 which are networks, are connected to communication devices, respectively, and communication is performed between the communication devices. Therefore, the system configuration shown in FIG. 2 is roughly divided into three layers for each network. The configuration of this embodiment will be described below for each layer, that is, for each network.
  • the control network 41 mainly communicates information about control over production equipment.
  • the following various communication devices are connected to the control network 41 .
  • robots 3a to 3c which are devices to be controlled, and controllers 4a to 4c for controlling them are connected.
  • the production equipment (controlled equipment) is not limited to the robots 3a to 3c, and includes machine tools and the like.
  • a control server 2 that manages and controls the controllers 4a to 4c is also connected. Also connected to the control network 41 are a camera 5 for monitoring these production facilities and a terminal device 6 for managing the production facilities, for example by displaying the monitoring results of the camera 5. Furthermore, the communication management device 1 that executes the main processing of this embodiment is also connected to the control network 41.
  • the robots 3a-3c operate for production according to control signals from the controllers 4a-4c.
  • the robots 3a-3c and the controllers 4a-4c may be directly connected or may be connected via a control network 41.
  • the controllers 4a-4c may be provided inside the robots 3a-3c.
  • the control server 2 outputs control notifications to the controllers 4a-4c and receives operating states of the controllers 4a-4c and the robots 3a-3c.
  • the control server 2 is implemented by a so-called computer.
  • the camera 5 acquires an image of the production facility and notifies the control server 2 and the terminal device 6 of the image. It is desirable that the camera 5 operates according to instructions from the terminal device 6.
  • the terminal device 6 can be implemented by a computer such as a so-called PC, tablet, or smart phone.
  • the communication management device 1 monitors the safety of communication equipment and determines the communication method according to the monitoring results.
  • the communication management device 1 has an input unit 11, a monitoring unit 12, a communication method determination unit 13, an output unit 14 and a storage unit 15.
  • the input unit 11 receives information for confirming the safety of communication equipment via the control network 41.
  • the monitoring unit 12 determines whether or not the safety of communication has been compromised or doubt has arisen based on the received information. In other words, it is determined whether or not the safety has deteriorated.
  • the decrease in security includes the invalidation of security tools used according to the communication method, and the communication device being the target or subject of an attack by a virus, malicious program, or the like. Tools include keys such as certificates and common keys, and their revocation includes a lack of validity, such as a lack of authority.
  • the communication method determination unit 13 determines the communication method of the revoked communication device, which is the corresponding communication device, when security is lowered (for example, when a tool such as a certificate is revoked).
  • the output unit 14 notifies related communication devices of the determined communication method.
  • the storage unit 15 stores various information and the like for executing the processing of the communication management device 1.
  • the communication method in the present embodiment includes the type of communication (in particular, the type of encrypted communication used to ensure safety), suppression (stop) control of communication, and control over whether to run the communication related to any of the functions of the communication device. An implementation example of the communication method determination unit 13 and details of its processing will be described later.
  • the control network 41 carries, as communication contents of these communication devices, image data that is the monitoring result of the camera 5, control signals for controlling the robots 3a to 3c, and the like. Furthermore, information for the communication management device 1 to perform monitoring, and notification of the determined communication method, are also communicated.
  • the control information network 42 is connected to a production control server 23 for production control and a terminal device 22 for production control. Also connected to the control information network 42 is an internal CA 21, which is a certificate authority for internal use in an organization, such as a company, that operates the production system 70.
  • the production control server 23 executes information processing for production operations such as production planning and production management in production facilities, and for this purpose can be realized by, for example, a computer.
  • the terminal device 22 is used by a user who performs production work to output instructions to the production control server 23 and display processing results from the production control server 23.
  • the terminal device 22 can be realized by a computer such as a so-called PC, tablet, or smart phone.
  • the internal CA 21 can be realized by a computer that issues and manages certificates such as public key certificates.
  • the control information network 42 is also connected to the FW 30 for connecting with the outside of the production system 70. This completes the description of the control information network 42 layer. Next, the Internet 43 layer will be described. The Internet 43 is also connected to the various communication devices described below.
  • the FW 30 connects with other systems in the organization that operates the production system 70 .
  • the other system is a system for performing business other than production, such as product sales and distribution management, and has a business server 32 and a terminal device 33 .
  • the business server 32 executes information processing for various business according to instructions from the terminal device 33 and outputs the result to the terminal device 33 .
  • the terminal device 33 is used for executing business.
  • the business server 32 and the terminal device 33 are realized by computers, and in particular the terminal device 33 can be realized by a so-called PC, tablet, smartphone, or the like.
  • the external CA 31 and the terminal device 34, as well as the external production base 50, are connected via the Internet 43.
  • the external CA 31 is a certification authority operated outside the organization that operates the production system 70.
  • the external CA 31 can be implemented by a computer that issues and manages certificates such as public key certificates.
  • the terminal device 34 is implemented by a computer such as a so-called PC, tablet, or smart phone, and executes various information processing according to various user operations.
  • the external production base 50 is provided with a production system at a base different from that of the production system 70. This production system desirably has the same configuration as the production system 70, including the FW 30.
  • control network 41 is located furthest from the Internet 43 in the production system 70, that is, it is a network that is difficult to intrude from the outside.
  • the Internet 43 is the outside itself, and the control information network 42 is configured closer to the outside.
  • the content of communication on the control network 41 may be made less secure than the communication on the control information network 42 and the Internet 43 .
  • the control network 41 may perform common key communication or communication without encryption (plain communication). However, these may be determined for each communication device or communication, and each network (hierarchy) is not limited to a uniform communication method, and may have a configuration in which a plurality of communication methods are mixed.
  • FIG. 3 is a diagram showing the configuration of the communication management device 1 in the embodiment.
  • FIG. 3 is a configuration example for realizing the functional blocks of the communication management device 1 shown in FIG. 2.
  • the communication management device 1 will be described as an example of a computer that performs processing according to a program (software). However, it may be configured using dedicated hardware, an FPGA (field-programmable gate array), or the like.
  • the communication management device 1 has a network I/F 110 (network interface), a processing unit 120, a main storage unit 130 and an auxiliary storage unit 140, which are connected to each other via a communication path such as a bus.
  • the network I/F 110 has a function of communicating with other communication devices via the control network 41, and corresponds to the input unit 11 and the output unit 14 in FIG. 2.
  • the network I/F 110 may implement the input function and the output function with independent configurations.
  • the network I/F 110 may be connected to a network other than the control network 41, or directly to a communication device.
  • the processing unit 120 is implemented by a processor, CPU, or the like, and performs calculations according to each program loaded into the main storage unit 130. That is, the processing unit 120 executes the processing of the monitoring unit 12 and the communication method determining unit 13 in FIG. 2.
  • the main storage unit 130 holds programs loaded from the auxiliary storage unit 140 and other storage media, and information necessary for other calculations.
  • the programs loaded into the main storage unit 130 include a monitoring program 141 and a communication method determination program 142.
  • the monitoring program 141 corresponds to the function of the monitoring unit 12 in FIG. 2.
  • the communication method determination program 142 corresponds to the function of the communication method determination unit 13 in FIG. 2.
  • each of these programs need not be an independent program. That is, each of them may be implemented as a module of a single program.
  • the auxiliary storage unit 140 can be realized by so-called storage such as HDD (Hard Disk Drive) and SSD (Solid State Drive).
  • the auxiliary storage unit 140 stores, as information, a revocation list 143, a device management table 144, a communication method management table 145, and a function management table 146 in addition to the programs described above.
  • the auxiliary storage unit 140 may be configured independently of the communication management device 1.
  • for example, it can be realized by a file server connected via the network I/F 110.
  • the main storage unit 130 and the auxiliary storage unit 140 correspond to the storage unit 15 in FIG. 2.
  • the communication management device 1 may be realized by a plurality of computers. In this case, its functions can be shared among the plurality of computers.
  • FIG. 4 is a diagram showing the revocation list 143 used in this embodiment.
  • the revocation list 143 is information for identifying communication devices whose security has been lowered according to the communication method. For this reason, the revocation list 143 of this embodiment indicates security for each communication device.
  • the revocation list 143 of this embodiment has items of device ID, device name, and status.
  • a device ID is information for identifying a communication device.
  • the device name is information indicating the name of the communication device. Only one of the device ID and the device name may be used.
  • the status indicates the safety status based on the communication method of the communication device. In other words, it is an item that indicates whether the security has expired.
  • a decrease in security is determined by whether or not a certificate, which is a kind of tool for ensuring security, has been revoked.
  • a communication device that satisfies at least one of the following conditions is determined to have lowered security.
  • the monitoring unit 12 identifies such a device as a revoked communication device: communication equipment whose certificate has expired; communication equipment whose validity has been questioned; and communication equipment whose certificate has been notified as revoked by another device. In addition to these conditions, other conditions may be set.
  • the list includes items whose status is "maintenance", but the list may be narrowed down to "expired" or "scheduled to expire".
  • this revocation list 143 may be created by the communication management device 1, or may be created by another device such as the terminal device 6 or the internal CA 21.
  • when the communication management device 1 creates it, it can receive information about the validity of certificates from the internal CA 21 or the external CA 31 and create the list from that. It is also possible to create it by checking the communication state and connection state of each communication device to the control network 41 and the like.
  • the communication management device 1 uses this revocation list 143 to determine the communication method. The details of this determination will be described later using a flowchart.
  • FIG. 5 is a diagram showing the device management table 144 used in this embodiment.
  • the device management table 144 is a table in which information related to communication for each communication device is registered. As shown in FIG. 5, the device management table 144 of this embodiment has device IDs, device names, IP addresses, MAC addresses, communication methods, time limits, functions, and communication states.
  • the device ID and device name are the same as those in the revocation list 143.
  • the IP address and MAC address each indicate an address related to communication of the target communication device, and at least one of them may be provided.
  • the communication method indicates a communication method that can be supported by the target communication device.
  • the time limit indicates the expiration date of the common key and certificate of the target communication device.
  • the function indicates whether the function can be stopped by the target communication device (whether non-stop operation is required). It is particularly desirable that this function is a function related to communication.
  • the communication state indicates a communication state related to the safety of communication of the target communication device.
  • the communication method indicates that both certificate communication (including SSL communication, which is an example thereof) and common key communication can be supported.
  • the expiration dates of the certificate and common key are 00:00 on 3/31 and 00:00 on 12/1, respectively, indicating that non-stop operation is required for all functions.
  • the current communication state is normal, indicating that the safety of communication is ensured.
  • the "control server" indicates that there is no need for revocation at this point.
  • command notification, emergency reception and normal reception are possible.
  • Command notification and emergency reception indicate that non-stop operation is required, and normal reception indicates that suspension is possible.
  • the command notification indicates output of a command (control signal) from the controller to the robot.
  • emergency reception means receiving an emergency stop command for accident prevention or the like.
  • normal reception is reception for normal operations other than emergency reception.
  • controller D is normal, indicating that the security of the common key is maintained.
  • the communication management device 1 has received a revocation notice from the internal CA 21, indicating that the certificate is scheduled to be revoked.
  • the communication management device 1 also uses this device management table 144 to determine the communication method. The details of this determination will be described later using a flowchart. It should be noted that the function items in the device management table 144 may be managed in a function management table 146 to be described later. In this case, the function item can be omitted from the device management table 144.
  • FIG. 6 is a diagram showing the communication method management table 145 used in this embodiment.
  • the communication method management table 145 is a table in which information for managing communication methods between communication devices is registered.
  • the communication method management table 145 of this embodiment has a device ID, partner device, communication method, and communication state for each communication device.
  • the device ID is the same information as in the revocation list 143.
  • the partner device indicates the device ID of the communication device that communicates with the target communication device.
  • the communication method indicates the current communication method between the target communication device and the partner device.
  • the communication state indicates the current communication state between the target communication device and the partner device, and is the same information as in the device management table 144.
  • FIG. 7 is a diagram showing the function management table 146 used in this embodiment.
  • the function management table 146 is a table in which information on the functions of each type of communication device is registered.
  • the function management table 146 of the present embodiment has device type, function, stop possibility, and countermeasure for each type of communication device.
  • the device type indicates the type of communication device, although the table may instead be kept for each individual communication device.
  • the function item and the stop-possibility item indicate, for each function that the target communication device can execute, whether that function can be stopped (whether non-stop operation is required).
  • FIG. 8 is a flow chart showing the processing flow in this embodiment.
  • the processing of the communication management apparatus 1 will be described below with reference to FIG. 8. The unit responsible for the processing in each step will be described using the units shown in FIG. 2.
  • step S1 the monitoring unit 12 starts monitoring the safety of communication in the communication device. This may be executed in response to an instruction from the terminal device 6, or may be executed when an activation condition such as a predetermined cycle is satisfied. Note that the communication management device 1 may be operated continuously to continuously execute the processes after step S2.
  • step S2 the monitoring unit 12 determines whether any of the communication devices has deteriorated in safety as a result of monitoring.
  • the monitoring unit 12 monitors whether the certificate or the like has been revoked.
  • the monitoring unit 12 checks the revocation list 143 .
  • if the revocation list 143 contains a revocation or a scheduled revocation (YES), the process proceeds to step S3. If there is no revocation or revocation schedule in the revocation list 143 (NO), the process returns to step S1 to continue monitoring.
  • the records confirmed in step S2 may be deleted as appropriate, leaving unconfirmed records, or a flag indicating confirmation may be recorded. As a result, redundant processing after step S3 can be prevented.
  • revocation indicates that the validity of a certificate or key is questioned, because the certificate or key has expired at the end of its validity period, because of the behavior of the communication equipment, or the like, and includes scheduled revocation.
  • the key includes a private key and a common key in addition to the public key. Further, revocation may also include reduced safety due to viruses and the like.
  • in step S3, the monitoring unit 12 identifies, from the revocation list 143, the communication device whose device ID is marked as revoked or scheduled for revocation as the revoked communication device.
  • in step S4, the communication method determination unit 13 identifies the communication method that has been revoked for the revoked communication device and the communication methods that it can support.
  • for this purpose, the communication method determination unit 13 may use the communication state in the device management table 144, or check the communication method and communication state in the communication method management table 145.
  • the revocation list 143 may be used to record communication methods that have been revoked or are scheduled to be revoked.
  • the communication method determining unit 13 uses the communication method item of the device management table 144.
  • in step S5, the communication method determining unit 13 identifies related communication devices related to the revoked communication device identified in step S3.
  • for this purpose, the communication method determination unit 13 uses the communication method management table 145.
  • the monitoring unit 12 identifies the partner device corresponding to the device ID of the revoked communication device as the related communication device.
  • here, the partner device that is the communication destination of the revoked communication device is identified, but the related communication device is not limited to this.
  • each communication device managed by the communication management apparatus 1 may be the related communication device, or a communication device connected to the same network as the expired communication device may be the related communication device.
  • in step S6, the communication method determination unit 13 identifies a communication method that can be used by the related communication device identified in step S5. For this purpose, the communication method determination unit 13 identifies the communication method of the related communication device from the device management table 144.
  • step S7 the communication method determining unit 13 uses the results of steps S4 to S6 to determine the communication method. The details are described below.
  • This determination can be made in several ways, such as (1) and (2) below.
  • (1) The communication method determination unit 13 identifies, among the communication methods identified in step S4, the valid ones that have not been revoked. Next, it matches the communication methods that the related communication device identified in step S6 can support against those valid methods, and determines a matching communication method.
  • (2) The communication method determination unit 13 identifies, among the communication methods identified in step S4, a valid one that has not been revoked and determines it as the communication method. In this case steps S5 and S6 can be omitted.
  • When the cause (factor) of the revocation is taken into account, the communication method can be determined as follows. First, for each communication method, it is set in advance whether that method can cope with the factor. Then, in step S4, the communication method determination unit 13 uses these settings to identify the communication methods that can and cannot cope with the factor at the revoked communication device. Likewise, in step S6, it uses the settings to identify the communication methods that can and cannot cope with the factor at the related communication device. In this step the communication method is then determined by comparing the communication methods that can cope with the factor. In this case it is desirable to select the communication method with the highest security among those that both parties can support.
  • The determination of the communication method covers the following aspects.
  • Changing the communication type: for example, changing certificate communication to common key communication or plain communication, or changing common key communication to plain communication.
  • Suppressing communication per function: as part of the communication method to be determined, it may be decided, for each function of the revoked communication device, whether to suppress or maintain communication.
  • For this purpose the communication method determination unit 13 uses the functions recorded in the device management table 144 or the function management table 146.
  • In other words, the communication method covers both the communication method itself (the type of communication) and the communication functions of the communication device, and may be determined as a combination of the two.
  • In step S7 the communication method determination unit 13 determines at least one communication method with which the revoked communication device can still communicate.
  • In step S8 the output unit 14 notifies the communication method determined in step S7.
  • The notification destination is the revoked communication device or the related communication device.
  • In addition, the communication method determination unit 13 updates the communication method in the communication method management table 145 to the determined communication method.
  • It also updates the communication status in the device management table 144 and the communication method management table 145.
  • In step S9 the monitoring unit 12 monitors the revoked communication device, which now communicates with the determined communication method.
  • In step S10 the monitoring unit 12 monitors whether the revocation of the revoked communication device has been recovered. This can be realized by a process similar to step S2: the monitoring unit 12 checks the revocation list 143 or the like to confirm whether the revocation has been recovered. If it has (YES), the process proceeds to step S11; otherwise it returns to step S9 and monitoring continues.
  • Step S10 is explained using the example of renewing a revoked certificate.
  • When the revocation occurs, a warning is sent to each terminal device. The terminal device therefore outputs a certificate renewal request to the internal CA 21 or the external CA 31 according to the user's operation. When the internal CA 21 or the external CA 31 renews the certificate in response to the request, the recovery of this step is determined to be complete. This recovery may also be executed automatically by the internal CA 21 or the external CA 31.
  • In step S11 the communication method determination unit 13 re-determines the communication method of the revoked communication device. This restores what was changed in step S7 because of the revocation detected in step S2: for example, if the revoked communication device or the related communication device was changed from certificate communication to common key communication in step S7, it is re-determined (restored) to certificate communication.
  • In step S12 the output unit 14 notifies the communication method re-determined in step S11.
  • The notification destination is the revoked communication device or the related communication device, as in step S8.
  • The communication method determination unit 13 updates the communication method in the communication method management table 145 to the re-determined communication method, as in step S8.
  • It also updates the communication status in the device management table 144 and the communication method management table 145.
  • In addition, the output unit 14 notifies at least one of the terminal device 6, the terminal device 22, and the terminal device 34 of a warning. This is an advance warning, so it is desirable that the output unit 14 issue it as soon as a revocation is determined. The fact that the security of communication has been lowered can thus be notified in two stages, an advance warning and a main warning, and the user of each terminal, such as a communication manager or business manager, can grasp that the security of communication has changed, for example been lowered.
  • When the communication method is changed in step S7, at least one of the terminal device 6, the terminal device 22, and the terminal device 34 is notified of a warning that the communication method has been changed. This may be done only when security has been lowered, or unconditionally.
  • When the communication method is restored in step S11, the output unit 14 likewise notifies at least one of the terminal device 6, the terminal device 22, and the terminal device 34 to that effect, so the user of each terminal device can know that the security of communication has been restored.
  • The management by the communication management device 1 of this embodiment is not limited to communication between communication devices under its control.
  • For example, suppose that the production management server 23 is not under the control of the communication management device 1 and that the control server 2 communicates with it.
  • In this case a communication method is determined such that the communication function with the production management server 23 is maintained and other functions are disabled. This allows the production management server 23 to behave as if the previous communication were simply continuing.
  • As described above, in this embodiment the communication method is changed either by changing the type of communication or by suppressing communication for some functions of the communication device.
  • Revocation here includes not only revocation itself but also cases where the likelihood of revocation is greater than or equal to a predetermined value.
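The flow of steps S3 to S12 above, as an added Python example (illustrative code written for this page, not the patent's or Hitachi's implementation). The layouts and field names of the revocation list, device management table, communication method management table and function management table, the device names, the security ranking of the three communication types and the seven-day window that treats an expiring certificate as a scheduled revocation are all assumptions; the sample devices and links are constructed. The example also applies the function-level rule from the production management server case: functions marked essential are downgraded to the strongest method both ends still trust, all other functions of a revoked device are suppressed.

```python
# Added example, not code from the patent: a minimal model of steps S3 to S12.
# Table layouts, field names, device names, the security ranking and the 7-day
# "scheduled revocation" window are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumed ranking of the communication types named in the text; higher is stronger.
SECURITY_RANK = {"suppressed": -1, "plain": 0, "common_key": 1, "certificate": 2}
ALL_METHODS = frozenset({"certificate", "common_key", "plain"})

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)            # constructed clock
ESSENTIAL = frozenset({"production_report", "image_feed"})  # functions to keep alive


@dataclass
class Device:
    """One row of the (assumed) device management table 144."""
    device_id: str
    methods: FrozenSet[str]                    # communication methods the device supports
    cert_not_after: Optional[datetime] = None  # expiry of its certificate, if any


@dataclass
class Link:
    """One row of the (assumed) communication method management table 145."""
    device_id: str
    partner_id: str
    function: str   # function served by this link (assumed function management table 146)
    method: str     # communication method currently in use


def monitor(devices: Dict[str, Device], revocation_list: Dict[str, Set[str]],
            now: datetime, warn_days: int = 7) -> Dict[str, Set[str]]:
    """Steps S2/S3: return {device_id: methods no longer trusted}.
    revocation_list (table 143) maps device IDs to revoked methods; a certificate
    that expires within warn_days counts as a scheduled revocation."""
    revoked: Dict[str, Set[str]] = {}
    for dev in devices.values():
        bad = set(revocation_list.get(dev.device_id, ()))
        if dev.cert_not_after is not None and dev.cert_not_after - now <= timedelta(days=warn_days):
            bad.add("certificate")
        if bad:
            revoked[dev.device_id] = bad
    return revoked


def decide(devices: Dict[str, Device], link: Link, revoked: Dict[str, Set[str]],
           essential: FrozenSet[str]) -> str:
    """Steps S4 to S7 for one link (and S11 when nothing is revoked any more).
    Non-essential functions of a revoked device are suppressed; essential ones get
    the strongest method both ends still trust, or are suppressed if none is left."""
    bad = revoked.get(link.device_id, set()) | revoked.get(link.partner_id, set())
    if bad and link.function not in essential:
        return "suppressed"
    common = (devices[link.device_id].methods & devices[link.partner_id].methods) - bad
    return max(common, key=SECURITY_RANK.__getitem__) if common else "suppressed"


def update_links(devices: Dict[str, Device], links: List[Link], revoked: Dict[str, Set[str]],
                 targets: Set[str], essential: FrozenSet[str]) -> List[Tuple[str, str, str, str, bool]]:
    """Steps S7/S8 and S11/S12: re-decide every link touching a device in `targets`,
    update table 145 in place and return the notifications as
    (device, partner, old method, new method, security_lowered)."""
    notices = []
    for link in links:
        if link.device_id not in targets and link.partner_id not in targets:
            continue
        new = decide(devices, link, revoked, essential)
        if new != link.method:
            lowered = SECURITY_RANK[new] < SECURITY_RANK[link.method]
            notices.append((link.device_id, link.partner_id, link.method, new, lowered))
            link.method = new
    return notices


def sample_system(now: datetime):
    """Constructed sample data: control server 2 is on the revocation list, camera 5's
    certificate expires in three days, and the production report to server 23 is essential."""
    devices = {
        "ctrl_server_2": Device("ctrl_server_2", ALL_METHODS),
        "prod_mgmt_23": Device("prod_mgmt_23", ALL_METHODS),
        "cloud_80": Device("cloud_80", frozenset({"certificate", "plain"})),
        "camera_5": Device("camera_5", frozenset({"certificate", "plain"}), now + timedelta(days=3)),
        "terminal_6": Device("terminal_6", ALL_METHODS),
    }
    links = [
        Link("ctrl_server_2", "prod_mgmt_23", "production_report", "certificate"),
        Link("ctrl_server_2", "cloud_80", "remote_diagnosis", "certificate"),
        Link("camera_5", "terminal_6", "image_feed", "certificate"),
    ]
    revocation_list = {"ctrl_server_2": {"certificate"}}
    return devices, links, revocation_list


def demo():
    """Runs S3 to S8, then simulates the S10 recovery (CA renews the certificates,
    revocation list cleared) and the S11/S12 restore. Returns both notice lists."""
    devices, links, crl = sample_system(NOW)
    revoked = monitor(devices, crl, NOW)
    notices = update_links(devices, links, revoked, set(revoked), ESSENTIAL)
    crl.clear()
    devices["camera_5"].cert_not_after = NOW + timedelta(days=365)
    restored = update_links(devices, links, monitor(devices, crl, NOW), set(revoked), ESSENTIAL)
    return notices, restored


if __name__ == "__main__":
    first, second = demo()
    for n in first:
        print("S8 notify :", n)
    for n in second:
        print("S12 notify:", n)
```

The `security_lowered` flag in each notification is what the advance warning and the change warning to the terminal devices would carry. Two caveats a practitioner should attach to this flow: a fallback to plain communication removes both confidentiality and peer authentication, so it belongs in an alarmed, time-limited exception state rather than a steady state; and when a certificate is revoked because its key was compromised, the same device's common key deserves suspicion too, since this model (like the text) treats the methods independently.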
  • FIG. 9 is a diagram showing a modification in which the present embodiment is realized by a cloud system.
  • In this modification the communication management device 1 is connected to the Internet 43.
  • The communication management device 1 manages the communication devices of each network connected to the Internet 43. Specifically, it manages the communication devices of the control information network 42a and the control network 41a connected via the FW 30a, and those of the control information network 42b and the control network 41b connected via the FW 30b.
  • The rest of the configuration and processing flow of this modification are as described above, and the details are omitted.
  • The communication management device 1 may also be provided so as to connect the control information network 42a and the control information network 42b.
  • The present invention is not limited to the above embodiment.
  • For example, it can be applied to fields other than production, such as financial services.
  • As the communication devices, various devices related to control, mobile units, ATMs and the like can be used in addition to those illustrated.
  • Encrypted communication is taken as the example of communication, but the communication is not limited to this.
  • Likewise, encrypted communication is not limited to certificate communication or common key communication.

Abstract

The present invention addresses the problem of maintaining communication more easily even in the event of a failure in an encryption means, including a decrease in security, during communication such as cryptographic communication. The structure of the present invention for solving the problem is a communication management apparatus 1 for managing communication in a plurality of communication devices connected via a network, each capable of communicating using a plurality of communication schemes. The communication management apparatus 1 comprises: a monitoring unit 12 that monitors the security of communication in accordance with the communication schemes of the plurality of communication devices and that identifies, as a result of the monitoring, an ineffective (revoked) communication device for which the security is degraded; a communication scheme determination unit 13 that determines a communication scheme available to the ineffective communication device; and an output unit 14 that notifies the ineffective communication device of the determined communication scheme.

Description

Communication management device and method
 The present invention relates to communication management among a plurality of communication devices, and in particular to monitoring and changing communication methods.
 Conventionally, in business systems such as production systems, logistics systems and financial systems, the devices and apparatuses that make up the system (hereinafter simply called communication devices) communicate with each other via a network and perform information processing for a given business. Conventional business systems were so-called closed systems, designed with security in mind, and their communication range was limited. For example, a financial system (in particular a core banking system) is built from communication devices such as ATMs and bank staff terminals connected over an intra-bank network, and when cooperating with other banks, security was ensured by communicating only in a limited way through a device or system called a firewall.
 With the advance of IoT (Internet of Things) technology and the cloud, however, the devices and scope of communication are expanding. For example, there is growing demand for Internet banking, and for predictive diagnosis and remote control using the cloud in production systems. In such cases it becomes necessary to communicate with external devices connected via the Internet or the like. Communicating with such external devices raises security concerns compared with a conventional closed system; for example, the risk of unauthorized access by a malicious third party increases.
 For this reason, communication methods that raise security, such as encrypted communication, have been adopted. One example of encrypted communication is communication using an electronic certificate (also simply called a certificate; hereinafter simply called certificate communication). In certificate communication, a certificate issued by a so-called certificate authority is used to confirm the trustworthiness of the communication peer.
 In certificate communication, some problem may arise with the certificate communication itself. If communication is then stopped altogether, the business of the corresponding business system also stops; in a production system, for example, the production line stops. Such business systems, however, are required to carry out their business continuously, also in view of their social impact. There is therefore a need to continue communication in order to continue the business.
 For example, Patent Document 1 describes how to respond when a higher-level certificate authority among a plurality of certificate authorities is compromised. Patent Document 1 aims to allow already-distributed certificates to remain usable so that certificate communication can be maintained even when such a compromise occurs. To solve this problem, Patent Document 1 discloses the following technique.
 The authentication system 10 of Patent Document 1 comprises upper intermediate certificate authorities 21 and 22 and a lower intermediate certificate authority 31 under them. When the lower intermediate certificate authority 31 requests issuance of a certificate, the upper intermediate certificate authority exchanges status information with the other upper intermediate certificate authority and, based on the exchanged status information, issues the requested certificate to the lower intermediate certificate authority 31. The other upper intermediate certificate authority with which the status information was exchanged additionally issues, based on that status information, a certificate identical to the one issued earlier to the lower intermediate certificate authority 31.
Patent Document 1: JP 2014-187475 A
 However, with the technique of Patent Document 1, if some problem (compromise) occurs in certificate communication, an electronic certificate must be issued again, so maintaining communication requires extra effort. Moreover, no consideration is given to countermeasures when a problem occurs in a means of securing communication other than certificate communication; for example, there was no way to maintain secure communication when the encryption means used for encrypted communication fails.
 The object of the present invention is therefore to maintain communication more easily even when a problem, including a decrease in security, occurs in communication.
 To solve the above problem, the present invention monitors the security corresponding to the communication method of each communication device and, when the security is found to have decreased, determines the communication method of the corresponding communication device. This security monitoring includes monitoring whether a tool used to secure the communication has been revoked. Revocation of a tool includes not only the fact that it has been revoked but also the possibility of revocation, that is, a scheduled or expected revocation. Tools include an electronic certificate (certificate) and a common key, which are examples of encryption means.
 More specifically, the invention is a communication management device that manages communication among a plurality of communication devices connected via a network, each capable of communicating using a plurality of communication methods. It comprises a monitoring unit that monitors the security of communication according to the communication methods of the plurality of communication devices and, as a result of the monitoring, identifies a revoked communication device whose security has decreased; a communication method determination unit that determines a communication method usable by the revoked communication device; and an output unit that notifies the revoked communication device of the determined communication method.
 The present invention also includes a communication management method using the communication management device, a program for causing a computer to function as the communication management device, and a storage medium storing the program.
 According to the present invention, the communication method can be determined more easily, and suspension of communication can be suppressed even when doubt arises about security.
FIG. 1 is a diagram for explaining the technical background of an embodiment of the present invention. FIG. 2 is a system configuration diagram of the embodiment. FIG. 3 shows the configuration of the communication management device of the embodiment. FIG. 4 shows the revocation list used in the embodiment. FIG. 5 shows the device management table used in the embodiment. FIG. 6 shows the communication method management table used in the embodiment. FIG. 7 shows the function management table used in the embodiment. FIG. 8 is a flowchart showing the processing flow of the embodiment. FIG. 9 shows a modification in which the embodiment is realized by a cloud system.
 An embodiment of the present invention is described below with reference to the drawings.
<Background>
 In this embodiment, communication concerning production equipment is described as one example of an application. FIG. 1 is a diagram for explaining the technical background of this embodiment. FIG. 1(a) shows a system configuration including a production system 70 for conventional production equipment.
 In FIG. 1(a), robots 3a and 3b, which are a type of controlled device, a controller 4 and a control server 2 are connected via a control network 41. A production management system (represented by its terminal device 22), the control server 2 and a firewall (hereinafter FW 30) are connected via a control information network 42, and the control network 41 and the control information network 42 are connected to each other. The figure shows an example in which the control network 41 and the control information network 42 are connected via the control server 2.
 The production system 70 is also connected via the FW 30 to other systems (represented by a terminal device 33) and to external networks such as the Internet 43.
 In FIG. 1(a) the production system 70 is configured as a closed system, and the FW 30 defends against attacks such as a virus 61 from an unauthorized accessor 60. That is, the production system 70 centrally manages its boundary with other systems and external networks by means of the FW 30, so in FIG. 1(a) perimeter defense by the FW 30 functioned adequately.
 In recent years, however, open systems, cloud use for production equipment and IoT have become commonplace, and the configuration of production systems is changing from that of FIG. 1(a) toward that of FIG. 1(b). Because of this openness, connection destinations and paths have become complex and the boundary has become blurred, increasing the opportunities for intrusion inside the boundary of the production system 70.
 For example, the production system may cooperate on production with an external production site 50 via the control information network 42, or monitor the production equipment with a camera 5 via the control network 41. The control server 2 may receive AI-based predictive diagnosis and remote control from a cloud system 80. Furthermore, a mobile terminal 91 brought into the production facility for maintenance and inspection may communicate with an external base station 90. These communications lie outside the management of the FW 30, so the perimeter defense by the FW 30 has what are known as security holes.
 Therefore, particularly when the configuration of FIG. 1(b) is used, it is important to secure, maintain and manage the security of communication between the communication devices that make up the production system 70 and external communication devices. To this end, for example, encrypted communication is adopted as the communication method to ensure a certain level of security.
 However, the security of communication may be compromised for some reason. For example, when a communication device such as the camera 5 is newly connected, doubt remains about its legitimacy. The certificate or key of the encryption means used for the encrypted communication may expire, for example through lapse of time. Furthermore, the behavior of a communication device may raise doubts about the validity of its certificate or key.
 In these cases, one way to ensure security is to stop the communication of the communication device concerned. In business systems such as production systems, however, there is a need to avoid stopping communication: a communication stoppage leads to a stoppage of business and services, so communication should be maintained as far as possible. In the production system 70 of this embodiment, a communication stoppage leads to a production stoppage, causing delivery delays and rejected deliveries.
 This embodiment is therefore configured so that, even when the security of communication is compromised or called into question, a certain level of security is ensured and communication continues. Details are described below with reference to the drawings.
<Configuration>
 FIG. 2 is a system configuration diagram of this embodiment. In FIG. 2 the networks, namely a control network 41, a control information network 42 and the Internet 43, are each connected to communication devices, and communication takes place between those devices. The system configuration of FIG. 2 is therefore roughly divided into three layers, one per network. The configuration of this embodiment is described below layer by layer, that is, network by network.
 First, the layer of the control network 41. The control network 41 mainly carries information for controlling the production equipment, and the following communication devices are connected to it. As production equipment, robots 3a to 3c, which are controlled devices, and controllers 4a to 4c that control them are connected. The production equipment (controlled devices) is not limited to the robots 3a to 3c and includes machine tools and the like.
 A control server 2 that manages and controls the controllers 4a to 4c is also connected, as are a camera 5 for monitoring the production equipment and a terminal device 6 that manages the production equipment, for example by displaying the monitoring results of the camera 5. The communication management device 1, which executes the main processing of this embodiment, is also connected to the control network 41.
 The robots 3a to 3c operate for production according to control signals from the controllers 4a to 4c. The robots 3a to 3c and the controllers 4a to 4c may be connected directly or via the control network 41, and the controllers 4a to 4c may be built into the robots 3a to 3c. To manage the production equipment as a whole, the control server 2 outputs control notifications to the controllers 4a to 4c and receives the operating state of the controllers 4a to 4c and the robots 3a to 3c; it is realized by a so-called computer. The camera 5 captures images of the production equipment and sends them to the control server 2 and the terminal device 6; it preferably operates according to instructions from the terminal device 6. The terminal device 6 can be realized by a computer such as a PC, tablet or smartphone.
 The communication management device 1 monitors the security of the communication devices and determines the communication method according to the monitoring result. For this purpose it has an input unit 11, a monitoring unit 12, a communication method determination unit 13, an output unit 14 and a storage unit 15. The input unit 11 receives, via the control network 41, information for confirming the security of the communication devices. The monitoring unit 12 determines from the received information whether the security of communication has been compromised or called into question, that is, whether security has decreased. A decrease in security includes revocation of a tool used to secure the communication according to its communication method, and a communication device being the target or the source of an attack by a virus, malicious program or the like. Tools include certificates and keys such as common keys, and their revocation includes a lack of validity such as missing authorization.
 When security has decreased (for example, a tool such as a certificate has been revoked), the communication method determination unit 13 determines the communication method of the revoked communication device, that is, the communication device concerned. The output unit 14 notifies the related communication devices of the determined communication method. The storage unit 15 stores the various information needed to execute the processing of the communication management device 1. The communication method in this embodiment covers the type of communication, in particular the type of encrypted communication used to ensure security, and suppression (stop) control of communication, in particular control of which of a communication device's functions may communicate. An implementation example of the communication method determination unit 13 and details of its processing are described later.
Over the control network 41, the content communicated between these communication devices includes image data produced by the camera 5 as its monitoring result and control signals for controlling the robots 3a to 3c. The information used by the communication management device 1 to perform monitoring, and the notification of the determined communication method, are also communicated over it.
This concludes the description of the control network 41 layer; next, the control information network 42 layer is described. Various communication devices are connected to the control information network 42, which mainly carries so-called information-system traffic for production management. A production management server 23, which performs production management, and a terminal device 22 used for production management are connected to the control information network 42. Also connected to it is an internal CA 21, a certificate authority for internal use by the organization, such as a company, that operates the production system 70.
The production management server 23 executes information processing for production operations such as production planning and production management at the production facility, and can be implemented by a computer, for example. The terminal device 22 is used by users who carry out production work to issue instructions to the production management server 23 and to display its processing results, and can therefore be implemented by a computer such as a so-called PC, tablet or smartphone.
The internal CA 21 can be implemented by a computer that issues and manages certificates such as public key certificates.
The control information network 42 is also connected to the FW 30, which connects the production system 70 to the outside. This concludes the description of the control information network 42 layer; next, the Internet 43 layer is described. The various communication devices described below are also connected to the Internet 43.
First, the FW 30 connects to other systems within the organization that operates the production system 70. These other systems perform business other than production, such as product sales and distribution management, and comprise a business server 32 and a terminal device 33. The business server 32 executes information processing for various business tasks in response to instructions from the terminal device 33 and outputs the results to it; the terminal device 33 is thus used to carry out business work. Both are implemented by computers; the terminal device 33 in particular can be a so-called PC, tablet or smartphone.
An external CA 31, a terminal device 34 and an external production site 50 are also connected via the Internet 43. The external CA 31 is a certificate authority operated by an organization other than the one operating the production system 70; like the internal CA, it can be implemented by a computer that issues and manages certificates such as public key certificates. The terminal device 34 is implemented by a computer such as a so-called PC, tablet or smartphone and executes various information processing in response to user operations. The external production site 50 hosts a production system at a site separate from the production system 70; that production system desirably has the same configuration as the production system 70, including an FW 30.
Within the production system 70, the control network 41 is the layer furthest from the Internet 43, that is, the network hardest to intrude into from outside. Conversely, the Internet 43 is the outside itself, and the control information network 42 is positioned closer to the outside. For this reason, communication on the control network 41 may be carried out at a lower level of security than communication on the control information network 42 or the Internet 43. For example, while certificate communication is used on the control information network 42 and the Internet 43, the control network 41 may use common key communication or unencrypted communication (plain communication). These choices may, however, be made per communication device or per communication; each network (layer) is not limited to a single uniform communication method, and a configuration in which several communication methods coexist is possible. In summary, the general tendency is that layers drawn higher in FIGS. 1 and 2 communicate using more secure communication methods. In this embodiment, even in a configuration in which several communication methods coexist in this way, the communication method is determined according to its security. The configuration for this is described below.
FIG. 3 is a diagram showing the configuration of the communication management device 1 in the embodiment, that is, one configuration example for realizing the functional blocks of the communication management device 1 shown in FIG. 2. In FIG. 3, the communication management device 1 is described, by way of example, as a computer that performs processing according to a program (software); it may, however, also be built using dedicated hardware, an FPGA (field-programmable gate array) or the like.
In FIG. 3, the communication management device 1 has a network I/F 110 (network interface), a processing unit 120, a main storage unit 130 and an auxiliary storage unit 140, connected to one another via a communication path such as a bus. The network I/F 110 provides the function of communicating with other communication devices via the control network 41 and corresponds to the input unit 11 and output unit 14 of FIG. 2. The input and output functions of the network I/F 110 may also be realized as independent components, and the network I/F 110 may be connected to networks other than the control network 41 or directly to communication devices.
The processing unit 120 is implemented by a processor, CPU or the like and performs computation according to the programs loaded into the main storage unit 130. That is, the processing unit 120 executes the processing of the monitoring unit 12 and the communication method determination unit 13 of FIG. 2.
Programs stored in the auxiliary storage unit 140 or other storage media, and the other information needed for computation, are loaded into the main storage unit 130. The programs loaded there include a monitoring program 141, corresponding to the function of the monitoring unit 12 of FIG. 2, and a communication method determination program 142, corresponding to the function of the communication method determination unit 13 of FIG. 2. These need not be independent programs; each may be realized as a module of a single program.
The auxiliary storage unit 140 can be realized by so-called storage such as an HDD (Hard Disk Drive) or SSD (Solid State Drive). In addition to the programs above, it stores a revocation list 143, a device management table 144, a communication method management table 145 and a function management table 146. The auxiliary storage unit 140 may also be configured independently of the communication management device 1, for example as a file server connected via the network I/F 110. The main storage unit 130 and auxiliary storage unit 140 together correspond to the storage unit 15 of FIG. 2.
The communication management device 1 may also be realized by a plurality of computers, in which case its functions can be divided among them.
This concludes the description of the configuration of the present embodiment; the various information stored in the auxiliary storage unit 140 is described below.
<Information>
FIG. 4 is a diagram showing the revocation list 143 used in this embodiment. The revocation list 143 is information for identifying communication devices whose security, under their communication method, has been lowered; to this end, the revocation list 143 of this embodiment indicates the security status of each communication device. As shown in FIG. 4, it has the items device ID, device name and status. The device ID identifies the communication device and the device name is its name; only one of the two need be provided.
The status indicates the security status of the communication device under its communication method, that is, whether its security has been revoked. In this embodiment, a lowering of security is judged by whether a certificate, one kind of tool for securing communication, has been revoked. A communication device meeting at least one of the following conditions is judged to have lowered security, that is, the monitoring unit 12 identifies it as a revoked communication device:
・a communication device whose certificate has expired
・a communication device whose certificate's validity has been called into question
・a communication device for which another device has notified revocation of the certificate
Conditions other than these may also be set.
The content of FIG. 4 is as follows. The "control server" with device ID "0000" has not had the security of its communication revoked; it is maintained. By contrast, the security of communication for "robot A" with device ID "1234" has been revoked, and that of the "controller" with device ID "2468" is scheduled for revocation. The example of FIG. 4 also includes entries whose status is "maintained", but the list may be restricted to entries that are "revoked" or "scheduled for revocation".
The revocation list 143 may be created by the communication management device 1 or by another device such as the terminal device 6 or the internal CA 21. When the communication management device 1 creates it, it can do so from information on certificate validity received from the internal CA 21 or the external CA 31, or by checking the communication and connection state of the communication devices on the control network 41 and the like.
The communication management device 1 then uses this revocation list 143 to determine the communication method. The details of this determination are described later with reference to a flowchart.
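The following is an added example, not code from the patent, of how the communication management device 1 could build the revocation list 143 of FIG. 4 from certificate validity information received from a CA, applying the three conditions listed above (expired, validity questioned, revocation notified). The CertInfo record, the status strings, the seven-day scheduling window and the sample validity data are assumptions made for the example; the page only specifies the three columns and the three statuses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Status values used in the revocation list 143 (FIG. 4).
MAINTAINED = "maintained"
REVOKED = "revoked"
SCHEDULED = "scheduled for revocation"

# Assumption: a certificate expiring within this window is reported as
# "scheduled for revocation" so that a method change can be prepared in time.
SCHEDULE_WINDOW = timedelta(days=7)


@dataclass
class CertInfo:
    """Validity information about one device's certificate, as reported by the
    internal CA 21 / external CA 31 or observed on the control network 41.
    (Assumed record layout, not defined on the page.)"""
    device_id: str
    device_name: str
    not_after: datetime                     # certificate expiry (notAfter)
    revoked_at: Optional[datetime] = None   # effective time of a CA revocation notice
    validity_questioned: bool = False       # e.g. suspicious behaviour seen by the monitoring unit 12


def device_status(info: CertInfo, now: datetime) -> str:
    """Apply the embodiment's three conditions, then the scheduling window."""
    # Condition 1: the certificate has already expired.
    if info.not_after <= now:
        return REVOKED
    # Condition 2: the validity of the certificate has been called into question.
    if info.validity_questioned:
        return REVOKED
    # Condition 3: another device (here a CA) notified revocation. A future
    # effective time is recorded as "scheduled" so that step S2 still picks it up.
    if info.revoked_at is not None:
        return REVOKED if info.revoked_at <= now else SCHEDULED
    if info.not_after - now <= SCHEDULE_WINDOW:
        return SCHEDULED
    return MAINTAINED


def build_revocation_list(infos: List[CertInfo], now: datetime,
                          include_maintained: bool = True) -> List[dict]:
    """Produce the rows of FIG. 4: device ID, device name, status.
    include_maintained=False gives the narrowed list the page mentions."""
    rows = []
    for info in infos:
        status = device_status(info, now)
        if status == MAINTAINED and not include_maintained:
            continue
        rows.append({"device_id": info.device_id,
                     "device_name": info.device_name,
                     "status": status})
    return rows


# Constructed sample input matching the three devices of FIG. 4.
NOW = datetime(2022, 11, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERT_INFO = [
    CertInfo("0000", "control server",
             not_after=datetime(2023, 3, 31, tzinfo=timezone.utc)),
    CertInfo("1234", "robot A",
             not_after=datetime(2022, 10, 1, tzinfo=timezone.utc)),       # already expired
    CertInfo("2468", "controller C",
             not_after=datetime(2023, 3, 31, tzinfo=timezone.utc),
             revoked_at=datetime(2022, 11, 15, tzinfo=timezone.utc)),     # CA notice, future date
]

if __name__ == "__main__":
    for row in build_revocation_list(SAMPLE_CERT_INFO, NOW):
        print(row)
```

With the sample data the control server is reported as maintained, robot A as revoked (expired) and controller C as scheduled for revocation (CA notice with a future effective time), which is the content of FIG. 4. A practitioner would feed device_status from real CA data (a CRL or OCSP response for condition 3) and from the monitoring unit's observations for condition 2; the example only fixes the decision logic.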
Next, FIG. 5 is a diagram showing the device management table 144 used in this embodiment. The device management table 144 registers communication-related information for each communication device. As shown in FIG. 5, it has the items device ID, device name, IP address, MAC address, communication method, expiry, function and communication state.
The device ID and device name are the same as in the revocation list 143. The IP address and MAC address are addresses relevant to the target communication device's communication; at least one of them is provided. The communication method indicates the communication methods the target communication device supports.
The expiry indicates the validity period (the time until revocation) of the target communication device's common key or certificate. The function item indicates, for each function the target communication device can execute, whether that function may be stopped (or whether non-stop operation is required); these are preferably functions related to communication. The communication state indicates the communication state of the target communication device as it relates to communication security.
In the example of FIG. 5, the "control server" with device ID "0000" has the IP address and MAC address shown in the figure. Its communication method shows that it supports both certificate communication (including SSL communication as one example) and common key communication. The expiry of its certificate and of its common key is 00:00 on 3/31 and 00:00 on 12/1 respectively, and non-stop operation is required for all of its functions. Its current communication state is normal, indicating that the security of its communication is assured; that is, there is no need to revoke the "control server" at this point.
By contrast, "controller D" with device ID "2400" supports only common key communication, and its common key expires at 00:00 on 12/1. Its functions are command notification, emergency reception and normal reception; command notification and emergency reception require non-stop operation, while normal reception may be stopped. Command notification here means the output of a command (control signal) from the controller to a robot, emergency reception means receiving an emergency stop command for accident prevention and the like, and normal reception means receiving communication for normal operation other than emergency reception.
The communication state of "controller D" is normal, indicating that the security of its common key is maintained. For "controller C" with device ID "2468", however, the communication management device 1 has received a revocation notice from the internal CA 21, indicating that its certificate is scheduled for revocation.
The communication management device 1 also uses this device management table 144 to determine the communication method; the details are described later with reference to a flowchart. The function item of the device management table 144 may instead be separated out and managed in the function management table 146 described later, in which case the function item can be omitted from the device management table 144.
Next, FIG. 6 is a diagram showing the communication method management table 145 used in this embodiment. The communication method management table 145 registers information for managing the communication method between communication devices. As shown in FIG. 6, it has, for each communication device, the items device ID, partner device, communication method and communication state. The device ID is the same information as in the revocation list 143. The partner device is the device ID of a communication device that communicates with the target communication device. The communication method is the communication method currently used between the target communication device and the partner device, and the communication state is the current communication state between them, the same information as in the device management table 144.
Using the communication method management table 145, the communication management device 1 can identify the related communication devices to be notified of the result of the communication method determination. For example, when the communication method for device ID "0000" is determined, its partner devices are identified as the related communication devices and are notified of the determined communication method.
The communication method management table 145 also gives the current communication method, so when the certificate of a given communication device is revoked, the communication method can be determined per communication partner. For example, if the certificate of device ID "1234" is revoked, some action is required for partner devices "0000" and "1357", because they communicate with it using certificate communication; with partner device "2468", on the other hand, common key communication is in use, so it can be determined that common key communication can be maintained. This embodiment performs a determination using the communication method management table 145, but that determination may be omitted. The details of this determination, and of the processing using the communication method management table 145, are described later with reference to a flowchart.
Finally, FIG. 7 is a diagram showing the function management table 146 used in this embodiment. The function management table 146 registers information about the functions of each type of communication device. As shown in FIG. 7, it has, for each type of communication device, the items device type, function, stoppable and countermeasure. The device type indicates the type of communication device, although entries may instead be kept per communication device.
The function and stoppable items, like the function item of the device management table 144, indicate for each function the target communication device can execute whether that function may be stopped (or whether non-stop operation is required). The countermeasure indicates the response for that function when its communication is revoked. For example, the start function of device type "robot" requires non-stop operation, so it must be handled by changing the communication method; the display function of the same type may be stopped, so communication for display can be suppressed (stopped). Because the countermeasure is simply the inverse of the stoppable item, this item can be omitted; and because the device management table 144 can serve the same purpose, the function management table 146 as a whole can be omitted, in which case a countermeasure item may be added to the device management table 144.
This concludes the description of the information used in this embodiment; next, the processing flow of this embodiment is described with reference to a flowchart.
<Processing flow>
FIG. 8 is a flowchart showing the processing flow in this embodiment. The processing of the communication management device 1 is described below following FIG. 8, with the subject of each step identified using the units shown in FIG. 2.
First, in step S1, the monitoring unit 12 starts monitoring the security of communication in the communication devices. This may be executed in response to an instruction from the terminal device 6, or when a start condition such as a predetermined period is met. The communication management device 1 may also run continuously and execute the processing from step S2 onward continually.
Next, in step S2, the monitoring unit 12 determines from the monitoring result whether security has been lowered in any of the communication devices. In this embodiment, the monitoring unit 12 monitors whether a certificate or the like has been revoked, and to do so checks the revocation list 143. If the status column of the revocation list 143 contains a revoked or scheduled-for-revocation entry (below referred to simply as revoked), the flow proceeds to step S3 (YES); if not (NO), it returns to step S1 and continues monitoring. Records of the revocation list 143 confirmed in step S2 may be deleted so that only unconfirmed records remain, or a flag indicating confirmation may be recorded; either prevents the processing from step S3 onward from being repeated for the same record.
Revocation here means that a certificate or key becomes invalid, for example through expiry of its term, or that the validity of a certificate or key is called into question, for example by the behaviour of a communication device; it also includes scheduled revocation. Keys include, besides public keys, private keys and common keys. Revocation may further include a lowering of security due to a virus or the like.
Next, in step S3, the monitoring unit 12 identifies, from the revocation list 143, the communication devices indicated by the device IDs that are revoked or scheduled for revocation as revoked communication devices. In the example of FIG. 4, robot A with device ID "1234" and controller C with device ID "2468" are identified as the revoked communication devices.
Next, in step S4, the communication method determination unit 13 identifies, for the revoked communication device, the communication method that has been revoked and the communication methods it supports. To identify the revoked communication method, the communication method determination unit 13 may use the communication state in the device management table 144, or check the communication method and communication state in the communication method management table 145; alternatively, the revoked or scheduled-for-revocation communication method may be recorded in the revocation list 143 and used. To identify the supported communication methods, the communication method determination unit 13 uses the communication method item of the device management table 144.
In step S5, the communication method determination unit 13 identifies the related communication devices of the revoked communication device identified in step S3, using the communication method management table 145: the partner devices corresponding to the device ID of the revoked communication device are identified as the related communication devices. In this embodiment the related communication devices are the partner devices with which the revoked communication device communicates, but they are not limited to these; for example, every communication device managed by the communication management device 1, or every communication device connected to the same network as the revoked communication device, may be treated as a related communication device.
In step S6, the communication method determination unit 13 identifies the communication methods supported by the related communication devices identified in step S5, using the communication method item of the device management table 144.
Then, in step S7, the communication method determination unit 13 determines the communication method using the results of steps S4 to S6. The details are as follows.
Several determination methods are possible, including (1) and (2) below.
(1) Taking the related communication devices into account
First, the communication method determination unit 13 identifies, among the supported communication methods identified in step S4, the valid communication methods that have not been revoked. Next, it matches the communication methods supported by the related communication devices, identified in step S6, against these valid communication methods, and determines a communication method that matches on both sides.
(2) Handling the revoked communication device on its own
As in (1), the communication method determination unit 13 identifies, among the supportable communication methods found in step S4, a valid communication method that has not been revoked, and determines it as the communication method. In this case steps S5 and S6 can be omitted.
Where security has been degraded by a virus or the like, the communication method can also be determined as follows. First, for each communication method, it is configured whether that method can cope with the factor in question. In step S4 the communication method determination unit 13 then uses this configuration to identify which methods on the revoked communication device can and cannot cope with the factor, and in step S6 it does the same for the related communication device. In this step the communication method is then determined by matching the methods that can cope with the factor on both sides. Among the methods both sides can use, it is desirable to choose the one with the highest security.
Determining the communication method includes the following forms. First, the type of communication is changed, for example from certificate communication to common key communication or plain communication, or from common key communication to plain communication. The desirable direction is from a more secure type of communication to a less secure one, as in these examples, but a change in the opposite direction may also be made.
Furthermore, the determined communication method may specify, for each function of the revoked communication device, whether its communication is suppressed or maintained. For this the communication method determination unit 13 uses the function column of the device management table 144 or the function management table 146. The communication method therefore covers both the type of communication itself and which of the device's functions are allowed to communicate; the determination may also combine the two.
In step S7, then, the communication method determination unit 13 determines at least one communication method with which the revoked communication device can still communicate.
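The decision of steps S4 to S7, as an added worked example in Python rather than code from the patent: it covers variant (1) (intersection with each related device), variant (2) (the revoked device alone), the factor-aware variant, the "most secure common method" rule, and the per-function maintain/suppress decision. The dictionaries stand in for tables 144, 145 and 146; the device IDs, column names, security ranking, factor configuration and the `min_rank` policy floor are all assumptions.

```python
"""Worked example of steps S4-S7: choosing a communication method for a revoked device.

Added illustration, not code from the patent. The dictionaries below are
constructed stand-ins for the device management table 144, the communication
method management table 145 and the function management table 146; device
IDs, column names and the security ranking are assumptions.
"""

# Security ranking of communication types, higher is more secure (assumed).
SECURITY_RANK = {"certificate": 3, "common_key": 2, "plain": 1}

# Per-factor configuration: which types can still cope with a given cause of
# degradation (the patent's "set for each method whether it can handle the
# factor"). Constructed values, not a recommendation.
FACTOR_CAPABILITY = {
    "certificate_revoked": {"common_key", "plain"},
    "virus": {"common_key"},
}

# Device management table 144 (constructed): supported types and functions.
DEVICE_TABLE = {
    "ctrl-server-2": {"methods": {"certificate", "common_key", "plain"},
                      "functions": {"production_report", "remote_maint", "log_upload"}},
    "robot-3":       {"methods": {"certificate", "common_key"}, "functions": {"motion"}},
    "camera-5":      {"methods": {"certificate", "plain"}, "functions": {"stream"}},
}

# Communication method management table 145 (constructed): (device, partner) -> current type.
METHOD_TABLE = {
    ("ctrl-server-2", "robot-3"): "certificate",
    ("ctrl-server-2", "camera-5"): "certificate",
}

# Function management table 146 (constructed): function -> partner it talks to.
FUNCTION_TABLE = {
    "production_report": "prod-mgmt-23",
    "remote_maint": "terminal-22",
    "log_upload": "business-server-32",
}


def related_devices(revoked, method_table):
    """Step S5: partners recorded against the revoked device in table 145."""
    return {b if a == revoked else a for a, b in method_table if revoked in (a, b)}


def usable_methods(device, revoked_methods, device_table, factor=None, min_rank=1):
    """Steps S4/S6: supported types minus revoked ones, filtered by factor and a policy floor."""
    methods = set(device_table[device]["methods"]) - set(revoked_methods)
    if factor is not None:
        methods &= FACTOR_CAPABILITY.get(factor, set())
    return {m for m in methods if SECURITY_RANK[m] >= min_rank}


def most_secure(methods):
    """Pick the highest-ranked type; None means no usable type is left."""
    return max(methods, key=SECURITY_RANK.__getitem__) if methods else None


def decide_method(revoked, revoked_methods, device_table, method_table,
                  factor=None, consider_related=True, min_rank=1):
    """Step S7.

    Variant (1): intersect the revoked device's valid types with each related
    device's types and keep the most secure match, per partner.
    Variant (2): skip S5/S6 and decide from the revoked device alone ("*").
    `min_rank` is an added policy floor (2 forbids falling back to plain).
    """
    own = usable_methods(revoked, revoked_methods, device_table, factor, min_rank)
    if not consider_related:
        return {"*": most_secure(own)}
    return {
        partner: most_secure(own & usable_methods(partner, (), device_table, factor, min_rank))
        for partner in related_devices(revoked, method_table)
    }


def decide_functions(revoked, essential_partners, device_table, function_table):
    """Per-function decision: keep functions whose partner is essential, suppress the rest."""
    return {
        fn: "maintain" if function_table.get(fn) in essential_partners else "suppress"
        for fn in sorted(device_table[revoked]["functions"])
    }


if __name__ == "__main__":
    print(decide_method("ctrl-server-2", {"certificate"}, DEVICE_TABLE, METHOD_TABLE))
    print(decide_method("ctrl-server-2", {"certificate"}, DEVICE_TABLE, METHOD_TABLE, factor="virus"))
    print(decide_functions("ctrl-server-2", {"prod-mgmt-23"}, DEVICE_TABLE, FUNCTION_TABLE))
```

A `None` result for a partner means no method survives the intersection, which is the case a caller must treat as "suppress this link" rather than fall through to an unauthenticated channel. The patent allows a downgrade all the way to plain communication; `min_rank` makes that downgrade an explicit policy choice instead of the automatic default.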
In step S8, the output unit 14 notifies the communication method determined in step S7 to the revoked communication device and the related communication devices. At this point it is desirable that the communication method determination unit 13 update the communication method in the communication method management table 145 to the determined method, and also update the communication status in the device management table 144 and the communication method management table 145.
As a result of step S8, the revoked communication device and the related communication devices communicate with the determined method. In step S9 the monitoring unit 12 monitors the revoked communication device while it communicates with that method, and in step S10 it checks whether the revocation has been resolved. This uses the same processing as step S2: the monitoring unit 12 can check the revocation list 143, for example, to confirm whether the revocation has been lifted. If it has (YES), the flow proceeds to step S11; otherwise it returns to step S9 and monitoring continues.
Recovery in step S10 is explained using the example of renewing a revoked certificate. As described later, when a revocation occurs a warning is sent to the terminal devices. In response to a user operation, a terminal device then sends a certificate renewal request to the internal CA 21 or the external CA 31. When the internal CA 21 or external CA 31 renews the certificate in response to that request, this step judges that recovery has taken place. The renewal may also be carried out automatically by the internal CA 21 or the external CA 31.
In step S11, the communication method determination unit 13 re-determines the communication method of the revoked communication device. This reverses what was judged revoked in step S2: if, as a result of step S7, the revoked communication device and the related communication devices were switched from certificate communication to common key communication, the method is re-determined (restored) to certificate communication.
In step S12, the output unit 14 notifies the communication method re-determined in step S11 to the revoked communication device and the related communication devices, as in step S8. Also as in step S8, it is desirable that the communication method determination unit 13 update the communication method in the communication method management table 145 to the re-determined method, and update the communication status in the device management table 144 and the communication method management table 145. The revoked and related communication devices then communicate with the re-determined method, that is, the original one.
This flow is executed continuously, so communication between the communication devices is maintained as far as possible. Stoppages of operations such as production in a production facility are thereby kept to a minimum, and stagnation of business activity is prevented.
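The monitoring and recovery loop of steps S2 and S8 to S12, including the advance warning for an expected revocation and the restoration of the original method, as an added worked example in Python (not code from the patent). The certificate records, the revocation list standing in for revocation list 143, the link table standing in for communication method management table 145, the fallback policy and the 30-day advance-notice window are constructed assumptions, and the in-memory `CommunicationManager` class is a stand-in for the communication management device 1.

```python
"""Worked example of steps S2 and S8-S12: monitoring revocation and restoring the method.

Added illustration, not code from the patent. The certificate records, the
revocation list (stand-in for revocation list 143), the link table (stand-in
for communication method management table 145) and the fallback policy are
constructed; the 30-day advance-notice window is an assumption.
"""
from datetime import datetime, timedelta, timezone

ADVANCE_NOTICE = timedelta(days=30)  # assumed window for "revocation expected"


def certificate_state(cert, revocation_list, now, notice=ADVANCE_NOTICE):
    """Step S2/S10 check for one device certificate.

    Returns 'revoked', 'expired', 'expiring' or 'valid'. 'expiring' is the
    patent's scheduled/expected revocation (advance warning); 'revoked' and
    'expired' are actual revocations (main warning).
    """
    if cert["serial"] in revocation_list:
        return "revoked"
    if now >= cert["not_after"]:
        return "expired"
    if now + notice >= cert["not_after"]:
        return "expiring"
    return "valid"


class CommunicationManager:
    """In-memory stand-in for communication management device 1."""

    def __init__(self, method_table, fallback):
        self.method_table = dict(method_table)  # (device, partner) -> current type
        self.original = {}                      # link -> type to restore in S11
        self.fallback = fallback                # e.g. {"certificate": "common_key"}
        self.notifications = []                 # (level, device, text) from output unit 14

    def links(self, device):
        return [link for link in self.method_table if device in link]

    def handle(self, device, state):
        """S7/S8 on revocation, S11/S12 on recovery, advance warning on 'expiring'."""
        links = self.links(device)
        degraded = any(link in self.original for link in links)
        if state in ("revoked", "expired") and not degraded:
            for link in links:
                current = self.method_table[link]
                if current in self.fallback:   # remember the original, then downgrade
                    self.original[link] = current
                    self.method_table[link] = self.fallback[current]
            self.notifications.append(("warning", device, f"{state}: communication method changed"))
        elif state == "expiring" and not degraded:
            self.notifications.append(("advance", device, "certificate expires within notice window"))
        elif state == "valid" and degraded:
            for link in links:
                if link in self.original:      # S11: re-determine to the original type
                    self.method_table[link] = self.original.pop(link)
            self.notifications.append(("restored", device, "original communication method restored"))
        return dict(self.method_table)

    def poll(self, certs, revocation_list, now):
        """One pass of the continuously executed flow over all managed devices."""
        for device, cert in certs.items():
            self.handle(device, certificate_state(cert, revocation_list, now))
        return dict(self.method_table)


def run_scenario():
    """Constructed timeline: valid -> revoked via the list -> renewed by the CA."""
    utc = timezone.utc
    certs = {"ctrl-server-2": {"serial": "1a2b", "not_after": datetime(2024, 6, 1, tzinfo=utc)}}
    mgr = CommunicationManager({("ctrl-server-2", "robot-3"): "certificate"},
                               {"certificate": "common_key"})
    revocation_list = set()
    t0 = datetime(2024, 3, 1, tzinfo=utc)
    before = mgr.poll(certs, revocation_list, t0)
    revocation_list.add("1a2b")                                   # revocation published
    during = mgr.poll(certs, revocation_list, t0 + timedelta(days=1))
    certs["ctrl-server-2"] = {"serial": "3c4d",                   # CA issued a new certificate
                              "not_after": datetime(2025, 3, 1, tzinfo=utc)}
    after = mgr.poll(certs, revocation_list, t0 + timedelta(days=2))
    return before, during, after, list(mgr.notifications)


if __name__ == "__main__":
    for stage in run_scenario():
        print(stage)
```

The fallback policy here only maps certificate communication to common key communication; a link whose current type has no entry is left unchanged, which is the point at which a practitioner would suppress the link or the affected function rather than keep it running. Recovery is recognised purely from the new certificate being absent from the revocation list and within its validity period, matching the patent's "check the revocation list" description of step S10.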
This ends the processing flow of the flowchart, but depending on the results of steps S2, S7 and S10 the output unit 14 may additionally send the notifications described below.
First, when step S2 finds that a revocation is scheduled, the output unit 14 sends a warning to at least one of terminal device 6, terminal device 22 and terminal device 34. This is an advance warning. When an actual revocation is then found, it is desirable that the output unit 14 send a further warning to at least one of the same terminal devices. A decline in communication security can thus be reported in two stages, an advance warning and a main warning, so that the users of the terminals, such as communication or operations administrators, can see that communication security has changed, for example decreased.
For the communication method determined in step S7, a warning that the communication method has been changed is also sent to at least one of terminal device 6, terminal device 22 and terminal device 34. This may be limited to cases where security has decreased, or it may be done unconditionally.
Further, when step S11 determines that recovery has occurred, the output unit 14 notifies at least one of terminal device 6, terminal device 22 and terminal device 34 accordingly, so that the users of the terminals can see that communication security has been restored.
Management by the communication management device 1 of this embodiment is also not limited to communication between the devices under its control. Suppose, for example, that the production management server 23 is not under the control of the communication management device 1 and that the control server 2 communicates with it. In that case the communication method determined for the control server 2 maintains its communication function with the production management server 23 and disables its other functions, so that from the point of view of the production management server 23 the communication continues as before.
In the processing flow of this embodiment, when communication security has been revoked (including scheduled or expected revocation), the communication method is changed either by changing the type of communication or by suppressing the communication of some functions of a communication device. Revocation in this embodiment covers not only revocation itself but also a likelihood of revocation above a predetermined level. As a result, interruption of communication is avoided and business continuity is maintained. This completes the description of the processing flow; next, the interface (display) of this embodiment is described.
<Modification (cloud type)>
FIG. 9 shows a modification in which this embodiment is realized as a cloud system. In this modification the communication management device 1 is connected to the Internet 43 and manages the communication devices of each network connected to the Internet 43: specifically, the communication devices of the control information network 42a and the control network 41a connected via the FW 30a, and those of the control information network 42b and the control network 41b connected via the FW 30b. The configuration and processing flow of this modification are as described above and are not repeated here. With this configuration, communication devices belonging to multiple organizations, or located at multiple sites or in multiple business systems, can be managed; in the former case the management of the communication devices can be outsourced to an organization other than the one operating them.
The communication management device 1 may also be placed so as to connect the control information network 42a and the control information network 42b.
This concludes the description of the embodiment, but the invention is not limited to it. For example, it can be applied to fields other than production, such as financial services. Besides the communication devices illustrated, various devices involved in control, mobile units, ATMs and other equipment can serve as communication devices. Encrypted communication was used as the example of communication in this embodiment, but communication is not limited to it, and encrypted communication is not limited to certificate communication and common key communication.
DESCRIPTION OF REFERENCE SIGNS: 1 communication management device; 11 input unit; 12 monitoring unit; 13 communication method determination unit; 14 output unit; 15 storage unit; 2 control server; 3 robot; 4 controller; 5 camera; 6 terminal device; 21 internal CA; 22 terminal device; 23 production management server; 30 FW; 31 external CA; 32 business server; 33 terminal device; 34 terminal device; 41 control network; 42 control information network; 43 Internet; 50 external production site

Claims (8)

  1.  A communication management device that manages communication among a plurality of communication devices connected via a network, each of which is capable of communicating by a plurality of communication methods, the communication management device comprising:
     a monitoring unit that monitors the security of communication according to the communication methods of the plurality of communication devices and, as a result of the monitoring, identifies a revoked communication device whose security has decreased;
     a communication method determination unit that determines a communication method usable by the revoked communication device; and
     an output unit that notifies the revoked communication device of the determined communication method.
  2.  The communication management device according to claim 1, wherein
     the monitoring unit uses a revocation list indicating the security of each of the plurality of communication devices to identify, as the revoked communication device, a communication device whose tool for securing the communication has been revoked.
  3.  The communication management device according to claim 2, wherein
     the tool includes a certificate issued by a certificate authority, and
     the monitoring unit uses the revocation list to identify, as the revoked communication device, at least one of a communication device whose certificate has expired, a communication device whose certificate's validity has come into doubt, and a communication device for which a notice of revocation of the certificate has been received from another device.
  4.  The communication management device according to claim 3, wherein
     the communication method determination unit changes the communication method of the revoked communication device from certificate communication using the certificate to common key communication using a common key.
  5.  The communication management device according to claim 2, wherein
     the communication method determination unit disables at least some of a plurality of functions of the revoked communication device and maintains communication for the other functions.
  6.  The communication management device according to any one of claims 1 to 5, wherein
     the monitoring unit identifies, as a related communication device associated with the revoked communication device, a communication device that is a communication destination of the revoked communication device or a communication device connected to the network,
     the communication method determination unit determines a communication method for communication between the revoked communication device and the related communication device, and
     the output unit notifies the revoked communication device and the related communication device of the determined communication method.
  7.  The communication management device according to claim 6, wherein
     the output unit causes a terminal device to display information about the revoked communication device.
  8.  A communication management method that uses a communication management device to manage communication among a plurality of communication devices connected via a network, each of which is capable of communicating by a plurality of communication methods, the method comprising:
     monitoring, by a monitoring unit, the security of communication according to the communication methods of the plurality of communication devices and, as a result of the monitoring, identifying a revoked communication device whose security has decreased;
     determining, by a communication method determination unit, a communication method usable by the revoked communication device; and
     notifying, by an output unit, the revoked communication device of the determined communication method.
PCT/JP2022/038414 2021-11-19 2022-10-14 Communication management apparatus and method WO2023090012A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021-188482 2021-11-19
JP2021188482A JP2023075526A (en) 2021-11-19 2021-11-19 Communication management device and method

Publications (1)

Publication Number Publication Date
WO2023090012A1 true WO2023090012A1 (en) 2023-05-25

Family

ID=86396838

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/038414 WO2023090012A1 (en) 2021-11-19 2022-10-14 Communication management apparatus and method

Country Status (2)

Country Link
JP (1) JP2023075526A (en)
WO (1) WO2023090012A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007207088A (en) * 2006-02-03 2007-08-16 Hitachi Ltd Network system
JP5112498B2 (en) * 2010-11-09 2013-01-09 日本電信電話株式会社 Confirmation device, confirmation method and confirmation program
WO2016140198A1 (en) * 2015-03-04 2016-09-09 日本電信電話株式会社 Security measure invalidation prevention device, security measure invalidation prevention method, and security measure invalidation prevention program


Also Published As

Publication number Publication date
JP2023075526A (en) 2023-05-31


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22895298

Country of ref document: EP

Kind code of ref document: A1