CN103036886B - Industrial control network security protection method - Google Patents


Info

Publication number: CN103036886B
Authority: CN (China)
Prior art keywords: network, industrial, control, communication, industrial control
Application number: CN201210553196.8A
Other languages: Chinese (zh)
Other versions: CN103036886A
Inventors: 刘智勇, 陈良汉
Original assignee: 珠海市鸿瑞软件技术有限公司


Abstract

The present invention discloses an industrial control network security protection method that improves industrial control network security, keeps communication convenient, prevents external attack and intrusion, and effectively protects the safety of the industrial control system and its industrial equipment. The method comprises the following steps: the industrial enterprise's information system is processed into layers, and security policy measures are applied to the data exchange of the industrial control layer; the industrial control layer is divided into a plurality of different automation cell regions, which are isolated from one another by firewalls; the potential communication paths from the production execution layer to the industrial control layer are blocked; and an industrial security management platform module is used to establish a configuration, management, analysis, alarm and audit center for the industrial control layer network. The present invention is applied to the field of industrial control networks.

Description

Industrial control network security protection method

Technical field

The present invention relates to an industrial control network security protection method.

Background technology

An industrial control system is a system composed of various automatic control components and process control modules that acquire and monitor real-time data. More than 80 percent of China's critical infrastructure relies on industrial control systems for automated operation, and industrial control networks have become an important component of the national security strategy. Once a security hole opens in an industrial control network, it poses a major hidden danger to industrial production and to the economic security of the country. Government agencies at all levels in China therefore attach great importance to this, emphasizing that industrial control system information security bears on industrial production, the economic security of the country and the safety of people's lives and property, and that the management of industrial control network information security must be conscientiously strengthened.

At present, few technical safeguards are adopted in the security protection of general industrial control system networks, and protection is not carried out in an overall, systematic way. With the integration of control in industrial control systems, industrial control systems are connected to conventional IT management systems and the Internet, and internally they increasingly adopt common software, common hardware and general-purpose protocols, so they directly face every threat from the outside world, which increases the information security hazards of industrial control networks. At the same time, the security awareness of users in the industrial control industry is insufficient: overall system security design is not taken into account in the system, functional implementation is emphasized while security is neglected, and security management receives little attention during operation and maintenance, which increases the possibility that an industrial control system suffers virus or Trojan attacks.

The Chinese patent with publication number 102438026A discloses an industrial control network security protection method and system comprising the following steps: against attacks from the external network, a front host performs first-layer data filtering and access control on external network data, a security control host caches the data through a shared storage area and performs intrusion detection on it, for invalid data an alarm notifies the hosts on both sides, a rear host performs in-depth filtering and access control on the data, and valid data enters the internal network; against attacks from the internal network, the rear host performs first-layer data filtering and access control on internal network data, the security control host caches the data through the shared storage area and performs intrusion detection on it, for invalid data an alarm notifies the hosts on both sides, the front host performs in-depth filtering and access control on the data, and valid data enters the external network. This patent adopts a three-host structure and a three-layer protection strategy, so its investment and management costs are high, and the various monitoring devices it adopts are complex, so it cannot meet the broad needs of industrial control networks.

At present, the production management system and the control system are co-located in the production control network and exchange information with one another, with no logical isolation or information detection measures. As shown in Figure 1, the production control network and the management network are logically isolated by a firewall, which monitors the communication data between them; but in this structure a virus or Trojan from the Internet or other media can use the management network as a base to attack the production control network through the firewall, which is an information security hazard.

Summary of the invention

The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art and to provide an industrial control network security protection method that improves industrial control network security, keeps communication convenient, prevents external attack and intrusion, and effectively protects the safety of the industrial control system and its industrial equipment.

The technical solution adopted by the present invention is a method comprising the following steps:

(1) according to the technical requirements of industrial control system information security, the industrial enterprise's information system is processed into layers, dividing it into three security working levels, namely the industrial control layer, the production execution layer and the management layer, and security policy measures are applied to the data exchange of the industrial control layer;

(2) according to the functional characteristics and control range of the industrial control system, the industrial control layer is divided into a plurality of different automation cell regions, which are isolated from one another by firewalls that implement packet filtering and access control, inspect and analyze the industrial communication protocols, and provide real-time alarms on illegal communication, source confirmation and historical records, thereby ensuring real-time diagnosis of the control network;

(3) a network isolation module is used to realize secure, non-network-mode data exchange between the industrial control layer and the production execution layer, ensuring that the two processing systems inside and outside the security isolation module are never connected at the same time; combined with TCP connection anti-penetration and access control technology, the potential communication paths from the production execution layer to the industrial control layer are blocked, thereby realizing unidirectional isolation between the industrial control layer and the production execution layer;

(4) an industrial security management platform module is used to establish a configuration, management, analysis, alarm and audit center for the industrial control layer network, which configures and manages the firewalls and network isolation devices, collects, stores and retrieves network event alarm information and issues graded alarms, restricts communication to the terminal applications defined within the white list, captures abnormal network behavior through deep analysis of industrial control protocols, analyzes potential risks, and accurately captures on-site viruses, worms and illegal intrusions, providing a reliable basis for the investigation, analysis and security audit of industrial control system network faults.

In step (1), the communication network systems at the two ends, between the industrial control layer and the production execution layer, are connected by wired or wireless network means.

In step (2), the inspection and analysis combines state detection with application-layer protocol detection and performs multi-stage filtering, forming a comprehensive access control mechanism and a protective barrier for each automation cell region that stops unauthorized personnel and messages.

In step (2), the packet filtering of communications is based on traffic collection and identification in the industrial control network, and the access control of communications is based on a white list of terminal applications.

In step (3), the network isolation module adopts security isolation technology to strip the reverse control protocol from the data communication, so that in the reverse direction there is neither a data channel nor a control channel, and the forward direction is completely blind, realizing one-way transmission of information flow.

The beneficial effects of the present invention are as follows. Because the present invention adopts the methods of system layering, zoning within a layer, unidirectional isolation and security management and control, the system layering effectively reduces the severity and the scope of damage of a threat; the zoning within a layer isolates data by region, provides real-time alarms on illegal communication, source confirmation and historical records, and ensures real-time diagnosis of the control network; the unidirectional isolation realizes one-way isolation between the industrial control layer and the production execution layer; and the security management and control provides a reliable basis for the investigation, analysis and security audit of industrial control system network faults. It provides an electric power system with a convenient, safe public network communication means that is not subject to attack, analyzes and applies authority control to the transmission protocols of the electric power system, and provides a safe and reliable transmission channel for public network communication in power grid dispatching automation, so that data communication over the public network can take place anytime and anywhere on the premise that information security is ensured. It resists malicious sabotage and attacks launched against the industrial control system in various forms by hackers, viruses, worms and the like, and prevents unauthorized users from accessing the system, illegally obtaining information, intruding or performing serious illegal operations, as well as attacks and intrusions launched from outside. The present invention therefore improves industrial control network security, keeps communication convenient, prevents external attack and intrusion, and effectively protects the safety of the industrial control system and its industrial equipment.

Accompanying drawing explanation

Fig. 1 is a schematic of the environment before the present invention is applied;

Fig. 2 is a schematic of the environment after the present invention is applied;

Fig. 3 is a workflow diagram of the present invention.

Embodiment

As shown in Figures 2 and 3, the technical solution adopted by the present invention is a method comprising the following steps:

(1) according to the technical requirements of industrial control system information security, the industrial enterprise's information system is processed into layers: based on a risk analysis of the plant, the industrial enterprise information system is divided into three security working levels, namely the industrial control layer, the production execution layer and the management layer; the industrial control layer is the focus and core of security protection for the industrial enterprise, and security policy measures are applied to its data exchange;

(2) according to the functional characteristics and control range of the industrial control system, the industrial control layer is divided into a plurality of different automation cell regions, which are isolated from one another by firewalls that implement packet filtering and access control, inspect and analyze the industrial communication protocols, and provide real-time alarms on illegal communication, source confirmation and historical records, thereby ensuring real-time diagnosis of the control network; an industrial control system usually grows from a single, independent system into a complex network in which the subsystems are not isolated from one another and few protective measures are designed in, and dividing the industrial control layer into a plurality of different automation cell regions isolated by firewalls effectively solves the problem of a fault in one region spreading to the entire industrial control system network;

(3) a network isolation module is used to realize secure, non-network-mode data exchange between the industrial control layer and the production execution layer, ensuring that the two processing systems inside and outside the security isolation module are never connected at the same time; combined with TCP connection anti-penetration and access control technology, the potential communication paths from the production execution layer to the industrial control layer are blocked, thereby realizing unidirectional isolation between the industrial control layer and the production execution layer;

(4) an industrial security management platform module is used to establish a configuration, management, analysis, alarm and audit center for the industrial control layer network, which configures and manages the firewalls and network isolation devices, collects, stores and retrieves network event alarm information and issues graded alarms, restricts communication to the terminal applications defined within the white list, captures abnormal network behavior through deep analysis of industrial control protocols, analyzes potential risks, and accurately captures on-site viruses, worms, illegal intrusions and the like, providing a reliable basis for the investigation, analysis and security audit of industrial control system network faults.

In step (1), the communication network systems at the two ends, between the industrial control layer and the production execution layer, are connected by wired or wireless network means.

In step (2), the inspection and analysis combines state detection with application-layer protocol detection and performs multi-stage filtering, forming a comprehensive access control mechanism and a protective barrier for each automation cell region that stops unauthorized personnel and messages.

In step (2), the packet filtering of communications is based on traffic collection and identification in the industrial control network, and the access control of communications is based on a white list of terminal applications.

In step (3), the network isolation module adopts security isolation technology to strip the reverse control protocol from the data communication, so that in the reverse direction there is neither a data channel nor a control channel, and the forward direction is completely blind, realizing one-way transmission of information flow; this both ensures that online data is transmitted to the production execution layer in real time and ensures that data of the production execution layer cannot enter the industrial control layer.

The industrial control system refers to the operational process management and control system, composed of various automatic control components and process control modules that acquire and monitor real-time data, that jointly ensures the automatic operation, process control and monitoring of industrial infrastructure. Its core components include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), remote terminal units (RTU), intelligent electronic devices (IED) and communication interface technology.

The present invention divides the industrial enterprise information system into reasonable layers, namely the industrial control layer, the production execution layer and the management layer, to remove the hidden danger of intrusion from the management information system that arises when the management, production execution and industrial control systems sit in one network plane. Within the industrial control layer, the system is then divided into a plurality of control areas according to the functional characteristics, control range and application needs of the subsystems, so that an information security problem in one control area cannot spread to the entire industrial control system network. Firewalls are set up between the different control areas for logical isolation, and the industrial control application-layer communication protocols are analyzed and filtered. An isolation module is deployed at the network boundary between the industrial control layer and the production execution layer to perform unidirectional isolation, blocking the potential data communication paths from the production execution layer to the industrial control layer. Within the industrial control layer, a security management platform is established to collect and analyze data from the industrial control layer network, realizing "multi-point monitoring, unified coordination".
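As an added illustration (not code from the patent or its assignee), the following Python model puts the four steps together as a single policy check: one-way isolation toward the production execution layer, zone firewalls between automation cells with a terminal-application white list and application-layer function inspection, simple state detection for replies, and a graded alarm store for the audit center. The layer and zone names, the white list and the sample traffic are constructed assumptions.

```python
"""Toy policy engine for the four-step scheme the patent describes. Layer and
zone names, the white list and the sample traffic are all constructed for this
illustration and are not taken from the patent."""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    """Graded alarm levels kept by the audit center (step 4)."""
    WARNING = 1
    CRITICAL = 2


@dataclass(frozen=True)
class Packet:
    src_layer: str      # "control", "execution" or "management"
    src_zone: str       # automation cell region (or a site name outside the control layer)
    dst_layer: str
    dst_zone: str
    app: str            # terminal application that generated the traffic
    proto: str          # industrial protocol name, e.g. "modbus"
    func: int           # protocol function code, inspected at the application layer
    is_reply: bool = False


@dataclass(frozen=True)
class Alarm:
    severity: Severity
    source: str         # source confirmation: layer/zone/application
    reason: str


@dataclass
class ProtectionPlatform:
    # Steps (2)/(4): (application, destination zone) -> allowed (protocol, function) pairs.
    whitelist: dict = field(default_factory=dict)
    # State detection: requests admitted across a zone firewall, so replies can be matched.
    flows: set = field(default_factory=set)
    # Step (4): stored alarm history for retrieval and audit.
    audit: list = field(default_factory=list)

    def _alarm(self, severity: Severity, pkt: Packet, reason: str) -> bool:
        self.audit.append(Alarm(severity, f"{pkt.src_layer}/{pkt.src_zone}/{pkt.app}", reason))
        return False

    def admit(self, pkt: Packet) -> bool:
        """Return True if the packet may pass, False (with an alarm) if it is blocked."""
        # Step (3): unidirectional isolation. Nothing from the execution or management
        # layers may enter the control layer: no data channel and no control channel.
        if pkt.dst_layer == "control" and pkt.src_layer != "control":
            return self._alarm(Severity.CRITICAL, pkt, "reverse traffic into control layer")
        # Forward traffic (control -> execution) and traffic that never touches the
        # control layer are outside the zone firewalls modelled here.
        if pkt.src_layer != "control" or pkt.dst_layer != "control":
            return True
        # Step (2): traffic inside one automation cell is not filtered; traffic
        # between cells crosses the zone firewall below.
        if pkt.src_zone == pkt.dst_zone:
            return True
        if pkt.is_reply:
            # A reply is only admitted if the matching request was let through.
            request_key = (pkt.dst_zone, pkt.src_zone, pkt.app, pkt.proto, pkt.func)
            if request_key not in self.flows:
                return self._alarm(Severity.WARNING, pkt, "reply without matching request")
            return True
        allowed = self.whitelist.get((pkt.app, pkt.dst_zone))
        if allowed is None:
            return self._alarm(Severity.WARNING, pkt, "terminal application not in white list")
        if (pkt.proto, pkt.func) not in allowed:
            return self._alarm(Severity.WARNING, pkt, f"{pkt.proto} function {pkt.func} not permitted")
        self.flows.add((pkt.src_zone, pkt.dst_zone, pkt.app, pkt.proto, pkt.func))
        return True

    def alarms(self, min_severity: Severity) -> list:
        """Graded retrieval from the audit center."""
        return [a for a in self.audit if a.severity >= min_severity]


def run_sample():
    """Constructed traffic exercising each rule; returns the platform and the verdicts."""
    platform = ProtectionPlatform(whitelist={
        ("hmi_a", "unit_b"): {("modbus", 3)},                   # unit A's HMI may only read from unit B
        ("historian", "unit_a"): {("modbus", 3), ("modbus", 4)},
    })
    traffic = [
        Packet("control", "unit_a", "control", "unit_b", "hmi_a", "modbus", 3),           # allowed read
        Packet("control", "unit_b", "control", "unit_a", "hmi_a", "modbus", 3, True),     # its reply
        Packet("control", "unit_a", "control", "unit_b", "hmi_a", "modbus", 16),          # write: not permitted
        Packet("control", "unit_a", "control", "unit_b", "eng_laptop", "modbus", 3),      # app not white-listed
        Packet("control", "unit_b", "control", "unit_a", "historian", "modbus", 4, True), # unsolicited reply
        Packet("control", "unit_a", "execution", "mes", "historian", "opc", 0),           # forward, one-way
        Packet("execution", "mes", "control", "unit_a", "mes_client", "modbus", 6),       # reverse: blocked
        Packet("management", "office", "control", "unit_a", "browser", "http", 0),        # reverse: blocked
        Packet("control", "unit_a", "control", "unit_a", "plc_a", "modbus", 3),           # same cell
    ]
    return platform, [platform.admit(p) for p in traffic]


if __name__ == "__main__":
    platform, verdicts = run_sample()
    print(verdicts)
    for alarm in platform.alarms(Severity.WARNING):
        print(alarm)
```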

The present invention is applied to industrial control network field.

It should be noted that the above describes the present invention only by way of preferred embodiments and cannot limit the scope of the rights of the present invention; therefore, without departing from the inventive concept, all equivalent changes made using the content of the specification and drawings of the present invention shall be included in the scope of the rights of the present invention.

Claims (3)

1. An industrial control network security protection method, characterized in that the industrial control network security protection method comprises the following steps:
(1) according to the technical requirements of industrial control system information security, the industrial enterprise's information system is processed into layers, dividing it into three security working levels, namely the industrial control layer, the production execution layer and the management layer, and security policy measures are applied to the data exchange of the industrial control layer;
(2) according to the functional characteristics and control range of the industrial control system, the industrial control layer is divided into a plurality of different automation cell regions, which are isolated from one another by firewalls that implement packet filtering and access control, inspect and analyze the industrial communication protocols, and provide real-time alarms on illegal communication, source confirmation and historical records, thereby ensuring real-time diagnosis of the control network; the inspection and analysis combines state detection with application-layer protocol detection and performs multi-stage filtering, forming a comprehensive access control mechanism and a protective barrier for each automation cell region that stops unauthorized personnel and messages;
(3) a network isolation module is used to realize secure, non-network-mode data exchange between the industrial control layer and the production execution layer, ensuring that the two processing systems inside and outside the security isolation module are never connected at the same time; combined with TCP connection anti-penetration and access control technology, the potential communication paths from the production execution layer to the industrial control layer are blocked, thereby realizing unidirectional isolation between the industrial control layer and the production execution layer; the network isolation module adopts security isolation technology to strip the reverse control protocol from the data communication, so that in the reverse direction there is neither a data channel nor a control channel and the forward direction is completely blind, realizing one-way transmission of information flow;
(4) an industrial security management platform module is used to establish a configuration, management, analysis, alarm and audit center for the industrial control layer network, which configures and manages the firewalls and network isolation devices, collects, stores and retrieves network event alarm information and issues graded alarms, restricts communication to the terminal applications defined within the white list, captures abnormal network behavior through deep analysis of industrial control protocols, analyzes potential risks, and accurately captures on-site viruses, worms and illegal intrusions, providing a reliable basis for the investigation, analysis and security audit of industrial control system network faults.
2. The industrial control network security protection method according to claim 1, characterized in that in step (1), the communication network systems at the two ends, between the industrial control layer and the production execution layer, are connected by wired or wireless network means.
3. The industrial control network security protection method according to claim 1, characterized in that in step (2), the packet filtering of communications is based on traffic collection and identification in the industrial control network, and the access control of communications is based on a white list of terminal applications.
Application CN201210553196.8A, filed 2012-12-19 (priority date 2012-12-19): Industrial control network security protection method.

Publications (2)

Publication Number Publication Date
CN103036886A (en) 2013-04-10
CN103036886B (en) 2016-02-24

Family ID: 48023369

Country Status: CN, granted as CN103036886B.


Legal Events

PB01 / C06: Publication
SE01 / C10: Entry into substantive examination
GR01 / C14: Patent grant
TR01: Transfer of patent right, effective date of registration 2019-11-13
Patentee before: Zhuhai Hongrui Software Technology Co., Ltd. (519080 Tsinghua Science Park A605, 101 Tang Cheng Road, Zhuhai, Guangdong)
Patentee after: Zhuhai Hongrui Information Technology Co., Ltd. (519000 Room 605, Block A, Entrepreneurship Building, Tsinghua Science Park, No. 101 University Road, Tangjiawan Town, Zhuhai City, Guangdong Province)