CN104243294A - PROFIBUS embedded type Web gateway with security mechanism - Google Patents


Info

Publication number
CN104243294A
Authority
CN
China
Prior art keywords
profibus
gateway
embedded
web server
user
Legal status
Pending
Application number
CN201410414184.6A
Other languages
Chinese (zh)
Inventor
周原
刘明山
柴丹
尚文东
林凤雪
Current Assignee
Individual
Original Assignee
Individual

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a PROFIBUS embedded Web gateway with a security mechanism, through which a PROFIBUS network is connected to the Internet. The hardware mainly comprises an ARM9 processor, a PROFIBUS communication interface circuit, an Internet communication interface circuit and so on. The software comprises an embedded Linux operating system, an embedded Web server, a database and so on. When the PROFIBUS is connected to the Internet through the gateway, the gateway protects the system with three measures at the same time: the mandatory access control concept is applied to user access control, the SSL protocol is applied to encrypted data transmission, and a classified system log provides non-repudiation services for the system. With this gateway a user can conveniently monitor the devices on the PROFIBUS remotely and in real time through the Internet, and the designed security mechanism provides a high security guarantee for the PROFIBUS system.

Description

PROFIBUS embedded Web gateway with a security mechanism
Technical field
The invention belongs to the field of industrial automation (industrial communication). It relates to an embedded secure Web gateway device, based on an ARM9 platform and an embedded Linux operating system, for connecting a PROFIBUS-DP network to the Internet, and in particular to a secure access mechanism for PROFIBUS-DP bus devices accessed through embedded Web technology.
Background technology
PROFIBUS is one of the most popular fieldbuses today. It is the only fieldbus technology that can be applied in a standard way worldwide across manufacturing, process industry and hybrid automation, and that runs through the whole technical process. Through it, an enterprise's field control system is connected to the underlying devices, forming the enterprise's control-layer network. Traditionally the control-layer network has been isolated and closed relative to the enterprise information system, so management and technical staff could learn the on-site production situation only by being on site or through regular reports. In an era of rapidly changing information, the survival and development of an enterprise depend to a great extent on understanding the operating condition of field devices and making correct, timely decisions.
Since its release in 1992, Web technology has been favoured for being graphical, platform-independent, distributed, dynamic and interactive; it lets people worldwide exchange information on an unprecedented scale and has become the most important service and the most promising access tool on the Internet. With the rapid development of embedded technology, building embedded Web servers on embedded devices has attracted more and more attention, and several companies now offer embedded Web server software for this purpose.
Security technology for embedded Web systems, as a branch of network security technology, has also developed rapidly. However, there is still little research on the security of embedded Web systems in industrial networks. Given the security threats that embedded Web systems face and the limited resources and weak processing capability of embedded systems, the existing, complex network security techniques of the PC world cannot be used directly to protect them.
Embedded security is still at an exploratory stage: existing security research on embedded systems addresses particular aspects, providing security to the system from one angle, and does not provide a fairly complete security strategy for a concrete embedded application scenario. The present invention targets the scenario of an embedded Web gateway connecting a PROFIBUS-DP network to the Internet, and describes an embedded secure Web gateway with a security mechanism that connects a PROFIBUS-DP network to the Internet. With this gateway, effective security protection is provided for the devices on the PROFIBUS-DP, while a legitimate user needs only the Internet and an ordinary browser to monitor those devices remotely, in real time and securely.
Summary of the invention
To achieve the object of the invention, the following technical scheme is adopted.
The invention is an embedded gateway with Web functionality and a security protection mechanism for interconnecting a PROFIBUS-DP network with the Internet. Its features are as follows.
The gateway device for interconnecting a PROFIBUS-DP network with the Internet has hardware that mainly comprises a CPU built around the Samsung S3C2450 microprocessor with an ARM9 core, a PROFIBUS-DP physical-layer interface, the LAN91C111 network interface chip, memory and so on. An embedded Web server module and a security management and control module are implanted inside the gateway. The embedded gateway uses the CPU to manage and control network connections, access rights and data transfer.
The embedded Web server module inside the gateway mainly realises dynamic interaction between the user and the devices; when a user accesses a device, the Web server publishes the device information to the client in real time in the form of a web page. The gateway adopts the B/S (browser/server) pattern for client access to the embedded Web server: the client sends an operation request through the browser, the Internet and the gateway to a device on the PROFIBUS-DP bus; the embedded Web gateway, acting as the master station, sends device query requests or control requests to the slave stations; the slave station responds to the master's request and transmits data to the master; and the Web server publishes the device information as a web page. The Web server architecture of the invention uses two key technologies: database technology and CGI dynamic web page technology. The database manages user information and device information, and CGI realises the dynamic, real-time interaction between the Web server and the PROFIBUS-DP bus devices in the field.
The security module in the gateway designs security mechanisms and protective functions from four aspects: confidentiality, integrity, authentication and non-repudiation. It can effectively prevent unauthorised access and malicious attacks from the network and ensure the safety of the PROFIBUS-DP bus devices and of enterprise information. The security mechanism of the invention mainly comprises three aspects.
First, a suitable access control mechanism is provided to prevent unauthorised access by illegal users and unauthorised operations by legitimate users. The invention uses SQLite to establish an authorization database containing the corresponding user names, passwords and user rights. A CGI application designed by the invention performs user identity authentication: it reads the user information entered at the browser end, consults the authorization database, and determines the visitor's access rights.
Second, data is transmitted confidentially and with authentication (discrimination), guaranteeing the authenticity of data and preventing active attacks such as eavesdropping, tampering and impersonation. The invention ports an embedded SSL (Secure Sockets Layer) protocol into the embedded Web gateway; HTTP communication is carried over SSL, so that user names, passwords and device data become part of the encrypted SSL data stream, ensuring that packets transmitted over the Internet cannot be disclosed, eavesdropped on, intercepted or forged.
Third, a security assurance mechanism for the embedded gateway itself prevents an attacker from obtaining confidential files on the server, or even damaging the server, through illegal operations; at the same time the gateway provides a corresponding mechanism for non-repudiation services. Concretely: first, critical files of the gateway server, such as its configuration file and the user database, are modified and configured only from a terminal on a computer connected to the gateway over the serial port, never from the untrusted Internet environment; second, regarding the execution of CGI scripts, all CGI scripts are placed under the directory specified by the server configuration, while the Linux command shell is placed in a separate directory; finally, a gateway system access log is established, which stores records of legitimate user accesses to the system and records of abnormal logins. The highest administrator of the system can review the system log to monitor the system's history, supervise the behaviour of administrator users and ordinary users, understand abnormal login situations, or search for the traces an attacker leaves when the system is attacked, which helps the highest administrator discover system vulnerabilities in time.
The present invention has the following advantages.
1) A dedicated protocol conversion gateway interconnecting a PROFIBUS-DP fieldbus network with the Internet is designed and implemented; without changing the existing structure of the two heterogeneous networks, it directly realises interconnected communication between them, protecting the enterprise's existing investment and reducing development cost.
2) On top of the protocol conversion function, the gateway of the invention adds a Web server function. Using the embedded Web server, a user can conveniently monitor and manage the devices on the PROFIBUS-DP fieldbus remotely and in real time through a friendly graphical interface, which is also the inevitable trend in the networking of industrial control.
3) The compact security strategy designed inside the embedded Web gateway of the invention can provide fairly comprehensive security assurance for the system while consuming few resources, and has a wide range of applications.
Brief description of the drawings
Fig. 1 is the hardware block diagram of the embedded Web gateway of the invention.
Fig. 2 is the principle diagram of PROFIBUS-DP to TCP/IP protocol conversion in the invention.
Fig. 3 is the architecture of the embedded Web gateway with security mechanism in the invention.
Fig. 4 is a schematic diagram of a concrete application scenario of the invention.
Embodiment
A preferred embodiment of the invention is described below with reference to the drawings.
The hardware block diagram of the embedded Web gateway of the invention is shown in Fig. 1. The CPU is built around the Samsung S3C2450 microprocessor with an ARM9 core and comprises the LAN91C111 network interface chip, a reset circuit, a power circuit, and large-capacity SDRAM and FLASH memory; the board also has a PROFIBUS interface, digital serial ports, a JTAG interface and so on.
The principle of PROFIBUS-DP to TCP/IP protocol conversion in the invention is shown in Fig. 2. Protocol conversion is a process of data encapsulation and decapsulation: encapsulation takes the protocol data unit (PDU) handed down by the upper layer and adds this layer's own control information to form this layer's PDU, while decapsulation removes this layer's PDU control information to recover the upper-layer PDU.
The security architecture of the embedded Web gateway of the invention is shown in Fig. 3. The software system of the Web server comprises four parts: (1) an HTTP engine; (2) a security module; (3) a configuration module; (4) an application interface module.
(1) The HTTP engine is responsible for responding to the requests submitted by the administrator, such as status queries of and control requests to the PROFIBUS-DP bus devices.
(2) In the security module the invention uses SQLite to establish an authorization database containing the corresponding user names, passwords and user rights. The client login interface that is designed does not display user rights; it shows only the user name and password input areas, which keeps this information hidden and prevents sabotage by some illegal users.
The invention designs a corresponding CGI application to authenticate user identity: the CGI application reads the user information entered at the browser end and consults the authorization database to see whether the visitor is a legitimate user and what rights that legitimate user has. If the visitor is not a legitimate user, access is denied; if the visitor is legitimate, the application checks whether the rights are those of an administrator or an ordinary user and returns the corresponding operation interface according to those rights.
The invention ports an embedded SSL protocol into the security module and enables SSL in the configuration file of the Appweb server. HTTP communication is carried over SSL, so user names, passwords and device data become part of the encrypted SSL data stream; packets transmitted over the Internet therefore cannot be disclosed, eavesdropped on, intercepted or forged, which ensures the safety of the transmitted data.
(3) The configuration module allows the highest administrator of the system to set the parameters of the embedded Web server. The configuration environment variables defined at system start-up include the socket port, host name, root file path, default home document and so on.
(4) The application interface module is the core of the embedded Web server software system; it realises data exchange with the embedded operating system. In the embedded Web server, the application programming interface communicates with the embedded operating system and invokes the CGI application; the CGI application reads the various items of information passed from the Web server according to the CGI specification, interprets and processes the client's request, including operating the embedded database to authenticate user identity and interacting with the device information on the bus, and finally returns the result to the Web server according to the CGI specification.
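The authentication step of the security module and the access log described in the summary, as an added example (not the patent's own code) in Python with the standard sqlite3 module. Assumptions not in the patent: passwords are stored as salted PBKDF2 hashes rather than in clear, the log categories valid_access and abnormal_login, the returned page names, and the split that lets an ordinary user only query status.

```python
# Added example (not the patent's code): the security module's CGI login
# check against an SQLite authorization database, a second rights check,
# and the classified access log the highest administrator reviews.
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timezone

ADMIN, NORMAL = "admin", "normal"  # the two user rights the patent names


def _hash_password(password, salt):
    # Assumption: the patent does not say how passwords are stored; this
    # example keeps a salted PBKDF2 hash rather than the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_auth_db():
    """Authorization database (user name, password, user right) plus the
    system access log; in-memory here, a file on FLASH on the gateway."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT);
        CREATE TABLE syslog (ts TEXT, category TEXT, user TEXT, detail TEXT);
    """)
    return db


def add_user(db, name, password, role):
    # Done from the serial-port terminal in the patent's design, never via CGI.
    if role not in (ADMIN, NORMAL):
        raise ValueError("unknown user right: " + role)
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (name, salt, _hash_password(password, salt), role))


def _log(db, category, user, detail):
    db.execute("INSERT INTO syslog VALUES (?, ?, ?, ?)",
               (datetime.now(timezone.utc).isoformat(), category, user, detail))


def cgi_login(db, form):
    """CGI authentication step: look up the name/password posted from the
    browser and return 'admin_page', 'user_page' or 'denied' (example names)."""
    name, password = form.get("username", ""), form.get("password", "")
    row = db.execute("SELECT salt, pw_hash, role FROM users WHERE name = ?",
                     (name,)).fetchone()  # parameterised, never built from input
    if row is None:
        _log(db, "abnormal_login", name, "unknown user name")
        return "denied"
    salt, pw_hash, role = row
    if not hmac.compare_digest(pw_hash, _hash_password(password, salt)):
        _log(db, "abnormal_login", name, "wrong password")
        return "denied"
    _log(db, "valid_access", name, "login with right " + role)
    return "admin_page" if role == ADMIN else "user_page"


def authorize(db, name, operation):
    """Rights check for a logged-in user: an ordinary user may only query
    status; control requests need administrator rights (assumed split)."""
    row = db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    allowed = row is not None and (row[0] == ADMIN or operation == "status_query")
    if not allowed:
        _log(db, "abnormal_login", name, "unauthorised operation " + operation)
    return allowed


def abnormal_logins(db, user=None):
    """Abnormal records in arrival order, optionally for one user name."""
    sql = "SELECT ts, user, detail FROM syslog WHERE category = 'abnormal_login'"
    args = ()
    if user is not None:
        sql, args = sql + " AND user = ?", (user,)
    return db.execute(sql + " ORDER BY rowid", args).fetchall()


if __name__ == "__main__":
    db = create_auth_db()
    add_user(db, "op1", "constructed-user-pw", NORMAL)  # constructed sample user
    print(cgi_login(db, {"username": "op1", "password": "guess"}))  # denied
    print(authorize(db, "op1", "device_control"), abnormal_logins(db))  # False, 2 records
```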
Fig. 4 is a schematic diagram of a concrete application scenario of the invention. The embedded Web gateway with security mechanism has both protocol conversion and Web server functions and both PROFIBUS-DP and Internet interfaces, achieving the goal of real-time monitoring of the devices on the PROFIBUS-DP fieldbus over the Internet. In terms of security strategy, this embedded Web server gateway isolates the external network from the enterprise intranet: a user accessing remotely from the Internet can perform operations only after VPN cryptographic verification, identity authentication and rights confirmation, which achieves isolation of intranet and extranet and ensures the safety of the PROFIBUS-DP network. Within the intranet, identity authentication and data encryption prevent some users from eavesdropping on other users' information, accessing system resources without authorisation, or even modifying system files.
The embodiment given above serves to illustrate the invention and its practical application and does not limit the invention in any form. Any person skilled in the art may, without departing from the scope of the technical solution of the invention, make certain modifications and changes according to the above techniques and methods, and such equivalent embodiments are regarded as equivalent variations.

Claims (1)

1. An embedded Web gateway device with a security mechanism for connecting a PROFIBUS-DP network to the Internet, characterised in that:
the hardware architecture uses the S3C2450 microprocessor with a high-performance ARM9 core, the LAN91C111 Fast Ethernet controller and large-capacity SDRAM and FLASH memory, and also has a PROFIBUS interface;
an embedded Web server module and a security management and control module are implanted inside the gateway;
the gateway adopts the B/S pattern for client access to the embedded Web server: the client sends an operation request through the browser, the Internet and the gateway to a device on the PROFIBUS-DP bus; the embedded Web gateway, acting as the master station, sends device query requests or control requests to the slave stations; the slave station responds to the master's request and transmits data to the master; and the Web server publishes the device information to the client in the form of a web page;
the embedded gateway uses the CPU to manage and control network connections, access rights and data transfer;
the embedded Web server module comprises an HTTP engine, a security module, a configuration module and an application interface module;
the HTTP engine in the gateway is responsible for responding to the requests submitted by the administrator, such as status queries of and control requests to the PROFIBUS-DP bus devices;
in the security module, SQLite is used to establish an authorization database containing the corresponding user names, passwords and user rights;
the designed CGI application performs user identity authentication: it reads the user information entered at the browser end, consults the authorization database, and judges the user's identity and rights;
an embedded SSL protocol is ported into the security module and SSL is enabled in the configuration file of the Appweb server;
HTTP communication is carried over SSL, and user names, passwords and device data form part of the encrypted SSL data stream, which ensures the safety of the transmitted data;
the configuration module allows the highest administrator of the system to set the parameters of the embedded Web server;
the application interface module realises data exchange with the embedded operating system;
in this embedded Web server, the application programming interface communicates with the embedded operating system and invokes the CGI application; the CGI application reads the various items of information passed from the Web server according to the CGI specification, interprets and processes the client's request, including operating the embedded database to authenticate user identity and interacting with the device information on the bus, and finally returns the result to the Web server according to the CGI specification.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410414184.6A CN104243294A (en) 2014-08-21 2014-08-21 PROFIBUS embedded type Web gateway with security mechanism

Publications (1)

Publication Number Publication Date
CN104243294A true CN104243294A (en) 2014-12-24

Family

ID=52230683

Country Status (1)

Country Link
CN (1) CN104243294A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196853A (en) * 2017-07-11 2017-09-22 吉林大学 Embedded gateway based on 4G and FlexRay buses
CN108769005A (en) * 2018-05-25 2018-11-06 深圳市量智信息技术有限公司 A kind of cyberspace loophole merger platform web system
CN112363578A (en) * 2020-11-13 2021-02-12 浪潮电子信息产业股份有限公司 Server
CN112671898A (en) * 2020-12-23 2021-04-16 浙江工业大学 Remote communication control system based on embedded equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030140310A1 (en) * 2002-01-23 2003-07-24 Siemens Ag Automation system and method for producing a documentation
CN102195946A (en) * 2010-03-16 2011-09-21 上海交技发展股份有限公司 Intelligent communication controller based on ARM (Advanced RISC Machines) technology
CN103401772A (en) * 2013-07-30 2013-11-20 北京华电天仁电力控制技术有限公司 Device for switching from ETHERNET/IP (Internet Protocol) industrial Ethernet to Profibus-DP
CN103973677A (en) * 2014-06-04 2014-08-06 周原 Protocol conversion device from IPv6 to PROFIBUS

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YUAN ZHOU, DAN CHAI, MINGSHAN LIU, ET AL.: "Research on the security mechanism for interconnection between PROFIBUS and Internet", 《 PROCEEDING OF THE 11TH WORLD CONGRESS ON INTELLIGENT CONTROL AND AUTOMATION》 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141224