CN105072025A - Safe protective gateway and system for modern industrial control system network communication - Google Patents


Info

Publication number: CN105072025A
Authority: CN (China)
Prior art keywords: data packet, communication data, communication, encryption, decryption
Legal status: Granted
Application number: CN201510476034.2A
Other languages: Chinese (zh)
Other versions: CN105072025B (en)
Inventors: 解仑, 邓祖兰, 金良辰, 马洪岳, 王志良
Current assignee: Bozhi Safety Technology Co ltd
Original assignee: University of Science and Technology Beijing USTB
Application filed by University of Science and Technology Beijing USTB
Priority to CN201510476034.2A
Publication of CN105072025A
Application granted
Publication of CN105072025B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks
  • Small-Scale Networks

Abstract

The invention provides a security protection gateway and system for modern industrial control system network communication, which can guarantee secure communication between users on a public network and field devices. The gateway comprises a communication control unit, a packet analysis unit and a linkage unit. The communication control unit performs basic communication control and controls the communication between users and field devices according to instructions sent by the linkage unit. The packet analysis unit performs selective encryption/decryption and selective deep analysis on each received communication data packet. The linkage unit, according to the analysis result, instructs the communication control unit whether to refuse the user's subsequent communication requests and decides whether to forward the analysed packet to the target field device. The gateway and system belong to the technical field of communication.

Description

Security protection gateway and system for modern industrial control system network communication
Technical field
The present invention relates to the field of communication technology, and in particular to a security protection gateway and system for modern industrial control system network communication.
Background technology
In the past, industrial production environments were relatively independent: industrial control systems and their communication protocols were largely self-contained and had no connection to any public network, so attacks on industrial control systems mostly arose within the production process itself, for example operator error or natural disasters.
In recent years, with social progress and the development of computer technology, industrial control systems have gradually evolved from closed, isolated systems into more open systems with many connections to public networks. Modern industrial production systems contain not only industrial control systems but also general-purpose operating systems, and remote monitoring of site conditions and equipment status is now a routine need. Yet the widely used industrial communication protocols (such as Modbus and the Distributed Network Protocol, DNP3) provide no security controls at all in modern industrial control systems, which raises the problem of protecting industrial production data while it is transmitted over a public network. Because industrial equipment is specialised, a failure caused by an attack can bring a company losses that are hard to estimate.
At present there are some security protection products for industrial control systems on the market, such as the Tofino industrial firewall and the trusted-zone gateway from Winicssec. The main feature of these products is that they can perform deep packet parsing of multiple industrial communication protocols and inspect the instructions and data inside the protocol, thereby detecting network attacks carried by industrial communication protocols. However, existing products only perform matching detection on messages; they do not apply any protection to the messages themselves.
Summary of the invention
The technical problem to be solved by the present invention is to provide a security protection gateway and system for modern industrial control system network communication, so as to solve the problem that existing security protection products, owing to their own limitations, cannot protect modern industrial control systems in all respects and therefore have difficulty meeting their security requirements.
To solve the above technical problem, the embodiment of the present invention provides a security protection gateway for modern industrial control system network communication, comprising:
a communication control unit, which performs basic communication control and controls the communication between a user and a field device according to the instructions sent by the linkage unit;
a packet analysis unit, which performs selective encryption/decryption and selective deep analysis on the received communication data packets;
a linkage unit, which, according to the analysis result, sends the communication control unit an instruction on whether to refuse this user's later communication requests, and decides whether to forward the analysed communication data packet to the target field device.
Preferably, the communication control unit comprises a whitelist detection module and a communication control module;
the whitelist detection module, when a user sends a communication data packet to a field device, judges whether the user information is contained in a preset whitelist; if so, it passes the packet to the packet analysis unit, otherwise it drops the packet;
the communication control module, according to the instruction sent by the linkage unit, refuses or accepts the communication requests this user sends after the current communication, and also forwards the communication data packets sent by field devices;
where the user information comprises the IP address, MAC address and port of the user sending the communication data.
Preferably, the packet analysis unit comprises an encryption/decryption module and a packet deep analysis module;
the encryption/decryption module, when a user sends a communication data packet to a field device, judges from the encryption bit of the packet handed over by the communication control unit whether the packet needs to be decrypted; and when a field device sends a communication data packet to a user, judges whether the source field device information in the packet is contained in a preset device encryption list and, if so, encrypts the packet;
the packet deep analysis module judges from the user's operating authority whether the received packet needs deep analysis; if so, it performs deep analysis on the packet and passes the packet and the analysis result to the linkage unit; otherwise it sets the analysis result to "no attack" and passes the packet and the result to the linkage unit;
where the source field device information comprises the IP address, MAC address and port of the field device sending the packet.
Preferably, the encryption/decryption module comprises an encryption/decryption judgement submodule and an encryption/decryption operation submodule;
the encryption/decryption judgement submodule examines each received packet, determines whether it needs an encryption or a decryption operation, and directly forwards packets that need neither;
the encryption/decryption operation submodule encrypts or decrypts, respectively, the packets that need encryption or decryption, and sends on the encrypted or decrypted result.
Preferably, the encryption/decryption judgement submodule comprises an encryption judgement submodule and a decryption judgement submodule;
the encryption judgement submodule, when a field device sends a packet to a user, judges whether the source field device information in the packet is contained in the preset device encryption list; if so, it sets the encryption bit of the packet to the encryption flag and sends the packet to the encryption/decryption operation submodule, otherwise it sends the packet to the communication control unit;
the decryption judgement submodule, when a user sends a packet to a field device, examines the encryption bit of the packet; if the bit carries the encryption flag it sends the packet to the encryption/decryption operation submodule, otherwise it sends the packet to the packet deep analysis module.
Preferably, the encryption/decryption operation submodule uses a key generation module based on a time synchronisation mechanism to encrypt or decrypt, respectively, the packets that need encryption or decryption;
the encryption/decryption operation submodule comprises an encryption operation submodule and a decryption operation submodule;
the encryption operation submodule, when a packet needs encryption, has the key generation module produce an unpredictable random number sequence as the key using a random number generation algorithm, encrypts the packet with that key, and sends the encrypted packet;
the decryption operation submodule, when a packet needs decryption, uses the key history time table maintained by the key generation module: according to the encryption time label in the packet it looks up the corresponding key in the table, decrypts the encrypted packet with that key, and sends the decrypted packet to the packet deep analysis module.
Preferably, the packet deep analysis module also, when a user sends a packet to a field device, separates the industrial communication protocol header from the data in the application data part of the packet handed over by the encryption/decryption module, combines the separated industrial communication protocol header with the TCP/IP headers to judge whether the operation exceeds the user's authority, and runs attack detection on the separated data to judge whether the packet carries an attack.
Preferably, the linkage unit comprises:
an attack control module, which, when the analysis result is "attack present", sends the communication control unit an instruction to refuse the later communication requests of the user who initiated this communication, and drops the packet;
an authority overreach control module, which, when the analysis result is "operating authority exceeded", sends the communication control unit an instruction to refuse this user's communication requests for a preset time, and drops the packet;
a safety control module, which, when the analysis result is "no attack", sends the packet to the target field device.
The embodiment of the present invention also provides a security protection gateway system for modern industrial control system network communication, comprising the public network where the user is located, the Internet, and the industrial control system network where the security protection gateway of any one of claims 1-8 is located;
the public network where the user is located comprises the user and an encryption/decryption device;
the encryption/decryption device performs selective encryption/decryption on the communication data packets between the user and the field devices.
Preferably, the encryption/decryption device judges from the encryption bit of a packet sent by a field device whether the packet needs to be decrypted, and, when the user sends a packet to a field device, judges whether the target field device information in the packet is contained in the preset device encryption list and, if so, encrypts the packet;
where the target field device information comprises the IP address, MAC address and port of the field device receiving the packet.
The beneficial effects of the above technical scheme are as follows:
In the scheme, the packet analysis unit applies selective encryption/decryption to the packets exchanged between the user (a user on the public network) and the field devices, which secures their transmission, and applies selective deep analysis to those packets, performing attack detection selectively, which improves the system's ability to defend itself automatically. Based on the detection result of the packet analysis unit, the linkage unit decides whether to forward the analysed packet to the target field device and sends control instructions to the communication control unit, which controls the communication between this user and the field devices accordingly. Compared with a traditional encryption gateway combined with intrusion detection, this not only improves the communication security between users and field devices but also improves the performance of the industrial control system network, and the gateway is highly general-purpose within industrial control systems.
Accompanying drawing explanation
Fig. 1 is the system deployment diagram of the security protection gateway and the encryption/decryption device provided by the embodiment of the present invention;
Fig. 2 is the workflow diagram of the security protection gateway when a user sends a communication data packet to a field device;
Fig. 3 is the workflow diagram of the whitelist detection module;
Fig. 4 is the workflow diagram of the packet analysis unit;
Fig. 5 is the workflow diagram of the encryption/decryption module.
Embodiment
To make the technical problem, technical scheme and advantages of the present invention clearer, they are described in detail below with reference to the drawings and specific embodiments.
Because existing security protection products cannot, owing to their own limitations, protect modern industrial control systems in all respects and therefore have difficulty meeting their security requirements, the present invention provides a security protection gateway and system for modern industrial control system network communication.
Embodiment one
The security protection gateway for modern industrial control system network communication provided by the embodiment of the present invention comprises:
a communication control unit, which performs basic communication control and controls the communication between a user and a field device according to the instructions sent by the linkage unit;
a packet analysis unit, which performs selective encryption/decryption and selective deep analysis on the received communication data packets;
a linkage unit, which, according to the analysis result, sends the communication control unit an instruction on whether to refuse this user's later communication requests, and decides whether to forward the analysed communication data packet to the target field device.
In the security protection gateway described in this embodiment, the packet analysis unit applies selective encryption/decryption to the packets exchanged between the user (a user on the public network) and the field devices, which secures their transmission, and applies selective deep analysis to those packets, performing attack detection selectively, which improves the system's ability to defend itself automatically. Based on the detection result of the packet analysis unit, the linkage unit decides whether to forward the analysed packet to the target field device and sends control instructions to the communication control unit, which controls the communication between this user and the field devices accordingly. Compared with a traditional encryption gateway combined with intrusion detection, this not only improves the communication security between users and field devices but also improves the performance of the industrial control system network, and the gateway is highly general-purpose within industrial control systems.
In this embodiment, as shown in Fig. 1, the public network comprises the user and the encryption/decryption device located in the public network; the industrial control system network comprises the security protection gateway and the industrial control system. The security protection gateway sits between the industrial control system and the Internet and is responsible for the security protection of the industrial control system; the gateway between the industrial control system and the Internet is described in detail below.
In this embodiment, as shown in Fig. 2, a communication data packet exchanged between a user and a field device may comprise header information, application data and trailer information, where the header information comprises an Ethernet header, an Internet Protocol (IP) header and a Transmission Control Protocol (TCP) header, the application data comprises an industrial communication protocol header and data, and the trailer information comprises the Ethernet trailer.
In the embodiment of the security protection gateway described above, optionally, the communication control unit comprises a whitelist detection module and a communication control module;
the whitelist detection module, when a user sends a communication data packet to a field device, judges whether the user information is contained in a preset whitelist; if so, it passes the packet to the packet analysis unit, otherwise it drops the packet;
the communication control module performs basic communication control and, according to the instruction sent by the linkage unit, refuses or accepts the communication requests this user sends after the current communication; it also forwards the communication data packets sent by field devices;
where the user information comprises the IP address, media access control (MAC) address and port of the user sending the communication data.
In this embodiment the communication control unit comprises a whitelist detection module and a communication control module. Because of the particular nature of industrial control systems, the set of public-network users that may communicate with the industrial control system network is very stable over a given period, so the whitelist detection module can filter the users accessing the industrial control system, with the default communication policy set to refuse. The detection flow of the whitelist detection module is as follows: the information of the users allowed to communicate with field devices (IP address, MAC address, port and so on) is recorded using whitelist technology; as shown in Figs. 2 and 3, when a packet sent by a user enters the security protection gateway, the whitelist detection module first looks up the packet's header information (Ethernet header, IP header, TCP header and so on, from which the user information is obtained) against the user information recorded in the whitelist; if a matching header entry is found in the whitelist, the packet is provisionally accepted and passed to the packet analysis unit; if the user information is not found in the whitelist, the packet is dropped.
In this embodiment, as shown in Fig. 2, the communication control module refuses or accepts the communication requests this user sends after the current communication according to the instruction sent by the linkage unit, and also forwards the communication data packets sent by field devices.
In the embodiment of the security protection gateway described above, optionally, the packet analysis unit comprises an encryption/decryption module and a packet deep analysis module;
the encryption/decryption module, when a user sends a communication data packet to a field device, judges from the encryption bit of the packet handed over by the communication control unit whether the packet needs to be decrypted; and when a field device sends a communication data packet to a user, judges whether the source field device information in the packet is contained in a preset device encryption list and, if so, encrypts the packet;
the packet deep analysis module judges from the user's operating authority whether the received packet needs deep analysis; if so, it performs deep analysis on the packet and passes the packet and the analysis result to the linkage unit; otherwise it sets the analysis result to "no attack" and passes the packet and the result to the linkage unit;
where the source field device information comprises the IP address, MAC address and port of the field device sending the packet.
In this embodiment, as shown in Fig. 2, the packet analysis unit comprises an encryption/decryption module and a packet deep analysis module. The field devices in an industrial control system are diverse and differ in how closely they relate to the safe operation of the system, so for a packet flowing from the industrial control system network to the public network (that is, from a field device to a user), whether the packet needs encryption is decided by the importance (communication level) of the field device within the industrial control system.
In this embodiment, for example, field devices can be classified by whether they need encryption, producing a device encryption list. When a field device sends a packet to a user, the encryption/decryption module judges whether the source field device information in the packet is contained in the preset device encryption list and, if so, encrypts the packet; when a user sends a packet to a field device, the encryption/decryption module judges from the encryption bit of the packet handed over by the communication control unit whether the packet needs to be decrypted. In this way the selective encryption/decryption module secures the important packets sent by important field devices while also improving network performance, achieving a balance between security and performance.
In this embodiment the encryption/decryption module comprises an encryption/decryption judgement submodule and an encryption/decryption operation submodule; the judgement submodule examines each received packet, determines whether it needs an encryption or a decryption operation, and directly forwards packets that need neither; the operation submodule encrypts or decrypts, respectively, the packets that need encryption or decryption, and sends on the result.
In this embodiment the packet deep analysis module can decide, according to the user's operating authority, whether the packets sent by that user need deep analysis, so that attack detection is performed selectively and the self-defence capability of the industrial control system is improved.
In the embodiment of the security protection gateway described above, optionally, the encryption/decryption judgement submodule comprises an encryption judgement submodule and a decryption judgement submodule;
the encryption judgement submodule, when a field device sends a packet to a user, judges whether the source field device information in the packet is contained in the preset device encryption list; if so, it sets the encryption bit of the packet to the encryption flag and sends the packet to the encryption/decryption operation submodule, otherwise it sends the packet to the communication control unit;
the decryption judgement submodule, when a user sends a packet to a field device, examines the encryption bit of the packet; if the bit carries the encryption flag it sends the packet to the encryption/decryption operation submodule, otherwise it sends the packet to the packet deep analysis module.
In this embodiment the encryption/decryption judgement submodule comprises an encryption judgement submodule and a decryption judgement submodule. As shown in Fig. 1, when the industrial control system network sends a packet to the public network (that is, from a field device to a user), in other words when the packet flows from eth0 to eth1, the encryption judgement submodule looks up the source field device information of the packet in the preset device encryption list. If the information of the field device that sent the packet is found in the list, the encryption bit of the packet is set to 1 (1 being the encryption flag) and the packet is sent to the encryption/decryption operation submodule; otherwise the encryption bit is set to 0 (0 being the non-encryption flag) and the packet is sent to the communication control unit. Here the source field device information comprises the IP address, MAC address, port and so on of the field device sending the packet.
In this embodiment, as shown in Figs. 1 and 4, when the public network sends a packet to the industrial control system network (that is, from a user to a field device), in other words when the packet flows from eth1 to eth0, the decryption judgement submodule examines the encryption bit of the packet. If the bit is 1, the data part of the packet is encrypted, so the packet is judged to need decryption and is sent to the encryption/decryption operation submodule; if the bit is 0, the packet is not encrypted and is sent directly to the packet deep analysis module.
In the embodiment of the aforementioned security protection gateway for modern industrial control system network service, alternatively, described encryption and decryption operator module, for by the key feed generation module based on Time Synchronization Mechanism, be encrypted respectively or decryption oprerations needing the communication data packet of encryption or deciphering;
Described encryption and decryption operator module comprises: cryptographic operation submodule and deciphering operator module;
Cryptographic operation submodule: during for needing when communication data packet to encrypt, random number generating algorithm is utilized to generate a series of uncertain random digit combination as key by described key feed generation module, and need the communication data packet of encryption to be encrypted by described double secret key, then the communication data packet after encryption is sent;
Decryption oprerations submodule: during for needing when communication data packet to decipher, utilize the history key time table that described key feed generation module is set up, according to the encryption times label in communication data packet, corresponding key is found in described history key time table, and utilize the communication data packet after this key pair encryption to be decrypted, then the communication data packet after deciphering is sent to packet deep analysis module.
In the embodiment of the present invention, as shown in Fig. 5, key generation in the encryption/decryption operation submodule uses a key generation module based on a time synchronization mechanism, and the encryption/decryption device in the public network where the user is located and the key generation module in the security protection gateway in the industrial control system network use the same algorithm and framework.
In the embodiment of the present invention, keys are produced as follows: the key generation module, based on the time synchronization mechanism, uses a random number generation algorithm to generate a series of unpredictable random digit combinations as keys; each key can be used only once and becomes invalid immediately after use, and the key generation module updates the keys periodically. Therefore, so that the correct, corresponding key can be found during a decryption operation without any key being transmitted over the network, a key history timetable is established and maintained in the key generation module, which records and maintains the keys dynamically generated within a given period together with their times.
In the embodiment of the present invention, when a communication data packet needs to be decrypted, the corresponding key is found in the key history timetable according to the encryption time label in the packet, and the encrypted packet is decrypted with this key. In this way, by encrypting and decrypting the packets that need it through a key generation module based on a time synchronization mechanism, the uniqueness of each key is effectively guaranteed, greatly improving the security of communication between the industrial control system network and the public network.
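The following added example (not code from the patent) models the encryption-bit handling and the time-synchronized key history timetable described above. It assumes, since the patent does not say how both sides arrive at the same key, that the encryption device and the gateway share a secret seed and derive each key from that seed and the packet's encryption time label; the packet layout, the window sizes and the HMAC-based stream cipher are constructed placeholders.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Set, Tuple

# Constructed parameters: how long a key stays in the history key time table (ms)
# and the clock skew tolerated between the two synchronized key generation modules.
HISTORY_WINDOW_MS = 60_000
CLOCK_SKEW_MS = 2_000
TAG_LEN = 16
HEADER = struct.Struct(">BQ")   # encryption bit (1 byte) + encryption time label (ms)


class KeyGenerationModule:
    """Time-synchronized key generation with a history key time table.

    Assumption (not stated in the patent): both ends hold the same secret seed and
    derive each key from the seed and the packet's encryption time label, so the
    key itself never crosses the network.  Every key is valid for one use only.
    """

    def __init__(self, seed: bytes) -> None:
        self._seed = seed
        self.history: Dict[int, bytes] = {}     # time label -> key
        self._used: Set[int] = set()

    def key_for(self, time_label: int) -> bytes:
        """Generate the key for a time label and record it in the history table."""
        if time_label not in self.history:
            self.history[time_label] = hmac.new(
                self._seed, struct.pack(">Q", time_label), hashlib.sha256).digest()
        return self.history[time_label]

    def lookup(self, time_label: int, now_ms: int) -> Optional[bytes]:
        """Decryption-side lookup: None if the label is expired, future-dated or used."""
        if time_label > now_ms + CLOCK_SKEW_MS or now_ms - time_label > HISTORY_WINDOW_MS:
            return None
        if time_label in self._used:
            return None
        return self.key_for(time_label)

    def consume(self, time_label: int) -> None:
        """A key may be used once only; invalidate it immediately after use."""
        self._used.add(time_label)
        self.history.pop(time_label, None)

    def refresh(self, now_ms: int) -> None:
        """Periodic update: forget keys and used labels older than the window."""
        for t in [t for t in self.history if now_ms - t > HISTORY_WINDOW_MS]:
            del self.history[t]
        self._used = {t for t in self._used if now_ms - t <= HISTORY_WINDOW_MS}


def _keystream(key: bytes, length: int) -> bytes:
    # Placeholder stream cipher (HMAC-SHA256 in counter mode).  The patent names no
    # cipher; a deployment would use an authenticated cipher such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def build_packet(kgm: KeyGenerationModule, time_label: int, payload: bytes,
                 encrypt: bool) -> bytes:
    """Encryption device side: set the encryption bit and encrypt when required."""
    header = HEADER.pack(1 if encrypt else 0, time_label)
    if not encrypt:
        return header + payload
    key = kgm.key_for(time_label)
    ct = _xor(payload, _keystream(key, len(payload)))
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


def gateway_receive(kgm: KeyGenerationModule, packet: bytes,
                    now_ms: int) -> Tuple[str, Optional[bytes]]:
    """Gateway side: decryption judgement submodule plus decryption operation submodule.

    Returns ("plain", data) for an unencrypted packet, ("decrypted", data) on
    success, or ("drop:<reason>", None) when no valid key exists or the tag fails.
    """
    if len(packet) < HEADER.size:
        return ("drop:short", None)
    enc_bit, time_label = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if enc_bit == 0:
        return ("plain", body)                 # straight on to deep analysis
    if len(body) < TAG_LEN:
        return ("drop:short", None)
    key = kgm.lookup(time_label, now_ms)
    if key is None:
        return ("drop:no-key", None)           # expired, future-dated or replayed label
    ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, packet[:HEADER.size] + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return ("drop:bad-tag", None)
    kgm.consume(time_label)                    # the key loses efficacy after one use
    return ("decrypted", _xor(ct, _keystream(key, len(ct))))
```

Because each time label's key is consumed after a successful decryption, a replayed packet is rejected with "drop:no-key" even though its tag is still valid.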
In the aforementioned embodiment of the security protection gateway for modern industrial control system network communication, optionally, the packet deep analysis module is further used, when the user sends a communication data packet to the field device, to separate the industrial communication protocol header from the data in the application data part of the packet sent by the encryption/decryption module, to combine the separated industrial communication protocol header with the TCP/IP protocol header in order to judge whether a permission override operation exists, and to perform attack detection on the separated data in order to judge whether the packet carries an attack.
In the embodiment of the present invention, in an industrial control system the operating rights of users of different security levels on different field devices differ: some users may only read data from a device and may not control it, while other users have read and write rights on the device. Therefore, for example, packet deep analysis may be omitted for communication between a user who has only read rights and a field device, whereas deep analysis is required for communication between a user with read-write rights and a field device.
In the embodiment of the present invention, when the user sends a communication data packet to the field device, the packet received by the packet deep analysis module has already passed through the decryption operation submodule, so its application data part is plaintext. The packet deep analysis module decides whether to deep-analyse the packet according to the user information (the user's IP address, MAC address, port and the like, that is, the source information of the packet) and the industrial communication protocol header. If deep analysis is needed, the packet is deep-analysed and then passed to the linkage unit together with the analysis result; if not, the analysis result is set to "no attack" (or "safe") and the packet and analysis result are passed to the linkage unit.
In the embodiment of the present invention, the deep analysis process is as follows: according to the known industrial communication protocol format, the packet deep analysis module separates the industrial communication protocol header from the data in the application data part of the packet, then combines the separated industrial communication protocol header with the TCP/IP protocol header to judge whether a permission override operation or the like exists; finally, it performs attack detection on the separated data to judge whether the packet carries an attack operation such as malicious code. In this way, the deep analysis operation unpacks and analyses the data of multiple industrial communication protocols, detects attacks at a deeper level and provides all-round protection of the network communication security of the modern industrial control system; at the same time, it lays a good foundation for subsequent traffic statistics and analysis and has good extensibility.
In the aforementioned embodiment of the security protection gateway for modern industrial control system network communication, optionally, the linkage unit comprises:
Attack control module: when the analysis result is that an attack exists, sends to the communication control unit an instruction to refuse the later communication requests of the user who initiated this communication, and discards the packet;
Permission override control module: when the analysis result is a permission override, sends to the communication control unit an instruction to refuse this user's communication requests for a preset time, and discards the packet;
Safety control module: when the analysis result is "no attack", sends the packet to the target field device.
In the embodiment of the present invention, the main job of the linkage unit is to decide, according to the analysis result of the packet, how this communication is handled. When the analysis result is that an attack exists, the linkage unit instructs the communication control unit to refuse the later communication requests and connections of the user who initiated this communication, and discards the packet; when the analysis result is "no attack" (safe), the linkage unit sends the packet on; when the analysis result is a permission override, the linkage unit instructs the communication control unit to refuse this user's communication requests for a preset period, and discards the packet.
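The following added example (not code from the patent) works through the deep analysis and linkage decisions described above for Modbus/TCP, used here as a stand-in for the "known industrial communication protocol format" because the patent names none. The per-user rights table, the blocking period and the IP addresses are constructed; the policy of deep-analysing only read-write users follows the page's own example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed per-(user IP, field device IP) operating rights: "read" users may
# only read device data, "rw" users may also control the device.
PERMISSIONS: Dict[Tuple[str, str], str] = {
    ("10.1.1.5", "192.168.0.10"): "rw",
    ("10.1.1.5", "192.168.0.11"): "read",
    ("10.1.1.6", "192.168.0.10"): "read",
}
BLOCK_SECONDS = 600   # preset time used by the permission override control module

# Modbus/TCP stands in for the "known industrial communication protocol format".
MODBUS_READ_FUNCS = {0x01, 0x02, 0x03, 0x04}
MODBUS_WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}
MBAP = struct.Struct(">HHHBB")   # transaction id, protocol id, length, unit id, function


@dataclass
class Packet:
    src_ip: str        # taken from the TCP/IP header
    dst_ip: str
    app_data: bytes    # application data part, already decrypted


def modbus_frame(func: int, pdu: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a Modbus/TCP frame whose MBAP length field matches its body."""
    body = bytes([unit, func]) + pdu
    return struct.pack(">HHH", tid, 0, len(body)) + body


def needs_deep_analysis(src_ip: str) -> bool:
    """Page's example policy: only users holding read-write rights are deep-analysed."""
    return any(u == src_ip and r == "rw" for (u, _), r in PERMISSIONS.items())


def deep_analysis(pkt: Packet) -> str:
    """Separate the industrial protocol header from the data, combine it with the
    TCP/IP header, and return 'safe', 'override' or 'attack'."""
    d = pkt.app_data
    if len(d) < MBAP.size:
        return "attack"                       # truncated industrial protocol header
    _tid, proto, length, _unit, func = MBAP.unpack(d[:MBAP.size])
    if proto != 0 or length != len(d) - 6:
        return "attack"                       # header inconsistent with the frame
    data = d[MBAP.size:]
    right = PERMISSIONS.get((pkt.src_ip, pkt.dst_ip))
    if right is None or (func in MODBUS_WRITE_FUNCS and right != "rw"):
        return "override"                     # operation exceeds this user's rights
    if func not in MODBUS_READ_FUNCS | MODBUS_WRITE_FUNCS:
        return "attack"                       # unsupported function code
    if func in (0x0F, 0x10) and (len(data) < 5 or data[4] != len(data) - 5):
        return "attack"                       # byte count does not match the payload
    return "safe"


@dataclass
class LinkageUnit:
    blocked: Set[str] = field(default_factory=set)               # attack control module
    blocked_until: Dict[str, int] = field(default_factory=dict)  # override control module
    forwarded: List[Packet] = field(default_factory=list)        # safety control module

    def handle(self, pkt: Packet, result: str, now: int) -> str:
        if result == "attack":
            self.blocked.add(pkt.src_ip)      # refuse all later requests from this user
            return "drop"
        if result == "override":
            self.blocked_until[pkt.src_ip] = now + BLOCK_SECONDS
            return "drop"
        self.forwarded.append(pkt)            # safe: send on to the target field device
        return "forward"

    def admits(self, src_ip: str, now: int) -> bool:
        """What the communication control unit consults before accepting a request."""
        return src_ip not in self.blocked and self.blocked_until.get(src_ip, 0) <= now


def process(pkt: Packet, linkage: LinkageUnit, now: int) -> str:
    """Packet deep analysis module followed by the linkage unit decision."""
    result = deep_analysis(pkt) if needs_deep_analysis(pkt.src_ip) else "safe"
    return linkage.handle(pkt, result, now)
```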
In the embodiment of the present invention, the security protection gateway of the present invention is highly versatile within the industrial control system; the encryption/decryption device effectively guarantees the communication security between the user and the field device, and because selective encryption/decryption and deep packet analysis are performed on the communication data packets, compared with a traditional encryption gateway and intrusion detection it both improves the security of the system and improves the performance of the network.
In this way, the linkage unit sends control instructions to the communication control unit according to the analysis result, and the communication control unit controls the communication between this user and the field device according to the received control instruction, thus improving the automatic defense capability of the industrial control system network.
Embodiment two
The present invention also provides an embodiment of a security protection gateway system for modern industrial control system network communication. Because this system corresponds to the aforementioned embodiment of the security protection gateway for modern industrial control system network communication, the object of the present invention can be achieved by the system through the processing steps described in the above embodiment; the explanations given in the above gateway embodiment therefore also apply to the system embodiment and are not repeated below.
As shown in Fig. 1, the embodiment of the present invention also provides a security protection gateway system for modern industrial control system network communication, comprising: the public network where the user is located, the Internet, and the industrial control system network where the security protection gateway according to any one of claims 1-8 is located;
The public network where the user is located comprises the user and an encryption/decryption device;
The encryption/decryption device performs selective encryption and decryption on the communication data packets between the user and the field device.
In the security protection gateway system described in the embodiment of the present invention, the security protection gateway according to any one of claims 1-8 is responsible for the security protection of the industrial control system, while the encryption/decryption device in the public network, used together with the security protection gateway, is responsible for encrypting and decrypting the communication between the user and the industrial field device, thereby guaranteeing the communication security between the user and the field device.
In the embodiment of the present invention, the operating principle of the encryption/decryption device is the same as that of the encryption/decryption module in the security protection gateway; it can run on an embedded Linux platform and applies an allow-all policy to communication, which greatly improves the versatility of the device.
In the aforementioned embodiment of the security protection gateway system for modern industrial control system network communication, optionally, the encryption/decryption device judges, according to the encryption bit in the communication data packet sent by the field device, whether the packet needs to be decrypted, and, when the user sends a communication data packet to the field device, judges whether the target field device information in the packet is included in a preset device encryption list and, if so, encrypts the packet;
The target field device information comprises the IP address, MAC address and port information of the field device receiving the communication data packet.
In the embodiment of the present invention, as shown in Fig. 1 and Fig. 2, in the public network, when the public network sends a communication data packet to the industrial control system network (that is, from the user to the field device), in other words when the packet flows from eth0 to eth1, the encryption/decryption device searches the preset device encryption list for the target field device information of the packet. If the target field device information of the packet receiving this communication is found in the device encryption list, the encryption bit of the packet is set to 1 and the packet is encrypted; otherwise the encryption bit of the packet is set to 0. The packet is then sent to the security protection gateway. Here the target field device information comprises the IP address, MAC address, port information and the like of the field device receiving the packet.
In the embodiment of the present invention, as shown in Fig. 1, in the public network, when the industrial control system network sends a communication data packet to the public network (that is, from the field device to the user), in other words when the packet flows from eth1 to eth0, the encryption/decryption device examines the encryption bit in the packet. When the encryption bit is 1, the encrypted packet is decrypted; when the encryption bit is 0, the packet is not encrypted and is sent on directly to the security protection gateway.
The above is the preferred embodiment of the present invention. It should be pointed out that those skilled in the art can also make some improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be considered as falling within the protection scope of the present invention.

Claims (10)

1. A security protection gateway for modern industrial control system network communication, characterized in that it comprises:
a communication control unit, for basic communication control and for controlling the communication between the user and the field device according to the instruction sent by the linkage unit;
a packet analysis unit, for performing selective encryption/decryption and selective deep analysis on the received communication data packet;
a linkage unit, for sending to the communication control unit, according to the analysis result, an instruction indicating whether to refuse the later communication requests of this user, and for determining whether to send the analysed communication data packet to the target field device.
2. The security protection gateway according to claim 1, characterized in that the communication control unit comprises a white list detection module and a communication control module;
the white list detection module, when the user sends a communication data packet to the field device, judges whether the user information is included in a preset white list and, if so, sends the packet to the packet analysis unit; otherwise it discards the packet;
the communication control module refuses or accepts, according to the instruction sent by the linkage unit, the communication requests sent by this user after this communication, and also sends on the communication data packets sent by the field device;
wherein the user information comprises the IP address, MAC address and port information of the user sending the communication data.
3. The security protection gateway according to claim 2, characterized in that the packet analysis unit comprises an encryption/decryption module and a packet deep analysis module;
the encryption/decryption module, when the user sends a communication data packet to the field device, judges according to the encryption bit in the packet sent by the communication control unit whether the packet needs to be decrypted, and, when the field device sends a communication data packet to the user, judges whether the source field device information in the packet is included in a preset device encryption list and, if so, encrypts the packet;
the packet deep analysis module judges according to the user's operating rights whether the received communication data packet needs deep analysis; if so, it deep-analyses the packet and passes the packet and the analysis result to the linkage unit; otherwise it sets the analysis result to "no attack" and passes the packet and the analysis result to the linkage unit;
wherein the source field device information comprises the IP address, MAC address and port information of the field device sending the communication data packet.
4. The security protection gateway according to claim 3, characterized in that the encryption/decryption module comprises an encryption/decryption judgement submodule and an encryption/decryption operation submodule;
the encryption/decryption judgement submodule judges the received communication data packet, determines whether the packet needs an encryption or decryption operation, and sends on directly the packets that need neither encryption nor decryption;
the encryption/decryption operation submodule encrypts or decrypts, respectively, the packets that need encryption or decryption, and sends the encryption or decryption result.
5. The security protection gateway according to claim 4, characterized in that the encryption/decryption judgement submodule comprises an encryption judgement submodule and a decryption judgement submodule;
the encryption judgement submodule, when the field device sends a communication data packet to the user, judges whether the source field device information in the packet is included in the preset device encryption list; if so, it sets the encryption bit in the packet to the encryption label and sends the packet to the encryption/decryption operation submodule; otherwise it sends the packet to the communication control unit;
the decryption judgement submodule, when the user sends a communication data packet to the field device, examines the encryption bit in the packet; when the encryption bit is the encryption label, it sends the packet to the encryption/decryption operation submodule; otherwise it sends the packet to the packet deep analysis module.
6. The security protection gateway according to claim 4, characterized in that the encryption/decryption operation submodule encrypts or decrypts, respectively, the communication data packets that need encryption or decryption by means of a key generation module based on a time synchronization mechanism;
the encryption/decryption operation submodule comprises an encryption operation submodule and a decryption operation submodule;
the encryption operation submodule, when a communication data packet needs to be encrypted, has the key generation module generate a series of unpredictable random digit combinations as the key using a random number generation algorithm, encrypts the packet that needs encryption with this key, and then sends the encrypted packet;
the decryption operation submodule, when a communication data packet needs to be decrypted, consults the key history timetable established by the key generation module, finds the corresponding key in that table according to the encryption time label in the packet, decrypts the encrypted packet with this key, and then sends the decrypted packet to the packet deep analysis module.
7. The security protection gateway according to claim 3, characterized in that the packet deep analysis module is further used, when the user sends a communication data packet to the field device, to separate the industrial communication protocol header from the data in the application data part of the packet sent by the encryption/decryption module, to combine the separated industrial communication protocol header with the TCP/IP protocol header in order to judge whether a permission override operation exists, and to perform attack detection on the separated data in order to judge whether the packet carries an attack.
8. The security protection gateway according to claim 1, characterized in that the linkage unit comprises:
an attack control module, which, when the analysis result is that an attack exists, sends to the communication control unit an instruction to refuse the later communication requests of the user who initiated this communication, and discards the packet;
a permission override control module, which, when the analysis result is a permission override, sends to the communication control unit an instruction to refuse this user's communication requests for a preset time, and discards the packet;
a safety control module, which, when the analysis result is "no attack", sends the packet to the target field device.
9. A security protection gateway system for modern industrial control system network communication, characterized in that it comprises: the public network where the user is located, the Internet, and the industrial control system network where the security protection gateway according to any one of claims 1-8 is located;
the public network where the user is located comprises the user and an encryption/decryption device;
the encryption/decryption device performs selective encryption and decryption on the communication data packets between the user and the field device.
10. The security protection gateway system according to claim 9, characterized in that the encryption/decryption device judges, according to the encryption bit in the communication data packet sent by the field device, whether the packet needs to be decrypted, and, when the user sends a communication data packet to the field device, judges whether the target field device information in the packet is included in a preset device encryption list and, if so, encrypts the packet;
wherein the target field device information comprises the IP address, MAC address and port information of the field device receiving the communication data packet.
CN201510476034.2A 2015-08-05 2015-08-05 For the security protection gateway and system of modern industrial control system network service Active CN105072025B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510476034.2A CN105072025B (en) 2015-08-05 2015-08-05 For the security protection gateway and system of modern industrial control system network service

Publications (2)

Publication Number Publication Date
CN105072025A true CN105072025A (en) 2015-11-18
CN105072025B CN105072025B (en) 2018-03-13

Family

ID=54501311

Country Status (1)

Country Link
CN (1) CN105072025B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105791269A (en) * 2016-02-18 2016-07-20 南京富岛信息工程有限公司 Information security gateway based on data white list
CN106850601A (en) * 2017-01-20 2017-06-13 北京立思辰新技术有限公司 The safety protecting method of industrial control protocols in a kind of industrial control system
CN107483514A (en) * 2017-10-13 2017-12-15 北京知道创宇信息技术有限公司 Attack monitoring device and smart machine
CN108632201A (en) * 2017-03-16 2018-10-09 中兴通讯股份有限公司 Encryption device, decryption device and judge message whether the method that encrypt or decrypt
CN109327442A (en) * 2018-10-10 2019-02-12 杭州安恒信息技术股份有限公司 Method for detecting abnormality, device and the electronic equipment of Behavior-based control white list
CN109714767A (en) * 2019-02-25 2019-05-03 陈超 A kind of secure communication of network device
CN110825040A (en) * 2019-10-22 2020-02-21 中国科学院信息工程研究所 Process control attack detection method and device for industrial control system
CN111310213A (en) * 2020-02-20 2020-06-19 苏州浪潮智能科技有限公司 Service data protection method, device, equipment and readable storage medium
CN113162885A (en) * 2020-01-07 2021-07-23 中国石油天然气股份有限公司 Safety protection method and device for industrial control system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030126466A1 (en) * 2001-12-28 2003-07-03 So-Hee Park Method for controlling an internet information security system in an IP packet level
CN202856781U (en) * 2012-08-29 2013-04-03 广东电网公司电力科学研究院 Industrial control system main station safety device
CN103475478A (en) * 2013-09-03 2013-12-25 广东电网公司电力科学研究院 Terminal safety protection method and equipment
CN104320332A (en) * 2014-11-13 2015-01-28 济南华汉电气科技有限公司 Multi-protocol industrial communication safety gateway and communication method with gateway applied
CN104702584A (en) * 2013-12-10 2015-06-10 中国科学院沈阳自动化研究所 Modbus communication access control method based on rule self-learning

Also Published As

Publication number Publication date
CN105072025B (en) 2018-03-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20180615

Address after: 5th floor, Building 3, No. 168 Software Avenue, Yuhuatai District, Nanjing, Jiangsu, 210000

Patentee after: Jiangsu Elex Software Technology Co., Ltd.

Address before: No. 30 Xueyuan Road, Haidian District, Beijing, 100083

Patentee before: University of Science and Technology Beijing

CP01 Change in the name or title of a patent holder

Address after: 5th floor, Building 3, No. 168 Software Avenue, Yuhuatai District, Nanjing, Jiangsu, 210000

Patentee after: Bozhi Safety Technology Co.,Ltd.

Address before: 5th floor, Building 3, No. 168 Software Avenue, Yuhuatai District, Nanjing, Jiangsu, 210000

Patentee before: JIANGSU ELEX SOFTWARE TECHNOLOGY Co.,Ltd.