CN105072025A - Safe protective gateway and system for modern industrial control system network communication - Google Patents
- Publication number: CN105072025A (application CN201510476034.2A)
- Authority: CN (China)
- Prior art keywords: data packet, communication data, communication, encryption, decryption
- Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Abstract
The invention provides a security protection gateway and system for network communication in modern industrial control systems, able to secure communication between users on a public network and field devices. The gateway includes: a communication control unit, for basic communication control and for controlling communication between the user and the field device according to instructions sent by the linkage unit; a data packet parsing unit, for selective encryption/decryption and selective deep parsing of received communication data packets; and a linkage unit that, according to the parsing result, sends the communication control unit an instruction on whether to reject the user's subsequent communication requests and determines whether to send the parsed communication data packet to the target field device. The invention applies to the field of communication technology.
Description
Technical field
The invention relates to the field of communication technology, and in particular to a security protection gateway and system for network communication in modern industrial control systems.
Background
In the past, industrial production environments were relatively isolated: industrial control systems and their communication protocols were largely self-contained and had no connection to any public network, so most attacks on industrial control systems arose within the production process itself, such as operator error or natural disasters.
In recent years, with social progress and the development of computer technology, industrial control systems have evolved from closed, isolated systems into more open ones with many connections to public networks. A modern industrial production system not only contains an industrial control system but also incorporates general-purpose operating systems, and it is often necessary to monitor production conditions and equipment status at the industrial site remotely. Yet the industrial communication protocols widely used in modern industrial control systems (such as Modbus and the Distributed Network Protocol, DNP3) provide no security controls at all, which raises the problem of securing industrial production data transmitted over public networks. Because of the special nature of industrial production equipment, an attack that causes a failure can bring incalculable losses to the enterprise.
Some security products for industrial control systems are already on the market, such as Tofino's industrial firewall and the Winicssec (威努特) trusted zone gateway. The main feature of these products is deep packet inspection of multiple industrial communication protocols, examining the commands and data carried inside the protocol in order to detect network attacks based on industrial protocols. However, existing products only perform match-based detection on the messages; they do not protect the messages themselves.
Summary of the invention
The technical problem addressed by the invention is to provide a security protection gateway and system for network communication in modern industrial control systems, solving the problem that existing security products, owing to their own shortcomings, cannot protect a modern industrial control system comprehensively and have difficulty meeting its security requirements.
To solve this problem, an embodiment of the invention provides a security protection gateway for network communication in modern industrial control systems, including:
a communication control unit, for basic communication control and for controlling communication between the user and the field device according to instructions sent by the linkage unit;
a data packet parsing unit, for selective encryption/decryption and selective deep parsing of received communication data packets;
a linkage unit, for sending the communication control unit, according to the parsing result, an instruction on whether to reject the user's subsequent communication requests, and for determining whether to send the parsed communication data packet to the target field device.
Preferably, the communication control unit includes a whitelist detection module and a communication control module;
the whitelist detection module is used, when a user sends a communication data packet to a field device, to determine whether the user's information is contained in a preset whitelist; if so, the packet is sent to the data packet parsing unit, otherwise the packet is discarded;
the communication control module is used to reject or accept communication requests sent by that user after the current communication, according to the instruction from the linkage unit, and also to send out communication data packets coming from field devices;
where the user information includes the IP address, MAC address and port of the user sending the communication data.
Preferably, the data packet parsing unit includes an encryption/decryption module and a deep packet parsing module;
the encryption/decryption module is used, when a user sends a communication data packet to a field device, to determine from the encryption bit in the packet received from the communication control unit whether the packet needs to be decrypted, and, when a field device sends a communication data packet to a user, to determine whether the source field device information in the packet is contained in a preset device encryption list and, if so, to encrypt the packet;
the deep packet parsing module is used to determine, according to the user's operation authority, whether a received communication data packet needs deep parsing; if so, it deep-parses the packet and passes the packet and the parsing result to the linkage unit; otherwise it sets the parsing result to "no attack" and passes the packet and that result to the linkage unit;
where the source field device information includes the IP address, MAC address and port of the field device sending the packet.
Preferably, the encryption/decryption module includes an encryption/decryption judgment submodule and an encryption/decryption operation submodule;
the encryption/decryption judgment submodule examines each received communication data packet, determines whether it requires an encryption or decryption operation, and sends packets that need neither straight on;
the encryption/decryption operation submodule encrypts or decrypts the packets that require it and sends out the result.
Preferably, the encryption/decryption judgment submodule includes an encryption judgment submodule and a decryption judgment submodule;
the encryption judgment submodule is used, when a field device sends a communication data packet to a user, to determine whether the source field device information in the packet is contained in the preset device encryption list; if so, it sets the packet's encryption bit to the encryption marker and sends the packet to the encryption/decryption operation submodule, otherwise it sends the packet to the communication control unit;
the decryption judgment submodule is used, when a user sends a communication data packet to a field device, to examine the packet's encryption bit; if the bit carries the encryption marker, the packet is sent to the encryption/decryption operation submodule, otherwise it is sent to the deep packet parsing module.
Preferably, the encryption/decryption operation submodule encrypts or decrypts the packets that require it by means of a dynamic key generation module based on a time synchronization mechanism;
the encryption/decryption operation submodule includes an encryption operation submodule and a decryption operation submodule;
the encryption operation submodule is used, when a packet needs encryption, to have the dynamic key generation module generate an unpredictable series of random numbers as the key using a random number generation algorithm, encrypt the packet with that key, and send the encrypted packet out;
the decryption operation submodule is used, when a packet needs decryption, to look up the key corresponding to the encryption time label carried in the packet in the historical key schedule maintained by the dynamic key generation module, decrypt the encrypted packet with that key, and send the decrypted packet to the deep packet parsing module.
Preferably, the deep packet parsing module is also used, when a user sends a communication data packet to a field device, to separate the industrial communication protocol header from the data in the application data part of the packet received from the encryption/decryption module, to combine the separated industrial protocol header with the TCP/IP headers to determine whether the operation exceeds the user's authority, and to perform attack detection on the separated data to determine whether the packet carries an attack.
Preferably, the linkage unit includes:
an attack control module, used, when the parsing result indicates an attack, to send the communication control unit an instruction to reject subsequent communication requests from the user who initiated this communication, and to discard the packet;
an authority overreach control module, used, when the parsing result indicates an operation beyond the user's authority, to send the communication control unit an instruction to reject that user's communication requests for a preset time, and to discard the packet;
a security control module, used, when the parsing result is "no attack", to send the packet to the target field device.
An embodiment of the invention also provides a security protection gateway system for network communication in modern industrial control systems, including: the public network where the user is located, the Internet, and the industrial control system network where the security protection gateway of any one of claims 1-8 is located;
the public network where the user is located includes the user and an encryption/decryption device;
the encryption/decryption device selectively encrypts and decrypts communication data packets between the user and the field devices.
Preferably, the encryption/decryption device determines from the encryption bit in a packet sent by a field device whether the packet needs to be decrypted, and, when the user sends a packet to a field device, determines whether the target field device information in the packet is contained in the preset device encryption list and, if so, encrypts the packet;
where the target field device information includes the IP address, MAC address and port of the field device receiving the packet.
The beneficial effects of the above technical solution are as follows:
In the above solution, the data packet parsing unit selectively encrypts and decrypts the communication data packets between the user (a user on the public network) and the field device, ensuring their secure transmission, and selectively deep-parses those packets so that attack detection is performed selectively, improving the automatic defense against attacks. Based on the detection result of the parsing unit, the linkage unit determines whether to send the parsed packet to the target field device and sends control instructions to the communication control unit, which controls communication between that user and the field device accordingly. Compared with a conventional encryption gateway and intrusion detection, this not only improves the security of communication between users and field devices but also improves the performance of the industrial control system network, and the gateway is highly generic across industrial control systems.
Description of the drawings
Fig. 1 is a deployment diagram of the security protection gateway and the encryption/decryption device provided by an embodiment of the invention;
Fig. 2 is a schematic workflow of the security protection gateway when a user sends a communication data packet to a field device, according to an embodiment of the invention;
Fig. 3 is a schematic workflow of the whitelist detection module provided by an embodiment of the invention;
Fig. 4 is a schematic workflow of the data packet parsing unit provided by an embodiment of the invention;
Fig. 5 is a flowchart of the encryption/decryption module provided by an embodiment of the invention.
Detailed description
To make the technical problem, solution and advantages of the invention clearer, a detailed description follows with reference to the drawings and specific embodiments.
The invention addresses the problem that existing security products, owing to their own shortcomings, cannot protect a modern industrial control system comprehensively and have difficulty meeting its security requirements, by providing a security protection gateway and system for network communication in modern industrial control systems.
Embodiment 1
A security protection gateway for network communication in modern industrial control systems provided by an embodiment of the invention includes:
a communication control unit, for basic communication control and for controlling communication between the user and the field device according to instructions sent by the linkage unit;
a data packet parsing unit, for selective encryption/decryption and selective deep parsing of received communication data packets;
a linkage unit, for sending the communication control unit, according to the parsing result, an instruction on whether to reject the user's subsequent communication requests, and for determining whether to send the parsed communication data packet to the target field device.
The security protection gateway of this embodiment selectively encrypts and decrypts, through the data packet parsing unit, the communication data packets between the user (a user on the public network) and the field device, ensuring their secure transmission, and selectively deep-parses those packets so that attack detection is performed selectively, improving the automatic defense against attacks. Based on the detection result of the parsing unit, the linkage unit determines whether to send the parsed packet to the target field device and sends control instructions to the communication control unit, which controls communication between that user and the field device accordingly. Compared with a conventional encryption gateway and intrusion detection, this not only improves the security of communication between users and field devices but also improves the performance of the industrial control system network, and the gateway is highly generic across industrial control systems.
In this embodiment, referring to Fig. 1, the public network includes the user and the encryption/decryption device located on it; the industrial control system network includes the security protection gateway and the industrial control system. The gateway sits between the industrial control system and the Internet and is responsible for the security defense of the industrial control system; it is described in detail below.
In this embodiment, referring to Fig. 2, a communication data packet exchanged between the user and a field device may include header information, application data and trailer information. The header information includes the Ethernet header, the Internet Protocol (IP) header and the Transmission Control Protocol (TCP) header; the application data includes the industrial communication protocol header and data; the trailer information includes the Ethernet trailer.
In the specific implementation of the gateway described above, optionally, the communication control unit includes a whitelist detection module and a communication control module;
the whitelist detection module is used, when a user sends a communication data packet to a field device, to determine whether the user's information is contained in a preset whitelist; if so, the packet is sent to the data packet parsing unit, otherwise the packet is discarded;
the communication control module is used for basic communication control, for rejecting or accepting communication requests sent by the user after the current communication according to the instruction from the linkage unit, and for sending out communication data packets coming from field devices;
where the user information includes the IP address, Media Access Control (MAC) address and port of the user sending the communication data.
In this embodiment the communication control unit includes a whitelist detection module and a communication control module. Because of the special nature of industrial control systems, the set of users on the public network that may communicate with the industrial control system network is very stable over any given period, so the whitelist detection module can filter the users accessing the industrial control system, with the default communication policy set to deny. The detection process of the whitelist detection module is as follows: the information of the users allowed to communicate with field devices (IP address, MAC address, port, etc.) is recorded using whitelist technology; referring to Figs. 2 and 3, when a communication data packet sent by a user enters the gateway, the whitelist detection module first compares the packet's header information (Ethernet header, IP header, TCP header, etc., from which the user information can be obtained) against the user information recorded in the whitelist. If the corresponding header information is found in the whitelist, the packet is provisionally accepted and passed to the data packet parsing unit; if the user information is not found in the whitelist, the packet is discarded.
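As an added illustration (not code from the patent), the following Go program models the user-to-field-device path described above: the whitelist module keyed on IP, MAC and port with a default-deny policy, the communication control module honouring the linkage unit's refusal instructions, a deep parse of a Modbus/TCP packet that splits the protocol header from the data and checks the function code against the user's operation authority, and the linkage unit's three outcomes (forward, refuse for a preset time, refuse indefinitely). The Modbus/TCP framing, the `Rights` shape, the ten-minute preset period and the register-quantity detection rule are this example's assumptions; the patent specifies none of them.

```go
package main

import (
	"encoding/binary"
	"time"
)

// Endpoint is the user information the whitelist keys on: IP, MAC and port, read
// from the IP, Ethernet and TCP headers of the received frame.
type Endpoint struct {
	IP, MAC string
	Port    uint16
}

// Verdict is the outcome for one user-to-field-device packet.
type Verdict int

const (
	Forward            Verdict = iota // no attack: send on to the target field device
	DropNotWhitelisted                // whitelist module: user unknown, default deny
	DropRefused                       // communication control module: user currently refused
	DropOverreach                     // operation authority exceeded: refuse for presetDeny
	DropAttack                        // attack found in the data: refuse user from now on
)

const presetDeny = 10 * time.Minute // assumed preset refusal period after an overreach

// Rights is a user's operation authority (assumed shape): whether this user's
// packets get the deep parse at all, and which Modbus function codes they may send.
type Rights struct {
	Inspect bool
	Allowed map[byte]bool
}

// maxQty holds this example's attack-detection rule: register quantities above the
// Modbus limits (125 per read 0x03, 123 per write 0x10) are treated as an attack.
var maxQty = map[byte]int{0x03: 125, 0x10: 123}

type Gateway struct {
	whitelist    map[Endpoint]Rights
	refusedUntil map[Endpoint]time.Time // zero time = refused indefinitely
}

func NewGateway(whitelist map[Endpoint]Rights) *Gateway {
	return &Gateway{whitelist: whitelist, refusedUntil: map[Endpoint]time.Time{}}
}

func qty(b []byte) int { return int(binary.BigEndian.Uint16(b)) }

// deepParse separates the Modbus/TCP header (7-byte MBAP plus function code) from
// the data, joins the function code with the user identity taken from the TCP/IP
// headers to detect an operation beyond the user's authority, then runs attack
// detection on the data part.
func deepParse(r Rights, app []byte) Verdict {
	if len(app) < 8 {
		return DropAttack // no room for an MBAP header and function code
	}
	proto, length := binary.BigEndian.Uint16(app[2:4]), int(binary.BigEndian.Uint16(app[4:6]))
	if proto != 0 || length != len(app)-6 {
		return DropAttack // malformed Modbus/TCP framing
	}
	fc, data := app[7], app[8:]
	if !r.Allowed[fc] {
		return DropOverreach
	}
	if limit, known := maxQty[fc]; known {
		if len(data) < 4 || qty(data[2:4]) < 1 || qty(data[2:4]) > limit {
			return DropAttack
		}
	}
	return Forward
}

// Handle runs one packet through the whitelist module, the communication control
// module's refusal list, the deep-parsing module and the linkage unit's decision.
func (g *Gateway) Handle(src Endpoint, app []byte, now time.Time) Verdict {
	r, ok := g.whitelist[src]
	if !ok {
		return DropNotWhitelisted
	}
	if until, refused := g.refusedUntil[src]; refused {
		if until.IsZero() || now.Before(until) {
			return DropRefused
		}
		delete(g.refusedUntil, src) // preset refusal period has elapsed
	}
	v := Forward // without inspection the result is set to "no attack"
	if r.Inspect {
		v = deepParse(r, app)
	}
	switch v { // linkage unit: instruct the communication control module
	case DropAttack:
		g.refusedUntil[src] = time.Time{}
	case DropOverreach:
		g.refusedUntil[src] = now.Add(presetDeny)
	}
	return v
}
```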
In this embodiment, referring to Fig. 2, the communication control module rejects or accepts communication requests sent by the user after the current communication according to the instruction from the linkage unit, and also sends out communication data packets coming from field devices.
In the specific implementation of the gateway described above, optionally, the data packet parsing unit includes an encryption/decryption module and a deep packet parsing module;
the encryption/decryption module is used, when a user sends a communication data packet to a field device, to determine from the encryption bit in the packet received from the communication control unit whether the packet needs to be decrypted, and, when a field device sends a communication data packet to a user, to determine whether the source field device information in the packet is contained in a preset device encryption list and, if so, to encrypt the packet;
the deep packet parsing module is used to determine, according to the user's operation authority, whether a received communication data packet needs deep parsing; if so, it deep-parses the packet and passes the packet and the parsing result to the linkage unit; otherwise it sets the parsing result to "no attack" and passes the packet and that result to the linkage unit;
where the source field device information includes the IP address, MAC address and port of the field device sending the packet.
In this embodiment, referring to Fig. 2, the data packet parsing unit includes an encryption/decryption module and a deep packet parsing module. The field devices in an industrial control system are diverse, and their relevance to the safe operation of the system varies. For communication data packets flowing from the industrial control system network to the public network (from field device to user), whether a packet needs encryption is decided by the importance (communication level) of the field device within the industrial control system.
In this embodiment, for example, field devices can be classified by whether they need encryption, forming a device encryption list. When a field device sends a communication data packet to a user, the encryption/decryption module checks whether the source field device information in the packet is in the preset device encryption list and, if so, encrypts the packet. When a user sends a packet to a field device, the module determines from the encryption bit in the packet received from the communication control unit whether the packet needs to be decrypted. In this way, selective encryption and decryption not only secures the important packets sent by important field devices but also improves network performance, striking a balance between security and performance.
In this embodiment the encryption/decryption module includes an encryption/decryption judgment submodule and an encryption/decryption operation submodule; the judgment submodule examines each received packet, determines whether it requires an encryption or decryption operation, and sends packets that need neither straight on; the operation submodule encrypts or decrypts the packets that require it and sends out the result.
本发明实施例中,所述数据包深度解析模块能够根据用户的操作权限来决定是否对用户发送的通信数据包进行深度解析,从而有选择性地进行攻击检测,从而提高工业控制系统的自动防御能力。 In the embodiment of the present invention, the data packet deep analysis module can determine whether to perform deep analysis on the communication data packet sent by the user according to the user's operation authority, so as to selectively perform attack detection, thereby improving the automatic defense of the industrial control system ability.
在前述针对现代工业控制系统网络通信的安全防护网关的具体实施方式中,可选地,所述加解密判断子模块包括:加密判断子模块和解密判断子模块; In the aforementioned specific implementation of the security protection gateway for network communication of modern industrial control systems, optionally, the encryption and decryption judging submodule includes: an encryption judging submodule and a decryption judging submodule;
加密判断子模块:用于当现场设备向用户发送通信数据包时,判断通信数据包中的源现场设备信息是否包含在预设的设备加密名单中,若包含,则将该通信数据包中的加密位置加密标号,并将该通信数据包发送至加解密操作子模块,否则,则将该通信数据包发送至通信控制单元; Encryption judging sub-module: used to determine whether the source field device information in the communication data packet is included in the preset device encryption list when the field device sends the communication data packet to the user, and if it is included, the information in the communication data packet will be Encrypting the position and encrypting the label, and sending the communication data packet to the encryption and decryption operation sub-module, otherwise, sending the communication data packet to the communication control unit;
解密判断子模块:用于当用户向现场设备发送通信数据包时,对该通信数据包中的加密位进行判断,当该加密位为加密标号时,则将该通信数据包发送至加解密操作子模块,否则,则将该通信数据包发送至数据包深度解析模块。 Decryption judgment sub-module: used to judge the encryption bit in the communication data packet when the user sends the communication data packet to the field device, and when the encryption bit is an encryption label, then send the communication data packet to the encryption and decryption operation sub-module, otherwise, the communication data packet is sent to the data packet deep analysis module.
本发明实施例中,所述加解密判断子模块包括:加密判断子模块和解密判断子模块,参看图1所示,当工业控制系统网络向公共网络(也可称为现场设备向用户)发送通信数据包时,或者说当通信数据包从eth0流向eth1时,通过所述加密判断子模块在预设的设备加密名单中查找数据通信包中的源现场设备信息,若在所述设备加密名单中找到发送本次通信的数据通信包的现场设备信息,可以将该通信数据包的加密位置1(1为加密标号),并将该通信数据包发送至加解密操作子模块,否则,则将该通信数据包的加密位置0(0为非加密标号),并将该通信数据包发送至通信控制单元,其中,所述源现场设备信息包括:发送通信数据包的现场设备的IP地址、MAC地址和端口信息等。 In the embodiment of the present invention, the encryption and decryption judging submodule includes: an encryption judging submodule and a decryption judging submodule, as shown in FIG. When communicating data packets, or in other words, when the communication data packets flow from eth0 to eth1, the source field device information in the data communication packet is searched in the preset device encryption list by the encryption judgment submodule, if in the device encryption list Find the field device information that sent the data communication packet of this communication in , you can set the encryption position of the communication data packet to 1 (1 is the encryption label), and send the communication data packet to the encryption and decryption operation sub-module, otherwise, the The encryption position of the communication data packet is 0 (0 is a non-encrypted label), and the communication data packet is sent to the communication control unit, wherein the source field device information includes: the IP address, the MAC address of the field device sending the communication data packet Address and port information, etc.
本发明实施例中,参看图1和图4所示,当公共网络向工业控制系统网络(也可称为用户向现场设备)发送通信数据包时,或者说当通信数据包从eth1流向eth0时,通过所述解密判断子模块对该通信数据包中的加密位进行判断,当该加密位为1时,则表明该通信数据包的数据部分被加密了,判定需对该通信数据包进行解密操作,并将该通信数据包发送至加解密操作子模块,当该加密位为0时,则表明该通信数据包没有被加密,则将该通信数据包直接发送至数据包深度解析模块。 In the embodiment of the present invention, as shown in Fig. 1 and Fig. 4, when the public network sends a communication data packet to the industrial control system network (also referred to as the user to the field device), or when the communication data packet flows from eth1 to eth0 , judging the encryption bit in the communication data packet through the decryption judging submodule, when the encryption bit is 1, it indicates that the data part of the communication data packet is encrypted, and it is determined that the communication data packet needs to be decrypted Operation, and send the communication data packet to the encryption and decryption operation sub-module, when the encryption bit is 0, it indicates that the communication data packet is not encrypted, then the communication data packet is directly sent to the data packet deep analysis module.
在前述针对现代工业控制系统网络通信的安全防护网关的具体实施方式中,可选地,所述加解密操作子模块,用于通过基于时间同步机制的密钥动态生成模块,对需要加密或解密的通信数据包分别进行加密或解密操作; In the aforementioned specific implementation of the security protection gateway for network communication of modern industrial control systems, optionally, the encryption and decryption operation sub-module is used to use the key dynamic generation module based on the time synchronization mechanism to encrypt or decrypt the The communication data packets are encrypted or decrypted respectively;
所述加解密操作子模块包括:加密操作子模块和解密操作子模块; The encryption and decryption operation submodule includes: an encryption operation submodule and a decryption operation submodule;
加密操作子模块:用于当通信数据包需要加密时,通过所述密钥动态生成模块利用随机数产生算法生成一系列不可预测的随机数字组合作为密钥,并通过所述密钥对需要加密的通信数据包进行加密,再将加密后的通信数据包发送出去; Encryption operation sub-module: used to generate a series of unpredictable random number combinations as keys through the dynamic key generation module using the random number generation algorithm when the communication data packet needs to be encrypted, and the key pair needs to be encrypted Encrypt the communication data packet, and then send the encrypted communication data packet;
解密操作子模块:用于当通信数据包需要解密时,利用所述密钥动态生成模块建立的历史密钥时间表,根据通信数据包中的加密时间标签,在所述历史密钥时间表中找到对应的密钥,并利用该密钥对加密后的通信数据包进行解密,再将解密后的通信数据包发送至数据包深度解析模块。 Decryption operation sub-module: used to use the historical key schedule established by the key dynamic generation module when the communication data packet needs to be decrypted, according to the encryption time stamp in the communication data packet, in the historical key schedule Find the corresponding key, and use the key to decrypt the encrypted communication data packet, and then send the decrypted communication data packet to the data packet deep analysis module.
本发明实施例中,参看图5所示,该加解密操作子模块中的密钥生成采用了基于时间同步机制的密钥动态生成模块,在用户所在的公共网络中的加解密设备和工业控制系统网络中的安全防护网关中的密钥动态生成模块采用的算法和架构是一样的。 In the embodiment of the present invention, as shown in Figure 5, the key generation in the encryption and decryption operation sub-module adopts the key dynamic generation module based on the time synchronization mechanism, and the encryption and decryption equipment and industrial control in the public network where the user is located The algorithm and structure adopted by the key dynamic generation module in the security protection gateway in the system network are the same.
本发明实施例中,密钥的产生过程如下:所述密钥动态生成模块基于时间同步机制,采用随机数产生算法生成一系列不可预测的随机数字组合作为密钥,每个密钥只能使用一次,使用之后即刻失效,并由所述密钥动态生成模块定期更新密钥。因此,为了在解密操作时能够找到正确的、对应的密钥,且不用在网络中进行密钥的传输,在密钥动态生成模块中建立并维护了一个历史密钥时间表,通过历史密钥时间表对一定时期内动态生成的密钥和时间进行记录和维护。 In the embodiment of the present invention, the key generation process is as follows: the key dynamic generation module is based on a time synchronization mechanism, and uses a random number generation algorithm to generate a series of unpredictable random number combinations as keys, and each key can only be used Once, it becomes invalid immediately after use, and the key is periodically updated by the key dynamic generation module. Therefore, in order to find the correct and corresponding key during the decryption operation without transmitting the key in the network, a historical key schedule is established and maintained in the key dynamic generation module. The schedule records and maintains the dynamically generated keys and time within a certain period of time.
本发明实施例中,当通信数据包需要进行解密操作时,根据通信数据包中的加密时间标签,在所述历史密钥时间表中找到对应的密钥,然后利用该密钥对加密后的通信数据包进行解密。这样,通过基于时间同步机制的密钥动态生成模块,对需要加密或解密的通信数据包分别进行加密或解密操作,能够有效地保证了密钥的唯一性,大大提高了工业控制系统网络和公共网络通信的安全。 In the embodiment of the present invention, when the communication data packet needs to be decrypted, according to the encryption time stamp in the communication data packet, the corresponding key is found in the historical key time table, and then the encrypted key is used to decrypt the encrypted data. Communication packets are decrypted. In this way, through the key dynamic generation module based on the time synchronization mechanism, the communication data packets that need to be encrypted or decrypted are encrypted or decrypted respectively, which can effectively ensure the uniqueness of the key and greatly improve the industrial control system network and public security. Security of network communications.
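The selective encryption decision and the time-synchronised one-time key schedule described above, as an added Python example that is not part of the patent. It assumes that both ends derive each key from a pre-shared seed and the packet's time label with HMAC-SHA256 (the patent only says both modules run the same algorithm), that a SHA-256 counter-mode keystream plus an HMAC integrity tag stands in for a real cipher, and that Packet, KeySchedule, SelectiveCrypto and the device identities are constructed names.

```python
import hashlib, hmac
from dataclasses import dataclass

ENCRYPTED, PLAINTEXT = 1, 0  # values of the packet's encryption bit


@dataclass
class Packet:
    device: tuple         # constructed model: (ip, mac, port) of the field device involved
    data: bytes
    enc_bit: int = PLAINTEXT
    time_tag: int = 0     # encryption time label (ms) that selects the key
    mac: bytes = b""      # integrity tag, an addition over the patent text


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (stand-in for a real cipher)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


class KeySchedule:
    """Time-synchronised one-time keys plus the historical key table.
    Assumption: both ends share a seed and a synchronised clock, so a key is
    recomputed from the packet's time label and never crosses the network."""
    def __init__(self, seed: bytes, window_ms: int = 5_000):
        self._seed, self._window = seed, window_ms
        self._history, self._consumed, self._last = {}, set(), -1

    def _derive(self, tag: int) -> bytes:
        if tag not in self._history:   # record (time, key) in the history table
            self._history[tag] = hmac.new(self._seed, tag.to_bytes(8, "big"), hashlib.sha256).digest()
        return self._history[tag]

    def next_key(self, now_ms: int):
        """Sender side: a fresh, strictly increasing label, so no key is ever reused."""
        self._last = max(now_ms, self._last + 1)
        return self._last, self._derive(self._last)

    def lookup(self, tag: int, now_ms: int):
        """Receiver side: the key for an unused label inside the window, else None."""
        if abs(tag - now_ms) > self._window or tag in self._consumed:
            return None
        return self._derive(tag)

    def consume(self, tag: int, now_ms: int):
        """Retire a verified label (stops replay) and prune entries older than the window."""
        cutoff = now_ms - self._window
        self._consumed = {t for t in self._consumed | {tag} if t >= cutoff}
        self._history = {t: k for t, k in self._history.items() if t >= cutoff}


class SelectiveCrypto:
    """Encryption/decryption module: judgement sub-module plus operation sub-module."""
    def __init__(self, enc_list, schedule: KeySchedule):
        self._enc_list, self._schedule = set(enc_list), schedule   # preset device encryption list

    def encrypt(self, pkt: Packet, now_ms: int) -> Packet:
        """Encrypt only when the field device involved is on the encryption list."""
        if pkt.device not in self._enc_list:
            pkt.enc_bit = PLAINTEXT       # unlisted: passed on unchanged
            return pkt
        tag, key = self._schedule.next_key(now_ms)
        pkt.data, pkt.enc_bit, pkt.time_tag = _xor_stream(key, pkt.data), ENCRYPTED, tag
        pkt.mac = hmac.new(key, tag.to_bytes(8, "big") + pkt.data, hashlib.sha256).digest()
        return pkt

    def decrypt(self, pkt: Packet, now_ms: int):
        """Decrypt when the encryption bit is set; None means the packet is dropped."""
        if pkt.enc_bit == PLAINTEXT:
            return pkt
        key = self._schedule.lookup(pkt.time_tag, now_ms)
        if key is None:
            return None                   # expired, future or replayed time label
        expect = hmac.new(key, pkt.time_tag.to_bytes(8, "big") + pkt.data, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, pkt.mac):
            return None                   # ciphertext altered in transit
        self._schedule.consume(pkt.time_tag, now_ms)
        pkt.data, pkt.enc_bit, pkt.mac = _xor_stream(key, pkt.data), PLAINTEXT, b""
        return pkt


# Constructed identities: a listed (critical) PLC and an unlisted sensor.
PLC = ("192.0.2.10", "02:00:00:00:00:10", 502)
SENSOR = ("192.0.2.11", "02:00:00:00:00:11", 502)
SEED = b"constructed-pre-shared-seed"


def demo(now_ms: int = 1_700_000_000_000):
    """Gateway encrypts field -> user traffic; the user-side device decrypts it."""
    gateway, user_dev = SelectiveCrypto([PLC], KeySchedule(SEED)), SelectiveCrypto([PLC], KeySchedule(SEED))
    plc_pkt = gateway.encrypt(Packet(PLC, b"\x01\x03\x02\x00\x2a"), now_ms)
    sensor_pkt = gateway.encrypt(Packet(SENSOR, b"temp=21.5"), now_ms)
    flags = (plc_pkt.enc_bit, sensor_pkt.enc_bit)
    replayed = Packet(PLC, plc_pkt.data, ENCRYPTED, plc_pkt.time_tag, plc_pkt.mac)
    first = user_dev.decrypt(plc_pkt, now_ms + 40)
    second = user_dev.decrypt(replayed, now_ms + 80)   # same label again: dropped
    return flags, first.data, second
```

The receiver checks the integrity tag before retiring a label, so a forged packet cannot burn a label the legitimate sender is about to use.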
In the foregoing embodiment of the security protection gateway for modern industrial control system network communication, optionally, the data packet deep analysis module is further configured so that, when a user sends a communication data packet to a field device, it separates the industrial communication protocol header from the data in the application data part of the packet received from the encryption/decryption module, combines the separated industrial communication protocol header with the TCP/IP protocol header to judge whether the operation oversteps the user's authority, and performs attack detection on the separated data to judge whether the packet carries an attack.
In this embodiment, users of different security levels in an industrial control system have different operation rights on different field devices: some users may only read a device's data and may not control it, while others have read and write rights. Therefore, for example, communication between a user who only has read rights and a field device need not be deep-parsed, while communication between a user with read and write rights and a field device does require deep parsing.
In this embodiment, when a user sends a communication data packet to a field device, the packet received by the data packet deep analysis module has already passed through the decryption operation sub-module, so its application data part is plaintext. Based on the user information (the user's IP address, MAC address, port and so on, that is, the source-side information of the packet) and the industrial communication protocol header, the deep analysis module decides whether to deep-parse the packet. If deep parsing is required, the packet is deep-parsed and the packet and the analysis result are passed to the linkage unit; if not, the analysis result is set to no attack (safe) and the packet and the result are passed to the linkage unit.
In this embodiment, the deep parsing process is as follows. Using the known industrial communication protocol format, the deep analysis module separates the industrial communication protocol header from the data in the application data part of the packet; it then combines the separated industrial protocol header with the TCP/IP protocol header to judge whether the operation oversteps the user's authority; finally it performs attack detection on the separated data to judge whether the packet carries malicious code or other attack operations. Unpacking and analysing multiple industrial communication protocols in this way detects attacks at a deeper level and protects the network communication of a modern industrial control system comprehensively; the deep parsing also lays a foundation for future traffic statistics and analysis, giving the design good extensibility.
In the foregoing embodiment of the security protection gateway for modern industrial control system network communication, optionally, the linkage unit includes:
Attack control module: when the analysis result is that an attack exists, it sends the communication control unit an instruction to reject all later communication requests from the user who initiated this communication, and discards the current packet;
Authority overstep control module: when the analysis result is that the operation oversteps the user's authority, it sends the communication control unit an instruction to reject that user's communication requests for a preset period, and discards the current packet;
Safety control module: when the analysis result is no attack, it sends the packet to the target field device.
In this embodiment, the main task of the linkage unit is to decide what to do with the current communication according to the analysis result of the packet. When the result is that an attack exists, the linkage unit instructs the communication control unit to reject all later communication requests and connections from the user who initiated this communication, and discards the packet; when the result is no attack (safe), the linkage unit sends the packet on; when the result is that the operation oversteps the user's authority, the linkage unit instructs the communication control unit to reject that user's communication requests for a preset period, and discards the packet.
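The deep parsing and the linkage decisions described above, as an added Python example that is not part of the patent. It assumes the industrial protocol is Modbus/TCP (the patent names no protocol), that a user's operation authority is a per-device set of permitted function codes, and that the communication control unit is modelled as the block table kept inside LinkageUnit; the frames, addresses and class names are constructed.

```python
import struct
from collections import namedtuple

# Assumption: the "known industrial protocol" is Modbus/TCP (the patent names none).
READ_FCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}     # write single coil / register, multiple coils / registers
SAFE, ATTACK, OFFSIDE = "safe", "attack", "offside"   # possible analysis results

Packet = namedtuple("Packet", "src_ip dst_ip app_data")   # constructed: TCP/IP fields + decrypted app data


def split_modbus(app_data: bytes):
    """Separate the industrial protocol header (MBAP + function code) from the data."""
    if len(app_data) < 8:
        return None
    tid, pid, length, unit, fc = struct.unpack("!HHHBB", app_data[:8])
    if pid != 0 or length != len(app_data) - 6:   # MBAP length must match the bytes present
        return None
    return {"tid": tid, "unit": unit, "fc": fc}, app_data[8:]


def detect_attack(fc: int, data: bytes) -> bool:
    """Attack detection on the separated data: malformed or out-of-range requests."""
    if fc in READ_FCS or fc in (5, 6):
        if len(data) != 4:
            return True
        qty = struct.unpack("!H", data[2:4])[0]
        return fc in READ_FCS and not 1 <= qty <= (2000 if fc in (1, 2) else 125)
    if fc in (15, 16) and len(data) >= 5:
        qty, count = struct.unpack("!HB", data[2:5])
        expect = (qty + 7) // 8 if fc == 15 else qty * 2
        return not (1 <= qty <= (1968 if fc == 15 else 123) and count == expect == len(data) - 5)
    return True   # unknown function code or truncated multi-write: treat as an attack


class DeepAnalysisModule:
    """Decides per user whether to deep-parse, then runs the offside and attack checks."""
    def __init__(self, permissions):
        self._perm = permissions   # (user_ip, device_ip) -> permitted function codes

    def analyse(self, pkt: Packet) -> str:
        parsed = split_modbus(pkt.app_data)
        if parsed is None:
            return ATTACK                       # not even a well-formed frame
        header, data = parsed
        allowed = self._perm.get((pkt.src_ip, pkt.dst_ip), set())
        if allowed <= READ_FCS and header["fc"] in allowed:
            return SAFE   # read-only user issuing a permitted read: no deep parse
        if header["fc"] not in allowed:         # industrial header + TCP/IP header
            return OFFSIDE
        return ATTACK if detect_attack(header["fc"], data) else SAFE


class LinkageUnit:
    """Maps the analysis result to an instruction for the communication control unit,
    which is modelled here as the block table this class keeps."""
    OFFSIDE_BLOCK_MS = 60_000   # preset rejection period for an offside user

    def __init__(self, analyser: DeepAnalysisModule):
        self._analyser = analyser
        self._blocked = {}       # user_ip -> expiry in ms, or None when permanent

    def _admits(self, user_ip: str, now_ms: int) -> bool:
        until = self._blocked.get(user_ip, -1)
        if until == -1 or (until is not None and now_ms >= until):
            self._blocked.pop(user_ip, None)    # not blocked, or the period has lapsed
            return True
        return False

    def handle(self, pkt: Packet, now_ms: int) -> str:
        """Inbound user -> field device path after decryption."""
        if not self._admits(pkt.src_ip, now_ms):
            return "rejected"
        result = self._analyser.analyse(pkt)
        if result == SAFE:
            return "forward"                    # on to the target field device
        # offside: reject for a preset period; attack: reject every later request
        self._blocked[pkt.src_ip] = now_ms + self.OFFSIDE_BLOCK_MS if result == OFFSIDE else None
        return "drop"


# Constructed Modbus/TCP frames: read 10 holding registers, write one register, and a
# write-multiple whose byte count (4) contradicts its register quantity (1).
READ_10 = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_1 = bytes.fromhex("0002 0000 0006 01 06 0010 0001")
BAD_WRITE = bytes.fromhex("0003 0000 0009 01 10 0000 0001 04 0000")
PLC, OPERATOR, ENGINEER = "192.0.2.10", "198.51.100.5", "198.51.100.6"


def demo():
    """Walk two users' requests through the gateway and return its decisions."""
    perms = {(OPERATOR, PLC): READ_FCS, (ENGINEER, PLC): READ_FCS | WRITE_FCS}
    gw = LinkageUnit(DeepAnalysisModule(perms))
    steps = [(OPERATOR, READ_10, 1000),      # permitted read -> forward
             (OPERATOR, WRITE_1, 1100),      # read-only user writing -> offside, drop
             (OPERATOR, READ_10, 1200),      # still inside the rejection period
             (ENGINEER, BAD_WRITE, 1300),    # malformed write -> attack, permanent block
             (OPERATOR, READ_10, 61_100),    # rejection period lapsed -> forward again
             (ENGINEER, READ_10, 70_000)]    # the attacker stays blocked
    return [gw.handle(Packet(user, PLC, frame), t) for user, frame, t in steps]
```

A read-only user's permitted read is passed without deep parsing, exactly as the text proposes, so a malformed read from such a user is not inspected; widening the skip rule is a policy choice.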
In this embodiment, the security protection gateway described here is highly general across industrial control systems; together with the encryption/decryption device it effectively secures the communication between users and field devices, and because it applies selective encryption/decryption and deep packet parsing to the communication data packets, it improves both the security of the system and the performance of the network compared with a traditional encryption gateway and intrusion detection.
In this way the linkage unit sends control instructions to the communication control unit according to the analysis result, and the communication control unit controls the communication between the user and the field device according to the instructions it receives, which improves the automatic defence capability of the industrial control system network.
Embodiment 2
The present invention also provides an embodiment of a security protection gateway system for modern industrial control system network communication. Because this system corresponds to the foregoing embodiment of the security protection gateway, it achieves the object of the invention by carrying out the steps described in that embodiment, so the explanations given there also apply to the system described here and are not repeated below.
Referring to FIG. 1, an embodiment of the present invention also provides a security protection gateway system for modern industrial control system network communication, comprising: the public network where the user is located, the Internet, and the industrial control system network where the security protection gateway of any one of claims 1 to 8 is located;
The public network where the user is located includes users and an encryption/decryption device;
The encryption/decryption device selectively encrypts and decrypts the communication data packets exchanged between a user and a field device.
In the security protection gateway system of this embodiment, the security protection gateway of any one of claims 1 to 8 takes charge of the security defence of the industrial control system, and the encryption/decryption device deployed in the public network as the gateway's counterpart takes charge of encrypting and decrypting the communication between users and industrial field devices, thereby securing the communication between users and field devices.
In this embodiment, the encryption/decryption device works on the same principle as the encryption/decryption module in the security protection gateway; it can run on an embedded Linux platform and applies an allow-all policy to the communication it handles, which greatly improves the device's generality.
In the foregoing embodiment of the security protection gateway system for modern industrial control system network communication, optionally, the encryption/decryption device judges from the encryption bit of a communication data packet sent by a field device whether the packet needs to be decrypted, and, when a user sends a communication data packet to a field device, judges whether the target field device information in the packet is contained in the preset device encryption list and encrypts the packet if it is;
where the target field device information includes the IP address, MAC address and port of the field device that receives the packet.
In this embodiment, referring to FIG. 1 and FIG. 2, in the public network, when the public network sends a communication data packet to the industrial control system network (a user to a field device), that is, when the packet flows from eth0 to eth1, the encryption/decryption device looks up the packet's target field device information in the preset device encryption list. If the target field device that will receive the packet is found in the list, the packet's encryption bit is set to 1 and the packet is encrypted; otherwise the encryption bit is set to 0 and the packet is sent to the security protection gateway. The target field device information includes the IP address, MAC address and port of the field device that receives the packet.
In this embodiment, referring to FIG. 1, in the public network, when the industrial control system network sends a communication data packet to the public network (a field device to a user), that is, when the packet flows from eth1 to eth0, the encryption/decryption device examines the packet's encryption bit: when the bit is 1, the encrypted packet is decrypted; when the bit is 0, the packet was not encrypted and is forwarded directly to the security protection gateway.
The above is a preferred embodiment of the present invention. It should be pointed out that a person of ordinary skill in the art may make various improvements and refinements without departing from the principles of the invention, and these improvements and refinements also fall within the scope of protection of the invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510476034.2A CN105072025B (en) | 2015-08-05 | 2015-08-05 | For the security protection gateway and system of modern industrial control system network service |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105072025A true CN105072025A (en) | 2015-11-18 |
CN105072025B CN105072025B (en) | 2018-03-13 |
Family
ID=54501311
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105791269A (en) * | 2016-02-18 | 2016-07-20 | 南京富岛信息工程有限公司 | Information security gateway based on data white list |
CN106850601A (en) * | 2017-01-20 | 2017-06-13 | 北京立思辰新技术有限公司 | The safety protecting method of industrial control protocols in a kind of industrial control system |
CN107483514A (en) * | 2017-10-13 | 2017-12-15 | 北京知道创宇信息技术有限公司 | Attack monitoring device and smart machine |
CN108632201A (en) * | 2017-03-16 | 2018-10-09 | 中兴通讯股份有限公司 | Encryption device, decryption device and judge message whether the method that encrypt or decrypt |
CN109327442A (en) * | 2018-10-10 | 2019-02-12 | 杭州安恒信息技术股份有限公司 | Method for detecting abnormality, device and the electronic equipment of Behavior-based control white list |
CN109714767A (en) * | 2019-02-25 | 2019-05-03 | 陈超 | A kind of secure communication of network device |
CN110825040A (en) * | 2019-10-22 | 2020-02-21 | 中国科学院信息工程研究所 | Process control attack detection method and device for industrial control system |
CN111310213A (en) * | 2020-02-20 | 2020-06-19 | 苏州浪潮智能科技有限公司 | Service data protection method, device, equipment and readable storage medium |
CN113162885A (en) * | 2020-01-07 | 2021-07-23 | 中国石油天然气股份有限公司 | Safety protection method and device for industrial control system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030126466A1 (en) * | 2001-12-28 | 2003-07-03 | So-Hee Park | Method for controlling an internet information security system in an IP packet level |
CN202856781U (en) * | 2012-08-29 | 2013-04-03 | 广东电网公司电力科学研究院 | Industrial control system main station safety device |
CN103475478A (en) * | 2013-09-03 | 2013-12-25 | 广东电网公司电力科学研究院 | Terminal safety protection method and equipment |
CN104320332A (en) * | 2014-11-13 | 2015-01-28 | 济南华汉电气科技有限公司 | Multi-protocol industrial communication safety gateway and communication method with gateway applied |
CN104702584A (en) * | 2013-12-10 | 2015-06-10 | 中国科学院沈阳自动化研究所 | Modbus communication access control method based on rule self-learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20180615. Address after: 210000 5 floor, 3 software Avenue, Yuhuatai District, Nanjing, Jiangsu, 168. Patentee after: Jiangsu's software Polytron Technologies Inc. Address before: 100083 No. 30, Haidian District, Beijing, Xueyuan Road. Patentee before: University of Science and Technology Beijing |
| CP01 | Change in the name or title of a patent holder | Address after: 3, building 168, 5, 210000 software Avenue, Yuhuatai District, Jiangsu, Nanjing. Patentee after: Bozhi Safety Technology Co.,Ltd. Address before: 3, building 168, 5, 210000 software Avenue, Yuhuatai District, Jiangsu, Nanjing. Patentee before: JIANGSU ELEX SOFTWARE TECHNOLOGY Co.,Ltd. |