CN105577705B - Security protection method and system for the IEC 60870-5-104 protocol - Google Patents
Publication number: CN105577705B (application CN201610166403.2A)
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H04L63/00, network architectures or network communication protocols for network security)
- H04L63/02: for separating internal from external traffic, e.g. firewalls
- H04L63/14: for detecting or protecting against malicious traffic
- H04L63/20: for managing network security; network security policies in general
Abstract
The present invention provides a security protection method for the IEC 60870-5-104 protocol, comprising: performing TCP/IP layer protocol analysis on an external access request and determining the TCP/IP layer legitimacy of the external access request according to a first preset white list; assembling the external access request into a frame and checking the integrity of the frame that the external access request forms; determining the frame type of the external access request; when the external access request is an S-format or U-format frame, allowing the external access request to be packetised according to the TCP/IP protocol and forwarded to the internal communication port; and when the external access request is an I-format frame, determining the application layer legitimacy of the external access request according to a second preset white list. The present invention also provides a corresponding security protection system. The invention performs multi-level security protection at the TCP/IP layer and the application layer, can effectively resist a variety of attacks against industrial control devices or systems that use this protocol, and effectively avoids the security risks that arise in the prior art from the absence of a security precaution mechanism.
Description
Technical field
The present invention relates to the field of industrial information technology, and more particularly to a security protection method and system for the IEC 60870-5-104 protocol.
Background art
The IEC 60870-5-104 protocol (IEC 104) was formulated by IEC TC57 to meet the application of network technology in power systems, transmitting telecontrol information over networks, on the basis of the basic telecontrol task standard IEC 60870-5-101. Its title is "Network access for IEC 60870-5-101 using standard transport profiles"; the protocol combines the application layer of IEC 60870-5-101 with the transport functions provided by TCP/IP (Transmission Control Protocol/Internet Protocol). Within TCP/IP, various network types can be used, including X.25, FR (Frame Relay), ATM (Asynchronous Transfer Mode) and ISDN (Integrated Services Digital Network).
At present, industrial control networks mostly use devices such as traditional firewalls to protect IEC 60870-5-104 transmissions. The basic principle of these devices is to detect and isolate, at the TCP/IP layer, abnormal traffic passing through the protection device, preventing intrusion by known viruses and attacks. However, this approach cannot identify and block risky operations carried inside legitimate traffic (such as control commands that carry risky operations); that is, it cannot filter abnormal traffic at the application layer, which may cause equipment to operate abnormally or even be damaged. The main characteristic of such attacks is that they achieve the destruction of physical equipment by tampering with the parameters of otherwise normal industrial control protocol messages.
Summary of the invention
Embodiments of the present invention provide a security protection method and system for the IEC 60870-5-104 protocol, used to solve the problem in the prior art that industrial control systems based on the IEC 60870-5-104 protocol communicate with low reliability.
According to one aspect of the invention, a security protection method is provided, the method comprising:
performing TCP/IP layer protocol analysis on a received external access request, and determining the TCP/IP layer legitimacy of the external access request according to a first preset white list;
if legitimate, assembling the external access request into a frame and checking the integrity of the frame formed by the external access request;
if complete, determining the frame type of the external access request, the frame types comprising I-format, S-format and U-format frames;
when the external access request is an S-format or U-format frame, allowing the external access request to be packetised according to the TCP/IP protocol and forwarded to the internal communication port;
when the external access request is an I-format frame, determining the application layer legitimacy of the external access request according to a second preset white list; if legitimate, allowing the external access request to be packetised according to the TCP/IP protocol and forwarded to the internal communication port, otherwise blocking the TCP/IP connection of the external access request.
According to another aspect of the invention, a security protection system is also provided, comprising:
an access request receiving port, configured to receive an external access request;
a parsing module, configured to perform TCP/IP layer protocol analysis on the external access request and to determine the TCP/IP layer legitimacy of the external access request according to a first preset white list;
a frame assembly module, configured to assemble the external access request into a frame;
a detection module, configured to check the integrity of the frame formed by the external access request;
a frame type determination module, configured to determine the frame type of the external access request, the frame types comprising I-format, S-format and U-format frames;
an application layer determination module, configured to determine, when the external access request is an I-format frame, the application layer legitimacy of the external access request according to a second preset white list;
a sending module, configured to forward the external access request, packetised according to the TCP/IP protocol, to the internal communication port when the external access request is an S-format or U-format frame or when the external access request is legitimate;
a blocking module, configured to block the TCP/IP connection of the external access request when the external access request is illegitimate.
The security protection method and system for the IEC 60870-5-104 protocol of embodiments of the present invention perform multi-level security protection at the TCP/IP layer and the application layer, can effectively resist a variety of attacks against industrial control devices or systems that use the IEC 60870-5-104 protocol, ensure the confidentiality, integrity and availability of the various industrial control devices and systems that use the IEC 60870-5-104 protocol, and effectively avoid the security risks caused by traditional industrial control devices or systems using the IEC 60870-5-104 protocol having no security precaution mechanism.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. It should be understood that the content described with reference to the drawings covers only some embodiments of the present invention, and that a person of ordinary skill in the art can obtain other embodiments from these drawings and their explanation.
Fig. 1 is a flow chart of the security protection method of one embodiment of the present invention;
Fig. 2 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 3 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 4 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 5 is a flow chart of the security protection method of a further embodiment of the present invention;
Fig. 6 is a structural schematic diagram of the security protection system of one embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be noted that, in the absence of conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
It should also be noted that, herein, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include" and "comprise" cover not only the listed elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Fig. 1 is a flow chart of the security protection method of one embodiment of the present invention. As shown in Fig. 1, the security protection method of this embodiment comprises:
S11: performing TCP/IP layer protocol analysis on the received external access request, and determining the TCP/IP layer legitimacy of the external access request according to the first preset white list;
S12: if legitimate, assembling the external access request into a frame and checking the integrity of the frame formed by the external access request;
S13: if the frame is complete, determining the frame type of the external access request, the frame types comprising I-format, S-format and U-format frames;
S14: when the external access request is an S-format or U-format frame, allowing the external access request to be packetised according to the TCP/IP protocol and forwarded to the internal communication port;
S15: when the external access request is an I-format frame, determining the application layer legitimacy of the external access request according to the second preset white list; if legitimate, allowing the external access request to be packetised according to the TCP/IP protocol and forwarded to the internal communication port, otherwise blocking the TCP/IP connection of the external access request.
The frame assembly / frame integrity detection process in this embodiment is as follows:
Step 1: the received application layer byte stream is saved in a buffer;
Step 2: the start character is searched for. If no start character is found in the buffer, the buffer is emptied, a log record is generated and the process ends. If a start character is found, the buffer is checked for surplus bytes: any redundant bytes before the start character are removed from the buffer and discarded, and a log record is generated. Then, starting from the start character, the frame length is taken out; if the number of bytes in the buffer is insufficient, the process waits for a new byte stream to be received and returns to step 1, otherwise it proceeds to step 3;
Step 3: starting from the start character, the byte stream is taken out according to the frame length, and the frame is checked against the control field format defined by the IEC 104 protocol. If it conforms to the defined control field format, it is a legitimate complete frame and the next legitimacy judgement step is entered; otherwise it is an erroneous frame, which is discarded, and a log record is generated.
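The three-step reassembly above, as an added example that is not part of the patent: a Python reassembler that buffers a TCP byte stream, resynchronises on the 0x68 start byte, waits until the APDU length octet is satisfied, and validates the four-octet control field against the I/S/U rules of IEC 60870-5-104 (an I-frame has bit 0 of the first octet clear and carries an ASDU; an S-frame has first octet 0x01 and second octet 0; a U-frame carries exactly one of the six STARTDT/STOPDT/TESTFR function codes with the other three octets zero; S and U frames have an APDU length of exactly 4). The 104 APCI carries no CRC of its own, so the integrity check here is purely structural. The sample byte stream, the point at which it is split into two TCP segments and the log message texts are constructed for the example.

```python
"""IEC 60870-5-104 APCI reassembly and control-field validation (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

START_BYTE = 0x68
CTRL_LEN = 4            # the four control-field octets every APDU carries
MAX_APDU_LEN = 253      # largest value the APDU length octet may take

# U-format function codes (first control octet); the other octets must be zero.
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


@dataclass
class Frame:
    kind: str                       # "I", "S" or "U"
    apdu: bytes                     # start byte, length octet, control field, ASDU
    ns: Optional[int] = None        # send sequence number (I frames)
    nr: Optional[int] = None        # receive sequence number (I and S frames)
    u_function: Optional[str] = None
    asdu: bytes = b""               # payload of an I frame, empty otherwise


def classify(apdu: bytes) -> Optional[Frame]:
    """Step 3: check the control field against the I/S/U rules; None means malformed."""
    length = apdu[1]
    c1, c2, c3, c4 = apdu[2:6]
    nr = ((c4 << 8) | c3) >> 1
    if (c1 & 0x01) == 0:                                    # I format: bit 0 clear
        if length <= CTRL_LEN or (c3 & 0x01):               # needs an ASDU; N(R) bit 0 clear
            return None
        return Frame("I", apdu, ns=((c2 << 8) | c1) >> 1, nr=nr, asdu=apdu[6:])
    if (c1 & 0x03) == 0x01:                                 # S format: bits 1..0 == 01
        if length != CTRL_LEN or c1 != 0x01 or c2 != 0 or (c3 & 0x01):
            return None
        return Frame("S", apdu, nr=nr)
    # U format: bits 1..0 == 11, one known function code, octets 2..4 zero
    if length != CTRL_LEN or c1 not in U_FUNCTIONS or (c2, c3, c4) != (0, 0, 0):
        return None
    return Frame("U", apdu, u_function=U_FUNCTIONS[c1])


@dataclass
class Reassembler:
    """Steps 1 and 2: buffer the TCP byte stream and cut it into whole APDUs."""
    buf: bytearray = field(default_factory=bytearray)
    log: List[str] = field(default_factory=list)

    def feed(self, data: bytes) -> List[Frame]:
        self.buf += data                                    # step 1: keep bytes in the buffer
        frames: List[Frame] = []
        while True:
            idx = self.buf.find(bytes([START_BYTE]))        # step 2: locate the start character
            if idx < 0:
                if self.buf:
                    self.log.append(f"no start byte, discarded {len(self.buf)} bytes")
                self.buf.clear()
                return frames
            if idx > 0:
                self.log.append(f"discarded {idx} bytes before start byte")
                del self.buf[:idx]
            if len(self.buf) < 2:
                return frames                               # length octet not yet received
            length = self.buf[1]
            if length < CTRL_LEN or length > MAX_APDU_LEN:
                self.log.append(f"invalid APDU length {length}, resynchronising")
                del self.buf[:1]                            # skip this start byte, search again
                continue
            if len(self.buf) < 2 + length:
                return frames                               # wait for the rest of the frame
            apdu = bytes(self.buf[:2 + length])
            del self.buf[:2 + length]
            frame = classify(apdu)
            if frame is None:
                self.log.append(f"control field violates IEC 104 format: {apdu.hex()}")
                continue                                    # erroneous frame: drop and log
            frames.append(frame)


# Constructed sample stream: two junk bytes, STARTDT act, an interrogation
# command (type 100, COT 6, common address 1), an S frame acknowledging one
# APDU, and a U frame with a non-zero second octet that must be rejected.
STARTDT_ACT = bytes.fromhex("680407000000")
INTERROGATION = bytes.fromhex("680E00000000" "6401060001000000" "0014")
S_FRAME = bytes.fromhex("680401000200")
BAD_U = bytes.fromhex("680407010000")
STREAM = b"\xaa\xbb" + STARTDT_ACT + INTERROGATION + S_FRAME + BAD_U


def demo(split: int = 10) -> Tuple[List[str], List[str]]:
    """Deliver STREAM in two TCP segments; return the frame kinds and the log."""
    r = Reassembler()
    frames = r.feed(STREAM[:split]) + r.feed(STREAM[split:])
    return [f.kind for f in frames], r.log


if __name__ == "__main__":
    print(demo())
```

The reassembler keeps state across calls to feed, so a frame split across two TCP segments is completed on the second call; the result is the same whatever the split point. A bad length octet is handled by skipping the start byte and searching for the next one, which is what lets the parser recover from garbage injected into an established connection without tearing the whole buffer down.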
This embodiment can assemble frames according to the IEC 104 protocol frame structure, and blocks and filters messages that cannot pass the CRC check or whose frame structure is incomplete. White list technology can resist malware and targeted attacks, because by default no unauthorised software, tool or process can run on the endpoint: if malware attempts to install itself on an endpoint with white listing enabled, the white list technology determines that it is not a trusted process and denies it permission to run.
By introducing the integrity check of IEC 60870-5-104 protocol frames, this embodiment can effectively prevent the situation in which non-IEC 104 protocol messages are used to keep initiating communication requests to industrial control devices or systems, degrading the performance of those devices and systems.
The security protection method of this embodiment performs multi-level security protection of the IEC 60870-5-104 protocol at the TCP/IP layer and the application layer, can effectively resist a variety of attacks against industrial control devices or systems that use the IEC 60870-5-104 protocol, ensures the confidentiality, integrity and availability of the various industrial control devices and systems that use the IEC 60870-5-104 protocol, and effectively avoids the security risks caused by traditional industrial control devices or systems using the IEC 60870-5-104 protocol having no security precaution mechanism.
Fig. 2 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 2, in some embodiments the first preset white list is a client address white list.
S21: performing TCP/IP layer protocol analysis on the external access request from the client, and determining the client IP address and the accessed port number;
S22: determining, according to the client address white list, whether the client IP address and the accessed port number are within the range permitted to access;
S23: if the client IP address and the accessed port number are not within the permitted range, blocking the TCP/IP connection of the external access request.
In this embodiment, TCP/IP layer protocol analysis is performed on the received external access request, such as a message arriving on the network interface. For traffic that is not the TCP protocol, or whose client IP address and port number are not in the client address white list, an alarm and a log record are generated and the packet is discarded; if a TCP connection has already been established, the connection is blocked. By introducing TCP/IP layer protocol filtering, this embodiment can effectively prevent unauthorised access by unauthorised clients.
Further, it is also possible to preset a white list for the application layer and thereby filter external requests at the application layer.
Fig. 3 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 3, in some embodiments the second preset white list comprises an application function white list, which contains the ASDU type identification, cause of transmission code and information object address range corresponding to each application function permitted to be accessed. The method comprises:
S31: when the external access request is an I-format frame, extracting the ASDU type identification, cause of transmission code and information object address of the external access request, and determining according to the application function white list whether the application function of the external access request is an application function permitted to be accessed;
S32: if the application function of the external access request is not within the range defined by the application function white list, blocking the TCP/IP connection of the external access request;
S33: otherwise, judging whether the application function of the external access request is a control function.
In the IEC 60870-5-104 protocol the frame formats are I-format, S-format and U-format frames. All three contain an APCI (application protocol control information), but only I-format frames contain an ASDU (application service data unit). An ASDU consists of a data unit identifier and a number of information objects; the data unit identifier comprises the type identification, the variable structure qualifier, the cause of transmission and the common address, and each information object comprises the information object address, the information object elements and an information object time tag. Because an application function may involve a combination of several items such as ASDU type and cause of transmission, this embodiment takes the application transport functions offered by the IEC 104 protocol and classifies them by application scenario, for example into station interrogation, group interrogation, counter interrogation, background scan, remote control, step position adjustment, setting, parameter setting, clock synchronisation, event transmission, file transfer and other application functions, and establishes an association between these functions and the ASDU types and possible combinations of causes of transmission they involve. For the communication link between a specific master station and substation, the white list defines the "application functions and their message address ranges" allowed through the transmission link, and thereby remotely defines the ASDU types, causes of transmission and information objects that are allowed to pass.
By dividing the white list into a client address white list and an application function white list, and performing white list filtering of access requests at the TCP/IP layer and the application layer respectively, this embodiment further ensures the security and reliability of the whole industrial control system network. Because a grouping approach is used, in which the application functions commonly used in practice are put in correspondence with the ASDU types and causes of transmission of the communication protocol and the white list is built per application function, it avoids the problems of the traditional approach of setting filtering rules with ASDU type and cause of transmission as the unit, namely poor usability, filtering rules that are easily omitted and low system processing efficiency, and it can effectively prevent attacks on the availability of industrial control devices or systems, such as illegally changing the unit address, illegally uploading configuration files and illegally issuing control commands, thereby ensuring the security of communication between industrial control systems.
Fig. 4 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 4, the second preset white list comprises a data access range white list and a control object white list, and the method comprises:
S411: when the application function to which the ASDU of the external access request belongs is a control function, extracting the information object address and control value of the ASDU and, together with the client IP address, determining according to the control object white list whether the control value is within the permitted range;
S412: if the control value is within the permitted range, allowing the external access request to be packetised according to the TCP/IP protocol and forwarded to the internal communication port;
S413: otherwise, blocking the TCP/IP connection of the external access request;
S421: when the application function to which the ASDU of the external access request belongs is not a control function, extracting the information object address of the ASDU and, together with the client IP address, determining according to the data access range white list whether the information object address of the ASDU of the external access request is within the range permitted to access;
S422: if the information object address is within the range permitted to access, allowing the external access request to be packetised according to the TCP/IP protocol and forwarded to the internal communication port;
S423: otherwise, blocking the TCP/IP connection of the external access request.
By filtering with the data access range white list, this embodiment can effectively protect the secrecy of important control system data and prevent system data from being accessed illegally; by extracting the control object address and control value contained in a control operation and comparing the control value with the corresponding range of permitted control values, it can effectively protect the legitimacy and correctness of control operations.
In some embodiments, after the external access request is blocked, a system log record and an alarm output signal are generated.
Fig. 5 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 5, the method comprises the following steps:
S101: receiving a data request packet from the external port;
S102: performing TCP/IP protocol filtering on the data request packet;
S103: determining whether the client IP address and port number are permitted to access; if so, executing step S104, otherwise executing step S114;
S104: assembling the external data request into a frame according to the frame structure defined by the IEC 104 protocol;
S105: detecting whether the external data request forms a complete frame; if so, executing step S106, otherwise executing step S114;
S106: determining whether the frame formed by the external data request contains an ASDU; if so, executing step S107, otherwise (the frame is an S-format or U-format frame) executing step S113;
S107: comparing the type identification and cause of transmission of the ASDU contained in the frame formed by the external data request with the ASDU types and causes of transmission in the application function set, and obtaining the application function to which the ASDU in the frame belongs;
S108: determining according to the application function white list whether the application function to which the ASDU contained in the frame belongs is an application function permitted to be accessed; if so, executing step S109, otherwise executing step S114;
S109: determining whether the application function to which the ASDU belongs is a control operation application function; if so, executing step S110, otherwise executing step S112;
S110: extracting the information object address and control value corresponding to the control operation application function to which the ASDU belongs;
S111: determining according to the control object white list whether the control value of step S110 is within the permitted operating range; if so, executing step S113, otherwise executing step S114;
S112: determining according to the data access range white list whether the information object address of the non-control application function is within the permitted access range; if so, executing step S113, otherwise executing step S114;
S113: forwarding the external data request, packetised according to the TCP/IP protocol, to the internal communication port;
S114: blocking the TCP/IP connection of the external data request;
S115: generating a system log record and an alarm output signal.
Before the above embodiment, the following are also required:
1.1 predefining the client address white list: establishing the list of client addresses and accessed port numbers permitted to access;
1.2 pre-establishing the correspondence between IEC 104 protocol application functions and ASDU types and causes of transmission;
1.3 predefining the application function white list: with client IP address and application function name as the unit, predefining the set of application functions permitted to be accessed;
1.4 predefining the data access range white list: with client IP address and information object address (common address, information object address) as the unit, defining the set of information object addresses permitted to be accessed;
1.5 predefining the control object white list: with client IP address and control object information object address (common address, information object address) as the unit, defining the range of control objects permitted to be operated and the permitted control values.
In the above embodiment, when a communication request that does not meet the white list requirements is detected and communication blocking has been implemented, a system log record and an alarm output are generated; the alarm output methods include the device indicator light and the connected background monitoring software.
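The predefined white lists 1.1 to 1.5 and the decision chain S101 to S115 of Fig. 5, together with the application function mapping of Fig. 3 and the control value and data access range checks of Fig. 4, as an added example that is not part of the patent. The white list contents, the (type identification, cause of transmission) to application function table, the client addresses, common address, information object addresses and the constructed APDUs are all assumed for the example, and the set of ASDU types mapped is a small subset of IEC 60870-5-101. Only the first information object of an ASDU is examined, and APDUs are taken as already reassembled (the frame integrity step is reduced to a start byte and length check).

```python
"""White-list policy for IEC 60870-5-104 access requests (added example)."""
from typing import Dict, List, Optional, Set, Tuple

# 1.2  (type identification, cause of transmission) -> application function.
# Assumed subset of IEC 60870-5-101 ASDU types, activation (COT 6) only.
APP_FUNCTIONS: Dict[Tuple[int, int], str] = {
    (100, 6): "station interrogation",    # C_IC_NA_1
    (101, 6): "counter interrogation",    # C_CI_NA_1
    (103, 6): "clock synchronisation",    # C_CS_NA_1
    (45, 6): "single command",            # C_SC_NA_1
    (48, 6): "set point command",         # C_SE_NA_1
}
CONTROL_FUNCTIONS: Set[str] = {"single command", "set point command"}

# Assumed white lists for one permitted master at 10.0.0.5 reaching TCP port 2404.
CLIENT_WL: Set[Tuple[str, int]] = {("10.0.0.5", 2404)}                      # 1.1
APP_WL: Dict[str, Set[str]] = {                                             # 1.3
    "10.0.0.5": {"station interrogation", "clock synchronisation", "single command"}}
DATA_WL: Dict[str, List[Tuple[int, int, int]]] = {                          # 1.4
    "10.0.0.5": [(1, 0, 0), (1, 1000, 1999)]}     # (common address, first IOA, last IOA)
CONTROL_WL: Dict[Tuple[str, int, int], Set[int]] = {                        # 1.5
    ("10.0.0.5", 1, 5000): {0, 1}}                # (client, common address, IOA) -> values


def parse_asdu(asdu: bytes) -> dict:
    """Data unit identifier (6 octets) and the first information object address."""
    if len(asdu) < 9:
        raise ValueError("ASDU shorter than data unit identifier plus one IOA")
    return {"type": asdu[0], "vsq": asdu[1],
            "cot": asdu[2] & 0x3F,                     # strip the T and P/N bits
            "ca": asdu[4] | (asdu[5] << 8),
            "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
            "elem": asdu[9:]}


def control_value(a: dict) -> Optional[int]:
    """Control value of the first information object for the mapped control types."""
    elem = a["elem"]
    if a["type"] == 45 and len(elem) >= 1:
        return elem[0] & 0x01                            # SCO: bit 0 is the commanded state
    if a["type"] == 48 and len(elem) >= 2:
        return int.from_bytes(elem[:2], "little", signed=True)   # normalised set point
    return None


def filter_request(client_ip: str, dst_port: int, apdu: bytes, log: List[str]) -> bool:
    """S103 to S115: True forwards the APDU to the internal port, False blocks it."""
    def block(reason: str) -> bool:
        log.append(f"BLOCK {client_ip}->{dst_port}: {reason}")   # S114 + S115 (log, alarm)
        return False

    if (client_ip, dst_port) not in CLIENT_WL:                          # S103
        return block("client address not in white list")
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:   # S105
        return block("incomplete frame")
    if apdu[2] & 0x01:                                                  # S106: S or U frame
        return True
    try:
        a = parse_asdu(apdu[6:])
    except ValueError as err:
        return block(str(err))
    func = APP_FUNCTIONS.get((a["type"], a["cot"]))                     # S107
    if func is None or func not in APP_WL.get(client_ip, set()):        # S108
        return block(f"application function {func or (a['type'], a['cot'])} not permitted")
    if func in CONTROL_FUNCTIONS:                                       # S109 -> S110/S111
        value = control_value(a)
        allowed = CONTROL_WL.get((client_ip, a["ca"], a["ioa"]), set())
        if value not in allowed:
            return block(f"control value {value} for IOA {a['ioa']} not permitted")
        return True
    for ca, lo, hi in DATA_WL.get(client_ip, []):                       # S112
        if a["ca"] == ca and lo <= a["ioa"] <= hi:
            return True
    return block(f"IOA {a['ioa']} at common address {a['ca']} outside data access range")


# Constructed APDUs (already reassembled): interrogation of common address 1,
# single command ON to IOA 5000, the same command to IOA 5001, a set point to
# IOA 5000, and an S frame.
INTERROGATION = bytes.fromhex("680E00000000" "6401060001000000" "0014")
SINGLE_CMD_OK = bytes.fromhex("680E02000000" "2D01060001008813" "0001")
SINGLE_CMD_BAD_IOA = bytes.fromhex("680E04000000" "2D01060001008913" "0001")
SET_POINT = bytes.fromhex("681006000000" "3001060001008813" "00004000")
S_FRAME = bytes.fromhex("680401000200")


def demo() -> Tuple[List[bool], List[str]]:
    log: List[str] = []
    cases = [("10.0.0.5", 2404, INTERROGATION),
             ("10.0.0.5", 2404, SINGLE_CMD_OK),
             ("10.0.0.5", 2404, SINGLE_CMD_BAD_IOA),
             ("10.0.0.5", 2404, SET_POINT),      # permitted client, function not white-listed
             ("10.0.0.9", 2404, INTERROGATION),  # unknown client
             ("10.0.0.5", 2404, S_FRAME)]
    return [filter_request(ip, port, apdu, log) for ip, port, apdu in cases], log


if __name__ == "__main__":
    print(demo())
```

The checks are ordered as in Fig. 5, so the cheapest test (client address) runs first and the ASDU is only parsed once the frame is known to be an I-frame from a permitted client. The control object white list is keyed on the client as well as the object, which is what lets two masters be given different control rights over the same outstation; a command to an object with no entry at all is blocked rather than defaulting to open, matching the deny-by-default behaviour of the white lists described above.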
It should be noted that for each method embodiment above-mentioned, for simple description, therefore it is all expressed as a series of
Action merge, but those skilled in the art should understand that, the present invention is not limited by the described action sequence because
According to the present invention, certain steps can be performed in other orders or simultaneously.Secondly, those skilled in the art should also know
It knows, embodiment described in this description belongs to preferred embodiment, and involved action and module are not necessarily of the invention
It is necessary.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, there is no the portion being described in detail in some embodiment
Point, it may refer to the associated description of other embodiment.
Fig. 6 is the structural schematic diagram of the security protection system of an embodiment of the present invention.As shown in fig. 6, the present invention is another
A aspect additionally provides a kind of security protection system, including:
Access request receiving port 1, for receiving outside access request;
Parsing module 2 carries out TCP/IP layer protocol analysis for asking the outside access, white name is preset according to first
Single TCP/IP layer legitimacy for determining the outside access request;
Group packet/detection module 3, for the outside access request to be packaged and detected to outside access request
Frame integrality;
Frame determination type module 4, the frame type for determining the outside access request, the frame type includes I format
Frame, S format frames and U format frames;
Application layer determining module 5 is used for when outside access request is I format frame, according to the second default white list
Determine the application layer legitimacy of the outside access request;
Sending module 6, for being S format frames or U format frames or outside access request when outside access request
When legal, internal communication port will be forwarded to according to the outside access request after ICP/IP protocol group packet;
Module 7 is blocked, for when outside access request is illegal, blocking the TCP/IP of the outside access request
Connection.
In some embodiments, the first default white list is client address white list, and parsing module 2 is used for coming from
The outside access request of client carries out TCP/IP layer protocol analysis, determines the client ip address and access end slogan;
When module 7 being blocked to be used to ask TCP/IP layer illegal according to the outside access that parsing module 2 determines, block
The TCP/IP connections of the outside access request.
In some embodiments, the second default white list includes application function white list, and application function white list includes
The corresponding ASDU type identifications of application function accessed, transmission reason code and information object address range, application layer is allowed to determine
Module 5 includes:
Application function judging unit 51, for when outside access request is I format frame, extracting the outside access
ASDU types, transmission reason code and the information object address of request determine the external visit according to the application function white list
Ask whether the application function of request is the application function for allowing to access;When the application function of outside access request is answered described
When in the range of being defined with function white list, the application function of outside access request whether in order to control function is judged;
Wherein, block application function of the module 7 for being asked in the outside access not in the application function white list
When in the range of definition, the TCP/IP connections of the outside access request are blocked.
In some embodiments, the second default white list further includes a data access range white list and a control object white list, and the application layer determining module 5 further includes:
a control object unit 52 which, when the application function to which the ASDU of the outside access request belongs is a control function, extracts the information object address and the control value of the ASDU and determines from the control object white list whether the control value is within the allowed range;
the sending module 6 forwards the outside access request, after packet reassembly according to the TCP/IP protocol, to the internal communication port when the control value is within the allowed range;
the blocking module 7 blocks the TCP/IP connection of the outside access request when the control value is not within the allowed range;
the application layer determining module 5, when the application function to which the ASDU of the outside access request belongs is not a control function, determines from the data access range white list whether the information object address of the ASDU of the outside access request is within the range allowed to be accessed;
the sending module 6 forwards the outside access request, after packet reassembly according to the TCP/IP protocol, to the internal communication port when the information object address of the ASDU is within the range allowed to be accessed;
the blocking module 7 blocks the TCP/IP connection of the outside access request when the information object address is not within the range allowed to be accessed.
In some embodiments, the system of the invention further includes a warning module 8 which, after the blocking module 7 has blocked the TCP/IP connection of the outside access request, generates a system log record and an alarm output signal.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of this embodiment, and a person of ordinary skill in the art can understand and implement them without creative effort.
From the above description of the embodiments, a person skilled in the art will clearly understand that each embodiment can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the technical solution above, or the part of it that contributes over the prior art, may in essence be embodied as a software product. That computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in some parts of the embodiments.
A person skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram. These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A safety protection method for the IEC60870-5-104 protocol, comprising:
performing TCP/IP layer protocol analysis on a received outside access request and determining the TCP/IP layer legitimacy of the outside access request according to a first default white list, the first default white list being a client address white list;
if legitimate, performing packet reassembly on the outside access request and detecting the integrity of the frame formed by the outside access request;
if the frame is complete, determining the frame type of the outside access request, the frame type comprising I format frames, S format frames and U format frames;
when the outside access request is an S format frame or a U format frame, allowing the outside access request, reassembled according to the TCP/IP protocol, to be forwarded to the internal communication port;
when the outside access request is an I format frame, determining the application layer legitimacy of the outside access request according to a second default white list and, if legitimate, allowing the outside access request, reassembled according to the TCP/IP protocol, to be forwarded to the internal communication port; otherwise blocking the TCP/IP connection of the outside access request; the second default white list comprising an application function white list, and the application function white list comprising the ASDU type identification, cause of transmission code and information object address range corresponding to each application function allowed to be accessed.
2. The safety protection method according to claim 1, wherein performing TCP/IP layer protocol analysis on the received outside access request and determining the TCP/IP layer legitimacy of the outside access request according to the first default white list comprises:
performing TCP/IP layer protocol analysis on the outside access request from a client and determining the client IP address and the accessed port number;
determining according to the client address white list whether the client IP address and the accessed port number are within the range allowed to be accessed;
if the client IP address and the accessed port number are not within the range allowed to be accessed, blocking the TCP/IP connection of the outside access request.
3. The safety protection method according to claim 2, wherein, when the outside access request is an I format frame, determining the application layer legitimacy of the outside access request according to the second default white list comprises:
extracting the ASDU type identification, cause of transmission code and information object address of the outside access request, and determining according to the application function white list whether the application function of the outside access request is an application function allowed to be accessed;
if the application function of the outside access request is not within the range defined by the application function white list, blocking the TCP/IP connection of the outside access request; otherwise
judging whether the application function of the outside access request is a control function.
4. The safety protection method according to claim 3, wherein the second default white list further comprises a data access range white list and a control object white list, and after judging whether the application function of the outside access request is a control function the method comprises:
when the application function to which the ASDU of the outside access request belongs is a control function, extracting the information object address and the control value of the ASDU and, together with the client IP address, determining according to the control object white list whether the control value is within the allowed range:
if the control value is within the allowed range, allowing the outside access request, reassembled according to the TCP/IP protocol, to be forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the outside access request;
when the application function to which the ASDU of the outside access request belongs is not a control function, extracting the information object address of the ASDU and, together with the client IP address, determining according to the data access range white list whether the information object address of the ASDU of the outside access request is within the range allowed to be accessed:
if the information object address is within the range allowed to be accessed, allowing the outside access request, reassembled according to the TCP/IP protocol, to be forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the outside access request.
5. The safety protection method according to any one of claims 1 to 4, wherein, after the outside access request is blocked, a system log record and an alarm output signal are generated.
6. A security protection system for the IEC60870-5-104 protocol, the system comprising:
an access request receiving port configured to receive an outside access request;
a parsing module configured to perform TCP/IP layer protocol analysis on the outside access request and to determine the TCP/IP layer legitimacy of the outside access request according to a first default white list, the first default white list being a client address white list;
a packet reassembly module configured to reassemble the outside access request;
a detection module configured to detect the integrity of the frame formed by the outside access request;
a frame type determining module configured to determine the frame type of the outside access request, the frame type comprising I format frames, S format frames and U format frames;
an application layer determining module configured, when the outside access request is an I format frame, to determine the application layer legitimacy of the outside access request according to a second default white list, the second default white list comprising an application function white list, and the application function white list comprising the ASDU type identification, cause of transmission code and information object address range corresponding to each application function allowed to be accessed;
a sending module configured, when the outside access request is an S format frame or a U format frame or when the outside access request is legitimate, to forward the outside access request, reassembled according to the TCP/IP protocol, to the internal communication port;
a blocking module configured, when the outside access request is illegitimate, to block the TCP/IP connection of the outside access request.
7. The security protection system according to claim 6, wherein the parsing module is configured to perform TCP/IP layer protocol analysis on the outside access request from a client and to determine the client IP address and the accessed port number;
and the blocking module is configured to block the TCP/IP connection of the outside access request when the parsing module determines that the outside access request is illegitimate at the TCP/IP layer.
8. The security protection system according to claim 7, wherein the application layer determining module comprises:
an application function judging unit configured, when the outside access request is an I format frame, to extract the ASDU type, cause of transmission code and information object address of the outside access request and to determine according to the application function white list whether the application function of the outside access request is an application function allowed to be accessed; and, when the application function of the outside access request is within the range defined by the application function white list, to judge whether the application function of the outside access request is a control function;
wherein the blocking module is configured to block the TCP/IP connection of the outside access request when the application function of the outside access request is not within the range defined by the application function white list.
9. The security protection system according to claim 8, wherein the second default white list further comprises a data access range white list and a control object white list, and the application layer determining module further comprises:
a control object unit configured, when the application function to which the ASDU of the outside access request belongs is a control function, to extract the information object address and the control value of the ASDU and to determine according to the control object white list whether the control value is within the allowed range;
the sending module being configured to forward the outside access request, reassembled according to the TCP/IP protocol, to the internal communication port when the control value is within the allowed range;
the blocking module being configured to block the TCP/IP connection of the outside access request when the control value is not within the allowed range;
the application layer determining module being further configured, when the application function to which the ASDU of the outside access request belongs is not a control function, to determine according to the data access range white list whether the information object address of the ASDU of the outside access request is within the range allowed to be accessed;
the sending module being configured to forward the outside access request, reassembled according to the TCP/IP protocol, to the internal communication port when the information object address of the ASDU is within the range allowed to be accessed;
the blocking module being configured to block the TCP/IP connection of the outside access request when the information object address is not within the range allowed to be accessed.
10. The security protection system according to any one of claims 6 to 9, further comprising a warning module configured to generate a system log record and an alarm output signal after the blocking module has blocked the TCP/IP connection of the outside access request.
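The layered check sequence that the description of the modules above and claims 1 to 10 specify, written out as an added example in Python. It is not code from the patent or its assignee. It assumes a concrete layout for the three white lists (client IP address plus accessed port; ASDU type identification, cause of transmission and information object address range; per-client tables of permitted control values and readable address ranges), treats only single and double commands as control functions, reads the control value from the low two bits of the command octet, and fails closed on ASDUs with an unsupported type identification or the SQ=1 sequence layout. Every address, range, value and sample frame below is constructed for the example.

```python
"""Layered whitelist filter for IEC 60870-5-104 APDUs (added example, not the patent's code).
Check order follows the claims: client address, frame integrity, frame type, then for I frames
the application function whitelist and the control object or data access range whitelist."""
from collections import namedtuple

Verdict = namedtuple("Verdict", "action stage reason")   # action is "forward" or "block"
START_BYTE = 0x68
C_SC_NA_1, C_DC_NA_1, C_IC_NA_1, C_RD_NA_1 = 45, 46, 100, 102          # IEC 60870-5 type ids
ELEMENT_SIZE = {C_SC_NA_1: 1, C_DC_NA_1: 1, C_IC_NA_1: 1, C_RD_NA_1: 0}  # bytes per element
CONTROL_TYPES = {C_SC_NA_1, C_DC_NA_1}   # assumption: interrogation counts as non-control

# Constructed whitelists: every address, range and value here is assumed for the demo
CLIENT_WHITELIST = {("192.0.2.10", 2404), ("192.0.2.11", 2404)}          # (client IP, port)
APP_FUNCTION_WHITELIST = [(C_IC_NA_1, 6, (0, 0)),        # (type id, COT, inclusive IOA range)
                          (C_RD_NA_1, 5, (1, 999)),
                          (C_SC_NA_1, 6, (1000, 1099))]
CONTROL_OBJECT_WHITELIST = {"192.0.2.10": {1001: {0, 1}, 1002: {1}}}    # IP -> IOA -> values
DATA_ACCESS_WHITELIST = {"192.0.2.10": [(0, 0), (1, 999)],              # IP -> readable IOAs
                         "192.0.2.11": [(0, 0), (1, 99)]}


def frame_type(control):
    """APCI control field: bit 0 clear -> I format, bits 0-1 == 01 -> S, == 11 -> U."""
    if control[0] & 0x01 == 0:
        return "I"
    return "U" if control[0] & 0x03 == 0x03 else "S"


def check_integrity(apdu):
    """Return None when the APCI framing is sound, otherwise the reason it is not."""
    if len(apdu) < 6 or apdu[0] != START_BYTE:
        return "missing start byte or truncated APCI"
    if not 4 <= apdu[1] <= 253 or len(apdu) != apdu[1] + 2:
        return f"length octet {apdu[1]} does not match {len(apdu) - 2} payload bytes"
    if frame_type(apdu[2:6]) == "I" and apdu[1] < 4 + 6 + 3:
        return "I frame too short for an ASDU header and one IOA"
    if frame_type(apdu[2:6]) != "I" and apdu[1] != 4:
        return "S/U frame must not carry an ASDU"
    return None


def parse_asdu(asdu):
    """Return (type id, cause of transmission, [IOA, ...], [element bytes, ...])."""
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2] & 0x3F      # COT without T and P/N bits
    sq, count, size = vsq >> 7, vsq & 0x7F, ELEMENT_SIZE.get(type_id)
    if size is None or count == 0 or sq:   # unknown type, empty ASDU or SQ=1: fail closed
        raise ValueError(f"unsupported ASDU: type id {type_id}, VSQ {vsq:#04x}")
    body = asdu[6:]   # after type id, VSQ, COT (2 bytes) and common address (2 bytes)
    if len(body) != count * (3 + size):
        raise ValueError("ASDU length does not match its VSQ")
    offsets = range(0, len(body), 3 + size)   # each object: 3-byte IOA then its element
    return (type_id, cot, [int.from_bytes(body[o:o + 3], "little") for o in offsets],
            [body[o + 3:o + 3 + size] for o in offsets])


def inspect_apdu(client_ip, dst_port, apdu):
    """Apply every check of the method to one APDU and return the Verdict."""
    if (client_ip, dst_port) not in CLIENT_WHITELIST:
        return Verdict("block", "tcp", f"{client_ip}:{dst_port} not in client address whitelist")
    err = check_integrity(apdu)
    if err:
        return Verdict("block", "frame", err)
    ftype = frame_type(apdu[2:6])
    if ftype != "I":   # S and U frames carry no ASDU and are forwarded as-is
        return Verdict("forward", "frame-type", f"{ftype} format frame")
    try:
        type_id, cot, ioas, elements = parse_asdu(apdu[6:])
    except ValueError as exc:
        return Verdict("block", "asdu", str(exc))
    if not any(type_id == t and cot == c and all(lo <= a <= hi for a in ioas)
               for t, c, (lo, hi) in APP_FUNCTION_WHITELIST):
        return Verdict("block", "app-function", f"type {type_id} COT {cot} IOA {ioas} not whitelisted")
    if type_id in CONTROL_TYPES:   # control function: value must be whitelisted per client and IOA
        allowed = CONTROL_OBJECT_WHITELIST.get(client_ip, {})
        for ioa, elem in zip(ioas, elements):
            value = elem[0] & 0x03   # SCS / DCS bits of the command octet
            if value not in allowed.get(ioa, set()):
                return Verdict("block", "control-object", f"value {value} on IOA {ioa} denied for {client_ip}")
        return Verdict("forward", "control-object", f"control of IOA {ioas} permitted")
    ranges = DATA_ACCESS_WHITELIST.get(client_ip, [])   # non-control: IOA must be readable by client
    for ioa in ioas:
        if not any(lo <= ioa <= hi for lo, hi in ranges):
            return Verdict("block", "data-access", f"IOA {ioa} outside data access range for {client_ip}")
    return Verdict("forward", "data-access", f"access to IOA {ioas} permitted")


def alarm_record(client_ip, dst_port, verdict):
    """Warning module: one log line for a blocked request (line format is assumed)."""
    return (f"IEC104-FILTER action={verdict.action} stage={verdict.stage} "
            f"client={client_ip}:{dst_port} reason=\"{verdict.reason}\"")


def build_i_frame(type_id, cot, ioa, element, common_addr=1):
    """Single-object I-format APDU with send/receive sequence 0 (constructed demo traffic)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + common_addr.to_bytes(2, "little")
            + ioa.to_bytes(3, "little") + element)
    return bytes([START_BYTE, 4 + len(asdu)]) + bytes(4) + asdu   # zero control field -> I frame


STARTDT_ACT = bytes([START_BYTE, 0x04, 0x07, 0x00, 0x00, 0x00])   # U frame: STARTDT act
```

With these tables, `inspect_apdu("192.0.2.10", 2404, build_i_frame(C_SC_NA_1, 6, 1001, b"\x01"))` is forwarded at the control object stage, the same command from 192.0.2.11 is blocked there because that client has no control object entry, and a read of IOA 500 from 192.0.2.11 passes the application function white list but is blocked by the data access range white list. Two choices matter in practice: the control object white list is keyed by client IP address as well as by IOA, as claim 4 requires, and every parse failure (bad length octet, VSQ that disagrees with the payload, unsupported type identification) is a block rather than a pass-through.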
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201610166403.2A (CN105577705B) | 2016-03-22 | 2016-03-22 | Safety protection method and system for the IEC60870-5-104 protocol
Publications (2)
Publication Number | Publication Date
---|---
CN105577705A | 2016-05-11
CN105577705B | 2018-08-21
Family
ID=55887360
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201610166403.2A (CN105577705B, active) | Safety protection method and system for the IEC60870-5-104 protocol | 2016-03-22 | 2016-03-22
Country Status (1)
Country | Link
---|---
CN | CN105577705B
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN106982219A | 2017-04-20 | 2017-07-25 | 电子科技大学 | IEC104 communication access control method
CN107547540B | 2017-08-30 | 2020-06-26 | 上海许继电气有限公司 | IEC 60870-5-104 protocol message monitoring method
CN115208593B | 2021-03-26 | 2023-08-18 | 南宁富联富桂精密工业有限公司 | Security monitoring method, terminal and computer-readable storage medium
CN115118674A | 2022-06-22 | 2022-09-27 | 深圳市沃特沃德信息有限公司 | Application program networking monitoring method, device, equipment and medium
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN102255924A | 2011-08-29 | 2011-11-23 | 浙江中烟工业有限责任公司 | Multi-level security interconnection platform based on trusted computing and its processing flow
CN102307197A | 2011-08-29 | 2012-01-04 | 浙江中烟工业有限责任公司 | Trusted enhancement subsystem of a multi-level security interconnection platform
CN105337986A | 2015-11-20 | 2016-02-17 | 英赛克科技(北京)有限公司 | Trusted protocol conversion method and trusted protocol conversion system
Legal Events
Date | Code | Title | Description
---|---|---|---
 | C06 | Publication | 
 | PB01 | Publication | 
 | C10 | Entry into substantive examination | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 