CN105577705B - Security protection method and system for the IEC60870-5-104 protocol - Google Patents

Info

Publication number: CN105577705B
Application number: CN201610166403.2A
Authority: CN (China)
Other versions: CN105577705A
Other languages: Chinese (zh)
Legal status: Active
Prior art keywords: access request, outside access, white list, tcp, outside
Inventor: 陈惠欣
Current assignee: Master Technology (beijing) Co Ltd
Original assignee: Master Technology (beijing) Co Ltd

Events: application filed by Master Technology (beijing) Co Ltd; priority to CN201610166403.2A; publication of CN105577705A; application granted; publication of CN105577705B; legal status active.

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present invention provides a security protection method for the IEC60870-5-104 protocol, comprising: performing TCP/IP-layer protocol analysis on an external access request and determining the TCP/IP-layer legitimacy of the request according to a first preset whitelist; assembling the external access request into frames and checking the integrity of the frame formed by the request; determining the frame type of the request; when the request is an S-format or U-format frame, allowing it to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port; when the request is an I-format frame, determining its application-layer legitimacy according to a second preset whitelist. The present invention also provides a corresponding security protection system. The invention applies multi-level security protection at the TCP/IP layer and at the application layer, can effectively resist a variety of attacks against industrial control equipment or systems using the protocol, and effectively avoids the security risks that arise in the prior art from the absence of a safety precaution mechanism.

Description

Security protection method and system for the IEC60870-5-104 protocol
Technical field
The present invention relates to the field of industrial information technology, and in particular to a security protection method and system for the IEC60870-5-101 protocol.
Background technology
The IEC60870-5-104 protocol (IEC104) was formulated by IEC TC57 to meet the application of network technology in power systems, using networks to transmit telecontrol information, on the basis of the basic telecontrol task standard IEC60870-5-101. Its title is "Network access for IEC 60870-5-101 using standard transport profiles"; the protocol combines the application layer of IEC60870-5-101 with the transport functions provided by TCP/IP (Transmission Control Protocol/Internet Protocol). Various network types can be used with TCP/IP, including X.25, FR (Frame Relay), ATM (Asynchronous Transfer Mode) and ISDN (Integrated Services Digital Network).
At present, industrial control networks mostly use devices such as traditional firewalls to protect IEC60870-5-104 transmissions. The basic principle of these devices is to detect and isolate, at the TCP/IP layer, abnormal information flows passing through the protective device, preventing intrusion by known viruses and attacks. However, this approach cannot identify and prevent risky operations carried within legitimate traffic (such as control commands that perform risky operations); that is, abnormal information flows cannot be filtered at the application layer, which may cause equipment to operate abnormally or even be damaged. Such attacks are characterised by tampering with normal industrial control protocol parameters in order to damage physical equipment.
Invention content
Embodiments of the present invention provide a security protection method and system for the IEC60870-5-104 protocol, to solve the problem in the prior art of low reliability when industrial control systems based on the IEC60870-5-104 protocol communicate.
According to one aspect of the invention, a security protection method is provided, the method comprising:
performing TCP/IP-layer protocol analysis on a received external access request, and determining the TCP/IP-layer legitimacy of the external access request according to a first preset whitelist;
if legitimate, assembling the external access request into frames and checking the integrity of the frame formed by the external access request;
if complete, determining the frame type of the external access request, the frame types comprising I-format, S-format and U-format frames;
when the external access request is an S-format or U-format frame, allowing it to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port;
when the external access request is an I-format frame, determining its application-layer legitimacy according to a second preset whitelist and, if legitimate, allowing it to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port; otherwise blocking the TCP/IP connection of the external access request.
According to another aspect of the invention, a security protection system is also provided, comprising:
an access request receiving port, configured to receive external access requests;
a parsing module, configured to perform TCP/IP-layer protocol analysis on the external access request and determine its TCP/IP-layer legitimacy according to a first preset whitelist;
a frame assembly module, configured to assemble the external access request into frames;
a detection module, configured to check the integrity of the frame formed by the external access request;
a frame type determination module, configured to determine the frame type of the external access request, the frame types comprising I-format, S-format and U-format frames;
an application-layer determination module, configured to determine the application-layer legitimacy of the external access request according to a second preset whitelist when the request is an I-format frame;
a sending module, configured to forward the external access request, after assembly into packets according to the TCP/IP protocol, to the internal communication port when the request is an S-format or U-format frame or when the request is legitimate;
a blocking module, configured to block the TCP/IP connection of the external access request when the request is illegitimate.
The security protection method and system for the IEC60870-5-104 protocol of the embodiments of the present invention apply multi-level security protection at the TCP/IP layer and the application layer, can effectively resist a variety of attacks against industrial control equipment or systems using the IEC60870-5-104 protocol, ensure the confidentiality, integrity and availability of the various industrial control devices and systems using the IEC60870-5-104 protocol, and effectively avoid the security risks that arise because traditional industrial control devices or systems using the IEC60870-5-104 protocol have no safety precaution mechanism.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. It should be understood that the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive other embodiments from these drawings and their description.
Fig. 1 is the flow chart of the safety protecting method of an embodiment of the present invention;
Fig. 2 is the flow chart of the safety protecting method of another embodiment of the present invention;
Fig. 3 is the flow chart of the safety protecting method of another embodiment of the present invention;
Fig. 4 is the flow chart of the safety protecting method of another embodiment of the present invention;
Fig. 5 is the flow chart of the safety protecting method of a further embodiment of this invention;
Fig. 6 is the structural schematic diagram of the security protection system of an embodiment of the present invention.
Specific implementation mode
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are clearly only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the present invention.
It should be noted that, provided there is no conflict, the embodiments in this application and the features within them may be combined with one another.
It should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise" and "include", or any variant thereof, are intended to be non-exclusive, so that a process, method, article or device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Unless further restricted, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
Fig. 1 is a flow chart of the security protection method of an embodiment of the present invention. As shown in Fig. 1, the security protection method of this embodiment comprises:
S11: performing TCP/IP-layer protocol analysis on the received external access request, and determining its TCP/IP-layer legitimacy according to the first preset whitelist;
S12: if legitimate, assembling the external access request into frames and checking the integrity of the frame it forms;
S13: if the frame is complete, determining the frame type of the external access request, the frame types comprising I-format, S-format and U-format frames;
S14: when the external access request is an S-format or U-format frame, allowing it to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port;
S15: when the external access request is an I-format frame, determining its application-layer legitimacy according to the second preset whitelist; if legitimate, allowing it to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port; otherwise blocking the TCP/IP connection of the external access request.
The frame assembly and frame integrity check in this embodiment proceed as follows:
Step 1: the received application-layer byte stream is stored in a buffer;
Step 2: the start character is searched for. If no start character is found in the buffer, the buffer is emptied, a log record is generated and the process ends. If a start character is found, the buffer is checked for redundant bytes: any bytes preceding the start character are removed from the buffer and discarded, and a log record is generated. Then, starting from the start character, the frame length is read; if the number of bytes in the buffer is found to be insufficient, the process waits for a new byte stream to arrive and returns to step 1, otherwise it proceeds to step 3;
Step 3: starting from the start character, the byte stream is taken out according to the frame length and the frame is checked against the control field format defined by the IEC104 protocol. If it conforms to the format defined for the control field, it is a legitimate whole frame and enters the next legitimacy judgement step; otherwise it is an erroneous frame, which is discarded, and a log record is generated.
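The three steps above, as an added example that is not part of the patent: a Python framer that buffers the TCP byte stream, resynchronises on the 0x68 start byte, waits when an APDU is incomplete, and validates the APCI control field to classify each frame as I, S or U. The class and function names, the in-memory log records and the sample bytes are constructed for this example; the start byte, length limits and control-field layout are those of IEC 60870-5-104.

```python
import logging

START_BYTE = 0x68
MIN_APDU_LEN, MAX_APDU_LEN = 4, 253
# U-format control octet 1 values: STARTDT/STOPDT/TESTFR, act and con
U_FUNCTIONS = {0x07, 0x0B, 0x13, 0x23, 0x43, 0x83}

log = logging.getLogger("iec104-framer")


def classify_control(ctrl: bytes, apdu_len: int):
    """Step 3: check the 4-octet APCI control field; return 'I', 'S', 'U' or None."""
    c1, c2, c3, c4 = ctrl
    if c1 & 0x01 == 0:
        # I format: bit 0 of octets 1 and 3 is 0 (N(S), N(R)); an ASDU must follow
        return "I" if c3 & 0x01 == 0 and apdu_len > MIN_APDU_LEN else None
    if c1 == 0x01:
        # S format: octet 1 is exactly 0x01, octet 2 is 0, only N(R) is carried
        return "S" if c2 == 0 and c3 & 0x01 == 0 and apdu_len == MIN_APDU_LEN else None
    if c1 in U_FUNCTIONS and c2 == 0 and c3 == 0 and c4 == 0 and apdu_len == MIN_APDU_LEN:
        return "U"
    return None


class Iec104Framer:
    """Reassembles APDUs from a TCP byte stream following steps 1-3 above (constructed)."""

    def __init__(self):
        self.buf = bytearray()
        self.records = []   # log records, kept in memory here for inspection

    def _log(self, msg: str):
        self.records.append(msg)
        log.warning(msg)

    def feed(self, data: bytes):
        """Step 1: append received bytes; return a list of (frame_type, apdu) tuples."""
        frames = []
        self.buf += data
        while True:
            idx = self.buf.find(bytes([START_BYTE]))
            if idx < 0:
                # Step 2: no start byte at all -> empty the buffer and log
                if self.buf:
                    self._log(f"no start byte, discarded {len(self.buf)} bytes")
                self.buf.clear()
                return frames
            if idx > 0:
                # Step 2: redundant bytes before the start byte are dropped and logged
                self._log(f"discarded {idx} bytes before start byte")
                del self.buf[:idx]
            if len(self.buf) < 2:
                return frames            # wait for the length octet
            apdu_len = self.buf[1]
            if not MIN_APDU_LEN <= apdu_len <= MAX_APDU_LEN:
                self._log(f"invalid APDU length {apdu_len}, frame discarded")
                del self.buf[:1]         # drop this start byte and resynchronise
                continue
            total = 2 + apdu_len
            if len(self.buf) < total:
                return frames            # step 2: not enough bytes yet, wait for more
            apdu = bytes(self.buf[:total])
            del self.buf[:total]
            kind = classify_control(apdu[2:6], apdu_len)
            if kind is None:
                self._log("control field does not match IEC104 format, frame discarded")
                continue
            frames.append((kind, apdu))
```

Only frames returned by `feed` reach the frame-type step; everything else is logged and dropped, exactly as steps 2 and 3 describe.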
This embodiment can assemble frames according to the frame structure of the IEC104 protocol and block and filter messages that fail the CRC check or whose frame structure is incomplete. Whitelist technology can resist malware and targeted attacks because, by default, no unauthorized software, tool or process can run on the endpoint: if malware attempts to install itself on an endpoint with whitelisting enabled, the whitelist technology determines that it is not a trusted process and denies it permission to run.
By introducing an integrity check of IEC60870-5-104 protocol frames, this embodiment effectively prevents the situation in which non-IEC104 protocol messages are used to keep initiating communication requests to industrial control equipment or systems, causing the performance of that equipment and those systems to degrade.
The security protection method of this embodiment applies multi-level security protection at the TCP/IP layer and the application layer of the IEC60870-5-104 protocol, can effectively resist a variety of attacks against industrial control equipment or systems using the IEC60870-5-104 protocol, ensures the confidentiality, integrity and availability of the various industrial control devices and systems using the IEC60870-5-104 protocol, and effectively avoids the security risks that arise because traditional industrial control devices or systems using the IEC60870-5-104 protocol have no safety precaution mechanism.
Fig. 2 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 2, in some embodiments the first preset whitelist is a client address whitelist.
S21: performing TCP/IP-layer protocol analysis on the external access request from the client, and determining the client IP address and access port number;
S22: determining, according to the client address whitelist, whether the client IP address and access port number are within the range allowed to access;
S23: if the client IP address and access port number are not within the range allowed to access, blocking the TCP/IP connection of the external access request.
In this embodiment, TCP/IP-layer protocol analysis is performed on the received external access request, such as a network interface message; if it is not the TCP protocol, or its client IP address and port number are not in the client address whitelist, an alarm and a log record are generated and the packet is discarded, and if a TCP connection has already been established, that connection is blocked. By introducing TCP/IP-layer protocol filtering, this embodiment effectively prevents unauthorized access by unauthorized clients.
In addition, a preset whitelist for the application layer may also be used to filter external requests at the application layer.
Fig. 3 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 3, in some embodiments the second preset whitelist includes an application function whitelist, which contains the ASDU type identifications, transmission cause codes and information object address ranges corresponding to the application functions allowed to access. The method comprises:
S31: when the external access request is an I-format frame, extracting the ASDU type identification, transmission cause code and information object address of the external access request, and determining according to the application function whitelist whether the application function of the external access request is one allowed to access;
S32: if the application function of the external access request is not within the range defined by the application function whitelist, blocking the TCP/IP connection of the external access request;
S33: otherwise, judging whether the application function of the external access request is a control function.
In the IEC60870-5-104 protocol, the frame formats comprise I-format, S-format and U-format frames. All three contain an APCI (application protocol control information), but only the I-format frame contains an ASDU (application service data unit). The ASDU consists of a data unit identifier and a number of information objects; the data unit identifier comprises the type identification, the variable structure qualifier, the cause of transmission and the common address, and each information object comprises an information object address, information object elements and an information object time tag. Since an application function may involve a combination of several items such as the ASDU type and the cause of transmission, this embodiment, in combination with the application transport functions provided by the IEC104 protocol, classifies the transfer functions of the IEC104 protocol by application scenario, for example into: general interrogation, group interrogation, electrical energy (counter) interrogation, background scan, remote control, step position adjustment, setting, parameter setting, clock synchronisation, event transfer, file transfer and other application functions, and establishes an association between these functions and the ASDU types they involve, the possible combinations of transmission cause, and so on. For the communication link between a specific master station and substation, the whitelist defines the "application functions and their message address ranges" allowed through the transmission link, and thereby remotely defines which ASDU types, transmission causes and information objects are allowed to pass.
In this embodiment, by dividing the whitelist into a client address whitelist and an application function whitelist and applying whitelist filtering to access requests at the TCP/IP layer and the application layer respectively, the security and reliability of the whole industrial control system network is further ensured. Because a grouping approach is adopted, a correspondence is established between the application functions commonly used in practice and the ASDU types and transmission causes of the communication transfer protocol, and the whitelist is built for application functions; this avoids the problems of poor usability, easily omitted filtering rules and low system processing efficiency that arise when filtering rules are traditionally set with the ASDU type and transmission cause as the unit, and it effectively prevents attacks on the availability of industrial control equipment or systems, such as illegally changing the unit address, illegally uploading configuration files and illegally issuing control commands, thereby ensuring the security of communication between industrial control systems.
Fig. 4 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 4, the second preset whitelist includes a data access range whitelist and a control object whitelist, and the method comprises:
S411: when the application function to which the ASDU of the external access request belongs is a control function, extracting the information object address and control value of the ASDU and determining, together with the client IP address, whether the control value is within the allowed range according to the control object whitelist;
S412: if the control value is within the allowed range, allowing the external access request to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port;
S413: otherwise, blocking the TCP/IP connection of the external access request;
S421: when the application function to which the ASDU of the external access request belongs is not a control function, extracting the information object address of the ASDU and determining, together with the client IP address, whether the information object address of the ASDU of the external access request is within the range allowed to access according to the data access range whitelist;
S422: if the information object address is within the range allowed to access, allowing the external access request to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port;
S423: otherwise, blocking the TCP/IP connection of the external access request.
By filtering with the data access range whitelist, this embodiment effectively protects the confidentiality of important data in the control system and prevents system data from being accessed illegally; by extracting the control object address and control value contained in the control operation and comparing the control value with the corresponding range of allowed control values, the legitimacy and correctness of control operations are effectively protected.
In some embodiments, after the external access request is blocked, a system log record and an alarm output signal are generated.
Fig. 5 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 5, the method comprises the following steps:
S101: receiving a data request packet from the external port;
S102: performing TCP/IP protocol filtering on the data request packet;
S103: determining whether the client IP address and port number are allowed to access; if so, executing step S104, otherwise executing step S114;
S104: assembling the external data request into frames according to the frame structure defined by the IEC101 protocol;
S105: detecting whether the external data request forms a whole frame; if so, executing step S106, otherwise executing step S114;
S106: determining whether the frame formed by the external data request contains an ASDU; if so, executing step S107, otherwise executing step S114;
S107: comparing the type identification and cause of transmission of the ASDU contained in the frame formed by the external data request with the corresponding ASDU types and causes of transmission in the application function set, to obtain the application function to which that ASDU belongs;
S108: determining, according to the application function whitelist, whether the application function to which the ASDU contained in the frame belongs is an application function allowed to access; if so, executing step S109, otherwise executing step S114;
S109: determining whether the application function to which the ASDU contained in the frame belongs is a control operation application function; if so, executing step S110, otherwise executing step S112;
S110: extracting the information object address and control value corresponding to the control operation application function to which the ASDU contained in the frame belongs;
S111: determining, according to the control object whitelist, whether the control value from step S110 is within the allowed operating range; if so, executing step S113, otherwise executing step S114;
S112: determining, according to the data access range whitelist, whether the information object address of the non-control application function is within the allowed access range; if so, executing step S113, otherwise executing step S114;
S113: forwarding the external data request, assembled into packets according to the TCP/IP protocol, to the internal communication port;
S114: blocking the TCP/IP connection of the external data request;
S115: generating a system log record and an alarm output signal.
Before the above embodiment, the following are also required:
1.1 predefining the client address whitelist: establishing the list of client addresses and access port numbers allowed to access;
1.2 pre-establishing the correspondence between the application functions of the IEC104 protocol and the ASDU types and causes of transmission;
1.3 predefining the application function whitelist: with the client IP address and application function name as the unit, predefining the set of application functions allowed to access;
1.4 predefining the data access range whitelist: with the client IP address and information object address (common address, information body address) as the unit, defining the set of information object addresses allowed to access;
1.5 predefining the control object whitelist: with the client IP address and control object information object address (common address, information body address) as the unit, defining the range of control objects allowed to be operated and the allowed control values.
In the above embodiment, when a communication request that does not satisfy the whitelist requirements is detected and communication is blocked, a system log record and an alarm output are generated; the alarm output methods include the device indicator light and connected background monitoring software.
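As an added example that is not part of the patent, the application-layer decision of steps S31-S33, S411-S423 and S107-S112 above, run over an I-frame's ASDU against whitelists shaped like definitions 1.2 to 1.5, in Python. The application-function table, whitelist contents, client address, function names and sample ASDUs are constructed for this example; the ASDU header layout, type identifiers and causes of transmission are those of IEC 60870-5-104.

```python
import struct
from dataclasses import dataclass

# Constructed table for definition 1.2: (ASDU type ID, cause of transmission) -> application
# function. Type IDs and COT values are standard IEC 60870-5-104 values; the names and the
# grouping are this example's, modelled on the functions the patent lists.
APP_FUNCTION_TABLE = {
    (100, 6): "general_interrogation",  # C_IC_NA_1, activation
    (101, 6): "counter_interrogation",  # C_CI_NA_1, activation
    (102, 5): "read",                   # C_RD_NA_1, request
    (103, 6): "clock_sync",             # C_CS_NA_1, activation
    (45, 6): "remote_control",          # C_SC_NA_1 single command
    (46, 6): "remote_control",          # C_DC_NA_1 double command
    (47, 6): "step_adjustment",         # C_RC_NA_1 regulating step command
    (50, 6): "setpoint",                # C_SE_NC_1 short-float set point
}
CONTROL_FUNCTIONS = {"remote_control", "step_adjustment", "setpoint"}

# Constructed whitelists for definitions 1.3-1.5, all keyed by client IP address.
APP_FUNCTION_WHITELIST = {"10.1.1.20": {"general_interrogation", "read", "remote_control"}}
# (common address, lowest IOA, highest IOA) ranges the client may read
DATA_ACCESS_WHITELIST = {"10.1.1.20": [(1, 0, 4000)]}
# (common address, IOA) -> (lowest, highest) control value the client may send
CONTROL_OBJECT_WHITELIST = {"10.1.1.20": {(1, 6001): (0, 1)}}


@dataclass
class Decision:
    allow: bool
    reason: str


def parse_asdu(asdu: bytes):
    """Split the ASDU header: type ID, VSQ, COT, common address, first IOA and the body."""
    if len(asdu) < 9:          # 1+1+2+2 header octets plus a 3-octet IOA
        return None
    cot = asdu[2] & 0x3F       # bits 6-7 of the COT octet are the P/N and test flags
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return asdu[0], asdu[1], cot, common_addr, ioa, asdu[9:]


def control_value(type_id: int, body: bytes):
    """Extract the command value carried by a control ASDU (step S110)."""
    if not body:
        return None
    if type_id == 45:
        return body[0] & 0x01            # SCO: single command state
    if type_id in (46, 47):
        return body[0] & 0x03            # DCO / RCO: two-bit state
    if type_id == 50 and len(body) >= 4:
        return struct.unpack("<f", body[:4])[0]
    return None


def check_application_layer(client_ip: str, asdu: bytes) -> Decision:
    """Steps S31-S33 and S411-S423: decide whether an I-frame's ASDU may be forwarded."""
    parsed = parse_asdu(asdu)
    if parsed is None:
        return Decision(False, "ASDU too short")
    type_id, _vsq, cot, common_addr, ioa, body = parsed
    function = APP_FUNCTION_TABLE.get((type_id, cot))
    if function is None:
        return Decision(False, f"unknown application function type={type_id} cot={cot}")
    if function not in APP_FUNCTION_WHITELIST.get(client_ip, set()):
        return Decision(False, f"{function} not whitelisted for {client_ip}")
    if function in CONTROL_FUNCTIONS:
        # Control branch (S411-S413): object address and value must both be allowed.
        value = control_value(type_id, body)
        bounds = CONTROL_OBJECT_WHITELIST.get(client_ip, {}).get((common_addr, ioa))
        if value is None or bounds is None:
            return Decision(False, f"control object {common_addr}/{ioa} not whitelisted")
        low, high = bounds
        if not low <= value <= high:
            return Decision(False, f"control value {value} outside [{low}, {high}]")
        return Decision(True, f"{function} on {common_addr}/{ioa} value {value}")
    # Data branch (S421-S423): the information object address must lie in an allowed range.
    for ca, lo, hi in DATA_ACCESS_WHITELIST.get(client_ip, []):
        if ca == common_addr and lo <= ioa <= hi:
            return Decision(True, f"{function} on {common_addr}/{ioa}")
    return Decision(False, f"address {common_addr}/{ioa} outside allowed data range")


if __name__ == "__main__":
    # Constructed ASDUs: a general interrogation and a single command to IOA 6001.
    gi = bytes([100, 1, 6, 0, 1, 0, 0, 0, 0, 20])
    sc = bytes([45, 1, 6, 0, 1, 0, 0x71, 0x17, 0, 0x81])
    print(check_application_layer("10.1.1.20", gi))
    print(check_application_layer("10.1.1.20", sc))
```

A blocked `Decision` carries the reason string that the embodiment's step S115 would write to the system log.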
It should be noted that, for the sake of simple description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, since according to the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in this specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
Fig. 6 is a structural schematic diagram of the security protection system of an embodiment of the present invention. As shown in Fig. 6, another aspect of the present invention also provides a security protection system, comprising:
an access request receiving port 1, for receiving external access requests;
a parsing module 2, for performing TCP/IP-layer protocol analysis on the external access request and determining its TCP/IP-layer legitimacy according to a first preset whitelist;
a frame assembly/detection module 3, for assembling the external access request into frames and checking the integrity of the frame it forms;
a frame type determination module 4, for determining the frame type of the external access request, the frame types comprising I-format, S-format and U-format frames;
an application-layer determination module 5, for determining the application-layer legitimacy of the external access request according to a second preset whitelist when the request is an I-format frame;
a sending module 6, for forwarding the external access request, after assembly into packets according to the TCP/IP protocol, to the internal communication port when the request is an S-format or U-format frame or when the request is legitimate;
a blocking module 7, for blocking the TCP/IP connection of the external access request when the request is illegitimate.
In some embodiments, the first preset whitelist is a client address whitelist, and the parsing module 2 is used to perform TCP/IP-layer protocol analysis on the external access request from the client and determine the client IP address and access port number;
the blocking module 7 is used to block the TCP/IP connection of the external access request when the parsing module 2 determines that the request is illegitimate at the TCP/IP layer.
In some embodiments, the second preset whitelist includes an application function whitelist, which contains the ASDU type identifications, transmission cause codes and information object address ranges corresponding to the application functions allowed to access, and the application-layer determination module 5 comprises:
an application function judging unit 51, for extracting the ASDU type, transmission cause code and information object address of the external access request when it is an I-format frame, and determining according to the application function whitelist whether its application function is one allowed to access; and, when the application function of the external access request is within the range defined by the application function whitelist, judging whether that application function is a control function;
wherein the blocking module 7 is used to block the TCP/IP connection of the external access request when its application function is not within the range defined by the application function whitelist.
In some embodiments, the second preset whitelist includes a data access range whitelist and a control object whitelist, and the application-layer determination module 5 further comprises:
a control object unit 52, for extracting the information object address and control value of the ASDU when the application function to which the ASDU of the external access request belongs is a control function, and determining according to the control object whitelist whether the control value is within the allowed range;
the sending module 6 is used to forward the external access request, after assembly into packets according to the TCP/IP protocol, to the internal communication port when the control value is within the allowed range;
the blocking module 7 is used to block the TCP/IP connection of the external access request when the control value is not within the allowed range;
the application-layer determination module 5 is used, when the application function to which the ASDU of the external access request belongs is not a control function, to determine according to the data access range whitelist whether the information object address of the ASDU of the external access request is within the range allowed to access;
the sending module 6 is used to forward the external access request, after assembly into packets according to the TCP/IP protocol, to the internal communication port when the information object address of the ASDU is within the range allowed to access;
the blocking module 7 is used to block the TCP/IP connection of the external access request when the information object address is not within the range allowed to access.
In some embodiments, the system of the present invention further includes an alarm module 8, for generating a system log record and an alarm output signal after the blocking module 7 blocks the TCP/IP connection of the external access request.
The embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram. These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the above embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A safety protection method for the IEC60870-5-104 protocol, comprising:
performing TCP/IP-layer protocol analysis on a received outside access request, and determining the TCP/IP-layer legitimacy of the outside access request according to a first default white list, the first default white list being a client address white list;
if legitimate, reassembling the packets of the outside access request and checking the integrity of the frame formed by the outside access request;
if the frame is complete, determining the frame type of the outside access request, the frame type including I-format frames, S-format frames and U-format frames;
when the outside access request is an S-format frame or a U-format frame, allowing the outside access request to be reassembled according to the TCP/IP protocol and forwarded to the internal communication port;
when the outside access request is an I-format frame, determining the application-layer legitimacy of the outside access request according to a second default white list; if legitimate, allowing the outside access request to be reassembled according to the TCP/IP protocol and forwarded to the internal communication port, otherwise blocking the TCP/IP connection of the outside access request; the second default white list including an application function white list, which includes the ASDU type identifications, causes of transmission and information object address ranges corresponding to the application functions that are allowed to be accessed.
2. The safety protection method according to claim 1, wherein performing TCP/IP-layer protocol analysis on the received outside access request and determining the TCP/IP-layer legitimacy of the outside access request according to the first default white list comprises:
performing TCP/IP-layer protocol analysis on the outside access request from a client, and determining the client IP address and the accessed port number;
determining, according to the client address white list, whether the client IP address and the accessed port number are within the range allowed to be accessed;
if the client IP address and the accessed port number are not within the range allowed to be accessed, blocking the TCP/IP connection of the outside access request.
3. The safety protection method according to claim 2, wherein,
when the outside access request is an I-format frame, determining the application-layer legitimacy of the outside access request according to the second default white list comprises:
extracting the ASDU type identification, cause of transmission and information object address of the outside access request, and determining according to the application function white list whether the application function of the outside access request is an application function allowed to be accessed;
if the application function of the outside access request is not within the range defined by the application function white list, blocking the TCP/IP connection of the outside access request; otherwise
judging whether the application function of the outside access request is a control function.
4. The safety protection method according to claim 3, wherein the second default white list further includes a data access range white list and a control object white list, and after judging whether the application function of the outside access request is a control function, the method comprises:
when the application function to which the ASDU of the outside access request belongs is a control function, extracting the information object address and the control value of the ASDU and determining, together with the client IP address, whether the control value is within the allowable range according to the control object white list:
if the control value is within the allowable range, allowing the outside access request to be reassembled according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the outside access request;
when the application function to which the ASDU of the outside access request belongs is not a control function, extracting the information object address of the ASDU and determining, together with the client IP address, whether the information object address of the ASDU of the outside access request is within the range allowed to be accessed according to the data access range white list:
if the information object address is within the range allowed to be accessed, allowing the outside access request to be reassembled according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the outside access request.
5. The safety protection method according to any one of claims 1-4, wherein, after blocking the outside access request, a system log record and an alarm output signal are generated.
6. A security protection system for the IEC60870-5-104 protocol, the system comprising:
an access request receiving port, configured to receive an outside access request;
a parsing module, configured to perform TCP/IP-layer protocol analysis on the outside access request and to determine the TCP/IP-layer legitimacy of the outside access request according to a first default white list, the first default white list being a client address white list;
a packet assembly module, configured to reassemble the packets of the outside access request;
a detection module, configured to check the integrity of the frame formed by the outside access request;
a frame type determination module, configured to determine the frame type of the outside access request, the frame type including I-format frames, S-format frames and U-format frames;
an application layer determining module, configured to, when the outside access request is an I-format frame, determine the application-layer legitimacy of the outside access request according to a second default white list, the second default white list including an application function white list, which includes the ASDU type identifications, causes of transmission and information object address ranges corresponding to the application functions that are allowed to be accessed;
a sending module, configured to forward the outside access request, reassembled according to the TCP/IP protocol, to the internal communication port when the outside access request is an S-format frame or a U-format frame, or when the outside access request is legitimate;
a blocking module, configured to block the TCP/IP connection of the outside access request when the outside access request is illegitimate.
7. The security protection system according to claim 6, wherein the parsing module is configured to perform TCP/IP-layer protocol analysis on the outside access request from a client and to determine the client IP address and the accessed port number;
the blocking module is configured to block the TCP/IP connection of the outside access request when the parsing module determines that the request is illegitimate at the TCP/IP layer.
8. The security protection system according to claim 7, wherein the application layer determining module comprises:
an application function judging unit, configured to, when the outside access request is an I-format frame, extract the ASDU type, cause of transmission and information object address of the outside access request and determine, according to the application function white list, whether the application function of the outside access request is an application function allowed to be accessed; and, when the application function of the outside access request is within the range defined by the application function white list, to judge whether the application function of the outside access request is a control function;
wherein the blocking module is configured to block the TCP/IP connection of the outside access request when the application function of the outside access request is not within the range defined by the application function white list.
9. The security protection system according to claim 8, wherein the second default white list includes a data access range white list and a control object white list, and the application layer determining module further comprises:
a control object unit, configured to, when the application function to which the ASDU of the outside access request belongs is a control function, extract the information object address and the control value of the ASDU and determine, according to the control object white list, whether the control value is within the allowable range;
the sending module is configured to forward the outside access request, reassembled according to the TCP/IP protocol, to the internal communication port when the control value is within the allowable range;
the blocking module is configured to block the TCP/IP connection of the outside access request when the control value is not within the allowable range;
the application layer determining module is further configured to, when the application function to which the ASDU of the outside access request belongs is not a control function, determine according to the data access range white list whether the information object address of the ASDU of the outside access request is within the range allowed to be accessed;
the sending module is configured to forward the outside access request, reassembled according to the TCP/IP protocol, to the internal communication port when the information object address of the ASDU is within the range allowed to be accessed;
the blocking module is configured to block the TCP/IP connection of the outside access request when the information object address is not within the range allowed to be accessed.
10. The security protection system according to any one of claims 6-9, further comprising a warning module, configured to generate a system log record and an alarm output signal after the blocking module blocks the TCP/IP connection of the outside access request.
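The decision chain described in the embodiments above and set out in claims 1-10 (client address white list at the TCP/IP layer, frame integrity, I/S/U frame type, then the application function, control object and data access range white lists), as an added Python example that is not part of the patent. The white list contents, the client address 192.0.2.10, the port 2404 and the sample APDUs are constructed for illustration; ASDU type 100 (interrogation command) stands in for a non-control function and type 45 (single command) for a control function.

```python
# Added example (not the patent's own code): an IEC 60870-5-104 whitelist filter
# that applies the checks of the claims in order. Whitelist contents and sample
# frames below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
START = 0x68               # APDU start byte
CONTROL_TYPES = {45, 46}   # C_SC_NA_1 single command, C_DC_NA_1 double command
Apdu = Tuple[str, Optional[int], Optional[int], Optional[int], Optional[int]]

def parse_apdu(data: bytes) -> Apdu:
    """Return (frame_type, type_id, cot, ioa, control_value); ValueError if incomplete."""
    if len(data) < 6 or data[0] != START:
        raise ValueError("not a 104 APDU")
    if data[1] < 4 or len(data) != data[1] + 2:      # length field covers the rest
        raise ValueError("incomplete frame")
    ctrl0 = data[2]                                  # first control-field octet
    kind = "I" if (ctrl0 & 0x01) == 0 else "S" if (ctrl0 & 0x03) == 0x01 else "U"
    if kind != "I":
        return kind, None, None, None, None
    asdu = data[6:]
    if len(asdu) < 9:                                # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("ASDU header truncated")
    type_id, cot = asdu[0], asdu[2] & 0x3F           # COT is the low 6 bits of its octet
    ioa = int.from_bytes(asdu[6:9], "little")        # first information object address
    value = None                                     # control value for command ASDUs
    if len(asdu) > 9 and type_id in CONTROL_TYPES:
        value = asdu[9] & (0x01 if type_id == 45 else 0x03)   # SCS bit / DCS bits
    return "I", type_id, cot, ioa, value

@dataclass
class Whitelist:
    clients: Dict[str, Set[int]]                              # IP -> allowed ports
    functions: Dict[int, Tuple[Set[int], Tuple[int, int]]]   # type ID -> (COTs, IOA range)
    control_objects: Dict[Tuple[str, int], Tuple[int, int]]  # (IP, IOA) -> control value range
    data_ranges: Dict[str, Tuple[int, int]]                  # IP -> readable IOA range

def decide(src_ip: str, dst_port: int, data: bytes, wl: Whitelist) -> Tuple[str, str]:
    """Return ("forward" | "block", reason); each block is what the alarm module logs."""
    if dst_port not in wl.clients.get(src_ip, set()):
        return "block", "TCP/IP layer: client address or port not whitelisted"
    try:
        kind, type_id, cot, ioa, value = parse_apdu(data)
    except ValueError as exc:
        return "block", f"frame check: {exc}"
    if kind != "I":
        return "forward", f"{kind}-format frame"
    rule = wl.functions.get(type_id)
    if rule is None or cot not in rule[0] or not rule[1][0] <= ioa <= rule[1][1]:
        return "block", "application function not whitelisted"
    if type_id in CONTROL_TYPES:
        rng = wl.control_objects.get((src_ip, ioa))
        if rng is None or value is None or not rng[0] <= value <= rng[1]:
            return "block", "control object or control value not whitelisted"
        return "forward", "control function within allowed range"
    lo, hi = wl.data_ranges.get(src_ip, (1, 0))     # unknown client: empty range
    if lo <= ioa <= hi:
        return "forward", "data access within allowed range"
    return "block", "information object address outside data access range"

WL = Whitelist(  # constructed sample whitelist for client 192.0.2.10 on port 2404
    clients={"192.0.2.10": {2404}},
    functions={100: ({6}, (0, 0)), 45: ({6}, (4096, 4607))},
    control_objects={("192.0.2.10", 4096): (0, 1)},
    data_ranges={"192.0.2.10": (0, 4095)},
)
U_STARTDT = bytes.fromhex("680407000000")                            # U frame, STARTDT act
IC_ACT = bytes.fromhex("680e00000000" "6401060001000000" "0014")     # C_IC_NA_1, IOA 0
SC_ON = bytes.fromhex("680e00000000" "2d01060001000010" "0001")      # C_SC_NA_1, IOA 4096
SC_OTHER = bytes.fromhex("680e00000000" "2d01060001000410" "0001")   # C_SC_NA_1, IOA 4100
```

A truncated APDU (for example `IC_ACT[:8]`) fails the integrity check and is blocked before any application-layer rule is consulted, which is the order the claims require.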
CN201610166403.2A 2016-03-22 2016-03-22 For the safety protecting method and system of IEC60870-5-104 agreements Active CN105577705B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610166403.2A CN105577705B (en) 2016-03-22 2016-03-22 For the safety protecting method and system of IEC60870-5-104 agreements

Publications (2)

Publication Number Publication Date
CN105577705A CN105577705A (en) 2016-05-11
CN105577705B true CN105577705B (en) 2018-08-21

Family

ID=55887360

Country Status (1)

Country Link
CN (1) CN105577705B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106982219A (en) * 2017-04-20 2017-07-25 电子科技大学 A kind of IEC104 communications access control method
CN107547540B (en) * 2017-08-30 2020-06-26 上海许继电气有限公司 IEC-60870-5-104 protocol message monitoring method
CN115208593B (en) * 2021-03-26 2023-08-18 南宁富联富桂精密工业有限公司 Security monitoring method, terminal and computer readable storage medium
CN115118674A (en) * 2022-06-22 2022-09-27 深圳市沃特沃德信息有限公司 Application program networking monitoring method, device, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102255924A (en) * 2011-08-29 2011-11-23 浙江中烟工业有限责任公司 Multi-stage security interconnection platform based on trusted computing and processing flow thereof
CN102307197A (en) * 2011-08-29 2012-01-04 浙江中烟工业有限责任公司 Trusted enhancement subsystem of multilevel security intercommunication platform
CN105337986A (en) * 2015-11-20 2016-02-17 英赛克科技(北京)有限公司 Credible protocol conversion method and credible protocol conversion system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant