CN105847251B - Security protection method and system for an industrial control system using the S7 protocol - Google Patents


Info

Publication number: CN105847251B
Application number: CN201610165078.8A
Authority: CN (China)
Other versions: CN105847251A
Other languages: Chinese (zh)
Legal status: Active (assumed by Google Patents, not a legal conclusion)
Inventor: 陈惠欣
Current and original assignee: Master Technology (beijing) Co Ltd
Prior art keywords: access request, frame, exterior portion, entire exterior, white list
Prosecution history: application CN201610165078.8A filed by Master Technology (beijing) Co Ltd; published as CN105847251A; granted and published as CN105847251B; legal status active.

Classifications

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Separating internal from external traffic, e.g. firewalls; H04L 63/0227 Filtering policies; H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 63/12 Applying verification of the received information; H04L 63/123 Verification of received data contents, e.g. message integrity; H04L 63/126 Verification of the source of the received data
    • H04L 63/16 Implementing security features at a particular protocol layer; H04L 63/166 At the transport layer; H04L 63/168 Above the transport layer

Abstract

The present invention provides a security protection method for an industrial control system that uses the S7 protocol. The method comprises: performing TCP/IP-layer protocol analysis on an external access request from a client, determining the client IP address and port number, and deciding the legitimacy of the request against a client address white list; assembling the external access request into a frame and checking the integrity of that frame; deciding the legitimacy of the request against an application function white list and determining whether the application function of the request is a read/write function; and, when the application function is a read/write function, deciding the legitimacy of the request against a second predefined white list. The present invention also provides a corresponding security protection system. By applying multilevel protection at both the TCP/IP layer and the application layer, the invention can effectively resist a variety of attacks against industrial control equipment or systems that use the S7 protocol, and avoids the security risk that arises in the prior art from the absence of any protection mechanism.

Description

Security protection method and system for an industrial control system using the S7 protocol
Technical field
The present invention relates to the field of industrial information technology, and in particular to a security protection method and system for an industrial control system that uses the S7 protocol.
Background technology
Industrial control communication protocols are the language through which industrial control equipment talks to applications and to other equipment; any industrial control system that needs remote data monitoring cannot do without them. As the real-time and reliability demands of plant-level monitoring have grown, the speed of industrial communication buses has risen steadily, from RS232/485 to industrial Ethernet and on to industrial real-time Ethernet. Ethernet has been introduced into industrial control networks on a large scale, with protocol data carried in TCP/IP or ISO-standard encapsulation. Because the common industrial control protocols went through a long period of development and accumulation, and because encryption, authentication and the other conditions now regarded as essential for user security were not considered when they were designed, the security of common industrial control network protocols has never been high. In addition, industrial control protocols are command-oriented, function-oriented and poll/response based: an attacker who has learned the protocol format and gained access to the industrial control network can tamper with arbitrary data on a target device through the protocol itself.
Table 1: Common threats to the Siemens S7 protocol
When Siemens S7-series PLCs or CP modules communicate over Ethernet, they rely primarily on ISO-on-TCP (RFC 1006) together with Siemens' own S7 protocol. Although the S7 protocol is an undisclosed proprietary protocol, Siemens PLCs are widely used in every field of industrial control and were also the indirect target of the well-known Stuxnet worm. Protecting S7-series PLCs at the protocol level has therefore become a necessity, especially for the S7 protocol in an Ethernet environment.
Invention content
Embodiments of the present invention provide a security protection method and system for the S7 protocol carried over RFC 1006, in order to solve the problem of low reliability in prior-art communication of industrial control systems based on the S7 protocol.
According to one aspect of the invention, a security protection method is provided, the method comprising:
performing TCP/IP-layer protocol analysis on external access requests and determining, according to a first predefined white list, which of the external access requests are legitimate external access requests;
assembling each legitimate external access request into a frame and performing frame integrity detection, to determine which of the legitimate external access requests pass frame integrity detection (the frame-complete external access requests);
determining, according to an application function white list, the legitimacy of the application function of the frame-complete external access request, and determining whether that application function is a read/write function;
when the application function of the frame-complete external access request is not a read/write function, allowing the request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
determining the read/write legitimacy of the frame-complete external access request according to a second predefined white list.
According to another aspect of the invention, a security protection system is also provided, comprising:
an access request receiving port, configured to receive an external access request from a client;
a parsing module, configured to perform TCP/IP-layer protocol analysis on the external access request, determine the client IP address and access port number, and determine the legitimacy of the external access request according to a first predefined white list;
a packet assembly module, configured to assemble the external access request into a frame;
a detection module, configured to detect the integrity of the frame formed from the external access request;
an application function determining module, configured to determine the legitimacy of the external access request according to an application function white list and to determine whether the application function of the external access request is a read/write function;
a read/write legitimacy determining module, configured to determine, when the application function of the external access request is a read/write function, the read/write legitimacy of the external access request according to a second predefined white list.
The security protection method and system for industrial control systems using the S7 protocol of the embodiments of the present invention apply multilevel protection at both the TCP/IP layer and the application layer. They can effectively resist a variety of attacks against industrial control equipment or systems that use the S7 protocol, ensure the confidentiality, integrity and availability of the various industrial control devices and systems that use the S7 protocol, and avoid the security risk that arises when conventional S7 equipment or systems have no protection mechanism at all.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. It should be understood that the content described with reference to the drawings covers only some embodiments of the present invention; a person of ordinary skill in the art can derive other embodiments from these drawings and their description.
Fig. 1 is a flow chart of the security protection method of one embodiment of the present invention;
Fig. 2 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 3 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 4 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 5 is a flow chart of the security protection method of a further embodiment of the present invention;
Fig. 6 is a structural schematic diagram of the security protection system of one embodiment of the present invention.
Specific implementation mode
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the accompanying drawings. The embodiments described are obviously only some, and not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the protection scope of the present invention.
It should be noted that, where there is no conflict, the embodiments of this application and the features within them may be combined with each other.
It should also be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include" and "comprise" cover not only the listed elements but also elements that are not explicitly listed, or elements inherent to the process, method, article or device in question. Absent further restriction, an element introduced by "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.
Fig. 1 is a flow chart of the security protection method of one embodiment of the present invention. As shown in Fig. 1, the security protection method of this embodiment comprises:
S11: performing TCP/IP-layer protocol analysis on the external access requests and determining, according to a first predefined white list, the legitimate external access requests among them;
S12: assembling the legitimate external access requests into frames and performing frame integrity detection, to determine the frame-complete external access requests, i.e. those legitimate external access requests that pass frame integrity detection;
S13: determining, according to an application function white list, the legitimacy of the application function of the frame-complete external access request, and determining whether that application function is a read/write function;
S14: when the application function of the frame-complete external access request is not a read/write function, allowing the request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port;
S15: when the application function of the frame-complete external access request is a read/write function, determining the read/write legitimacy of the request according to a second predefined white list.
In this embodiment, the first predefined white list is a client address white list. Step S11, performing TCP/IP-layer protocol analysis on the external access requests and determining the legitimate external access requests according to the first predefined white list, comprises:
performing TCP/IP-layer protocol analysis on the external access request from the client and determining the IP address and access port number of the client.
In the embodiment of the present invention, each received external access request (for example a message from the network interface) is subjected to TCP/IP-layer protocol analysis. If the request is not TCP, or its client IP address and port number are not in the client address white list, an alarm and a log record are generated and the packet is discarded; if a TCP connection has already been established, that connection is blocked.
The security protection method of this embodiment applies multilevel protection at both the TCP/IP layer and the application layer. It can effectively resist a variety of attacks against industrial control equipment or systems that use the S7 protocol, ensure the confidentiality, integrity and availability of the various industrial control devices and systems that use the S7 protocol, and avoid the security risk that arises when conventional S7 equipment or systems have no protection mechanism at all.
Fig. 2 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 2, in some embodiments, assembling the external access request into a frame and detecting the integrity of that frame comprises:
S21: assembling the legitimate external access request according to the frame structure defined by the RFC 1006 protocol;
S22: detecting the integrity of the RFC 1006 frame formed from the legitimate external access request;
S23: when the RFC 1006 frame formed from the legitimate external access request is incomplete, blocking the TCP/IP connection of that request;
S24: otherwise, reading the cached data to form the upper-layer S7 data and detecting the integrity of the S7 frame formed from the legitimate external access request;
S25: when the S7 frame formed from the legitimate external access request is incomplete, blocking the TCP/IP connection of that request.
The packet assembly / detection process in this embodiment may proceed as follows:
Step 1: check the PDU type. If it is not a DT (data) or ED (expedited data) PDU, perform the frame check according to the format of that PDU type; otherwise go to step 2.
Step 2: check the fragment flag bit in the frame. If it is 0, the upper-layer data must be cached while waiting for the next packet, until a packet with fragment flag 1 arrives, at which point the cached upper-layer data is assembled into the complete carried payload and processing goes to step 3. Otherwise (while fragments are still outstanding), check whether the cached data length or the number of cached packets exceeds its limit; if so, generate an alarm and a log record, discard the packet and block the TCP/IP connection, and if not, wait for the next packet.
Step 3: for packets that pass the RFC 1006 frame check, check whether the leading identifier of the S7 protocol frame is correct, whether the frame type is valid, and whether the parameter length and data length fields are consistent with the data. If all of the above hold, the frame is a correct and legitimate whole frame and proceeds to the next legitimacy check; otherwise it is an erroneous frame, which is discarded and logged.
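The reassembly and integrity checks of steps S21 to S25 and steps 1 to 3 above, as an added Python example that is not the patent's own code. The TPKT, COTP and S7 header layouts it decodes are assumed from the commonly documented formats (the patent does not spell them out), and the cache limits and sample job are constructed values.

```python
# Added example, not the patent's own code: RFC 1006 / COTP fragment reassembly
# and S7 frame integrity checks for steps S21-S25 and steps 1-3 above. TPKT,
# COTP and S7comm header layouts are the commonly documented ones (assumption;
# the patent does not spell them out); the cache limits are constructed.
import struct

COTP_DT, COTP_ED = 0xF0, 0x10          # Data / Expedited Data TPDUs
COTP_CONN = (0xE0, 0xD0, 0x80)         # CR, CC, DR connection-management TPDUs
S7_PROTO_ID = 0x32
S7_ROSCTR = {0x01: "job", 0x02: "ack", 0x03: "ack_data", 0x07: "userdata"}
MAX_CACHE_BYTES = 4096                 # constructed limit on buffered upper-layer data
MAX_CACHE_PACKETS = 8                  # constructed limit on buffered fragments


def s7_integrity_error(frame):
    """Step 3: return None for a well-formed S7 PDU, otherwise the reason."""
    if len(frame) < 10:
        return "S7 header truncated"
    if frame[0] != S7_PROTO_ID:
        return "bad S7 protocol id 0x%02x" % frame[0]
    if frame[1] not in S7_ROSCTR:
        return "invalid S7 frame type 0x%02x" % frame[1]
    param_len, data_len = struct.unpack(">HH", frame[6:10])
    hdr_len = 12 if frame[1] in (0x02, 0x03) else 10    # ack/ack_data carry 2 error bytes
    if hdr_len + param_len + data_len != len(frame):
        return "S7 length fields do not match payload"
    return None


class ConnectionFilter:
    """Per-TCP-connection state for the packet assembly / detection process."""

    def __init__(self):
        self.reset()

    def reset(self):
        self.cache, self.packets = bytearray(), 0

    def feed(self, tpkt):
        """Process one TPKT packet: ('block', reason), ('wait', None) for a
        non-final fragment, or ('ok', s7_frame) once a whole frame is assembled."""
        # RFC 1006 header: version 3, reserved, 16-bit length of the whole packet
        if len(tpkt) < 6 or tpkt[0] != 0x03:
            return ("block", "bad TPKT header")
        if struct.unpack(">H", tpkt[2:4])[0] != len(tpkt):
            return ("block", "TPKT length mismatch")
        cotp = tpkt[4:]
        li, pdu_type = cotp[0], cotp[1]                 # length indicator, PDU type
        if 1 + li > len(cotp):
            return ("block", "COTP length indicator exceeds packet")
        if pdu_type not in (COTP_DT, COTP_ED):          # Step 1: format check only
            if pdu_type in COTP_CONN and li >= 6:
                return ("ok", b"")                      # no S7 payload to inspect
            return ("block", "unsupported or malformed TPDU 0x%02x" % pdu_type)
        if li != 2:
            return ("block", "bad DT length indicator")
        last_fragment = bool(cotp[2] & 0x80)            # Step 2: EOT fragment flag
        self.cache += cotp[3:]
        self.packets += 1
        if len(self.cache) > MAX_CACHE_BYTES or self.packets > MAX_CACHE_PACKETS:
            self.reset()
            return ("block", "fragment cache limit exceeded")
        if not last_fragment:
            return ("wait", None)
        frame = bytes(self.cache)
        self.reset()
        reason = s7_integrity_error(frame)
        return ("block", reason) if reason else ("ok", frame)


def tpkt_dt(payload, last):
    """Wrap an S7 fragment in a COTP DT TPDU and a TPKT header (test input)."""
    cotp = bytes([0x02, COTP_DT, 0x80 if last else 0x00]) + payload
    return bytes([0x03, 0x00]) + struct.pack(">H", 4 + len(cotp)) + cotp


# Constructed sample: Read Var job for 4 bytes of DB1 from byte 0, i.e. a 10-byte
# header (param length 14, data length 0) followed by a 14-byte parameter block.
S7_READ_JOB = (bytes([0x32, 0x01, 0x00, 0x00, 0x00, 0x01]) + struct.pack(">HH", 14, 0)
               + bytes([0x04, 0x01, 0x12, 0x0A, 0x10, 0x02]) + struct.pack(">HH", 4, 1)
               + bytes([0x84, 0x00, 0x00, 0x00]))


def demo():
    """Feed the sample job as two DT fragments, then a copy with a bad length field."""
    conn = ConnectionFilter()
    first = conn.feed(tpkt_dt(S7_READ_JOB[:10], last=False))
    second = conn.feed(tpkt_dt(S7_READ_JOB[10:], last=True))
    tampered = bytearray(S7_READ_JOB)
    tampered[7] = 0x20                                  # parameter length now disagrees
    third = conn.feed(tpkt_dt(bytes(tampered), last=True))
    return first, second, third
```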
This embodiment can assemble the frame structure of external access requests according to the RFC 1006 protocol and the S7 protocol, and block or filter messages that fail the frame check or whose frame structure is incomplete. White list technology can resist malware and targeted attacks, because by default no unauthorized software, tool or process can run on the endpoint: if malware attempts to install itself on an endpoint with white listing enabled, the white list technology determines that it is not a trusted process and denies it permission to run.
Through the integrity check of S7 protocol frames, this embodiment can effectively prevent the situation in which communication requests are continually initiated to industrial control equipment or systems using non-S7 protocol messages, causing the performance of that equipment to degrade.
Furthermore, with predefined white lists for the application layer, filtering of external requests can also be implemented at the application layer.
Fig. 3 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 3, the method comprises:
S31: when the S7 frame formed from the legitimate external access request is a whole frame, extracting the frame type and designator contained in the frame-complete external access request, and determining according to the application function white list whether the application function of the request is an allowed application function;
S32: if the application function of the frame-complete external access request is an allowed application function, determining whether it is a read/write function;
S33: otherwise, blocking the TCP/IP connection of the frame-complete external access request.
By applying white list filtering to access requests at the application layer, this embodiment further ensures the safety and reliability of the whole industrial control network. Filtering by the application function white list can effectively prevent damage to the availability of industrial control equipment or systems, such as illegal modification of a unit address, illegal upload of BLOCK files, or illegal issuing of control operation commands, thereby ensuring the security of communication between industrial control systems.
Fig. 4 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 4, the second predefined white list comprises at least an access information object white list and a control object white list, and the method comprises:
S411: determining whether the application function to which the frame-complete external access request belongs is a read function or a write function;
S421: when the application function of the frame-complete external access request is a read function, extracting the information object address corresponding to the read function and, together with the client IP address, determining according to the access information object white list whether that information object address is within the range allowed for access;
S422: if the information object address of the frame-complete external access request is within the allowed range, assembling the request according to the TCP/IP protocol and forwarding it to the internal communication port;
S423: otherwise, blocking the TCP/IP connection of the frame-complete external access request;
S431: when the application function of the frame-complete external access request is a write function, extracting the control object information object address corresponding to the write function and, together with the client IP address, determining according to the control object white list whether the control object and control value of the request are within the defined range;
S432: if the control object and control value are within the defined range, allowing the frame-complete external access request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port;
S433: otherwise, blocking the TCP/IP connection of the frame-complete external access request.
In the above embodiment, the information object address comprises at least a register type and an offset address, and determining according to the access information object white list whether the information object address of the external access request is within the allowed range comprises: determining according to the access information object white list whether the register is within the range allowed for reading.
In the above embodiment, the control object information object address likewise comprises at least a register type and an offset address, and the control object white list comprises predefined allowed ranges for process parameter control values. If the control object and control value are within the defined range, assembling the external access request according to the TCP/IP protocol and forwarding it to the internal communication port comprises:
S4321: parsing the S7 frame formed from the frame-complete external access request according to the predefined correspondence and encoding method between process parameters and registers, obtaining the corresponding process parameter control value, filtering the S7 frame by the control object white list, and determining whether the control value is within the allowed range;
S4322: if the control value is within the allowed range, allowing the frame-complete external access request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port;
S4323: otherwise, blocking the TCP/IP connection of the frame-complete external access request.
The correspondence between process parameters and registers may be that one process parameter corresponds to one or more registers, that one process parameter corresponds to one or several bits of a register, or that several process parameters share one register. The original encoding of a process parameter may be Boolean, signed integer, unsigned integer, floating point or BCD. The length of a process parameter may be one or more bytes; for signed integer, unsigned integer, floating point or BCD types it can be up to 8 bytes, and for floating point it may be 4 bytes or 8 bytes. A conversion relationship may be defined between the raw value and the engineering value of a process parameter; this relationship may be a proportional (scale) relationship or an engineering coefficient relationship.
As for the correspondence and encoding method between process parameters and registers: 1) a user-defined (configuration) method may be used, allowing the user to define in a configuration tool the mapping between process control parameters and the Modbus register model:
For analogue-type process control parameters, the mapping comprises the starting register address corresponding to the process control parameter, the start byte and byte length of the data within the register, and the encoding method, as shown in the table below:
Table 2: Mapping between analogue-type process control parameters and registers
For Boolean-type process control parameters, the mapping comprises the register address corresponding to the process control parameter, the bit offset within the register and the number of bits, as shown in the table below:
Name                         Function code            Address   Offset   Bits
Process control parameter 3  Coil output              1         0        1
Process control parameter 4  Single register output   100       6        1
Process control parameter 5  Multi-register output    200       3        2
Table 3: Mapping between Boolean-type process control parameters and registers
2) the mapping configuration for the relevant process parameters is stored in configuration files, which are read into memory at start-up;
3) for a write command, using the starting address and byte length of the process parameter, check whether the command frame contains the corresponding data block; if so, convert the data block contained in the command frame to the engineering value of the process parameter according to the encoding method.
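The application-layer checks of Fig. 3 and Fig. 4 together with the parameter-to-register decoding of steps 1) to 3) above, as an added Python example that is not the patent's own code. The S7 function codes, area codes and item encodings are assumed from the commonly documented S7comm layout (the patent does not specify them), and every client address, white list entry and parameter mapping is constructed.

```python
# Added example, not the patent's own code: application-layer filtering of an
# S7 job PDU that has already passed the frame integrity checks. S7comm function
# codes, area codes and item/data encodings follow the commonly documented
# layout (assumption; the patent does not specify them); policy is constructed.
import struct

FUNCTIONS = {0x04: "read_var", 0x05: "write_var", 0xF0: "setup_comm",
             0x1A: "request_download", 0x1D: "start_upload",
             0x28: "plc_control", 0x29: "plc_stop"}
AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB"}
ELEM_BYTES = {0x02: 1, 0x03: 1, 0x04: 2, 0x05: 2, 0x06: 4, 0x07: 4, 0x08: 4}

# Constructed policy, keyed by client IP as the patent's white lists are (1.4-1.6).
FUNCTION_WHITELIST = {"192.0.2.10": {"setup_comm", "read_var", "write_var"}}
READ_WHITELIST = {"192.0.2.10": [("DB", 1, 0, 64)]}      # (area, db, first byte, end)
CONTROL_WHITELIST = {"192.0.2.10": {                     # register -> parameter mapping
    ("DB", 1, 0): {"name": "setpoint_c", "enc": "int16", "scale": 0.1, "lo": 0.0, "hi": 80.0},
    ("DB", 1, 4): {"name": "pump_run", "enc": "bool", "bit": 0, "lo": 0, "hi": 1},
}}


def parse_job(pdu):
    """Split a job PDU into (function name, [(area, db, byte, nbytes)], data bytes)."""
    param_len, data_len = struct.unpack(">HH", pdu[6:10])
    param = pdu[10:10 + param_len]
    data = pdu[10 + param_len:10 + param_len + data_len]
    func = FUNCTIONS.get(param[0], "unknown_0x%02x" % param[0])
    items = []
    if func in ("read_var", "write_var"):
        for i in range(param[1]):                          # item count
            spec = param[2 + 12 * i:14 + 12 * i]           # one 12-byte S7ANY item
            tsize, (count, db) = spec[3], struct.unpack(">HH", spec[4:8])
            addr = int.from_bytes(spec[9:12], "big")       # bit address = byte * 8 + bit
            nbytes = (count + 7) // 8 if tsize == 0x01 else count * ELEM_BYTES.get(tsize, 1)
            items.append((AREAS.get(spec[8], "?"), db, addr >> 3, nbytes))
    return func, items, data


def split_write_data(data, n_items):
    """Return the raw payload of each write data item (header: rc, tsize, length)."""
    raw, pos = [], 0
    for _ in range(n_items):
        tsize, length = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        nbytes = (length + 7) // 8 if tsize in (3, 4, 5) else length   # bit vs byte length
        raw.append(data[pos + 4:pos + 4 + nbytes])
        pos += 4 + nbytes + (nbytes & 1)                   # items are padded to even length
    return raw


def engineering_value(ctl, raw):
    """Step 3: decode the command's data block to the parameter's engineering value."""
    if ctl["enc"] == "bool":
        return (raw[0] >> ctl.get("bit", 0)) & 1
    fmt = {"int16": ">h", "uint16": ">H", "float32": ">f"}[ctl["enc"]]
    return struct.unpack(fmt, raw[:struct.calcsize(fmt)])[0] * ctl.get("scale", 1)


def filter_job(client_ip, pdu):
    """Return ('forward', function) or ('block', reason) for one S7 job PDU."""
    func, items, data = parse_job(pdu)
    if func not in FUNCTION_WHITELIST.get(client_ip, set()):      # S31-S33
        return ("block", "function %s not allowed for %s" % (func, client_ip))
    if func == "read_var":                                         # S421-S423
        for area, db, start, nbytes in items:
            if not any(a == area and d == db and lo <= start and start + nbytes <= hi
                       for a, d, lo, hi in READ_WHITELIST.get(client_ip, [])):
                return ("block", "read of %s%d byte %d outside white list" % (area, db, start))
        return ("forward", func)
    if func == "write_var":                                        # S431-S433, S4321-S4323
        controls = CONTROL_WHITELIST.get(client_ip, {})
        for item, raw in zip(items, split_write_data(data, len(items))):
            ctl = controls.get(item[:3])
            if ctl is None:
                return ("block", "write to %s%d byte %d is not a control object" % item[:3])
            value = engineering_value(ctl, raw)
            if not ctl["lo"] <= value <= ctl["hi"]:
                return ("block", "%s=%s outside [%s, %s]" % (ctl["name"], value, ctl["lo"], ctl["hi"]))
        return ("forward", func)
    return ("forward", func)                                       # S14: other allowed functions


def build_job(func, area_code, db, byte_off, tsize, count, data=b""):
    """Build a single-item read/write job PDU (constructed test input)."""
    param = (bytes([func, 0x01, 0x12, 0x0A, 0x10, tsize]) + struct.pack(">HH", count, db)
             + bytes([area_code]) + (byte_off * 8).to_bytes(3, "big"))
    header = bytes([0x32, 0x01, 0, 0, 0, 1]) + struct.pack(">HH", len(param), len(data))
    return header + param + data


def write_word(db, byte_off, value):
    """Job writing one signed 16-bit word to DB<db>; data item: rc 0, tsize 4, 16 bits."""
    return build_job(0x05, 0x84, db, byte_off, 0x04, 1, struct.pack(">BBHh", 0, 4, 16, value))
```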
By filtering with the access information object white list, this embodiment can effectively protect the confidentiality of important control system data and prevent system data from being accessed illegally. By extracting the control object address and control value contained in a control operation and comparing the control value with the corresponding range of allowed control values, it can effectively protect the legitimacy and correctness of control operations.
In some embodiments, after the TCP/IP connection of the external access request is blocked, a system log record and an alarm output signal are generated.
Fig. 5 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 5, the method comprises the following steps:
S101: obtaining a data request packet from the external network interface;
S102: performing TCP/IP protocol filtering on the data request packet;
S103: determining whether the client IP address and port number are allowed to access; if so, executing step S104, otherwise executing step S122;
S104: assembling the data request packet that passed TCP/IP protocol filtering according to the frame structure defined by the RFC 1006 protocol;
S105: detecting whether the data request packet forms a complete RFC 1006 frame; if so, executing step S106, otherwise executing step S122;
S106: checking the fragment flag bit in the RFC 1006 frame to determine whether the frame is the last fragment; if not, executing step S107, otherwise executing step S109;
S107: caching the fragment packet;
S108: determining whether the cached fragment length or the number of cached packets exceeds its limit; if so, executing step S122, otherwise waiting for the next data request packet;
S109: reading the cached data and assembling it with the buffered upper-layer data into the complete upper-layer S7 data;
S110: detecting whether the upper-layer S7 data forms a complete S7 frame; if so, executing step S111, otherwise executing step S122;
S111: extracting the frame type and designator contained in the S7 frame formed from the data request packet, to obtain the application function to which that S7 frame belongs;
S112: determining according to the application function white list whether the application function of the S7 frame is allowed to access; if so, executing step S113, otherwise executing step S122;
S113: determining whether the application function of the S7 frame is a read/write function; if so, executing step S114, otherwise executing step S121;
S114: determining whether the application function of the S7 frame is a write function; if not, executing step S115, otherwise executing step S117;
S115: extracting the register range corresponding to the read command of the S7 frame;
S116: determining according to the access information object white list whether the register of step S115 is within the range allowed for reading; if so, executing step S121, otherwise executing step S122;
S117: extracting the register range and data corresponding to the write command of the S7 frame;
S118: determining according to the control object white list whether the register of step S117 is within the range allowed for writing; if so, executing step S119, otherwise executing step S122;
S119: obtaining the control value of the process parameter according to the predefined correspondence and encoding between registers and process parameters;
S120: determining according to the control object white list whether the control value of step S119 is within the allowed operating range; if so, executing step S121, otherwise executing step S122;
S121: assembling the data request packet according to the TCP/IP protocol and forwarding it to the internal communication port;
S122: blocking the TCP connection of the data request packet;
S123: generating a system log record and an alarm output signal.
The above embodiment also requires the following to be done in advance:
1.1 Predefine the client address white list: establish the list of client addresses and access port numbers that are allowed to access;
1.3 Pre-establish the correspondence between S7 protocol application functions and frame types and designators;
1.4 Predefine the application function white list: taking the client IP address and the application function name as the unit, predefine the set of application functions each client is allowed to access;
1.5 Predefine the access information object white list: taking the client IP address and the information object address (register type, offset address) as the unit, define the set of information object addresses each client is allowed to access;
1.6 Predefine the control object white list: taking the client IP address and the control object information object address (register type, offset address) as the unit, define the range of control objects each client is allowed to operate and the control values permitted.
In the above embodiment, when a communication request that does not satisfy the white list requirements is detected and the communication has been blocked, a system log record and an alarm output are generated; the alarm output methods include the device indicator light and the connected background monitoring software.
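The white-list chain of steps S114 to S122 together with the frame integrity checks that precede it, modelled in Python as an added example; this is not code from the patent or from any vendor, and the TPKT/COTP/S7 byte layout, the single-item restriction, the white-list contents (client 192.0.2.10, DB1 registers, a set-point encoded in tenths of a degree) and the sample frames are all assumptions constructed for the example.

```python
import struct

# Constructed white lists for one client (the patent's client address, application function,
# access information object and control object white lists). A register is addressed as
# (area, DB number, byte offset); area 0x84 is an S7 data block.
CLIENT_WHITELIST = {"192.0.2.10"}
FUNCTION_WHITELIST = {"192.0.2.10": {0x04, 0x05}}      # S7 Read Var and Write Var only
READ_WHITELIST = {"192.0.2.10": [(0x84, 1, 0, 19)]}    # (area, db, first byte, last byte)
# control object -> (process parameter, allowed raw value range); the written 16-bit word is
# assumed to encode a temperature set-point in tenths of a degree.
WRITE_WHITELIST = {"192.0.2.10": {(0x84, 1, 0): ("temp_setpoint_x10", 0, 1500)}}
WORD_SIZE = {0x02: 1, 0x04: 2, 0x06: 4}                 # S7 transport size -> bytes

def parse_s7(frame: bytes):
    """Check RFC1006 (TPKT/COTP) and S7 framing; return (function, register, value).

    register is (area, db, byte offset, byte length); value is the written word for Write
    Var, else None. Single-item Job PDUs only (an assumption of this example); ValueError
    means the frame is incomplete or malformed (the integrity checks preceding S114).
    """
    if len(frame) < 7 or frame[0] != 0x03 or frame[5] != 0xF0:   # TPKT v3, COTP data TPDU
        raise ValueError("bad TPKT/COTP header")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length does not match bytes received")
    s7 = frame[5 + frame[4]:]                            # skip COTP header (frame[4] = its length)
    if len(s7) < 10 or s7[0] != 0x32 or s7[1] != 0x01:   # protocol id 0x32, ROSCTR = Job
        raise ValueError("bad S7 header")
    param_len, data_len = struct.unpack(">HH", s7[6:10])
    if len(s7) != 10 + param_len + data_len:
        raise ValueError("S7 parameter/data length mismatch")
    param, data = s7[10:10 + param_len], s7[10 + param_len:]
    if param_len != 14 or param[1] != 1 or param[2:5] != b"\x12\x0a\x10" or param[5] not in WORD_SIZE:
        raise ValueError("unsupported item specification")
    function, size = param[0], WORD_SIZE[param[5]]
    count, db = struct.unpack(">HH", param[6:10])
    register = (param[10], db, int.from_bytes(param[11:14], "big") >> 3, size * count)
    value = None
    if function == 0x05:                                 # Write Var carries a data part
        if len(data) < 4 or data[1] != 0x04:
            raise ValueError("bad write data header")
        nbytes = struct.unpack(">H", data[2:4])[0] // 8   # length field is in bits
        if nbytes != size * count or len(data) < 4 + nbytes:
            raise ValueError("write data truncated")
        value = int.from_bytes(data[4:4 + nbytes], "big")
    return function, register, value

def decide(client_ip: str, frame: bytes):
    """Walk the white-list chain; return ('FORWARD' or 'BLOCK', reason for the log record)."""
    if client_ip not in CLIENT_WHITELIST:
        return "BLOCK", "client address not in white list"
    try:
        function, register, value = parse_s7(frame)
    except ValueError as err:
        return "BLOCK", f"frame integrity check failed: {err}"
    if function not in FUNCTION_WHITELIST[client_ip]:
        return "BLOCK", f"application function 0x{function:02x} not allowed"
    area, db, start, length = register
    if function == 0x04:                                 # S115/S116: readable register range
        for a, d, lo, hi in READ_WHITELIST[client_ip]:
            if (a, d) == (area, db) and lo <= start and start + length - 1 <= hi:
                return "FORWARD", "read within allowed register range"
        return "BLOCK", "register outside readable range"
    entry = WRITE_WHITELIST[client_ip].get((area, db, start))  # S117-S120: object and value
    if entry is None or length != 2:
        return "BLOCK", "register outside writable range"
    name, lo, hi = entry
    if not lo <= value <= hi:
        return "BLOCK", f"{name}={value} outside operating range [{lo}, {hi}]"
    return "FORWARD", f"{name}={value} within operating range"

def s7_job(param: bytes, data: bytes = b"") -> bytes:   # constructed TPKT/COTP/S7 Job frame
    s7 = b"\x32\x01\x00\x00\x00\x01" + struct.pack(">HH", len(param), len(data)) + param + data
    body = b"\x02\xf0\x80" + s7                          # COTP DT header + S7 PDU
    return b"\x03\x00" + struct.pack(">H", 4 + len(body)) + body

def db_word_item(db: int, byte_off: int) -> bytes:     # item spec: one WORD in a data block
    return b"\x12\x0a\x10\x04" + struct.pack(">HH", 1, db) + b"\x84" + (byte_off << 3).to_bytes(3, "big")

WRITE_DATA = b"\x00\x04\x00\x10"                         # return code, BYTE/WORD transport, 16 bits
READ_DB1_W0 = s7_job(b"\x04\x01" + db_word_item(1, 0))   # read DB1.DBW0 -> FORWARD
READ_DB1_W30 = s7_job(b"\x04\x01" + db_word_item(1, 30)) # read DB1.DBW30 -> BLOCK (out of range)
WRITE_OK = s7_job(b"\x05\x01" + db_word_item(1, 0), WRITE_DATA + (1200).to_bytes(2, "big"))
WRITE_HIGH = s7_job(b"\x05\x01" + db_word_item(1, 0), WRITE_DATA + (2000).to_bytes(2, "big"))
TRUNCATED = WRITE_OK[:-1]                                # one byte short -> integrity BLOCK
```

The reason string returned with each BLOCK verdict is what step S123 would write to the system log before raising the alarm output.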
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described sequence of actions, because according to the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this description are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
Fig. 6 is a structural schematic diagram of the security protection system of an embodiment of the present invention. As shown in Fig. 6, another aspect of the present invention further provides a security protection system, comprising:
Access request receiving port 1, for receiving external access requests from clients.
Parsing module 2, for performing TCP/IP layer protocol analysis on the external access request, determining the client IP address and access port number, and determining the legitimacy of the external access request according to the first preset white list.
Packaging/detection module 3, for packaging the external access request and detecting the frame integrity of the external access request.
Application function determining module 4, for determining the legitimacy of the external access request according to the application function white list, and determining whether the application function of the external access request is a read/write function.
Read/write legitimacy determining module 5, for determining the read/write legitimacy of the external access request according to the second preset white list when the application function of the external access request is a read/write function.
In some embodiments, the first preset white list is the client address white list, the second preset white list includes at least the access information object white list and the control object white list, and the system comprises:
Blocking module 6, for blocking the TCP/IP connection of an illegitimate external access request.
Extraction module 7, for extracting the frame type, designator and information object address contained in the external access request.
Read/write legitimacy determining module 5 comprises:
Read/write judging unit 51, for determining whether the application function to which the external access request belongs is a read function or a write function.
Parsing module 2 is further operable to parse the S7 frame composed from the external access request and obtain the corresponding process parameter control value.
In some embodiments, the system of the invention further includes alarm module 8, for generating a system log record and an alarm output signal after blocking module 6 has blocked the TCP/IP connection of the external access request.
The embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and naturally also by hardware. Based on this understanding, the above technical solution, or in other words the part of it that contributes to the existing technology, can be embodied in the form of a software product; the computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk or optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or box in the flowchart and/or block diagram, and combinations of flows and/or boxes in the flowchart and/or block diagram, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus which implements the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram. These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention, rather than limitations thereof; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the above embodiments may still be modified, or some of their technical features replaced by equivalents, and that these modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the various embodiments of the present invention.

Claims (9)

1. An industrial control system safety protection method using the S7 protocol, comprising:
performing TCP/IP layer protocol analysis on external access requests, and determining, according to a first preset white list, the legitimate external access requests among the external access requests;
packaging the legitimate external access requests and performing frame integrity detection, to determine the frame-complete external access requests among the legitimate external access requests, i.e. those that pass the frame integrity detection;
determining, according to an application function white list, the legitimacy of the application function of the frame-complete external access request, and determining whether the application function of the frame-complete external access request is a read/write function;
when the application function of the frame-complete external access request is not a read/write function, allowing the frame-complete external access request to be packaged according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
determining the read/write legitimacy of the frame-complete external access request according to a second preset white list; wherein
the first preset white list is a client address white list, and the second preset white list includes at least an access information object white list and a control object white list;
packaging the legitimate external access request and performing frame integrity detection comprises:
packaging the legitimate external access request according to the frame structure defined by the RFC1006 protocol;
detecting the integrity of the RFC1006 frame composed from the legitimate external access request;
when the RFC1006 frame composed from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request; otherwise
reading the cached data to form upper-layer S7 data, and detecting the integrity of the S7 frame composed from the legitimate external access request;
when the S7 frame composed from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request.
2. The safety protection method according to claim 1, wherein performing TCP/IP layer protocol analysis on external access requests and determining, according to the first preset white list, the legitimate external access requests among the external access requests comprises:
performing TCP/IP layer protocol analysis on the external access request from the client, and determining the IP address and access port number of the client.
3. The safety protection method according to claim 2, wherein determining, according to the application function white list, the legitimacy of the application function of the frame-complete external access request, and determining whether the application function of the frame-complete external access request is a read/write function comprises:
when the S7 frame composed from the legitimate external access request is a complete frame, extracting the frame type and designator contained in the frame-complete external access request, and determining, according to the application function white list, whether the application function of the frame-complete external access request is an allowed application function;
if the application function of the frame-complete external access request is an allowed application function, determining whether the application function of the frame-complete external access request is a read/write function; otherwise
blocking the TCP/IP connection of the frame-complete external access request.
4. The safety protection method according to claim 3, wherein determining the read/write legitimacy of the frame-complete external access request according to the second preset white list comprises:
determining whether the application function to which the frame-complete external access request belongs is a read function or a write function;
when the application function to which the frame-complete external access request belongs is a read function, extracting the information object address corresponding to the read function of the frame-complete external access request and, together with the client IP address, determining according to the access information object white list whether the information object address of the frame-complete external access request is within the range allowed to be accessed:
if the information object address of the frame-complete external access request is within the range allowed to be accessed, allowing the frame-complete external access request to be packaged according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the frame-complete external access request;
when the application function to which the frame-complete external access request belongs is a write function, extracting the control object information object address corresponding to the write function of the frame-complete external access request and, together with the client IP address, determining according to the control object white list whether the control object and control value of the frame-complete external access request are within the defined range:
if the control object and control value are within the defined range, allowing the frame-complete external access request to be packaged according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the frame-complete external access request.
5. The safety protection method according to claim 4, wherein the information object address includes at least a register type and an offset address, and determining according to the access information object white list whether the information object address of the frame-complete external access request is within the range allowed to be accessed comprises:
determining, according to the access information object white list, whether the register is within the range allowed to be read.
6. The safety protection method according to claim 4, wherein the control object information object address includes at least a register type and an offset address, the control object white list includes a predefined allowed range of process parameter control values, and allowing the frame-complete external access request to be packaged according to the TCP/IP protocol and forwarded to the internal communication port if the control object and control value are within the defined range comprises:
parsing the S7 frame composed from the frame-complete external access request according to the predefined correspondence and encoding method between process parameters and registers, obtaining the corresponding process parameter control value, filtering the S7 frame according to the control object white list, and determining whether the control value is within the allowed range;
if the control value is within the allowed range, allowing the frame-complete external access request to be packaged according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the frame-complete external access request.
7. The safety protection method according to any one of claims 1-6, wherein after the TCP/IP connection of the external access request is blocked, a system log record and an alarm output signal are generated.
8. An industrial control system security protection system using the S7 protocol, the system comprising:
an access request receiving port, configured to receive external access requests from clients;
a parsing module, configured to perform TCP/IP layer protocol analysis on the external access request, to determine the client IP address and access port number, and to determine the legitimacy of the external access request according to a first preset white list;
a packaging module, configured to package the legitimate external access request;
a detection module, configured to detect the integrity of the frame composed from the legitimate external access request;
an application function determining module, configured to determine the legitimacy of the frame-complete external access request according to an application function white list, and to determine whether the application function of the frame-complete external access request is a read/write function;
a read/write legitimacy determining module, configured to determine, when the application function of the frame-complete external access request is a read/write function, the read/write legitimacy of the frame-complete external access request according to a second preset white list; wherein
the first preset white list is a client address white list, and the second preset white list includes at least an access information object white list and a control object white list;
packaging the legitimate external access request comprises:
packaging the legitimate external access request according to the frame structure defined by the RFC1006 protocol;
detecting the integrity of the frame composed from the legitimate external access request comprises:
detecting the integrity of the RFC1006 frame composed from the legitimate external access request;
when the RFC1006 frame composed from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request; otherwise
reading the cached data to form upper-layer S7 data, and detecting the integrity of the S7 frame composed from the legitimate external access request;
when the S7 frame composed from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request.
9. The security protection system according to claim 8, comprising:
a blocking module, configured to block the TCP/IP connection of an illegitimate external access request;
an extraction module, configured to extract the frame type, designator and information object address contained in the frame-complete external access request;
an alarm module, configured to generate a system log record and an alarm output signal after the blocking module has blocked the TCP/IP connection of the illegitimate external access request;
the read/write legitimacy determining module comprises:
a read/write judging unit, configured to determine whether the application function to which the frame-complete external access request belongs is a read function or a write function;
the parsing module is further configured to parse the S7 frame composed from the legitimate external access request and obtain the corresponding process parameter control value.
CN201610165078.8A 2016-03-22 2016-03-22 Using the industrial control system safety protecting method and system of S7 agreements Active CN105847251B (en)

Publications (2)

Publication Number Publication Date
CN105847251A CN105847251A (en) 2016-08-10
CN105847251B true CN105847251B (en) 2018-10-30

Family

ID=56588294

Country Status (1)

Country Link
CN (1) CN105847251B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant