CN106161330A - A kind of security isolation system being applied to PROFINET EPA - Google Patents


Info

Publication number: CN106161330A
Application number: CN201510114276.7A
Authority: CN (China)
Prior art keywords: unit, profinet, epa, security isolation, network
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 闫晓风, 赵艳领, 刘敏, 刘丹, 谢素芬
Current assignee: Mechanical Industry Instrument And Meter Complex Art Institute For Economic Research
Original assignee: Mechanical Industry Instrument And Meter Complex Art Institute For Economic Research
Priority date: 2015-03-16
Filing date: 2015-03-16
Publication date: 2016-11-23

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security isolation system applied to the PROFINET industrial Ethernet. Taking the widely applicable PROFINET real-time Ethernet as the research object, it combines PROFINET communication-protocol deep inspection with general industrial firewall functionality to produce a dedicated industrial information-security device for PROFINET. Beyond the general information-security protection functions (blocking network attacks and antivirus protection, preventing unauthorized access to the control network and field devices, data encryption and identity authentication), the system also analyses the communication characteristics of the PROFINET network in depth: it predicts network communication behaviour from the configuration information at the initial stage of networking, monitors communication relationships, real-time throughput and non-real-time bandwidth on line, and performs deep inspection of PROFINET application-layer packets, so that abnormal communication on the network is identified effectively. When a security threat occurs, the PROFINET network is promptly "isolated" from the external network, a hazard-identification record and an alarm log are issued, and a safe re-download to an out-of-control or faulted master station can be carried out.

Description

A security isolation system applied to the PROFINET industrial Ethernet
Technical field:
The present invention relates to the fields of industrial Ethernet and information security, and in particular to security isolation for the PROFINET industrial Ethernet.
Background technology:
As industrial communication technology is applied ever more widely, industrial control systems face increasingly prominent security threats in practice. In the past little attention was paid to the security of industrial control systems, because their communication networks were dedicated networks and it was generally believed that mounting a security threat against them was difficult. The current trend of technical development, however, is the integration and intelligence of control and management in industrial enterprises: enterprise management is no longer confined to exchanges with the upper information layer, but frequently obtains data from the underlying manufacturing system and in some cases interacts directly with the final control system. Many recent industrial control system incidents at home and abroad that were caused by security problems have drawn the close attention of the relevant ministries and commissions of the state, which have fully recognised the importance and urgency of strengthening information-security management of industrial control systems and have issued information-security management requirements for industrial control systems in key fields.
The many industrial control system incidents caused by information-security problems that have occurred at home and abroad in the recent period have drawn the close attention of the relevant state departments. The Ministry of Industry and Information Technology's document [2011] No. 451, "Notice on Strengthening Information Security Management of Industrial Control Systems", clearly stipulates the information-security management requirements for industrial control systems in key fields, including connection management requirements, network management requirements, configuration management requirements and data management requirements. The electric power and petrochemical industries have also issued, or are drafting, control-system security requirements for their own sectors. This brings both opportunity and challenge to domestic industrial control equipment and system manufacturers. At present, however, domestic manufacturers invest seriously too little in the security technology of industrial control systems, and there are as yet no domestic technologies or products in this area. The creation of the present invention fills the domestic gap in industrial Ethernet security technology and products in a timely manner, provides the urgently needed security solution for industrial control systems, and will drive domestic enterprises to strengthen their research into industrial control system security.
Domestic automation equipment and system manufacturers face enormous competitive pressure from overseas enterprises. The gap between domestic and overseas companies lies mainly in the technical level of complex structured systems, for example information sharing with the whole production and management system, system diagnostic and management functions, and system reliability and security. Improving system diagnostics and management functions, as well as system security, all require building a system-level communication network. Compared with overseas companies, the industrial-communication research and development capability of domestic enterprises is weaker, but their investment in industrial communication technology has grown markedly, as the number of domestic products that pass industrial communication certification each year shows. Judging from the present situation, industrial communication security technology will be the next hot topic in industrial automation technology; abroad it is also at the starting stage, roughly on a par with domestic research and development. The technical direction of the present invention is "industrial Ethernet security isolation technology". Its results can be used in industrial environments, and these security isolation instruments can be incorporated into industrial control systems to form multi-level security defence, which will improve the competitiveness of the products of domestic industrial product and system manufacturers.
Content of the invention:
To solve the problems of the background art, the invention discloses a PROFINET security isolation system that can be applied in the field over the long term. It combines PROFINET communication-protocol deep inspection with general industrial firewall functionality to produce a dedicated industrial information-security device for PROFINET.
The system of the invention includes the port-guard function of a general firewall, detecting and blocking network attacks, and antivirus protection.
The system of the invention prevents unauthorized access to the control network and field devices, protecting device information and data from leakage and illegal modification.
The system of the invention performs deep inspection and protocol analysis of PROFINET application-layer packets to identify dangerous messages on the bus, such as malicious attack messages and spoofed messages.
The system of the invention has PROFINET network communication behaviour prediction: it predicts the normal communication relationships, bandwidth and throughput on the network from the configuration information, and identifies abnormal communication caused by attacks or viruses by comparing the predicted situation with the actual communication.
The system of the invention has PROFINET network user-data encryption technology, preventing project-data leakage and malicious virus attacks.
The system of the invention has a key-message pre-storage and backup function: accesses to and changes of key messages are verified against the pre-stored information, and a safe re-download to an out-of-control or faulted master station can be carried out.
The system of the invention has intelligent interaction technology: network communication statistics are displayed graphically, the functions of the security barrier can be configured, and hazard-identification records and alarm logs can be issued.
Brief description of the drawings:
Fig. 1 is the schematic diagram of the system of the invention.
Fig. 2 is the composition diagram of the system of the invention.
Detailed description of the invention:
The invention discloses a PROFINET security isolation system that can be applied in the field over the long term. Based on the PROFINET communication characteristics, the system of the invention determines the concrete elements to be considered in recognising dangerous messages, such as communication quality statistics, the logical relationships between communication messages, the timing relationships of communication messages, the protocol conformance of communication messages and the specific application qualification conditions, which improves the intelligence and efficiency of the security recognition algorithm.
The system of the invention has general firewall functions, deep PROFINET protocol analysis, classified hazard-identification processing with alarm functions, and message forwarding; these are realised in hardware FPGA to improve real-time performance.
Fig. 1 shows the principle of the security isolation system of the invention. The system comprises two sub-modules, the industrial Ethernet security isolation device HMI module and the industrial Ethernet security isolation device hardware module. The industrial Ethernet security isolation HMI module comprises the HMI interface (1), the configuration unit (2), the status query unit (3), the logging unit (4), the alarm unit (5) and the security isolation HMI intelligent communication unit (6); the configuration unit (2), status query unit (3), logging unit (4) and alarm unit (5) work independently of one another and all share data in the background with the security isolation HMI intelligent communication unit (6), which realises communication between the industrial Ethernet security isolation device HMI and the industrial Ethernet security isolation device hardware module over Ethernet. The industrial Ethernet security isolation device hardware module comprises the security isolation intelligent interaction unit (7), the industrial Ethernet firewall function (8), the industrial Ethernet deep analysis unit (9), the dangerous-message intelligent identification unit (10), the critical-data pre-storage unit (11), the key-message additional audit unit (12) and the user-data encryption unit (13). The security function units are arranged in sequence from the industrial Ethernet backbone network to the industrial Ethernet branch network; each security function module receives its configuration commands from the security isolation device intelligent interaction unit and reports status and alarm information back to it.
Further, the security isolation intelligent interaction unit (7) is implemented on an embedded processor. It accepts functional configuration of the security isolation system, designs the recognition algorithm for dangerous messages by an expert-system model, issues hazard-identification records and alarm logs, and communicates over Ethernet.
Further, the industrial Ethernet firewall (8) is implemented in FPGA and acts mainly on the network layer and transport layer of the industrial Ethernet. Through configurable service-access rules it protects the industrial control network from intrusion by unauthorized users, filters out non-PROFINET protocol messages and, when required, isolates the control network from the upper-layer network. The industrial Ethernet firewall (8) filters network-layer messages on several attributes: source IP address, source port number, destination IP address, destination port number and service type.
Further, the industrial Ethernet deep analysis unit (9) is implemented in FPGA. It acquires data from the devices on the bus in real time and parses each message layer by layer (for example the application layer and the user layer) according to the message structure. The PROFINET protocol has a high communication rate, and the four stages of receiving, storing, analysing and forwarding PROFINET messages in the Ethernet isolator have very strict real-time requirements, so the module must meet the PROFINET timing requirements in its implementation. The relevant message structures, basic state machines and diagnostic mechanisms of the PROFINET protocol are realised in this module as hardware sub-modules.
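As an added illustration of the filtering and deep-parsing stages described for units (8) and (9), and not code from the patent, the following Python sketch parses an Ethernet frame layer by layer (802.1Q tag, PROFINET RT class 1 APDU, IPv4/UDP header) and then applies an ordered table of source-IP, destination-IP, port and service-type rules. EtherType 0x8892 and the RT frame layout are taken from the public PROFINET frame format; the PNIO-CM UDP port, the rule table and the sample frames are assumptions constructed for the example, and a real implementation in FPGA would be a hardware pipeline rather than Python. The property worth noting for an isolation device is the fail-closed behaviour: a truncated frame raises instead of being forwarded, and anything that is neither PROFINET, IPv4 nor on the layer-2 allow-list is dropped.

```python
# Added example, not code from the patent: a parser for Ethernet / 802.1Q /
# PROFINET RT class 1 / IPv4-UDP headers plus the multi-attribute filter that
# units (8) and (9) describe. EtherType 0x8892 and the RT frame layout
# (FrameID | IO data | CycleCounter | DataStatus | TransferStatus) follow the
# public PROFINET frame format; the PNIO-CM UDP port and all sample frames
# are assumptions constructed here.
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800
ETHERTYPE_PROFINET = 0x8892        # PROFINET RT and DCP frames
PNIO_CM_UDP_PORT = 34964           # PROFINET context-management RPC (assumed)

@dataclass
class Frame:
    src: bytes
    dst: bytes
    ethertype: int
    payload: bytes
    vlan_prio: Optional[int] = None
    frame_id: Optional[int] = None           # PROFINET RT fields
    io_data: Optional[bytes] = None
    cycle_counter: Optional[int] = None
    data_status: Optional[int] = None
    src_ip: Optional[str] = None             # IPv4 / transport fields
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def parse_frame(raw: bytes) -> Frame:
    """Parse layer by layer; a malformed frame raises rather than being guessed at."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, eth = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    off, prio = 14, None
    if eth == ETHERTYPE_VLAN:                    # 802.1Q tag carries the RT priority
        if len(raw) < 18:
            raise ValueError("truncated VLAN tag")
        tci, eth = struct.unpack("!HH", raw[14:18])
        off, prio = 18, tci >> 13
    f = Frame(src, dst, eth, raw[off:], prio)
    p = f.payload
    if eth == ETHERTYPE_PROFINET:
        if len(p) < 6:
            raise ValueError("truncated PROFINET frame")
        f.frame_id = struct.unpack("!H", p[:2])[0]
        if 0x8000 <= f.frame_id <= 0xBFFF:       # RT class 1 cyclic IO data
            f.cycle_counter, f.data_status, _transfer = struct.unpack("!HBB", p[-4:])
            f.io_data = p[2:-4]
    elif eth == ETHERTYPE_IPV4:
        if len(p) < 20:
            raise ValueError("truncated IPv4 header")
        ihl, f.proto = (p[0] & 0x0F) * 4, p[9]
        f.src_ip = ".".join(str(b) for b in p[12:16])
        f.dst_ip = ".".join(str(b) for b in p[16:20])
        if f.proto in (6, 17) and len(p) >= ihl + 4:   # TCP / UDP port numbers
            f.src_port, f.dst_port = struct.unpack("!HH", p[ihl:ihl + 4])
    return f

@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    src_ip: Optional[str] = None                 # None matches anything
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None                  # service type: 6 = TCP, 17 = UDP

def filter_frame(f: Frame, rules: List[Rule], l2_allowed=frozenset({0x0806, 0x88CC})) -> str:
    """PROFINET frames go on to deep analysis; IPv4 is matched against the ordered rule
    table (first match wins, default deny); other EtherTypes need the layer-2 allow-list
    (ARP and LLDP by default)."""
    if f.ethertype == ETHERTYPE_PROFINET:
        return "allow"
    if f.ethertype != ETHERTYPE_IPV4:
        return "allow" if f.ethertype in l2_allowed else "deny"
    for r in rules:
        if all(want is None or want == have for want, have in (
                (r.src_ip, f.src_ip), (r.dst_ip, f.dst_ip), (r.src_port, f.src_port),
                (r.dst_port, f.dst_port), (r.proto, f.proto))):
            return r.action
    return "deny"

# Constructed sample stations, rule table and frames (not captured traffic).
MASTER, DEVICE = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
RULES = [Rule("allow", src_ip="192.168.0.10", dst_ip="192.168.0.20", dst_port=PNIO_CM_UDP_PORT, proto=17)]

def build_rt_frame(dst, src, frame_id, io_data, cycle):
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 6 << 13)             # priority 6, VLAN 0
    apdu = struct.pack("!HBB", cycle, 0x35, 0x00)                 # CycleCounter, DataStatus, TransferStatus
    return dst + src + tag + struct.pack("!HH", ETHERTYPE_PROFINET, frame_id) + io_data + apdu

def build_udp_frame(src_ip, dst_ip, sport, dport):
    ip = (bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0])       # minimal IPv4 header, proto UDP, checksum 0
          + bytes(int(x) for x in src_ip.split(".")) + bytes(int(x) for x in dst_ip.split(".")))
    return MASTER + DEVICE + struct.pack("!H", ETHERTYPE_IPV4) + ip + struct.pack("!HHHH", sport, dport, 8, 0)
```

Parsing build_rt_frame(DEVICE, MASTER, 0x8001, b"\x01\x02\x03\x04", 7) yields FrameID 0x8001, the four-byte IO data and cycle counter 7, and filter_frame passes it on; the constructed UDP frame to port 34964 is allowed by the single rule, while the same hosts on port 80, an unconfigured source address, and any EtherType outside the allow-list are denied.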
Further, the dangerous-message intelligent identification unit (10) is implemented on an embedded processor. It receives from the intelligent interaction module the correct network configuration information of the fieldbus control system, which serves as the primary decision conditions for the network communication state (for example, the messages of the legitimate master station, the legitimate slave addresses and the legitimate input/output data). From these decision conditions and other network characteristics (for example message timing and device state) it identifies dangerous messages and analyses the attacks the network may be subject to.
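The decision conditions listed above (legitimate master, legitimate slave addresses, legitimate I/O data, message timing) and the behaviour prediction from configuration described under "Content of the invention" can be demonstrated together. The following Python detector is an added example, not the patent's algorithm: it derives a whitelist and a predicted throughput from a constructed device configuration, then replays a constructed trace that contains one frame with the wrong I/O length and a one-millisecond flood from a station that is not configured. Timestamps in microseconds, the per-frame overhead constant, the 50 % tolerance and the alert texts are assumptions.

```python
# Added example, not code from the patent: a detector in the spirit of the
# dangerous-message identification unit (10) and of the behaviour-prediction
# function described under "Content of the invention". The configured topology
# (legitimate master, legitimate devices with FrameID, IO length and send cycle)
# is the decision condition; the normal throughput is predicted from it and a
# constructed trace is compared against both. Record format, overhead constant
# and thresholds are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class DeviceConfig:
    mac: str
    frame_id: int          # FrameID the device is configured to send
    io_len: int            # bytes of cyclic input data per frame
    cycle_us: int          # configured send cycle in microseconds

@dataclass(frozen=True)
class NetConfig:
    master: str
    devices: Tuple[DeviceConfig, ...]

Observation = Tuple[int, str, str, int, int]   # (timestamp_us, src_mac, dst_mac, frame_id, io_len)
RT_OVERHEAD = 14 + 4 + 2 + 4                   # Ethernet + 802.1Q tag + FrameID + APDU status (assumed)

def predict_throughput(cfg: NetConfig) -> float:
    """Device-to-master bytes per second implied by the configuration alone."""
    return sum((RT_OVERHEAD + d.io_len) * 1_000_000 / d.cycle_us for d in cfg.devices)

def detect(cfg: NetConfig, trace: List[Observation], window_us: int = 10_000, tol: float = 0.5) -> List[str]:
    """Return one alert string per anomaly; the trace must be time-ordered."""
    alerts: List[str] = []
    by_mac = {d.mac: d for d in cfg.devices}
    last_seen: Dict[str, int] = {}
    reported_unknown = set()
    limit = predict_throughput(cfg) * window_us / 1_000_000 * (1 + tol)
    win_start, win_bytes = (trace[0][0] if trace else 0), 0

    def close_window(start: int, nbytes: int) -> None:
        if nbytes > limit:
            alerts.append(f"window from {start} us: {nbytes} B observed, limit {limit:.0f} B (possible flood)")

    for ts, src, dst, fid, io_len in trace:
        # throughput per window against the prediction (every frame counts, legitimate or not)
        if ts - win_start >= window_us:
            close_window(win_start, win_bytes)
            win_start, win_bytes = ts, 0
        win_bytes += RT_OVERHEAD + io_len
        # whitelist: only the configured master and devices may speak on the bus
        if src != cfg.master and src not in by_mac:
            if src not in reported_unknown:              # report once per station, not per frame
                reported_unknown.add(src)
                alerts.append(f"{ts} us unknown station {src} (FrameID {fid:#06x} to {dst})")
            continue
        if src == cfg.master:
            continue                                      # master output frames are not modelled here
        d = by_mac[src]
        # protocol conformance: the device must send its configured FrameID and IO length
        if fid != d.frame_id:
            alerts.append(f"{ts} us {src} FrameID {fid:#06x}, configured {d.frame_id:#06x}")
        if io_len != d.io_len:
            alerts.append(f"{ts} us {src} IO length {io_len}, configured {d.io_len}")
        # timing: the interval since the device's previous frame must stay near its cycle
        if src in last_seen:
            dt = ts - last_seen[src]
            if abs(dt - d.cycle_us) > tol * d.cycle_us:
                alerts.append(f"{ts} us {src} interval {dt / 1e3:.3f} ms, configured {d.cycle_us / 1e3:.3f} ms")
        last_seen[src] = ts
    close_window(win_start, win_bytes)                    # flush the last, possibly partial, window
    return alerts

# Constructed configuration and trace (not captured traffic).
MASTER = "00:11:22:33:44:55"
DEV_A = DeviceConfig("66:77:88:99:aa:bb", 0x8001, 4, 1000)
DEV_B = DeviceConfig("66:77:88:99:aa:cc", 0x8002, 8, 1000)
ROGUE = "de:ad:be:ef:00:01"
CONFIG = NetConfig(MASTER, (DEV_A, DEV_B))

def build_trace() -> List[Observation]:
    trace: List[Observation] = []
    for i in range(31):                                   # 30 ms of normal 1 ms cyclic traffic
        t = i * 1000
        trace.append((t, DEV_A.mac, MASTER, 0x8001, 16 if i == 15 else 4))   # frame 15: wrong IO length
        trace.append((t + 300, DEV_B.mac, MASTER, 0x8002, 8))
    for k in range(40):                                   # 1 ms flood from a station absent from the configuration
        trace.append((20_000 + k * 25, ROGUE, MASTER, 0x8001, 4))
    return sorted(trace)
```

Running detect(CONFIG, build_trace()) yields exactly three alerts: one for the unknown station (reported once per MAC rather than per frame, so a flood does not drown the log), one for the mismatched I/O length, and one for the 10 ms window whose byte count exceeds the throughput predicted from the configuration. A device that sends its cyclic frame far from its configured cycle, or with a FrameID other than the configured one, is reported in the same way.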
Further, the critical-data pre-storage unit (11) is implemented on an embedded processor. For the key messages transmitted in the PROFINET control network, such as application-relation establishment, parameterisation and configuration information, it adds a security audit so as to further guarantee the reliability and security of the network's key messages, and it realises safe re-download and installation to an out-of-control host.
Further, the key-message additional audit unit (12) is implemented on an embedded processor. For the key messages transmitted in the PROFINET control network, such as application-relation establishment, parameterisation and configuration information, it adds a security audit so as to further guarantee the reliability and security of the network's key messages.
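Units (11) and (12) both centre on a pre-stored baseline of key messages against which later application-relation setup, parameterisation and configuration messages are audited, and which also serves the safe re-download described under "Content of the invention". The following Python class is an added example, not the patent's implementation, of that idea: it fingerprints each record with SHA-256 over a canonical JSON form, writes every deviation to an audit log, lets only a change that arrives through the configuring HMI move the baseline, and hands back the known-good records for a device on demand. The record fields, the JSON representation and the HMI-authorisation flag are assumptions.

```python
# Added example, not code from the patent: a pre-storage and audit model for
# the key messages units (11) and (12) protect (application-relation setup,
# parameterisation and configuration records) and for the safe re-download
# mentioned under "Content of the invention". The record layout, the SHA-256
# fingerprint and the HMI-authorised change path are assumptions.
import copy
import hashlib
import json
from typing import Dict, List, Tuple

def fingerprint(record: dict) -> str:
    """Digest of the canonical JSON form, so key order cannot disguise a change."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

class KeyMessageStore:
    def __init__(self) -> None:
        self._baseline: Dict[Tuple[str, str], dict] = {}   # (device, kind) -> known-good record
        self.audit_log: List[str] = []

    def prestore(self, device: str, kind: str, record: dict) -> None:
        """Commissioning-time snapshot from the HMI: the baseline later messages are checked against."""
        self._baseline[(device, kind)] = copy.deepcopy(record)
        self.audit_log.append(f"PRESTORE {device}/{kind} {fingerprint(record)[:16]}")

    def audit(self, device: str, kind: str, record: dict, from_hmi: bool = False) -> str:
        """Check a key message seen on the bus. Returns 'ok', 'changed', 'accepted' or 'unknown';
        only a change that arrives through the configuring HMI may move the baseline."""
        base = self._baseline.get((device, kind))
        if base is None:
            self.audit_log.append(f"ALARM {device}/{kind} key message with no pre-stored baseline")
            return "unknown"
        if fingerprint(record) == fingerprint(base):
            self.audit_log.append(f"OK {device}/{kind}")
            return "ok"
        diff = {k: (base.get(k), record.get(k))
                for k in sorted(set(base) | set(record)) if base.get(k) != record.get(k)}
        if from_hmi:
            self._baseline[(device, kind)] = copy.deepcopy(record)
            self.audit_log.append(f"CHANGE {device}/{kind} accepted from HMI: {diff}")
            return "accepted"
        self.audit_log.append(f"ALARM {device}/{kind} differs from baseline: {diff}")
        return "changed"

    def redownload(self, device: str) -> Dict[str, dict]:
        """Known-good records for one device: the payload for safely re-downloading a faulted host."""
        return {kind: copy.deepcopy(rec) for (dev, kind), rec in self._baseline.items() if dev == device}

# Constructed sample records (field names are illustrative, not PROFINET wire format).
AR_SETUP = {"ar_uuid": "00000000-0000-0000-0000-000000000001", "controller_ip": "192.168.0.10", "cycle_ms": 1}
PARAM_SLOT1 = {"slot": 1, "module_id": 0x1234, "params": {"filter_ms": 10, "range": "4-20mA"}}

if __name__ == "__main__":
    store = KeyMessageStore()
    store.prestore("dev-a", "ar", AR_SETUP)
    store.prestore("dev-a", "param", PARAM_SLOT1)
    print(store.audit("dev-a", "ar", AR_SETUP))                          # ok
    print(store.audit("dev-a", "ar", dict(AR_SETUP, cycle_ms=0.25)))     # changed, ALARM line in audit_log
    print(sorted(store.redownload("dev-a")))
```

Auditing the stored record returns 'ok'; the same record with cycle_ms altered returns 'changed' and writes an ALARM line, unless it is submitted with from_hmi=True, in which case it becomes the new baseline and is what redownload later hands back.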
Further, the user-data encryption unit (13) is implemented in FPGA hardware. Encrypted transmission of PROFINET user data is configurable; it avoids plaintext transmission of important process data on the network, preventing project-data leakage and malicious virus attacks.
Fig. 2 shows the composition of the security isolation system of the invention. The system comprises: a backbone-network-side PHY chip (1), a backbone-network-side MAC chip (2), an FPGA (3), a branch-network-side MAC chip (4), a branch-network-side PHY chip (5), a NOR FLASH (6), a processor (7), an HMI configuration PHY chip (8) and a bypass direct-connection module (9). The backbone-network-side PHY chip (1), backbone-network-side MAC chip (2), FPGA (3), branch-network-side MAC chip (4) and branch-network-side PHY chip (5) form a communication path from the industrial Ethernet backbone network to the branch network, along which the module receives and forwards correctly configured industrial Ethernet messages. Because of the real-time requirements, reception of industrial Ethernet data messages, security audit and filtering, critical-data storage and data transmission are mainly realised in the FPGA, and the NOR FLASH (6) provides non-volatile storage for the FPGA program. The processor (7) realises the host-computer software configuration function and part of the non-real-time message analysis; the processor (7) exchanges data with the FPGA (3) and the HMI configuration PHY chip (8) through a dual-port RAM implemented inside the FPGA (3). The bypass direct-connection module (9) switches the module into direct-connection mode when it is unconfigured or fails, so that normal communication on the industrial Ethernet is not affected.
The above describes a preferred embodiment of the system of the invention, but the invention is not limited to the described embodiment; those of ordinary skill in the art may make equivalent variations or replacements without departing from the spirit of the invention, and all such equivalent variations or replacements fall within the scope defined by the claims of this application.

Claims (9)

1. A security isolation system applied to the PROFINET industrial Ethernet, comprising an industrial Ethernet security isolation device HMI module and an industrial Ethernet security isolation device hardware module, wherein the industrial Ethernet security isolation HMI module comprises an HMI interface (1), a configuration unit (2), a status query unit (3), a logging unit (4), an alarm unit (5) and a security isolation HMI intelligent communication unit (6); and the industrial Ethernet security isolation device hardware module comprises a security isolation intelligent interaction unit (7), an industrial Ethernet firewall (8), an industrial Ethernet deep analysis unit (9), a dangerous-message intelligent identification unit (10), a critical-data pre-storage unit (11), a key-message additional audit unit (12) and a user-data encryption unit (13).
2. The security isolation system according to claim 1, characterised in that the configuration unit (2), the status query unit (3), the logging unit (4) and the alarm unit (5) work independently of one another and all share data in the background with the security isolation HMI intelligent communication unit (6), and the security isolation HMI intelligent communication unit (6) realises communication between the industrial Ethernet security isolation device HMI module and the industrial Ethernet security isolation device hardware module over Ethernet.
3. The security isolation system according to claim 2, wherein the security isolation intelligent interaction unit (7) is implemented on an embedded processor, accepts functional configuration of the security isolation system, designs the recognition algorithm for dangerous messages by an expert-system model, issues hazard-identification records and alarm logs, and communicates over Ethernet.
4. The security isolation system according to claim 3, characterised in that the industrial Ethernet firewall (8) is implemented in FPGA, acts on the network layer and transport layer of the industrial Ethernet, protects the industrial control network from intrusion by unauthorized users through configurable service-access rules, filters non-PROFINET protocol messages and, when required, isolates the control network from the upper-layer network; and the industrial Ethernet firewall (8) filters network-layer packets on the attributes source IP address, source port number, destination IP address, destination port number and service type.
5. The security isolation system according to claim 4, characterised in that the industrial Ethernet deep analysis unit (9) is implemented in FPGA, acquires data from the devices on the PROFINET bus in real time, and parses messages at each communication layer according to the message structure.
6. The security isolation system according to claim 5, characterised in that the dangerous-message intelligent identification unit (10) is implemented on an embedded processor, receives from the intelligent interaction module the correct network configuration information of the fieldbus control system as the primary decision conditions for the network communication state, and, from those decision conditions and other network characteristics, identifies dangerous messages and analyses the attacks the network may be subject to.
7. The security isolation system according to claim 6, characterised in that the critical-data pre-storage unit (11) is implemented on an embedded processor and, for the key messages transmitted in the PROFINET control network, such as application-relation establishment, parameterisation and configuration information, adds a security audit so as to further guarantee the reliability and security of the network's key messages, and realises safe re-download and installation to an out-of-control host.
8. The security isolation system according to claim 7, characterised in that the key-message additional audit unit (12) is implemented on an embedded processor and adds a security audit for the key messages transmitted in the PROFINET control network so as to further guarantee the reliability and security of the network's key messages.
9. The security isolation system according to claim 8, characterised in that the user-data encryption unit (13) is implemented in FPGA hardware, performs encrypted transmission and configuration of PROFINET user data, avoids plaintext transmission of important process data on the network, and prevents project-data leakage and malicious virus attacks.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510114276.7A CN106161330A (en) 2015-03-16 2015-03-16 A kind of security isolation system being applied to PROFINET EPA


Publications (1)

Publication Number Publication Date
CN106161330A true CN106161330A (en) 2016-11-23

Family

ID=58064109

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510114276.7A Pending CN106161330A (en) 2015-03-16 2015-03-16 A kind of security isolation system being applied to PROFINET EPA

Country Status (1)

Country Link
CN (1) CN106161330A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984170A (en) * 2012-12-11 2013-03-20 清华大学 System and method for safe filtering of industrial control network
CN103036886A (en) * 2012-12-19 2013-04-10 珠海市鸿瑞软件技术有限公司 Industrial controlling network safety protecting method
CN202975775U (en) * 2012-12-23 2013-06-05 珠海市鸿瑞软件技术有限公司 Security management platform
CN103491108A (en) * 2013-10-15 2014-01-01 浙江中控研究院有限公司 Method and system for security protection of industrial control network


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107786404A (en) * 2017-09-20 2018-03-09 北京东土科技股份有限公司 The security implementation method and device of industry internet field layer wideband bus framework
CN113014385A (en) * 2021-03-25 2021-06-22 黑龙江大学 Double-port hardware network data encryption system and method
CN113014385B (en) * 2021-03-25 2023-09-01 黑龙江大学 Double-network-port hardware network data encryption system
CN114666109A (en) * 2022-03-12 2022-06-24 深圳市龙信信息技术有限公司 Novel general hardware platform for information security
CN114745454A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Boundary protection device, system, method, computer equipment and storage medium


Legal Events

Code   Title                                                             Description
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
WD01   Invention patent application deemed withdrawn after publication   Application publication date: 20161123