CN106341396A - Industrial control system with intrusion tolerance and security protection method - Google Patents
- Publication number: CN106341396A
- Application number: CN201610721494.1A
- Authority: CN (China)
- Prior art keywords: parsing switch, main control, control instruction, switch, control computer
- Legal status: Pending (the legal status is an assumption made by Google and is not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The invention provides an industrial control system with intrusion tolerance and a security protection method. The system comprises N main control computers, a parsing switch and at least one controlled device. The main control computers send control instructions to the parsing switch; the parsing switch forwards a control instruction to the controlled device only after receiving at least [(N-1)/2] identical control instructions; and the controlled device sends status data to the main control computers via the parsing switch, where N is an integer greater than or equal to 3 and [(N-1)/2] is the integer part of (N-1)/2. In the embodiments, the parsing switch compares the control instructions received from the multiple main control computers and forwards a control instruction only when at least [(N-1)/2] of them are identical. Thus malicious control instructions cannot reach the controlled device even if a main control computer is compromised, and the network security of the industrial control system is improved.
Description
Technical field
The present invention relates to the field of industrial control security, and in particular to an industrial control system with intrusion tolerance and a security protection method.
Background technology
This section introduces background that may relate to various aspects of the invention; it is believed to give the reader useful context for understanding those aspects. It should therefore be understood that the statements in this section serve that purpose only and do not constitute an admission of prior art.
An industrial control system is a complex and mature kind of system. A simple industrial control system consists of one master control unit and one or more PLC controllers; a more complex one is a centralized computer control system (CCS); still more complex are the distributed control system (DCS) and the computer-based supervisory control and data acquisition system (SCADA). All of these are typical industrial control systems, and the form an industrial control system takes varies from industry to industry.
Computer control technology is the foundation of industrial control systems. As early as the mid-to-late 1950s, computers were being applied in control systems. In the early 1960s, control systems appeared in which the computer completely replaced analog control, known as direct digital control (DDC); these later developed into the programmable logic controller (PLC). In the mid-1970s, with the appearance of the microprocessor, computer control systems entered a new period of rapid development: microprocessor-based distributed computer control systems emerged, in which several microprocessors share control in a decentralized way while centralized management is achieved over a data communication network. These are called distributed control systems (DCS).
After the 1990s, the rapid development of computer networking technology drove DCS further, improving the reliability and maintainability of the system. DCS still holds the leading position in industrial control today, but it is not open, its wiring is complex and costly, and integrating products from different manufacturers is very difficult.
From the late 1980s, the development of large-scale integrated circuits made field devices such as sensors, actuators and drives intelligent, and people sought to connect field devices that share a unified communication protocol and communication interface over a single communication cable. At the field level the signal transmitted is no longer an I/O signal (4~20 mA / 24 VDC) but a digital signal; this is the fieldbus. Because it solves the reliability and openness problems of networked control systems, fieldbus technology has gradually become the development trend of computer control systems. Since then, the developed industrial countries and multinational industrial companies have all rushed to release their own fieldbus standards and related products.
With the development of control systems and monitoring systems, computer-based production process control and dispatch automation systems were developed, referred to as supervisory control and data acquisition (SCADA). SCADA systems are widely applied in power systems, and the technology is very mature. As the most important subsystem of an energy management system (EMS), it offers advantages such as complete information, improved efficiency, an accurate grasp of system operating state, faster decision-making and help in quickly diagnosing system fault conditions, and it has become an indispensable tool for power dispatching. It plays an irreplaceable role in improving the reliability, safety and economic benefit of grid operation, relieving dispatchers, realizing the automation and modernization of power dispatching, and raising the efficiency and level of dispatching.
The original design goal of industrial control systems was the automation of industrial production processes, with high stability and high reliability as the core indicators. The communication time between a controller and a controlled unit is strictly constrained, and a control response must sometimes be made within a very short time; this is also the main reason automatic control outperforms manual control. A monitoring system is also needed to analyze the state of the control system. A complete industrial control system therefore includes a production control system, a production monitoring system and an information management system.
Early on, this monitoring system was only a monitoring system with no control function: the industrial production network was required to be physically separated from all information networks, and data flowed one way from the production network to the monitoring network, so the role of the monitoring system was merely to supervise. As the automation of production and monitoring processes improved, the results of monitoring data analysis needed to be fed back directly to the production system so that it could make reasonable adjustments, which requires two-way communication between the two systems. With the close combination of network technology and industrial control systems, and the emergence of the Industry 4.0 concept, the industrial control system, the monitoring system and the information processing system can no longer be physically isolated; because information must be exchanged between them, only logical isolation is possible. Moreover, many industrial control systems also need Internet access; in a large distributed SCADA system in particular, the subsystems are connected over the Internet (LAN). The era in which industrial control systems were completely detached from the Internet is therefore gradually stepping down from the stage of history.
However, the design goals of industrial control systems are stability and reliability; the risks brought by information security problems were not considered. In recent years the harm caused to industrial control systems by information security problems has become increasingly prominent, and the industrial control system security incidents typified by the Stuxnet virus's sabotage of the Iranian nuclear power station have received great attention from governments and enterprises. The traditional physical isolation approach no longer meets the needs of intelligent industrial development in the new era, so security protection methods targeted specifically at industrial control systems need to be designed.
However, a feature that distinguishes industrial control systems from conventional systems is that a system may run uninterrupted for several years or even more than ten years, and during that time the intrusion protection of the host computer system (hereinafter the main control computer) is difficult to update. Computer worms that ordinary computers can defend against may therefore cause fatal harm to an industrial control system. Information security protection for industrial control systems is thus not easy; in particular, protective measures cannot be applied in time to newly discovered vulnerabilities and viruses.
An existing industrial control system (as shown in Figure 1) comprises a main control computer and a controlled device; the main control computer sends control instructions to the controlled device, and the controlled device reports status data to the main control computer. For reliability, an industrial control system usually has a standby main control computer (as shown in Figure 2): after the main control computer in use suffers a virus attack, the standby main control computer can be started immediately to reduce the harm caused by the intrusion. Once this happens, the infected main control computer is updated right away while the system is temporarily taken over by the standby. If an intruder attacks the main control computer, then according to security doctrine the system naturally switches to the standby control computer when the main control computer cannot work normally. But if the intruder shows no intention of destroying the main control computer and instead uses it to control the controlled device, causing the controlled device to malfunction or even be damaged, this may not be easy to discover from the main control computer alone. The Stuxnet virus used exactly this kind of sabotage, and thereby escaped the eyes of the supervisors.
Content of the invention
Embodiments of the present invention provide an industrial control system with intrusion tolerance and a security protection method, to solve the problem of how to ensure that malicious control instructions cannot be sent to the controlled device after a main control computer has been intruded.
Embodiments of the present invention provide an industrial control system with intrusion tolerance, comprising:
N main control computers, a parsing switch and at least one controlled device;
the main control computers are used to send control instructions to the parsing switch;
the parsing switch is used to send the control instruction to the controlled device after receiving at least [(N-1)/2] identical control instructions;
the controlled device is used to report status data to the main control computers through the parsing switch;
where N is an integer greater than or equal to 3, and [(N-1)/2] is the integer part of (N-1)/2.
Optionally, the parsing switch and the controlled device are the same physical device.
Embodiments of the present invention provide a security protection method based on the above industrial control system, comprising:
the parsing switch receives the control instructions sent by each of the N main control computers within a preset time;
the parsing switch compares the received control instructions and, if it has received at least [(N-1)/2] identical control instructions, sends that identical control instruction to the controlled device.
Optionally, the method further includes:
if the number of identical control instructions received by the parsing switch is less than [(N-1)/2], the parsing switch issues a warning message.
Optionally, before the parsing switch compares the received control instructions, the method further includes:
the parsing switch performs identity authentication and data integrity verification on the received control instructions;
correspondingly, the parsing switch comparing the received control instructions includes:
the parsing switch compares the control instructions that have passed identity authentication and data integrity verification.
Optionally, before the parsing switch compares the received control instructions, the method further includes:
the parsing switch performs message freshness verification on the received control instructions, verifying whether the control instruction has exceeded its validity period;
correspondingly, the parsing switch comparing the received control instructions includes:
the parsing switch compares the control instructions that have passed identity authentication, data integrity verification and message freshness verification.
Optionally, the method further includes:
the parsing switch sends the same random number to each main control computer;
correspondingly, the parsing switch receiving the control instructions sent by each of the N main control computers within the preset time includes:
the parsing switch receives the control instructions carrying that random number, sent by each of the N main control computers within the preset time.
Optionally, the method further includes:
the parsing switch verifies whether the random number carried in the control instruction sent by each main control computer is identical to the random number it sent out itself.
Optionally, the method further includes:
each main control computer sets the same random number;
correspondingly, the parsing switch receiving the control instructions sent by each of the N main control computers within the preset time includes:
the parsing switch receives the control instructions carrying that random number, sent by each of the N main control computers within the preset time.
In the industrial control system with intrusion tolerance and the security protection method provided by embodiments of the present invention, the parsing switch compares the control instructions received from the multiple main control computers and sends a control instruction to the controlled device only after it has received at least [(N-1)/2] identical control instructions. Thus, even after a main control computer has been intruded, malicious control instructions cannot be sent to the controlled device, and the network security of the industrial control system is improved.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of an industrial control system in the prior art;
Fig. 2 is a structural diagram of an industrial control system with a standby main control computer in the prior art;
Fig. 3 is a structural diagram of the industrial control system with intrusion tolerance of one embodiment of the present invention;
Fig. 4 is a flow diagram of the security protection method of one embodiment of the present invention.
Specific embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the embodiments of the present invention, a main control computer is a manually operated host computer with control capability, and a controlled device is a device directly controlled by the main control computer.
In the embodiments of the present invention, when a main control computer needs to send a control instruction, several main control computers must perform the same operation and send the control instruction to the parsing switch within a specified time period. Only after the parsing switch has verified the instruction is it sent to the controlled device. The simplest way for the parsing switch to verify an instruction is to check whether it has received identical instructions from at least [(N-1)/2] main control computers. A further security requirement has the parsing switch verify whether the messages from the main control computers come from a legitimate source, whether their data integrity holds, and whether their message freshness meets the conditions. A still further security requirement has the parsing switch verify whether the [(N-1)/2] control instructions carry identical data in their random-number portion; this random number may be sent from the parsing switch to the hosts, or negotiated and generated among the main control computers over another communication channel. With the method provided by the present invention, after a main control computer is intruded the intruder is unable to send malicious instructions to the controlled device. The different methods cope with different degrees of network intrusion and thus provide different degrees of intrusion tolerance.
Fig. 3 is a structural diagram of the industrial control system with intrusion tolerance of one embodiment of the present invention. As shown in Fig. 3, the industrial control system with intrusion tolerance of the embodiment comprises:
N main control computers 31, a parsing switch 32 and at least one controlled device 33;
the main control computers 31 are used to send control instructions to the parsing switch 32;
the parsing switch 32 is used to send the control instruction to the controlled device 33 after receiving at least [(N-1)/2] identical control instructions;
the controlled device 33 is used to report status data to the main control computers 31 through the parsing switch 32;
where N is an integer greater than or equal to 3, and [(N-1)/2] is the integer part of (N-1)/2.
It should be understood that, no matter how complex an industrial control system is or how complex its control process, the way an intrusion into an industrial control system causes harm is always that the intruded main control computer sends illegal instructions to the device it is responsible for (referred to here as the controlled device). In an existing industrial control system, however illegal the instruction sent by the intruder, as long as it conforms to the industrial control logic it is accepted and executed by the controlled device. Current controlled devices have no ability to distinguish whether an instruction from the host computer is legitimate, and this ability will always be limited in the future, so the attack behaviour that follows the intrusion of a main control computer cannot be prevented there.
In the industrial control system with intrusion tolerance of the embodiment of the present invention, the parsing switch compares the control instructions received from the multiple main control computers and sends a control instruction to the controlled device only after it has received at least [(N-1)/2] identical control instructions. Thus, even after a main control computer has been intruded, malicious control instructions cannot be sent to the controlled device, and the network security of the industrial control system is improved.
In practice, considering that the data-processing capability of a controlled device is generally limited and that it is not easy to modify, a parsing switch can be added between the main control computers and the controlled device to conveniently handle the instruction data coming from the different main control computers. This parsing switch is directly connected to each main control computer and at the same time directly connected to the controlled device; it should be placed at the front end of the controlled device, i.e. at the boundary between the controlled device and the network. Of course, the parsing switch and the controlled device can also be the same physical device: if the controlled device can be modified to have the functions of the parsing switch, the parsing switch need not exist as a separate physical entity.
It should be noted that, taking both the reliability and the redundancy of the industrial control system into account, the practical case is N=3. The more main control computers there are, the more secure the industrial control system is, but the redundancy of the system increases, larger overhead is needed, and delays are easily caused. The following embodiments take N=3 as an example; when the number of main control computers is some other value the scheme is similar.
Fig. 4 is a flow diagram of the security protection method of one embodiment of the present invention. As shown in Fig. 4, the security protection method of the embodiment is based on the above industrial control system with intrusion tolerance and comprises:
S41: the parsing switch receives the control instructions sent by each of the N main control computers within a preset time;
S42: the parsing switch compares the received control instructions and, if it has received at least [(N-1)/2] identical control instructions, sends that identical control instruction to the controlled device.
Take an industrial control system with 3 main control computers as an example. When the controlled device has data to report, the reported data is sent to the parsing switch, which then forwards it to the 3 main control computers. When the main control computers need to issue an instruction, the 3 main control computers each send the same instruction to the parsing switch. If the parsing switch receives only one instruction within the specified time period, it discards it; if it receives 2 identical instructions, it sends that instruction to the controlled device. If the instructions the parsing switch receives are all different, whether it received 2 or 3 of them, the data is discarded.
As an example, assume the data format of the standard communication protocol between the main control computers and the controlled device is header || payload || checksum, where header is the data header, payload is the data body and checksum is the check bits. The 3 main control computers then send the same data (header || payload || checksum) to the parsing switch through their communication ports. After the parsing switch has received 2 such data units and compared their payloads for consistency, it can send the payload to the controlled device. Of course, the data is still sent according to the standard communication protocol, so the data the parsing switch sends to the controlled device is header || payload || checksum.
In the industrial control system with intrusion tolerance and the security protection method provided by embodiments of the present invention, the parsing switch compares the control instructions received from the multiple main control computers and sends a control instruction to the controlled device only after it has received at least [(N-1)/2] identical control instructions. Thus, even after a main control computer has been intruded, malicious control instructions cannot be sent to the controlled device, and the network security of the industrial control system is improved.
In a preferred embodiment of the present invention, the method further includes:
if the number of identical control instructions received by the parsing switch is less than [(N-1)/2], the parsing switch sends a warning message.
It should be understood that when the number of identical control instructions received by the parsing switch is less than [(N-1)/2], this indicates that the industrial control system has suffered an intrusion; a warning message must be issued to remind the operators to respond to the intrusion in time and guarantee the network security of the industrial control system.
In the above embodiment, after one main control computer suffers an intrusion, the instructions it initiates to control the controlled device cannot be executed, because they cannot pass the verification of the parsing switch. However, if an intruder takes remote control over the Internet and can communicate through the communication ports of the main control computers, it can imitate 2 main control computers and initiate the same control instruction to the parsing switch, thereby achieving the purpose of illegally controlling the controlled device and making the attack succeed. The above method can therefore resist the intrusion of a single main control computer, but cannot prevent attacks carried out by remote control over the Internet.
Further, to overcome the above defect, before the parsing switch compares the received control instructions, the method further includes:
the parsing switch performs identity authentication and data integrity verification on the received control instructions;
correspondingly, the parsing switch comparing the received control instructions includes:
the parsing switch compares the control instructions that have passed identity authentication and data integrity verification.
For example, when a main control computer sends a control instruction to the parsing switch, it must protect the control instruction with cryptographic techniques, adding identity authentication and data integrity protection. When the parsing switch receives the control instructions sent by the three main control computers, it first verifies through identity authentication whether the source of the data is correct, and then verifies through data integrity protection whether the instruction data has been tampered with. If these verifications pass, it checks whether there are two identical control instructions; if so, it sends that control instruction to the controlled device; otherwise it discards the data and performs the warning operation.
Specifically, when a main control computer sends control instruction data data to the parsing switch, it first adds its own identity information id, computes the hash value h of id||data with a hash function, then computes payload = E(k, id||data||h) with the key k shared with the parsing switch, and sends header||payload||checksum to the parsing switch. The parsing switch decrypts payload with the shared key k to obtain id||data||h, verifies whether id is legal (source authenticity verification) and whether h is correct (data integrity verification); if both checks pass, data is recorded as a valid data item. When two identical valid data items data exist, data is sent to the controlled equipment. Since the standard communication protocol must still be observed, the data the parsing switch sends to the controlled equipment is header||data||checksum'. Note that checksum' here is usually different from checksum.
Suppose an attacker can remotely control the communication ports of two main control computers through the Internet, but cannot obtain the key information used to enforce the cryptographic protection and therefore cannot perform the identity authentication and data integrity operations. The attacker can nevertheless eavesdrop at the communication ports on the control instructions the main control computers send and, at any later time, send those control instructions to the parsing switch through the communication ports of two or more main control computers. Because these instructions are legitimate, they pass the parsing switch's identity authentication and data integrity verification, and the attack succeeds. This attack is called a message replay attack. In many industrial control systems the harm caused by a message replay attack is limited, but for some on/off control systems the harm of a replay attack is very serious, because an untimely switching command can cause severe problems; the on/off control of the Three Gorges sluice gates is one example.
Therefore, to prevent replay attacks, before the parsing switch compares the received control instructions, the method also includes:
the parsing switch performs message freshness verification on the received control instructions, verifying whether the control instructions have exceeded their validity time limit;
correspondingly, the parsing switch comparing the received control instructions includes:
the parsing switch compares the control instructions that have passed identity authentication, data integrity verification and message freshness verification.
For example, when a main control computer of this embodiment sends a control instruction to the parsing switch, it provides message freshness protection in addition to identity authentication and data integrity protection. When the parsing switch receives these control instructions, it verifies whether their source is correct, whether the integrity of the data is intact and whether the freshness of the data meets the requirement; only after all these checks pass does it check whether there are two identical instructions. If so, the instruction is sent to the controlled equipment; otherwise the data is discarded and a warning operation is executed.
Specifically, when a main control computer sends instruction data data to the parsing switch, it first adds its own identity information id and an updated counter t (which may be the system time, represented with a certain precision and keeping only the last few digits), computes the hash value h of id||data||t with a hash function, then computes payload = E(k, id||data||t||h) with the key k shared with the parsing switch, and sends header||payload||checksum to the parsing switch. The parsing switch decrypts payload with the shared key k to obtain id||data||t||h, verifies whether id is legal (source authenticity verification), whether h is correct (data integrity verification) and whether t lies within the permitted range (message freshness verification). If all these checks pass, data is recorded as a valid data item. When two identical valid data items data exist, data is sent to the controlled equipment. Since the standard communication protocol must still be observed, the data the parsing switch sends to the controlled equipment is header||data||checksum'. Note that checksum' here is usually different from checksum.
Further, the method also includes:
the parsing switch sends the same random number to each main control computer;
correspondingly, the parsing switch receiving, within the preset time, the control instructions sent by each of the n main control computers includes:
the parsing switch receives, within the preset time, the control instructions carrying the random number sent by each of the n main control computers.
It should be noted that this embodiment is a challenge-response mechanism: if the intruder controls the main control computers manually, the intruder may be unable to produce a successful control instruction within the short time allowed. The method mainly guards against the situation in which fewer than two main control computers are compromised, and is suited to scenarios requiring fast control.
Further, the method also includes:
the parsing switch verifies whether the random number carried in the control instruction sent by each main control computer is identical to the random number it issued.
For example, before the main control computers send an instruction, the parsing switch first generates a random number and returns it to all of the main control computers; the main control computers then add this random number to the instruction data of the instruction they send. When the parsing switch receives the control instructions, in addition to verifying source authenticity, data integrity and data freshness, it also checks whether the random number used is consistent with the random number it generated. Only when all these checks pass does it check whether two of the control instructions are identical; if so, that control instruction is sent to the controlled equipment.
Specifically, before the main control computers send instruction data data to the parsing switch, one main control computer first sends control data to the parsing switch, and the parsing switch generates a random number r and feeds it back to all of the main control computers. When a main control computer sends instruction data data to the parsing switch, it first adds its own identity information id, the random number r and an updated counter t (which may be the system time, represented with a certain precision and keeping only the last few digits), computes the hash value h of id||data||r||t with a hash function, then computes payload = E(k, id||data||r||t||h) with the key k shared with the parsing switch, and sends header||payload||checksum to the parsing switch. The parsing switch decrypts payload with the shared key k to obtain id||data||r||t||h, verifies whether id is legal (source authenticity verification), whether h is correct (data integrity verification) and whether t lies within the permitted range (message freshness verification). If all these checks pass, data is recorded as a valid data item. When two identical valid data items data||r exist, data is sent to the controlled equipment. Since the standard communication protocol must still be observed, the data the parsing switch sends to the controlled equipment is header||data||checksum'. Note that checksum' here is usually different from checksum.
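The three message layouts described above (id||data||h, then id||data||t||h, then id||data||r||t||h under the shared key k, each followed by the vote for identical instructions at the parsing switch) can be exercised end to end with the Go program below. It is an added example and not code from the patent. It assumes AES-256-GCM as the unspecified cipher E, lets the GCM authentication tag perform the data integrity check instead of carrying a separate hash field h (a hash placed inside an unauthenticated cipher is malleable under many modes), uses the GCM nonce in place of the protocol header, omits the link checksum, and uses constructed key, identity and instruction values. The switch-side checks are the same for the later variant in which the main control computers agree the random number r among themselves, since the switch only compares r with the value it expects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

type Instruction struct { // one main control computer's message; plaintext inside E_k is id(4) || r(8) || t(8) || data
	ID   uint32 // identity information id of the sending main control computer
	R    uint64 // random number r the parsing switch issued for this round
	T    uint64 // freshness counter t (seconds in this example)
	Data []byte // the control instruction itself
}

// mustGCM instantiates E as AES-256-GCM; its authentication tag takes the role of the patent's hash h.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key k is provisioned out of band; a wrong length is a configuration error
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Seal builds nonce || E_k(id || r || t || data); the nonce stands in for the header and the link checksum is omitted.
func Seal(key []byte, ins Instruction) []byte {
	aead := mustGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable OS randomness: never build a frame with a guessable nonce
	}
	plain := make([]byte, 20+len(ins.Data))
	binary.BigEndian.PutUint32(plain[0:4], ins.ID)
	binary.BigEndian.PutUint64(plain[4:12], ins.R)
	binary.BigEndian.PutUint64(plain[12:20], ins.T)
	copy(plain[20:], ins.Data)
	return append(nonce, aead.Seal(nil, nonce, plain, nil)...)
}

type ParsingSwitch struct {
	Key       []byte          // key k shared with the main control computers
	Challenge uint64          // random number r the switch sent to every main control computer
	ValidIDs  map[uint32]bool // identities the switch accepts
	Window    uint64          // validity time limit: largest accepted now - t
	Threshold int             // identical valid instructions needed to forward
}

// Open decrypts one frame at time now and runs the identity (id), integrity (tag), freshness (t) and random number (r) checks.
func (s *ParsingSwitch) Open(frame []byte, now uint64) (ins Instruction, err error) {
	aead := mustGCM(s.Key)
	ns := aead.NonceSize()
	if len(frame) < ns {
		return ins, errors.New("frame too short")
	}
	plain, err := aead.Open(nil, frame[:ns], frame[ns:], nil)
	if err != nil || len(plain) < 20 {
		return ins, errors.New("integrity check failed: wrong key, tampered or truncated frame")
	}
	ins = Instruction{ID: binary.BigEndian.Uint32(plain[0:4]), R: binary.BigEndian.Uint64(plain[4:12]),
		T: binary.BigEndian.Uint64(plain[12:20]), Data: plain[20:]}
	switch {
	case !s.ValidIDs[ins.ID]:
		return ins, errors.New("source identity check failed")
	case ins.T > now || now-ins.T > s.Window:
		return ins, errors.New("counter outside the validity window: possible replay")
	case ins.R != s.Challenge:
		return ins, errors.New("random number does not match the switch's challenge")
	}
	return ins, nil
}

// Decide forwards an instruction only when at least Threshold valid frames of the round agree on it; otherwise it warns.
func (s *ParsingSwitch) Decide(frames [][]byte, now uint64) (forward bool, data string, warning string) {
	counts := map[string]int{}
	for _, f := range frames {
		ins, err := s.Open(f, now)
		if err != nil {
			continue // discarded; a real switch would log the reason
		}
		if counts[string(ins.Data)]++; counts[string(ins.Data)] >= s.Threshold {
			return true, string(ins.Data), ""
		}
	}
	return false, "", fmt.Sprintf("fewer than %d identical valid instructions: possible intrusion", s.Threshold)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte shared key k
	sw := &ParsingSwitch{Key: key, Challenge: 0xC0FFEE, ValidIDs: map[uint32]bool{1: true, 2: true, 3: true}, Window: 5, Threshold: 2}
	var frames [][]byte // constructed round: computers 1 and 2 agree, computer 3 is assumed compromised
	for id, data := range map[uint32]string{1: "OPEN_VALVE_7", 2: "OPEN_VALVE_7", 3: "CLOSE_VALVE_7"} {
		frames = append(frames, Seal(key, Instruction{ID: id, R: sw.Challenge, T: 1000, Data: []byte(data)}))
	}
	fmt.Println(sw.Decide(frames, 1000)) // true OPEN_VALVE_7 (two honest computers agree, no warning)
}
```

A replayed frame still decrypts and carries a legal id, and is rejected only by the counter check; a frame from a compromised computer decrypts but is outvoted. Issuing a fresh Challenge for every round, as the text describes, closes the remaining window in which an eavesdropped frame could be resent with a counter that is still within Window.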
In another embodiment, the method also includes:
each main control computer is configured with the same random number;
correspondingly, the parsing switch receiving, within the preset time, the control instructions sent by each of the n main control computers includes:
the parsing switch receives, within the preset time, the control instructions carrying the random number sent by each of the n main control computers.
It should be noted that this embodiment requires another communication channel between the main control computers. This channel may be physically isolated from the network system, or be one that an attacker finds difficult to discover and use, so that the attacker cannot produce an illegal control instruction that passes the parsing switch's verification (because the random number does not match). The random number r is not requested by a main control computer and returned by the parsing switch; instead, r is negotiated between the main control computers over the other communication channel. This channel can be a verbal agreement between the operators of the main control computers, or a random number generator independent of the main control computers that their operators can see (the generated random number must not be too large, otherwise the time needed to enter the shared random number becomes long). There are of course many other methods by which the main control computers can share a random number, and even make the process of sharing it very short.
For example, in this embodiment the parsing switch does not need to feed back a random number; the main control computers select the same random number over the other communication channel, and this random number is sent to the parsing switch together with the instruction data. After the parsing switch receives these control instruction data, it verifies source authenticity, data integrity and data freshness. When all these checks pass, it checks whether there are two messages with the same random number and the same control instruction; if so, the instruction is sent to the controlled equipment.
With the embodiments of the present invention, whether a main control computer is infected by a Trojan or worm virus or is illegally controlled by a remote intruder, no harm can be done to the controlled system. The harm an intruder causes by compromising a main control computer is not enough to seriously affect the production process of the industrial control system, and may not affect the actual production process at all.
It should be noted that when the parsing switch compares whether control instructions are identical, this need not be absolute numerical identity; it can be a kind of fuzzy matching in which, according to a certain rule, two control instructions whose difference lies within an acceptable range are judged to be identical, as in fingerprint recognition.
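The fuzzy comparison just described can be made concrete for numeric setpoints. The Go function below is an added example and not part of the patent; its grouping rule (a candidate counts as agreed when at least the threshold number of setpoints, itself included, lie within a tolerance tol of it, and the lower median of that group is the value forwarded) is an assumption, since the text only says "according to a certain rule", and the setpoints are constructed. With tol set to 0 the rule degenerates to the exact comparison used elsewhere on the page.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// FuzzyDecide is the tolerance-based variant of the identical-instruction check:
// two numeric setpoints count as identical when they differ by at most tol.
// It returns the agreed setpoint and true when some candidate has at least
// threshold setpoints (itself included) within tol of it; otherwise false, which
// is the case in which the parsing switch discards the round and warns.
func FuzzyDecide(setpoints []float64, tol float64, threshold int) (float64, bool) {
	for _, c := range setpoints {
		var group []float64
		for _, x := range setpoints {
			if math.Abs(x-c) <= tol {
				group = append(group, x)
			}
		}
		if len(group) >= threshold {
			sort.Float64s(group)
			return group[(len(group)-1)/2], true // lower median of the agreeing group (assumed rule)
		}
	}
	return 0, false
}

func main() {
	// Constructed rounds from three main control computers, threshold 2, tolerance 0.5.
	fmt.Println(FuzzyDecide([]float64{70.0, 70.3, 90.0}, 0.5, 2)) // 70 true: two agree within tolerance
	fmt.Println(FuzzyDecide([]float64{70.0, 71.0, 90.0}, 0.5, 2)) // 0 false: no two agree, warn
}
```

An exact comparison would reject the first round because 70.0 and 70.3 differ; the tolerance decides how much drift between two honest main control computers is acceptable, so it should be set from the process's own accuracy and not widened to make rounds pass.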
In the industrial control system with intrusion tolerance and the security protection method provided by the embodiments of the present invention, the parsing switch compares the control instructions received from the multiple main control computers and sends a control instruction to the controlled equipment only after it has received at least the threshold number of identical control instructions. Thus, even after a main control computer has been compromised, malicious control instructions cannot be sent to the controlled equipment, which improves the network security of the industrial control system.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
In the description of the present invention a large number of specific details are set forth. It is understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description. Similarly, it should be appreciated that, in order to simplify the present disclosure and to aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the various features of the present invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all the features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
The above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (9)
1. An industrial control system with intrusion tolerance, characterised in that it includes:
n main control computers, a parsing switch and at least one piece of controlled equipment;
the main control computers are used to send control instructions to the parsing switch;
the parsing switch is used to send a control instruction to the controlled equipment after receiving at least the threshold number of identical control instructions;
the controlled equipment is used to send status data to the main control computers through the parsing switch;
wherein n is an integer greater than or equal to 3, and the threshold [symbol not reproduced in the source] is the integer part of [expression not reproduced in the source].
2. The industrial control system with intrusion tolerance according to claim 1, characterised in that the parsing switch and the controlled equipment are the same physical device.
3. A security protection method for the industrial control system according to any one of claims 1-2, characterised in that it includes:
the parsing switch receives, within a preset time, the control instructions sent by each of the n main control computers;
the parsing switch compares the received control instructions and, after receiving at least the threshold number of identical control instructions, sends that identical control instruction to the controlled equipment.
4. The security protection method according to claim 3, characterised in that the method further includes:
if the number of identical control instructions received by the parsing switch is less than the threshold, the parsing switch issues a warning message.
5. The security protection method according to claim 3, characterised in that before the parsing switch compares the received control instructions, the method further includes:
the parsing switch performs identity authentication and data integrity verification on the received control instructions;
correspondingly, the parsing switch comparing the received control instructions includes:
the parsing switch compares the control instructions that have passed identity authentication and data integrity verification.
6. The security protection method according to claim 5, characterised in that before the parsing switch compares the received control instructions, the method further includes:
the parsing switch performs message freshness verification on the received control instructions, verifying whether the control instructions have exceeded their validity time limit;
correspondingly, the parsing switch comparing the received control instructions includes:
the parsing switch compares the control instructions that have passed identity authentication, data integrity verification and message freshness verification.
7. The security protection method according to claim 3, characterised in that the method further includes:
the parsing switch sends the same random number to each main control computer;
correspondingly, the parsing switch receiving, within the preset time, the control instructions sent by each of the n main control computers includes:
the parsing switch receives, within the preset time, the control instructions carrying the random number sent by each of the n main control computers.
8. The security protection method according to claim 7, characterised in that the method further includes:
the parsing switch verifies whether the random number carried in the control instruction sent by each main control computer is identical to the random number it issued.
9. The security protection method according to claim 3, characterised in that the method further includes:
each main control computer is configured with the same random number;
correspondingly, the parsing switch receiving, within the preset time, the control instructions sent by each of the n main control computers includes:
the parsing switch receives, within the preset time, the control instructions carrying the random number sent by each of the n main control computers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610721494.1A CN106341396A (en) | 2016-08-24 | 2016-08-24 | Industrial control system with intrusion tolerance and security protection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610721494.1A CN106341396A (en) | 2016-08-24 | 2016-08-24 | Industrial control system with intrusion tolerance and security protection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106341396A true CN106341396A (en) | 2017-01-18 |
Family
ID=57824838
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610721494.1A Pending CN106341396A (en) | 2016-08-24 | 2016-08-24 | Industrial control system with intrusion tolerance and security protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106341396A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107703901A (en) * | 2017-11-21 | 2018-02-16 | 丹东华通测控有限公司 | One kind bypass industry control information security industrial control system |
CN108155996A (en) * | 2018-03-12 | 2018-06-12 | 浙江大学 | Smart home safe communication method based on family's channel |
CN108366041A (en) * | 2017-03-31 | 2018-08-03 | 北京安天网络安全技术有限公司 | Industry control Environmental security defence method and system based on service order model |
CN108449333A (en) * | 2018-03-12 | 2018-08-24 | 浙江大学 | Intelligent domestic system based on family's channel safety communications protocol |
CN108595574A (en) * | 2018-04-16 | 2018-09-28 | 上海达梦数据库有限公司 | Connection method, device, equipment and the storage medium of data-base cluster |
CN115407640A (en) * | 2022-11-01 | 2022-11-29 | 山东博硕自动化技术有限公司 | Multi-control multi-machine automatic control system and control method thereof |
CN115981274A (en) * | 2022-12-16 | 2023-04-18 | 安全邦(北京)信息技术有限公司 | Safety protection system of industrial control system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011110096A1 (en) * | 2010-03-10 | 2011-09-15 | 上海通用化工技术研究所 | Method and device for realizing trusted network connection through router or switch |
CN102799104A (en) * | 2012-07-02 | 2012-11-28 | 浙江正泰中自控制工程有限公司 | Safety control redundant system and method for fully-intelligent master control system |
CN104157058A (en) * | 2014-08-12 | 2014-11-19 | 国网浙江奉化市供电公司 | Transformer substation computer room management system |
CN105072101A (en) * | 2015-07-29 | 2015-11-18 | 中国科学院信息工程研究所 | SDN controller end system based on intrusion tolerance and safety communication method |
2016
- 2016-08-24 CN CN201610721494.1A patent/CN106341396A/en active Pending
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108366041A (en) * | 2017-03-31 | 2018-08-03 | 北京安天网络安全技术有限公司 | Industry control Environmental security defence method and system based on service order model |
CN107703901A (en) * | 2017-11-21 | 2018-02-16 | 丹东华通测控有限公司 | One kind bypass industry control information security industrial control system |
CN107703901B (en) * | 2017-11-21 | 2023-12-19 | 丹东华通测控有限公司 | Bypass industrial control information safety industrial control system |
CN108155996A (en) * | 2018-03-12 | 2018-06-12 | 浙江大学 | Smart home safe communication method based on family's channel |
CN108449333A (en) * | 2018-03-12 | 2018-08-24 | 浙江大学 | Intelligent domestic system based on family's channel safety communications protocol |
CN108155996B (en) * | 2018-03-12 | 2019-11-22 | 浙江大学 | Smart home safe communication method based on family's channel |
CN108595574A (en) * | 2018-04-16 | 2018-09-28 | 上海达梦数据库有限公司 | Connection method, device, equipment and the storage medium of data-base cluster |
CN108595574B (en) * | 2018-04-16 | 2021-11-02 | 上海达梦数据库有限公司 | Database cluster connection method, device, equipment and storage medium |
CN115407640A (en) * | 2022-11-01 | 2022-11-29 | 山东博硕自动化技术有限公司 | Multi-control multi-machine automatic control system and control method thereof |
CN115407640B (en) * | 2022-11-01 | 2023-04-25 | 山东博硕自动化技术有限公司 | Multi-control multi-machine automatic control system and control method thereof |
CN115981274A (en) * | 2022-12-16 | 2023-04-18 | 安全邦(北京)信息技术有限公司 | Safety protection system of industrial control system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106341396A (en) | Industrial control system with intrusion tolerance and security protection method | |
CN103490895B (en) | A kind of industrial control identity authentication applying the close algorithm of state and device | |
Nourian et al. | A systems theoretic approach to the security threats in cyber physical systems applied to stuxnet | |
CA2980033C (en) | Bi-directional data security for supervisor control and data acquisition networks | |
McLaughlin | CPS: Stateful policy enforcement for control system device usage | |
Garcia et al. | Detecting PLC control corruption via on-device runtime verification | |
CN104991528B (en) | DCS information security control methods and control station | |
CN104850093B (en) | Method and automated network for the security in monitoring automation network | |
CN106878257B (en) | Industrial network closed-loop control method and system with intelligent attack protection function | |
CN106462137A (en) | A system and method for securing an industrial control system | |
CN105573291B (en) | A kind of threat detection method and safety device based on key parameter fusion verification | |
CN109739203A (en) | A kind of industrial network Border Protection system | |
CN113114647A (en) | Network security risk detection method and device, electronic equipment and storage medium | |
AU2020337092A1 (en) | Systems and methods for enhancing data provenance by logging kernel-level events | |
CN106130986B (en) | A kind of wind power plant active safety defence method based on automated decision-making | |
CN110719250A (en) | Powerlink industrial control protocol anomaly detection method based on PSO-SVDD | |
CN106155027A (en) | A kind of industrial control system and safety protecting method | |
CN106326736A (en) | Data processing method and system | |
CN111553664A (en) | Method for realizing intelligent management of design and production of communication equipment based on 5G technology | |
CN105074833B (en) | The device that unauthorized for identifying the system mode to control and adjustment unit manipulates and the nuclear facilities with the device | |
EP3179323B1 (en) | Method and system for detecting a plc in a scada system that is sending false telemetry data | |
CN111901347A (en) | Dynamic identity authentication method and device under zero trust | |
US11036194B2 (en) | Validation of control command in substantially real time for industrial asset control system threat detection | |
CN106789929A (en) | A kind of industrial robot information security management method of facing cloud control platform | |
CN114844676A (en) | Network security threat emergency disposal system and method for power monitoring system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination |