CN109756483B - Safety protection method aiming at MELASEC protocol - Google Patents

Info

Publication number: CN109756483B
Application number: CN201811514480.8A
Authority: CN (China)
Prior art keywords: data, protocol, request, rule, message
Priority date / filing date: 2018-12-12
Publication dates: 2019-05-14 (CN109756483A), 2021-05-25 (CN109756483B)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109756483A (en)
Inventors: 陈玉华, 冯全宝, 王春霞
Current assignee: Hangzhou Huawei Xin'an Technology Co ltd
Original assignee: Hangzhou Huawei Xin'an Technology Co ltd

Landscapes

  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a security protection method for the MELSEC protocol. Preset rules for allowed access objects are applied as a filter, the value of the control object contained in a control operation is extracted and compared with the corresponding range of permitted control values, and the preset rules are applied through deep protocol parsing. In the embodiment, an integrity check of the MC protocol frame effectively avoids the degradation of system performance that would result from non-MC protocol packets being used to continuously initiate communication requests to a system device. By monitoring the packets of an MC protocol communication session, the invention effectively prevents illegal access by unauthorized external devices, intercepts disguised information and illegal transaction access commands, and also prevents the writing of illegal values, so as to ensure the safety of the production site.

Description

Safety protection method aiming at MELASEC protocol
Technical Field
The invention belongs to the field of data security, and particularly relates to a security protection method for the MELSEC protocol.
Background
At present, with the rapid development of the deep integration of informatization and industrialization, industrial control systems increasingly adopt standard, open communication protocols, and the security risks of those protocols are becoming more prominent. The MELSEC protocol (MC protocol), an industrial Ethernet protocol, provides an open, unified standard interface between field devices and automation applications and is widely used in the control field. With its wide use, the security problems of the MELSEC protocol (MC protocol) are receiving more and more attention.
In the prior art, security protection of the MELSEC protocol (MC protocol) does not cover illegal external devices accessing the programmable controller; when an illegal external device accesses the programmable controller, field devices may be affected and, in severe cases, the system may even crash, resulting in a production safety accident. Patent application CN105245555A discloses a security protection system for the communication protocol of a power serial server, which protects protocol data converted between Internet protocols and serial protocols: any protocol data or access request sent towards the Internet or the serial side passes the security authentication and detection of that system. The system consists of three parts: a communication protocol data parsing, restoration and formatting module, a protocol data analysis and detection system, and a communication protocol data service model security policy definition system. It overcomes the lack of a protocol-layer security protection function in existing power serial servers for the various connected power industrial control devices, and provides a protective layer for the power communication service protocol at the protocol conversion layer of the serial server software, preventing an attacker from using illegal commands and data to illegally operate and attack the connected power control devices.
Furthermore, the prior art does not deeply parse protocol data, so critical events initiated by external devices, such as write operations and resets of field devices, cannot be monitored; an illegal external device can reset a field device or write abnormal values to it, deliberately changing the device's working state so that it operates abnormally, even causing serious safety accidents.
Disclosure of Invention
The object of the present invention is to provide a security protection method for the MELSEC protocol, i.e. the MC protocol, which overcomes the above technical problems; the method comprises the following steps:
step 1, presetting MC security check rules, comprising a list of legal external access devices, a list of allowed critical-event operations, and the permitted value ranges of legal write operations;
step 1.1, setting a rule list of legal external access devices according to the actual conditions, where a single rule comprises the external access device's description, IP address and MAC address, and the IP address and port number of the accessed device;
step 1.2, setting a rule list of allowed critical-event operations according to the actual security requirements, where a single rule comprises the IP addresses of the external access device and the accessed device; the critical events comprise soft element (device) write operations, label write operations, buffer memory write operations, module control operations and file operations;
step 1.3, setting legal value range rules for the relevant write operations according to the actual conditions, where a single rule comprises the IP addresses of the external access device and the accessed device, the path of the accessed object, the write command, the subcommand and the permitted value range;
step 2, parsing the TCP/UDP packet from the external device, and determining whether it is a TCP/UDP packet and whether its source IP address belongs to an allowed external access device;
step 2.1, when the protocol type is TCP or UDP, judging whether the external device's IP address and the destination port number match a preset rule;
step 2.2, when the IP address and destination port number do not match a security rule, discarding the packet so that the external device's access request fails, and at the same time writing a log record and generating an alarm;
step 2.3, when the IP address and destination port number match a security rule, subjecting the protocol packet to further deep parsing;
step 3, subjecting packets that pass the step 2 rules to a data frame integrity and compliance check;
the data frame integrity and compliance check specifically comprises the following steps:
step 3.1, extracting the application layer data from the TCP/UDP packet;
step 3.2, parsing the data according to the frame structure defined by the MC protocol, locating the characteristic data that conforms to the MC protocol format, determining whether the packet is a 4E, 3E or 1E frame of the MC protocol, and at the same time determining whether the transmission mode is ASCII or binary;
step 3.3, when the data frame is neither a request frame nor a response frame, or the data length is wrong, discarding the packet to prevent a malformed request from having an unknown effect on the equipment, and at the same time writing a log record and generating an alarm;
step 3.4, when the data frame is compliant, subjecting the data to further deep parsing;
step 4, the security protection for the MC protocol specifically comprises the following steps:
step 4.1, subjecting the packet that passed the frame integrity check to rule filtering on at least the network number, the programmable controller number, the I/O number of the request destination module and the station number of the request destination module;
step 4.2, extracting the header information of the data frame, filtering the network number, programmable controller number, request destination module I/O number and request destination module station number against the rules, and checking whether the characteristic data in the packet matches the MC security check rules; if so, the packet is a legal request; otherwise the data is discarded and a log is recorded;
step 5, the security protection for the MC protocol specifically comprises the following steps:
step 5.1, extracting the command/subcommand of the request frame, including soft element (device) access commands, label access commands, buffer memory access commands, module control commands and file access commands, and comparing the command/subcommand with the preset critical-event security rules;
step 5.2, judging whether the command is in the allowed security rule list; if so, the request is an allowed critical-event operation; otherwise the packet is discarded, the operation request is abandoned, a log is recorded and an alarm is generated;
step 6, the security protection for the MC protocol specifically comprises the following steps:
step 6.1, judging whether the operation value corresponding to the command/subcommand in the packet lies within the preset safe value range;
step 6.2, if it does, the data request is considered valid, the packet is released and the operation is allowed; otherwise the packet is discarded and the requested operation is refused so as to avoid damaging the field equipment, and at the same time a log is recorded and an alarm is generated.
The advantages of the invention are as follows. Filtering by the preset rules for allowed access objects effectively protects the confidentiality of the control system's important data against illegal acquisition, and extracting the value of the control object contained in a control operation and comparing it with the corresponding range of permitted control values effectively protects the legality and correctness of the control operation. Through deep protocol parsing and filtering by preset rules, security protection of the MC protocol is achieved; TCP/UDP protocol filtering and external device IP address filtering effectively prevent illegal access by unauthorized external devices and ensure the security of the user network; the MC protocol frame integrity check effectively avoids the degradation of system performance that would result from non-MC protocol packets being used to continuously initiate communication requests to a system device. When an MC protocol Ethernet packet is received, the legality of several preset transport-layer tuple fields of the packet is checked; the legality of the application-layer data format is checked; the legality of the command and subcommand in the packet is checked; and the legality of the accessed data is checked. By monitoring the packets of an MC protocol communication session in this way, illegal access by unauthorized external devices is effectively prevented, disguised information and illegal transaction access commands are intercepted, and the writing of illegal values is prevented, ensuring the safety of the production site.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a schematic diagram illustrating a data frame integrity and legality compliance checking process of the method of the present invention;
FIG. 3 is a schematic flow chart of an embodiment of the method of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The method comprises the following steps:
step 1, presetting MC security check rules, comprising a list of legal external access devices, a list of allowed critical-event operations, and the permitted value ranges of legal write operations;
step 1.1, setting a rule list of legal external access devices according to the actual conditions, where a single rule comprises the external access device's description, IP address and MAC address, and the IP address and port number of the accessed device;
step 1.2, setting a rule list of allowed critical-event operations according to the actual security requirements, where a single rule comprises the IP addresses of the external access device and the accessed device; the critical events comprise soft element (device) write operations, label write operations, buffer memory write operations, module control operations and file operations;
step 1.3, setting legal value range rules for the relevant write operations according to the actual conditions, where a single rule comprises the IP addresses of the external access device and the accessed device, the path of the accessed object, the write command, the subcommand and the permitted value range;
step 2, parsing the TCP/UDP packet from the external device, and determining whether it is a TCP/UDP packet and whether its source IP address belongs to an allowed external access device;
step 2.1, when the protocol type is TCP or UDP, judging whether the external device's IP address and the destination port number match a preset rule;
step 2.2, when the IP address and destination port number do not match a security rule, discarding the packet so that the external device's access request fails, and at the same time writing a log record and generating an alarm;
step 2.3, when the IP address and destination port number match a security rule, subjecting the protocol packet to further deep parsing;
step 3, subjecting packets that pass the step 2 rules to a data frame integrity and compliance check, which specifically comprises the following steps:
step 3.1, extracting the application layer data from the TCP/UDP packet;
step 3.2, parsing the data according to the frame structure defined by the MC protocol, locating the characteristic data that conforms to the MC protocol format, determining whether the packet is a 4E, 3E or 1E frame of the MC protocol, and at the same time determining whether the transmission mode is ASCII or binary;
step 3.3, when the data frame is neither a request frame nor a response frame, or the data length is wrong, discarding the packet to prevent a malformed request from having an unknown effect on the equipment, and at the same time writing a log record and generating an alarm;
step 3.4, when the data frame is compliant, subjecting the data to further deep parsing;
step 4, the security protection for the MC protocol specifically comprises the following steps:
step 4.1, subjecting the packet that passed the frame integrity check to rule filtering on at least the network number, the programmable controller number, the I/O number of the request destination module and the station number of the request destination module;
step 4.2, extracting the header information of the data frame, filtering the network number, programmable controller number, request destination module I/O number and request destination module station number against the rules, and checking whether the characteristic data in the packet matches the MC security check rules; if so, the packet is a legal request; otherwise the data is discarded and a log is recorded;
step 5, the security protection for the MC protocol specifically comprises the following steps:
step 5.1, extracting the command/subcommand of the request frame, including soft element (device) access commands, label access commands, buffer memory access commands, module control commands and file access commands, and comparing the command/subcommand with the preset critical-event security rules;
step 5.2, judging whether the command is in the allowed security rule list; if so, the request is an allowed critical-event operation; otherwise the packet is discarded, the operation request is abandoned, a log is recorded and an alarm is generated;
step 6, the security protection for the MC protocol specifically comprises the following steps:
step 6.1, judging whether the operation value corresponding to the command/subcommand in the packet lies within the preset safe value range;
step 6.2, if it does, the data request is considered valid, the packet is released and the operation is allowed; otherwise the packet is discarded and the requested operation is refused so as to avoid damaging the field equipment, and at the same time a log is recorded and an alarm is generated.
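The six steps above, worked through in code. This is an added example and not the patent's own code or the assignee's product: it inspects MELSEC MC protocol requests in the QnA-compatible 3E binary frame format only (the 4E, 1E and ASCII variants named in step 3.2 are rejected rather than parsed). The 3E field layout, the device code 0xA8 for data register D, and the command codes 0x0401 (batch read), 0x1401 (batch write) and 0x1002 (remote STOP) are those of the public MELSEC Communication Protocol Reference Manual; the client and PLC addresses, port 5007, the routing header values, the allowed-command and value-range tables and the sample frames are all constructed for this example, and the choice to refuse a write for which no range rule exists is a design decision of the example, not something the patent specifies.

```python
"""Added example, not the patent's code: whitelist inspection of MELSEC MC
protocol 3E binary request frames following steps 2 to 6 of the method.
The 3E layout and the command/device codes are those of the public MELSEC
Communication Protocol Reference Manual; every rule table, address and
sample frame here is constructed for illustration."""
import struct
from collections import namedtuple

CMD_BATCH_READ, CMD_BATCH_WRITE, CMD_REMOTE_STOP = 0x0401, 0x1401, 0x1002
SUB_WORD = 0x0000      # subcommand: word-unit access
DEV_D = 0xA8           # device code of data register D in 3E binary frames
READ_COMMANDS = {CMD_BATCH_READ}

# Step 1.1: (client IP, PLC IP, PLC port) tuples allowed to communicate at all
ALLOWED_CLIENTS = {("192.168.1.10", "192.168.1.50", 5007)}
# Step 1.2: critical events allowed per (client, PLC): {(command, subcommand)}
ALLOWED_CRITICAL_OPS = {("192.168.1.10", "192.168.1.50"): {(CMD_BATCH_WRITE, SUB_WORD)}}
# Step 1.3: (client, PLC, device code, device number, command, subcommand) -> (lo, hi)
WRITE_RANGES = {("192.168.1.10", "192.168.1.50", DEV_D, 100, CMD_BATCH_WRITE, SUB_WORD): (0, 2000)}
# Step 4: network no., PC no., request destination module I/O no., station no.
EXPECTED_ROUTE = (0x00, 0xFF, 0x03FF, 0x00)

Verdict = namedtuple("Verdict", "allow step reason")   # step: where the decision fell
Frame3E = namedtuple("Frame3E", "network pc io station command subcommand data")

def parse_3e_request(payload: bytes) -> Frame3E:
    """Step 3: structural check of a 3E binary request.
    50 00 | net | pc | io(2 LE) | station | length(2 LE) | timer(2) | cmd(2) | sub(2) | data
    'length' counts every byte that follows it. Raises ValueError when malformed."""
    if len(payload) < 15:
        raise ValueError("frame shorter than the minimum 3E request")
    if payload[:2] == b"\xd0\x00":
        raise ValueError("3E response subheader arriving in the request direction")
    if payload[:2] != b"\x50\x00":
        raise ValueError("not a 3E binary request (4E, 1E and ASCII frames not handled here)")
    net, pc, io, station, length = struct.unpack_from("<BBHBH", payload, 2)
    if length != len(payload) - 9:
        raise ValueError(f"length field says {length} bytes, {len(payload) - 9} present")
    _timer, cmd, sub = struct.unpack_from("<HHH", payload, 9)
    return Frame3E(net, pc, io, station, cmd, sub, payload[15:])

def parse_batch_write_words(data: bytes):
    """Request data of 0x1401/0x0000: head device(3 LE) | device code | points(2 LE) | words."""
    if len(data) < 6:
        raise ValueError("batch write request data too short")
    head, dev, points = int.from_bytes(data[:3], "little"), data[3], struct.unpack_from("<H", data, 4)[0]
    if len(data) - 6 != 2 * points:
        raise ValueError(f"{points} points announced, {len(data) - 6} data bytes present")
    words = [struct.unpack_from("<h", data, 6 + 2 * i)[0] for i in range(points)]  # signed 16-bit
    return head, dev, words

def inspect(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Verdict:
    if (src_ip, dst_ip, dst_port) not in ALLOWED_CLIENTS:                     # step 2
        return Verdict(False, "2.2", f"{src_ip}->{dst_ip}:{dst_port} is not a whitelisted client")
    try:                                                                        # step 3
        fr = parse_3e_request(payload)
    except ValueError as e:
        return Verdict(False, "3.3", str(e))
    if (fr.network, fr.pc, fr.io, fr.station) != EXPECTED_ROUTE:                # step 4
        return Verdict(False, "4.2", f"unexpected routing header {(fr.network, fr.pc, fr.io, fr.station)}")
    if fr.command in READ_COMMANDS:                                             # step 5
        return Verdict(True, "5.2", "read command, no value rule applies")
    if (fr.command, fr.subcommand) not in ALLOWED_CRITICAL_OPS.get((src_ip, dst_ip), set()):
        return Verdict(False, "5.2", f"command {fr.command:#06x}/{fr.subcommand:#06x} is not an allowed critical event")
    if (fr.command, fr.subcommand) != (CMD_BATCH_WRITE, SUB_WORD):
        return Verdict(True, "5.2", "allowed critical event with no value rule")
    try:                                                                        # step 6
        head, dev, words = parse_batch_write_words(fr.data)
    except ValueError as e:
        return Verdict(False, "3.3", str(e))
    for i, w in enumerate(words):                      # word i lands on device head + i
        rng = WRITE_RANGES.get((src_ip, dst_ip, dev, head + i, fr.command, fr.subcommand))
        if rng is None:    # fail closed: a write with no range rule is refused (design choice)
            return Verdict(False, "6.2", f"no write rule for device {dev:#04x}/{head + i}")
        if not rng[0] <= w <= rng[1]:
            return Verdict(False, "6.2", f"value {w} for device {dev:#04x}/{head + i} outside {rng}")
    return Verdict(True, "6.2", "all written values within their allowed ranges")

def build_3e_request(cmd: int, sub: int, data: bytes = b"", route=EXPECTED_ROUTE, timer=0x0010) -> bytes:
    """Assemble a 3E binary request; used only to construct the sample frames."""
    body = struct.pack("<HHH", timer, cmd, sub) + data
    return b"\x50\x00" + struct.pack("<BBHBH", *route, len(body)) + body

def build_batch_write_words(head: int, dev: int, words) -> bytes:
    data = head.to_bytes(3, "little") + bytes([dev]) + struct.pack("<H", len(words))
    return build_3e_request(CMD_BATCH_WRITE, SUB_WORD, data + b"".join(struct.pack("<h", w) for w in words))

if __name__ == "__main__":
    client = ("192.168.1.10", "192.168.1.50", 5007)
    print(inspect(*client, build_batch_write_words(100, DEV_D, [1500])))   # allowed at 6.2
    print(inspect(*client, build_batch_write_words(100, DEV_D, [3000])))   # dropped at 6.2
    print(inspect(*client, build_3e_request(CMD_REMOTE_STOP, SUB_WORD)))  # dropped at 5.2
```

Two things the method itself does not spell out are worth keeping in mind when deploying a filter like this at position S302 of FIG. 3. First, a source IP or MAC address is not an identity: the step 2 whitelist keeps unknown hosts out but cannot tell a whitelisted engineering station from a host on the same segment that forges its addresses, so the command and value checks of steps 5 and 6 are what actually limit damage. Second, a 4E request carries a 2-byte serial number and 2 reserved bytes between the subheader and the network number, and the ASCII variants carry the same fields as hexadecimal text, so a complete step 3.2 needs the other three parsers; the length check here only holds for the binary 3E layout. Step 5 in the example passes read commands through, as the patent's critical-event list covers write-type operations only.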
As shown in fig. 1, the method of the present invention comprises the following steps:
S101, presetting MC protocol security rules, including legal external devices and legal access data;
S102, when an MC protocol Ethernet packet is received, checking the legality of several preset transport-layer tuple fields of the packet;
S103, checking the legality of the packet's application-layer data format; checking the legality of the command and subcommand in the packet; checking the legality of the data the packet accesses;
and S104, for operations violating the preset security rules, recording a log, raising an alarm, and discarding or otherwise handling the packet.
As shown in fig. 2, the data frame integrity and compliance check of the method of the present invention comprises the following steps:
S201, extracting the protocol application data from the TCP/UDP packet, and determining from the protocol characteristics of the MELSEC protocol, i.e. the MC protocol, whether the application data is protocol data;
S202, when the data is protocol data, further parsing the protocol header data and determining the integrity of the data and whether it is request data or response data;
S203, when the protocol data is complete, further deeply parsing the characteristic data defined by the protocol to judge whether the data violates the predefined rules;
and S204, discarding or releasing the packet according to the result of the rule comparison, and recording the event.
As shown in fig. 3, in one embodiment of the method for protecting the MC protocol, a protection device is deployed between the external access device and the user network to provide the protection function:
S301, the external access device;
S302, the protection device implementing the method;
S303, the user network to be protected.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the scope of the present disclosure should be covered within the scope of the present invention claimed in the appended claims.

Claims (4)

1. A security protection method for the MELSEC protocol, comprising the steps of:
step 1, presetting MC security check rules, comprising a list of legal external access devices, a list of allowed critical-event operations, and the permitted value ranges of legal write operations;
step 2, parsing the TCP/UDP packet from the external device, and determining whether it is a TCP/UDP packet and whether its source IP address belongs to an allowed external access device;
step 3, subjecting packets that pass the step 2 rules to a data frame integrity and compliance check;
step 4.1, subjecting the packet that passed the frame integrity check to rule filtering on at least the network number, the programmable controller number, the I/O number of the request destination module and the station number of the request destination module;
step 4.2, extracting the header information of the data frame, filtering the network number, programmable controller number, request destination module I/O number and request destination module station number against the rules, and checking whether the characteristic data in the packet matches the MC security check rules; if so, the packet is a legal request; otherwise the data is discarded and a log is recorded;
step 5.1, extracting the command/subcommand of the request frame, including soft element (device) access commands, label access commands, buffer memory access commands, module control commands and file access commands, and comparing the command/subcommand with the preset critical-event security rules;
step 5.2, judging whether the command is in the allowed security rule list; if so, the request is an allowed critical-event operation; otherwise the packet is discarded, the operation request is abandoned, a log is recorded and an alarm is generated;
step 6.1, judging whether the operation value corresponding to the command/subcommand in the packet lies within the preset safe value range;
and step 6.2, if it does, the data request is considered valid, the packet is released and the operation is allowed; otherwise the packet is discarded and the requested operation is refused so as to avoid damaging the field equipment, and at the same time a log is recorded and an alarm is generated.
2. The security protection method for the MELSEC protocol according to claim 1, characterized in that said step 1 comprises the following steps:
step 1.1, setting a rule list of legal external access devices according to the actual conditions, where a single rule comprises the external access device's description, IP address and MAC address, and the IP address and port number of the accessed device;
step 1.2, setting a rule list of allowed critical-event operations according to the actual security requirements, where a single rule comprises the IP addresses of the external access device and the accessed device; the critical events comprise soft element (device) write operations, label write operations, buffer memory write operations, module control operations and file operations;
step 1.3, setting legal value range rules for the relevant write operations according to the actual conditions, where a single rule comprises the IP addresses of the external access device and the accessed device, the path of the accessed object, the write command, the subcommand and the permitted value range.
3. The security protection method for the MELSEC protocol according to claim 1, characterized in that said step 2 comprises the following steps:
step 2.1, when the protocol type is TCP or UDP, judging whether the external device's IP address and the destination port number match a preset rule;
step 2.2, when the IP address and destination port number do not match a security rule, discarding the packet so that the external device's access request fails, and at the same time writing a log record and generating an alarm;
and step 2.3, when the IP address and destination port number match a security rule, subjecting the protocol packet to further deep parsing.
4. The security protection method for the MELSEC protocol according to claim 1, characterized in that said step 3 comprises the following steps:
step 3.1, extracting the application layer data from the TCP/UDP packet;
step 3.2, parsing the data according to the frame structure defined by the MC protocol, locating the characteristic data that conforms to the MC protocol format, determining whether the packet is a 4E, 3E or 1E frame of the MC protocol, and at the same time determining whether the transmission mode is ASCII or binary;
step 3.3, when the data frame is neither a request frame nor a response frame, or the data length is wrong, discarding the packet to prevent a malformed request from having an unknown effect on the equipment, and at the same time writing a log record and generating an alarm;
and step 3.4, when the data frame is compliant, subjecting the data to further deep parsing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811514480.8A 2018-12-12 2018-12-12 Safety protection method aiming at MELASEC protocol

Publications (2)

Publication Number Publication Date
CN109756483A (en) 2019-05-14
CN109756483B (en) 2021-05-25

Family

ID=66403704

Country Status (1)

Country Link
CN (1) CN109756483B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835793A (en) * 2020-08-05 2020-10-27 天津美腾科技股份有限公司 Communication method and device for Internet of things access, electronic equipment and storage medium
CN111935325B (en) * 2020-10-15 2021-08-24 广州汽车集团股份有限公司 OTA (over the air) upgrading method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003167606A (en) * 2001-11-30 2003-06-13 Omron Corp Programmable controller or programmable display unit and its user authentication method
CN101196854A (en) * 2006-12-07 2008-06-11 国际商业机器公司 Method and system for programmable memory device security
CN102156840A (en) * 2010-02-12 2011-08-17 三菱电机株式会社 Controller and managing device thereof
CN105847251A (en) * 2016-03-22 2016-08-10 英赛克科技(北京)有限公司 Security protection method and system for industrial control system using S7 protocol
WO2018052435A1 (en) * 2016-09-16 2018-03-22 Siemens Aktiengesellschaft Cyberattack-resilient control system design
CN108712369A (en) * 2018-03-29 2018-10-26 中国工程物理研究院计算机应用研究所 A kind of more attribute constraint access control decision system and method for industrial control network

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant