CN109976239B - Industrial control system terminal safety protection system - Google Patents


Info

Publication number
CN109976239B
CN109976239B
Authority
CN
China
Prior art keywords
industrial control
file
log
configuration
equipment
Legal status
Active
Application number
CN201910353810.8A
Other languages
Chinese (zh)
Other versions
CN109976239A (en)
Inventor
何占博
王颖
刘军
宋悦
高飞
张晛
王黎
马海慧
朱琳
郑德利
Current Assignee
Beijing Jinghang Computing Communication Research Institute
Original Assignee
Beijing Jinghang Computing Communication Research Institute
Application filed by Beijing Jinghang Computing Communication Research Institute
Priority to CN201910353810.8A
Publication of CN109976239A
Application granted
Publication of CN109976239B
Legal status: Active

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/048 Monitoring; Safety

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of industrial control system terminal safety protection, and particularly relates to an industrial control system terminal safety protection system. The industrial control system terminal safety protection system includes terminal safety protection equipment and a terminal safety centralized management system. The scheme comprehensively utilizes a series of technical means, namely strong identity authentication, dual access control, interface protection strategies, file depth analysis, security audit and equipment centralized management, to effectively block malicious behaviors such as network attacks and illegal access during the operation of industrial control system equipment, while simultaneously realizing centralized configuration and management of the terminal security protection strategies of multiple industrial control system devices of the same or different types. The advantages of the scheme are that the industrial control equipment terminal has a high level of safety protection, that centralized and unified management of many pieces of equipment is supported, and that the centralized management platform suits various application environments and industrial protocols, has good compatibility, makes equipment addition and deletion simple and protection strategy configuration flexible, and reports alarms and manages equipment efficiently.

Description

Industrial control system terminal safety protection system
Technical Field
The invention belongs to the technical field of industrial control system terminal safety protection, and particularly relates to an industrial control system terminal safety protection system.
Background
Industrial control systems are widely applied in fields that bear on national security, such as electric power, petrochemicals, transportation, municipal administration and new intelligent manufacturing. Once a security problem occurs, the impact is not only economic loss for an enterprise but also damage to national security and the public interest, so the importance of industrial control systems is self-evident. Since the Stuxnet incident in 2010, concern over the security of industrial control systems has risen to an unprecedented level worldwide, and countries are hurrying to formulate policies, standards, technologies and protection schemes, with the terminal security of industrial control systems becoming a focus of research institutions and enterprises in the industrial and information security fields. At present, the security of industrial control systems has also been raised to the level of national security strategy in China, and relevant policies and standards are gradually being formulated and implemented. Although China is still at the early stage of starting up and cultivating a market in the technical field of industrial control system terminal security protection, the field relates to national security and has huge future market potential, so research on industrial control system terminal security protection methods, system development and industrial application have become problems to be solved urgently.
At present, industrial control system terminal security protection products on domestic and foreign markets fall mainly into two types: industrial control host software, installed on an industrial control host as a software program; and interface-protection hardware, which protects interfaces such as the equipment's USB ports. These two types of product mainly have the following problems. Firstly, because the software and hardware platform environment in an industrial control network is relatively complex, systems such as CNC, PLC, DCS and SCADA depend mainly on foreign software and hardware manufacturers, and situations such as design backdoors, unsuitable interfaces or mismatched application scenarios are difficult to avoid. Secondly, industrial control systems generally adopt embedded or simplified operating systems that usually cannot receive operating system patches or run anti-virus software and information security products; lacking the security protection measures necessary for a network terminal device, they carry serious potential security hazards. Thirdly, network attacks can easily obtain super-user authority by exploiting vulnerabilities that the industrial control system exposes to the network, and then arbitrarily damage the system or steal confidential data. Fourthly, industrial control system equipment does not generally adopt dual strong identity authentication for access control, so the data stored in the equipment and the various interfaces on it (serial ports, network ports, USB interfaces and the like) are at risk of illegal access by unauthorized users. Fifthly, operation and maintenance of the industrial control system depend on external operation and maintenance personnel where necessary, and technical means for supervising illegal operations by such personnel and tracing them afterwards are lacking. Sixthly, a centralized unified management platform capable of configuring and managing the security protection strategies of multiple industrial control system equipment terminals of the same or different types at the same time is lacking.
From the above analysis, the defects of current industrial control system terminal security protection are mainly as follows: the various interfaces on industrial control system equipment cannot be comprehensively monitored and protected through the combined application of dual access control, strong identity authentication, interface protection strategies, file depth analysis, security audit and equipment centralized management; network attacks, illegal access and other malicious behaviors during the operation of industrial control system equipment cannot be effectively blocked; and centralized, unified management of the security protection of multiple industrial control system equipment terminals of the same or different types cannot be realized simultaneously.
Disclosure of Invention
Technical problem to be solved
The technical problem to be solved by the invention is: in the technical field of industrial control system terminal safety protection, how to overcome the defects of the prior art and provide an industrial control system terminal safety protection system.
(II) Technical scheme
In order to solve the above technical problem, the present invention provides an industrial control system terminal safety protection system, including: terminal safety protection equipment and a terminal safety centralized management system;
the industrial control system terminal safety protection system operates in an industrial control equipment terminal safety protection system safety domain, and, apart from the protection system itself, the safety domain further comprises: a plurality of industrial firewalls, a switch, a numerical control machine tool group, a programmable logic controller group, a distributed control system group, a monitoring and data acquisition system group, a CNC-MES (computerized numerical control system-manufacturing execution system) information management system, a PLC-MES information management system, a DCS-MES information management system, a SCADA-MES information management system, four OPC (OLE for Process Control) servers/databases and four monitoring terminals, wherein the CNC-MES, PLC-MES, DCS-MES and SCADA-MES information management systems correspond respectively to the numerical control machine tool group, the programmable logic controller group, the distributed control system group and the monitoring and data acquisition system group; the four OPC servers/databases and the four monitoring terminals are likewise arranged in one-to-one correspondence with the numerical control machine tool group, the programmable logic controller group, the distributed control system group and the monitoring and data acquisition system group;
the industrial control system terminal safety protection system forms a terminal safety protection layer;
the CNC-MES information management system, the PLC-MES information management system, the DCS-MES information management system, the SCADA-MES information management system, the industrial firewall and the switch form an industrial control system layer;
the system comprises a numerical control machine tool group, a programmable logic controller group, a distributed control system group, a monitoring and data acquisition system group, four OPC servers/databases and four monitoring terminals, wherein the four OPC servers/databases and the four monitoring terminals form a manufacturing and production execution layer.
Wherein the terminal security centralized management system comprises: a strong identity authentication module, a dual access control module, an interface protection strategy module and a file depth analysis module;
the identity-strengthening authentication module is used for carrying out identity-strengthening authentication on the login operation of the user, generating an identity authentication result success message or an identity authentication result failure message and sending the identity authentication result success message or the identity authentication result failure message to the dual access control module;
the dual access control module is used for carrying out centralized configuration of the industrial control equipment according to the instructions of an administrator on receiving the identity authentication result success message, generating industrial control equipment configuration end information and sending it to the interface protection strategy module; the dual access control module is further used for comparing the access authority of a common user, generating user access control success information or user access control failure information and sending it to the interface protection strategy module;
the interface protection strategy module is used for carrying out interface protection strategy configuration on the industrial control equipment after receiving the configuration end information of the industrial control equipment, generating an xml configuration file taking the unique identifier of the industrial control equipment and the current time as names, and sending the xml configuration file to the file depth analysis module;
the file depth analysis module is used for sending the xml configuration file to the industrial control equipment for protection strategy configuration, and the industrial control equipment performs subsequent manufacturing and production execution operation according to the currently configured protection strategy.
Wherein the strong identity authentication module comprises: a hash value generating unit, a hash value comparing unit and a strong identity authentication result sending unit; the strong identity authentication module uses the cryptographic hash function SHA-256, which has strong confusion properties, as its identity authentication algorithm;
the hash value generating unit is used for calculating a hash value with a fixed length of 256 bits by means of the cryptographic hash function SHA-256 from the user instruction or the input user name and password;
the hash value comparison unit is used for comparing the consistency of the hash value generated by calculation with the corresponding hash value in the OPC server/database, if the hash values are consistent, the user is allowed to log in the terminal security centralized management system, and meanwhile, an identity authentication result success message is generated; if the hash values are not consistent, the login request is rejected, and meanwhile an identity authentication result failure message is generated;
and the identity-strengthening authentication result sending unit is used for sending the identity authentication result success message or the identity authentication result failure message to the dual access control module.
Wherein the dual access control module comprises: the device comprises a user identity judgment unit, a network segment configuration unit, an equipment configuration unit, an authority matching judgment unit and an access control result generation unit;
the user identity judging unit is used for judging the user identity under the condition of receiving the identity authentication result success message, generating a first trigger signal to the network segment configuration unit when the user identity is an administrator, and generating a second trigger signal to the permission matching judging unit when the user identity is a common user;
the network segment configuration unit is used for allowing an administrator user to log in the industrial control system terminal safety protection system after receiving the first trigger signal, and configuring the IP address and the subnet mask of the terminal safety protection device according to the instruction of the administrator user, so that the terminal safety protection device and all industrial control devices in the industrial control device terminal safety protection system safety domain are in the same network segment; the industrial control equipment comprises: the system comprises a numerical control machine tool group, a programmable logic controller group, a decentralized control system group and a monitoring and data acquisition system group;
the equipment configuration unit is used for carrying out centralized configuration on the industrial control equipment in the safety domain of the safety protection system of the industrial control equipment terminal according to the instruction of the administrator user, generating configuration end information of the industrial control equipment and sending the configuration end information to the interface protection strategy module;
the authority configuration unit is used for completing access control authority configuration between a common user and corresponding industrial control equipment according to an instruction of an administrator user and generating access control authority configuration end information;
the authority matching judgment unit is used for allowing a common user to log in the industrial control system terminal safety protection system after receiving the second trigger signal, simultaneously comparing the corresponding relation between the access control authorities of the common user and the industrial control equipment, allowing the user to log in and operate the industrial control equipment according to the access control authority if the corresponding relation of the access control authorities is matched, and refusing the user to log in and operate the industrial control equipment according to the access control authority if the corresponding relation of the access control authorities is not matched;
the access control result generation unit is used for generating user access control success information under the condition that the corresponding relation of the access control authority is matched and sending the information to the interface protection strategy module; and under the condition that the corresponding relation of the access control authority is not matched, generating user access control failure information and sending the user access control failure information to the interface protection strategy module.
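As an added example, not part of the patent text, the following Python sketch walks the login path described above: the hash value generating unit computes SHA-256 over the user name and password, the hash value comparing unit checks it against the stored digest (here a constructed in-memory dictionary standing in for the OPC server/database), and the dual access control module then either issues the administrator's first trigger signal or matches a common user's access control authority against the requested equipment. The message strings, the user and device identifiers, the credential separator and the authority table are all assumptions made for this example; the page does not specify them.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


def _digest(username: str, password: str) -> str:
    """Hash value generating unit: SHA-256 over user name and password.
    The NUL separator is an assumption; the page does not say how the two are combined."""
    return hashlib.sha256(f"{username}\x00{password}".encode("utf-8")).hexdigest()


# Constructed credential store standing in for the OPC server/database:
# user name -> stored SHA-256 digest and role. Demo passwords only.
CREDENTIAL_STORE: Dict[str, Dict[str, str]] = {
    "admin01": {"hash": _digest("admin01", "Adm1n-demo-pass"), "role": "administrator"},
    "operator7": {"hash": _digest("operator7", "Op3rator-demo-pass"), "role": "common_user"},
}

# Constructed access control authority table (configured by the administrator):
# common user -> industrial control equipment identifiers the user may operate.
ACCESS_AUTHORITY: Dict[str, Set[str]] = {
    "operator7": {"CNC-0001", "CNC-0002"},
}


def strong_identity_authentication(username: str, password: str) -> str:
    """Hash value comparing unit: returns the success or failure result message."""
    record = CREDENTIAL_STORE.get(username)
    if record is None:
        return "identity_authentication_result_failure"
    computed = _digest(username, password)
    # compare_digest keeps the running time independent of where the digests differ
    if hmac.compare_digest(computed, record["hash"]):
        return "identity_authentication_result_success"
    return "identity_authentication_result_failure"


def dual_access_control(username: str, auth_result: str, device_id: Optional[str] = None) -> str:
    """User identity judgment unit plus authority matching judgment unit.
    Only a success message from the authentication module lets the user proceed."""
    if auth_result != "identity_authentication_result_success":
        return "login_rejected"
    role = CREDENTIAL_STORE[username]["role"]
    if role == "administrator":
        # first trigger signal: administrator may configure the network segment and devices
        return "first_trigger_signal"
    # second trigger signal: common user, compare authority against the requested device
    if device_id is not None and device_id in ACCESS_AUTHORITY.get(username, set()):
        return "user_access_control_success"
    return "user_access_control_failure"


def login_and_access(username: str, password: str, device_id: Optional[str] = None) -> Tuple[str, str]:
    """Full path: authentication result message, then access control result."""
    auth = strong_identity_authentication(username, password)
    return auth, dual_access_control(username, auth, device_id)


if __name__ == "__main__":
    print(login_and_access("admin01", "Adm1n-demo-pass"))
    print(login_and_access("operator7", "Op3rator-demo-pass", "CNC-0001"))
    print(login_and_access("operator7", "Op3rator-demo-pass", "PLC-0009"))
```

Two design points a practitioner would check here: the digest comparison uses `hmac.compare_digest` so that its running time does not leak where the digests differ, and, because the page specifies a plain SHA-256 of the credentials, the stored digests can be guessed offline at hash speed if the OPC server/database is ever exposed; a salted, deliberately slow password hash (for instance `hashlib.pbkdf2_hmac`) would be the stronger choice for the stored value.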
Wherein the interface protection policy module comprises: the device comprises a serial port configuration unit, a network port configuration unit, a USB interface configuration unit, a configuration file generation unit and a configuration file sending unit;
the serial port configuration unit is used for carrying out protection strategy configuration on the serial port of the industrial control equipment;
the network port configuration unit is used for carrying out protection strategy configuration on the network port of the industrial control equipment;
the USB interface configuration unit is used for carrying out protection strategy configuration on a USB interface of the industrial control equipment;
the configuration file generating unit is used for storing the protection strategy and generating an xml configuration file with the unique identifier of the industrial control equipment and the current time as names after the protection strategy configuration of the interface is completed;
the configuration file sending unit is used for sending the xml configuration file to the file depth analysis module.
Wherein, the file depth analysis module comprises: a configuration file encryption unit and a configuration file decryption unit;
when receiving an xml configuration file sent by an interface protection strategy module, the configuration file encryption unit encrypts the xml configuration file and sends the encrypted xml configuration file to industrial control equipment which is consistent with the unique identification of the industrial control equipment in the xml configuration file by adopting a TCP (transmission control protocol);
the configuration file decryption unit is arranged on the industrial control equipment, decrypts the xml configuration file with the consistent unique identifier after receiving the xml configuration file, performs protection strategy configuration according to the decrypted configuration parameter information, and performs subsequent manufacturing and production execution operation according to the currently configured protection strategy by the industrial control equipment.
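The following Python example is added here and is not the patent's own code. It shows the configuration file round trip described above: the management side serializes the serial port, network port and USB interface strategies into an xml file named after the equipment's unique identifier and the current time, and the device side accepts the file only if the unique identifier inside it matches its own, then reads the parameters back. The page does not name the XML elements, the policy fields or the cipher used by the configuration file encryption unit, so the element names and field values here are assumptions and the encryption step is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict

Policy = Dict[str, str]


def build_config_xml(device_id: str, serial: Policy, network: Policy, usb: Policy) -> bytes:
    """Configuration file generation unit: one <protection_strategy> root carrying the
    equipment's unique identifier, with one child per interface kind.
    Element and field names are assumptions for this example."""
    root = ET.Element("protection_strategy", device_id=device_id)
    for tag, policy in (("serial_port", serial), ("network_port", network), ("usb_interface", usb)):
        node = ET.SubElement(root, tag)
        for key, value in policy.items():
            ET.SubElement(node, key).text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def config_file_name(device_id: str, now: datetime) -> str:
    """File name = unique identifier of the equipment + current time, as the page specifies."""
    return f"{device_id}_{now.strftime('%Y%m%dT%H%M%S')}.xml"


def apply_config_on_device(local_device_id: str, xml_bytes: bytes) -> Dict[str, Policy]:
    """Device side (configuration file decryption unit, minus the unspecified cipher):
    accept the file only when the identifier inside it is this device's own, then
    return the parameters grouped by interface."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "protection_strategy" or root.get("device_id") != local_device_id:
        raise ValueError("configuration file is not addressed to this device")
    return {iface.tag: {item.tag: (item.text or "") for item in iface} for iface in root}


def demo() -> Dict[str, object]:
    """Round trip on constructed values: CNC-0001 applies its file, CNC-0002 must refuse it.
    The timestamp is fixed so the file name is reproducible."""
    xml_bytes = build_config_xml(
        "CNC-0001",
        serial={"enabled": "false"},
        network={"allowed_segment": "192.168.10.0/24", "allowed_ports": "102,502"},
        usb={"mode": "read_only"},
    )
    name = config_file_name("CNC-0001", datetime(2019, 4, 29, 10, 30, 0))
    applied = apply_config_on_device("CNC-0001", xml_bytes)
    try:
        apply_config_on_device("CNC-0002", xml_bytes)
        rejected = False
    except ValueError:
        rejected = True
    return {"file_name": name, "applied": applied, "rejected_by_other_device": rejected}


if __name__ == "__main__":
    print(demo())
```

The identifier check is what stops a file generated for one device from being applied to another. Because the file arrives over a TCP connection, the device-side parser should also be hardened against entity-expansion and external-entity tricks (for example by parsing with `defusedxml` instead of the standard library module used here for brevity), and the integrity of the file should be protected by the encryption layer the page leaves unspecified.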
Wherein, the file depth analysis module further comprises: the file filtering unit and the file analyzing unit;
the file filtering unit is used for carrying out file format examination and filtering according to a white list and a black list of industrial control processing file formats when receiving industrial control processing files or other unknown files from a security domain, and sending the industrial control processing files or other unknown files to the file analyzing unit if the file formats of the industrial control processing files or other unknown files belong to the white list of the industrial control processing file formats; if the file format of the industrial control processing file or other unknown files belongs to the industrial control processing file format blacklist, discarding the file and not forwarding the file;
the file analysis unit stores analysis rules and analysis conditions which are customized by a user in advance, wherein the analysis rules and the analysis conditions are the rules and the conditions which are customized by the user and can influence the safety protection of the industrial control equipment;
the file analysis unit is used for carrying out comprehensive depth scanning analysis on the contents of the industrial control processing file or other unknown files, judging whether the contents meet the analysis rule and the analysis condition defined by a user in advance, blocking transmission and forwarding of the file if the industrial control processing file or other unknown files contain characters meeting the analysis rule and the analysis condition, and otherwise, sending the industrial control processing file or other unknown files to target industrial control equipment.
The industrial control processing file format white list comprises the NC program file formats of the industrial control equipment manufacturers Siemens, Fanuc and Heidenhain, and the txt file format;
and the industrial control processing file format blacklist comprises an exe file format.
Wherein the analysis rule adopts a regular expression; the parsing conditions include a keyword (content), a detection depth (depth), a fixed position (permanent_position), a floating position (float_position), a protocol feature (protocol_characteristics) and an attack feature (attack_characteristics).
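As an added example, not the patent's own code, the Python below implements the two stages described above: format examination against a white list and a black list of file extensions, followed by depth analysis of the file content with user-defined regular-expression rules carrying the parsing conditions named on the page (content, depth, permanent_position, float_position, protocol_characteristics, attack_characteristics). The concrete extensions, the sample NC program text and the two rules are constructed for illustration; the page only names the manufacturers, txt and exe, and does not define how the positional conditions are interpreted, so the interpretation used here (depth as a byte window from the start of the file, permanent_position as an exact start offset, float_position as the latest permitted start offset) is an assumption, as is the default-deny handling of formats on neither list.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed format lists (assumed extensions for Siemens/Fanuc/Heidenhain NC programs plus txt).
FORMAT_WHITELIST = {".nc", ".mpf", ".spf", ".h", ".txt"}
FORMAT_BLACKLIST = {".exe"}


@dataclass
class AnalysisRule:
    """One user-defined analysis rule with the parsing conditions named on the page."""
    content: str                              # regular expression to look for
    depth: int                                # bytes from the start of the file to scan
    permanent_position: Optional[int] = None  # match must start exactly at this offset
    float_position: Optional[int] = None      # match may start anywhere up to this offset
    protocol_characteristics: str = ""        # free-text annotation, not evaluated here
    attack_characteristics: str = ""          # free-text annotation, not evaluated here


def filter_by_format(file_name: str) -> str:
    """File filtering unit: 'analyse' for white-listed formats, 'discard' for black-listed.
    Formats on neither list are discarded too (default deny; an assumption, the page is silent)."""
    ext = os.path.splitext(file_name)[1].lower()
    if ext in FORMAT_BLACKLIST:
        return "discard"
    if ext in FORMAT_WHITELIST:
        return "analyse"
    return "discard"


def rule_matches(rule: AnalysisRule, data: bytes) -> bool:
    """Evaluate one rule over the first `depth` bytes of the file."""
    window = data[: rule.depth].decode("utf-8", errors="replace")
    pattern = re.compile(rule.content)
    if rule.permanent_position is not None:
        return pattern.match(window, rule.permanent_position) is not None
    if rule.float_position is not None:
        return any(m.start() <= rule.float_position for m in pattern.finditer(window))
    return pattern.search(window) is not None


def deep_analyse(file_name: str, data: bytes, rules: List[AnalysisRule]) -> str:
    """File analysis unit: 'discard' (format), 'block' (a rule matched) or 'forward'."""
    verdict = filter_by_format(file_name)
    if verdict != "analyse":
        return verdict
    for rule in rules:
        if rule_matches(rule, data):
            return "block"
    return "forward"


# Constructed rules standing in for the user's pre-customized analysis rules.
RULES = [
    AnalysisRule(content=r"\bG53\b", depth=4096,
                 attack_characteristics="machine-coordinate move disallowed by site policy (constructed)"),
    AnalysisRule(content=r"O9999", depth=64, permanent_position=2,
                 protocol_characteristics="program number reserved for service use (constructed)"),
]

# Constructed NC program samples.
SAMPLE_NC_OK = b"%\nN10 G90 G54\nN30 M30\n"
SAMPLE_NC_G53 = b"%\nN10 G90 G54\nN20 G53 G0 Z0\nN30 M30\n"
SAMPLE_NC_SERVICE = b"%\nO9999 (service program)\nM30\n"

if __name__ == "__main__":
    for name, data in (("part.nc", SAMPLE_NC_OK), ("part.nc", SAMPLE_NC_G53),
                       ("svc.nc", SAMPLE_NC_SERVICE), ("update.exe", b"MZ"), ("part.bin", SAMPLE_NC_OK)):
        print(name, deep_analyse(name, data, RULES))
```

Note that depth bounds the scan window, so a pattern that appears past `depth` bytes is not seen; a rule with a small depth is a performance knob, not a guarantee, and the white list should be applied before any content scan so that executables never reach the analysis stage at all.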
Wherein the safety protection system further comprises: a security audit module;
the safety audit module is used for receiving log alarm information reported in the manufacturing and production execution process of the industrial control equipment in the safety domain in real time;
the safety audit module is used for recording a service protection log of the terminal safety protection device, and an operation behavior log (including user identity authentication and access control) and a maintenance log aiming at the industrial control device;
the security audit module is used for generating and storing an attack information log when illegal invasion aiming at the terminal security protection equipment or equipment abnormity occurs;
the log fields of the service protection log (filter_log), the operation behavior log (operation_log), the maintenance log (maintain_log) and the attack information log (attack_log) are described as follows:
(1) the service protection log records all records of file examination and filtering by the terminal safety protection device, including: event number, time, file name, service type, transmission direction, transmission result, file type check, file format check, keyword check, source IP address and destination IP address;
(2) the operation behavior log records all the configuration management operation records of the industrial control equipment, and comprises the following steps: event number, user name, equipment identification, operation, occurrence time, hostIP, hostMac and result;
(3) the maintenance log records all maintenance records of the industrial control equipment and monitors the interactive data streams of login, logout, upgrade, downgrade and fault maintenance of the industrial control equipment, including: event number, equipment identification, starting time, ending time, maintenance personnel, data record, maintenance mode and result;
(4) the attack information log records all records of the terminal security protection device under network attack, including: event number, occurrence time, attack source IP, attack target IP, attack source Mac, attack target Mac, target port, attack object, attack type and attack event description.
(III) Advantageous effects
The invention provides an industrial control system terminal safety protection system which, in the technical field of industrial control system terminal safety protection, overcomes the defects of the prior art and improves the terminal safety protection capability and level of the industrial control system by means of modular control. The invention is suitable for various industrial control systems such as CNC, DCS, PLC, PAC, SCADA, RTU, FCS and IPC.
The scheme comprehensively utilizes a series of technical means, namely strong identity authentication, dual access control, interface protection strategies, file depth analysis, security audit and equipment centralized management, to effectively block malicious behaviors such as network attacks and illegal access during the operation of industrial control system equipment, while simultaneously realizing centralized configuration and management of the terminal security protection strategies of multiple industrial control system devices of the same or different types. The advantages of the scheme are that the industrial control equipment terminal has a high level of safety protection, that centralized and unified management of many pieces of equipment is supported, and that the centralized management platform suits various application environments and industrial protocols, has good compatibility, makes equipment addition and deletion simple and protection strategy configuration flexible, and reports alarms and manages equipment efficiently.
Specifically, compared with the prior art, the invention has the following beneficial effects:
(1) The invention comprehensively utilizes a series of technical means, namely strong identity authentication, dual access control, interface protection strategies, file depth analysis, security audit and equipment centralized management, to take over and monitor the serial ports, USB ports, network ports and other interfaces of the industrial control system comprehensively, effectively block network attacks, illegal access and other malicious behaviors during the operation of industrial control system equipment, realize comprehensive security audit and subsequent tracing through service protection logs, operation behavior logs, attack information logs and maintenance logs, and improve the protection capability and level of industrial control system equipment terminal security.
(2) The industrial control system terminal safety protection system realizes, under software program control, centralized and unified management of the configuration of the safety protection strategies of multiple industrial control system equipment terminals of the same or different types at the same time, and the platform has the advantages of suiting various application environments and industrial protocols, good compatibility, simple equipment addition and deletion, flexible protection strategy configuration, and efficient alarm reporting and equipment management.
Therefore, compared with traditional network intrusion detection and intrusion prevention equipment, the invention further improves the safety protection capability and level of industrial control system terminals, and the provided terminal safety protection system has the advantages of suiting various application environments and industrial protocols, good compatibility, simple equipment addition and deletion, flexible protection strategy configuration, efficient alarm reporting and equipment management, and simpler, more flexible and more efficient centralized protection of the safety of multiple industrial control system terminals. The invention can be widely applied to the safety protection of industrial control system terminals in fields relating to the national economy, the national defense industry and national security, in particular where the safety of industrial control system terminals needs to be protected in a centralized and unified manner.
Drawings
Fig. 1 is a schematic connection diagram of a safety protection system of an industrial control system terminal.
Fig. 2 is a module composition and data flow diagram of a safety protection system of an industrial control system terminal.
Fig. 3 is a working flow chart of the industrial control system terminal safety protection system.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
Aiming at the problems in the prior art, the invention provides a necessary protection method and system for industrial control system terminal safety: a centralized management platform for industrial control system terminal safety protection is provided, and various technical means are comprehensively applied to ensure the safe and stable operation of the industrial control system.
Specifically, as shown in fig. 1, the industrial control system terminal safety protection system includes: terminal safety protection equipment and a terminal safety centralized management system; the terminal security centralized management system is preferably carried by a management computer (PC);
the industrial control system terminal safety protection system operates in an industrial control equipment terminal safety protection system safety domain, and, apart from the protection system itself, the safety domain further comprises: a plurality of industrial firewalls, a switch, a numerical control machine tool group, a programmable logic controller group, a distributed control system group, a monitoring and data acquisition system group, a CNC-MES (computerized numerical control system-manufacturing execution system) information management system, a PLC-MES information management system, a DCS-MES information management system, a SCADA-MES information management system, four OPC (OLE for Process Control) servers/databases and four monitoring terminals, wherein the CNC-MES, PLC-MES, DCS-MES and SCADA-MES information management systems correspond respectively to the numerical control machine tool group, the programmable logic controller group, the distributed control system group and the monitoring and data acquisition system group; the four OPC servers/databases and the four monitoring terminals are likewise arranged in one-to-one correspondence with the numerical control machine tool group, the programmable logic controller group, the distributed control system group and the monitoring and data acquisition system group;
the industrial control system terminal safety protection system forms a terminal safety protection layer;
the CNC-MES information management system, the PLC-MES information management system, the DCS-MES information management system, the SCADA-MES information management system, the industrial firewall and the switch form an industrial control system layer;
the system comprises a numerical control machine tool group, a programmable logic controller group, a distributed control system group, a monitoring and data acquisition system group, four OPC servers/databases and four monitoring terminals, wherein the four OPC servers/databases and the four monitoring terminals form a manufacturing and production execution layer.
As shown in fig. 2, the terminal security centralized management system includes: a strong identity authentication module, a dual access control module, an interface protection strategy module and a file depth analysis module;
as shown in fig. 3, the strong identity authentication module is configured to perform strong identity authentication on a user's login operation, generate an identity authentication result success message or an identity authentication result failure message, and send that message to the dual access control module;
the dual access control module is used for carrying out centralized configuration of the industrial control equipment according to the instructions of an administrator once the identity authentication result success message has been received, generating industrial control equipment configuration end information and sending it to the interface protection strategy module; the dual access control module is also used for checking the access authority of a common user, generating user access control success information or user access control failure information and sending it to the interface protection strategy module;
the interface protection strategy module is used for carrying out interface protection strategy configuration on the industrial control equipment after receiving the industrial control equipment configuration end information, generating an xml configuration file named with the unique identifier of the industrial control equipment and the current time, and sending the xml configuration file to the file depth analysis module;
the file depth analysis module is used for sending the xml configuration file to the industrial control equipment for protection strategy configuration; the industrial control equipment then performs its subsequent manufacturing and production execution operations according to the currently configured protection strategy.
Wherein the strong identity authentication module comprises: a hash value generating unit, a hash value comparing unit and a strong identity authentication result sending unit; the strong identity authentication module uses the cryptographic hash function SHA-256, which has strong confusion properties, as the identity authentication algorithm;
the hash value generating unit is used for calculating a hash value with a fixed length of 256 bits with the cryptographic hash function SHA-256 from the user name and password entered by the user;
the hash value comparing unit is used for comparing the calculated hash value with the corresponding hash value stored in the OPC server/database: if the hash values are consistent, the user is allowed to log in to the terminal security centralized management system and an identity authentication result success message is generated; if the hash values are not consistent, the login request is rejected and an identity authentication result failure message is generated;
the strong identity authentication result sending unit is used for sending the identity authentication result success message or the identity authentication result failure message to the dual access control module.
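The hash-and-compare flow of the three units above, as an added example that is not the patent's code. It implements exactly what the patent specifies (SHA-256 over the entered user name and password, compared with the digest held for that user, producing a success or failure message); the input layout `username:password`, the UTF-8 encoding, the dict standing in for the OPC server/database and the credentials `user1`/`password123` (taken from the embodiment later on this page) are assumptions. The comparison is constant-time, and, because a bare unsalted SHA-256 of credentials can be brute-forced offline if the database leaks, a salted PBKDF2 variant is shown alongside as what a practitioner would deploy; that variant is an addition, not something the patent describes.

```python
"""Strong identity authentication: SHA-256 over user name and password,
compared with the digest held in the OPC server/database.

Added example, not code from the patent. The 'username:password' input
layout, UTF-8 encoding and the in-memory USER_DB standing in for the OPC
server/database are assumptions.
"""
import hashlib
import hmac
import os

HEX_LEN = 64  # a 256-bit digest rendered as hex


def compute_hash(username: str, password: str) -> str:
    """SHA-256 digest of 'username:password' (assumed layout) as 64 hex chars."""
    return hashlib.sha256(f"{username}:{password}".encode("utf-8")).hexdigest()


# Constructed stand-in for the credential table in the OPC server/database:
# user name -> (user identity, stored SHA-256 digest).
USER_DB = {
    "admin": ("administrator", compute_hash("admin", "adm1n-pass")),
    "user1": ("common user", compute_hash("user1", "password123")),
}


def authenticate(username: str, password: str, db=USER_DB) -> dict:
    """Returns the identity authentication result message that the sending
    unit forwards to the dual access control module."""
    record = db.get(username)
    calculated = compute_hash(username, password)
    # Compare against a dummy digest for unknown users so that response time
    # does not reveal whether a user name exists.
    stored = record[1] if record else "0" * HEX_LEN
    # Constant-time comparison; a plain '==' returns early at the first
    # differing character and leaks how much of the digest matched.
    if hmac.compare_digest(calculated, stored) and record is not None:
        return {"result": "success", "user": username, "identity": record[0]}
    return {"result": "failure", "user": username, "identity": None}


# --- Added hardening, not part of the patent -------------------------------
# An unsalted SHA-256 of the credentials is fast: identical passwords give
# identical digests and a leaked table can be guessed offline at very high
# rates. A password store should use a salted, deliberately slow KDF;
# PBKDF2-HMAC-SHA256 from the standard library is shown here.
PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def make_hardened_record(password: str) -> tuple:
    """Returns (salt, derived key) to store instead of a bare digest."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_hardened(password: str, salt: bytes, key: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    print(authenticate("user1", "password123"))
    print(authenticate("user1", "wrong"))
    salt, key = make_hardened_record("password123")
    print(verify_hardened("password123", salt, key), verify_hardened("wrong", salt, key))
```

`authenticate` is the patent's scheme as stated; `make_hardened_record`/`verify_hardened` is the substitution a practitioner would make when the credential table itself is a target.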
Wherein the dual access control module comprises: a user identity judgment unit, a network segment configuration unit, an equipment configuration unit, an authority configuration unit, an authority matching judgment unit and an access control result generation unit;
the user identity judging unit is used for judging the user identity under the condition of receiving the identity authentication result success message, generating a first trigger signal to the network segment configuration unit when the user identity is an administrator, and generating a second trigger signal to the permission matching judging unit when the user identity is a common user;
the network segment configuration unit is used for allowing an administrator user to log in the industrial control system terminal safety protection system after receiving the first trigger signal, and configuring the IP address and the subnet mask of the terminal safety protection device according to the instruction of the administrator user, so that the terminal safety protection device and all industrial control devices in the industrial control device terminal safety protection system safety domain are in the same network segment; the industrial control equipment comprises: the system comprises a numerical control machine tool group, a programmable logic controller group, a decentralized control system group and a monitoring and data acquisition system group;
the equipment configuration unit is used for performing centralized configuration of the industrial control equipment in the security domain of the industrial control equipment terminal safety protection system according to the instructions of an administrator user (adding, modifying or deleting, in an industrial control equipment list, the types of industrial control equipment allowed to join the security domain), and, after the adding, modifying or deleting operation is completed, generating industrial control equipment configuration end information and sending it to the interface protection strategy module;
the authority configuration unit is used for completing access control authority configuration between a common user and corresponding industrial control equipment according to an instruction of an administrator user and generating access control authority configuration end information;
the authority matching judgment unit is used for allowing a common user to log in the industrial control system terminal safety protection system after receiving the second trigger signal, simultaneously comparing the corresponding relation between the access control authorities of the common user and the industrial control equipment, allowing the user to log in and operate the industrial control equipment according to the access control authority if the corresponding relation of the access control authorities is matched, and refusing the user to log in and operate the industrial control equipment according to the access control authority if the corresponding relation of the access control authorities is not matched;
the access control result generation unit is used for generating user access control success information under the condition that the corresponding relation of the access control authority is matched and sending the information to the interface protection strategy module; and under the condition that the corresponding relation of the access control authority is not matched, generating user access control failure information and sending the user access control failure information to the interface protection strategy module.
Wherein the interface protection policy module comprises: the device comprises a serial port configuration unit, a network port configuration unit, a USB interface configuration unit, a configuration file generation unit and a configuration file sending unit;
the serial port configuration unit is used for carrying out protection strategy configuration on the serial port of the industrial control equipment;
the network port configuration unit is used for carrying out protection strategy configuration on the network port of the industrial control equipment;
the USB interface configuration unit is used for carrying out protection strategy configuration on a USB interface of the industrial control equipment;
the protection strategy configuration parameters of the serial port are: bits per second (B), data bits (D), parity (P), stop bits (S), flow control (F);
the protection strategy configuration parameters of the network port are as follows: IP address, subnet mask, MAC address, port number;
the protection strategy configuration mode of the USB interface is as follows: performing access control on a USB storage medium, setting the USB access authority to be read-only, and limiting the data transmission direction;
the configuration file generating unit is used for storing the protection strategy and generating an xml configuration file with the unique identifier of the industrial control equipment and the current time as names after the protection strategy configuration of the interface is completed;
the configuration file sending unit is used for sending the xml configuration file to the file depth analysis module.
Wherein, the file depth analysis module comprises: a configuration file encryption unit and a configuration file decryption unit;
when receiving an xml configuration file sent by an interface protection strategy module, the configuration file encryption unit encrypts the xml configuration file and sends the encrypted xml configuration file to industrial control equipment which is consistent with the unique identification of the industrial control equipment in the xml configuration file by adopting a TCP (transmission control protocol);
the configuration file decryption unit is arranged on the industrial control equipment, decrypts the xml configuration file with the consistent unique identifier after receiving the xml configuration file, performs protection strategy configuration according to the decrypted configuration parameter information, and performs subsequent manufacturing and production execution operation according to the currently configured protection strategy by the industrial control equipment.
Until it receives a configuration file with an updated timestamp, the industrial control equipment performs its subsequent manufacturing and production execution operations normally according to the current configuration strategy; when the configuration file encryption unit receives an xml configuration file with an updated timestamp, the encryption, decryption and configuration operations are performed again.
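The configuration file path described above, generation on the management side and acceptance on the device side, as an added example that is not the patent's code. The patent fixes the file name (unique device identifier plus current time), the serial/network/USB parameter sets, that a device applies only a file whose identifier matches its own, and that only a file with a newer timestamp replaces the current configuration. The XML element names, the `YYYYMMDDhhmmss` timestamp format, the rule that an equal or older timestamp is ignored, and the check that the identifier inside the file agrees with the file name are assumptions; the encryption and the TCP transfer are left out because the patent names no cipher.

```python
"""Interface protection policy file: built as <device id>_<timestamp>.xml
on the management system, then verified and applied on the device.

Added example, not code from the patent. Element names, timestamp format
and the 'not newer' rule are assumptions; encryption/TCP transport omitted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

TS_FORMAT = "%Y%m%d%H%M%S"  # fixed width, so timestamps compare correctly as strings


def build_policy_xml(device_id, timestamp, serial, network, usb):
    """Returns (file name, XML bytes) for one industrial control device."""
    root = ET.Element("protection_policy", device_id=device_id, timestamp=timestamp)
    ET.SubElement(root, "serial", {k: str(v) for k, v in serial.items()})
    ET.SubElement(root, "network", {k: str(v) for k, v in network.items()})
    ET.SubElement(root, "usb", {k: str(v) for k, v in usb.items()})
    return f"{device_id}_{timestamp}.xml", ET.tostring(root, encoding="utf-8")


class DeviceConfigurator:
    """Device-side unit, minus decryption: checks identifier and timestamp,
    then applies the parameters and remembers the applied timestamp."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.applied_timestamp = ""  # nothing configured yet; any valid stamp is newer
        self.policy = None

    def apply(self, filename, xml_bytes):
        stem = filename[:-4] if filename.endswith(".xml") else filename
        name_id, _, name_ts = stem.rpartition("_")  # timestamp never contains '_'
        if name_id != self.device_id:
            return "rejected: device identifier mismatch"
        try:
            datetime.strptime(name_ts, TS_FORMAT)
        except ValueError:
            return "rejected: malformed timestamp in file name"
        try:
            root = ET.fromstring(xml_bytes)
        except ET.ParseError:
            return "rejected: malformed xml"
        # Trust neither the name nor the body alone: both must agree.
        if root.get("device_id") != self.device_id or root.get("timestamp") != name_ts:
            return "rejected: file content does not match file name"
        if name_ts <= self.applied_timestamp:
            return "ignored: not newer than current configuration"
        self.policy = {child.tag: dict(child.attrib) for child in root}
        self.applied_timestamp = name_ts
        return "applied"


# Constructed sample for device C1. IP/mask are the embodiment's values;
# baud/data/parity/stop/flow, the MAC placeholder and port 502 are constructed.
SERIAL_C1 = {"B": 9600, "D": 8, "P": "none", "S": 1, "F": "none"}
NETWORK_C1 = {"ip": "192.168.1.200", "mask": "255.255.255.0", "mac": "MAC_C1", "port": 502}
USB_C1 = {"storage_access": "read-only", "direction": "device-to-host-only"}

if __name__ == "__main__":
    fn, xml = build_policy_xml("C1", "20240501120000", SERIAL_C1, NETWORK_C1, USB_C1)
    c1 = DeviceConfigurator("C1")
    print(fn, c1.apply(fn, xml))          # applied
    print(c1.apply(fn, xml))              # ignored: same timestamp replayed
    print(DeviceConfigurator("C2").apply(fn, xml))  # rejected: wrong device
```

The timestamp rule is what makes a replayed or re-sent old file harmless: once `C1_20240501130000.xml` is applied, re-sending `C1_20240501120000.xml` is ignored rather than rolling the device back.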
Wherein, the file depth analysis module further comprises: the file filtering unit and the file analyzing unit;
the file filtering unit is used for carrying out file format examination and filtering according to a white list and a black list of industrial control processing file formats when it receives industrial control processing files or other unknown files from outside the security domain: if the file format of the industrial control processing file or other unknown file belongs to the white list of industrial control processing file formats, the file is sent to the file analysis unit; if the file format belongs to the black list of industrial control processing file formats, the file is discarded and not forwarded;
the file analysis unit stores analysis rules and analysis conditions which are customized by a user in advance, wherein the analysis rules and the analysis conditions are the rules and the conditions which are customized by the user and can influence the safety protection of the industrial control equipment;
the file analysis unit is used for carrying out comprehensive depth scanning analysis on the contents of the industrial control processing file or other unknown files, judging whether the contents meet the analysis rule and the analysis condition defined by a user in advance, blocking transmission and forwarding of the file if the industrial control processing file or other unknown files contain characters meeting the analysis rule and the analysis condition, and otherwise, sending the industrial control processing file or other unknown files to target industrial control equipment.
The white list of industrial control processing file formats comprises the NC program file formats of the industrial control equipment manufacturers Siemens, Fanuc and Heidenhain and the txt file format; the file format types contained in the white list and the black list can be independently added, modified and deleted.
And the industrial control processing file format blacklist comprises an exe file format.
Wherein the analysis rules adopt regular expressions; the analysis conditions include a keyword (content), a detection depth (depth), a fixed position (permanent_position), a floating position (float_position), a protocol feature (protocol_characteristics) and an attack feature (attack_characteristics).
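The file filtering unit and the file analysis unit as described above, together with the service protection log record that the security audit module keeps for each decision, as an added example that is not the patent's code. It also serves steps 42) to 45) of the embodiment below, where `Fanuc_file.nc` is forwarded, `unknown_file.txt` is blocked for containing insert/create/update, and an exe file is discarded. The patent fixes the white list/black list principle, regular expressions as the rule form, the content and depth conditions and the log fields; the concrete extension sets (`.nc` for Fanuc, `.mpf`/`.spf` for Siemens, `.h` for Heidenhain), the 1000-byte depth, the fail-closed treatment of a format on neither list, the `MZ` executable-header check and all sample file contents are assumptions or additions.

```python
"""File filtering (white list / black list by format) and file analysis
(regular-expression rules over the first 'depth' bytes), emitting one
service protection log (filter_log) record per file.

Added example, not code from the patent. Extension sets, depth, rules,
the executable-header check and the sample files are constructed.
"""
import re
from datetime import datetime, timezone
from pathlib import PurePosixPath

WHITELIST = {".nc", ".mpf", ".spf", ".h", ".txt"}   # NC program formats + txt (assumed extensions)
BLACKLIST = {".exe"}
DETECTION_DEPTH = 1000                               # parsing condition 'depth', in bytes
# Parsing rules: regular expressions over content. Built from the embodiment,
# where insert/create/update inside a txt file is blocked.
RULES = [re.compile(rb"\b(insert|create|update)\b", re.IGNORECASE)]
# Added check: a Windows PE executable starts with 'MZ' whatever its extension,
# so an .exe renamed to .txt would otherwise pass the format filter.
EXECUTABLE_MAGIC = (b"MZ",)


def inspect_file(event_no, name, data, src_ip, dst_ip, direction="inbound", now=None):
    """Filter then analyse one file; returns the filter_log record with the
    fields named in the patent (event number, time, file name, service type,
    direction, result, type/format/keyword checks, source and destination IP)."""
    ext = PurePosixPath(name).suffix.lower()
    record = {
        "event_no": event_no,
        "time": now or datetime.now(timezone.utc).isoformat(),
        "file_name": name,
        "service_type": "file transfer",
        "direction": direction,
        "file_type_check": "pass",
        "file_format_check": "pass",
        "keyword_check": "not run",
        "src_ip": src_ip,
        "dst_ip": dst_ip,
    }
    if ext in BLACKLIST:
        record.update(file_format_check="blacklist", result="discarded")
        return record
    if ext not in WHITELIST:
        # Neither list: fail closed (assumption; the patent leaves this case open).
        record.update(file_format_check="unlisted", result="discarded")
        return record
    if data.startswith(EXECUTABLE_MAGIC):
        record.update(file_type_check="executable header under whitelisted extension",
                      result="discarded")
        return record
    window = data[:DETECTION_DEPTH]        # analysis condition: detection depth
    for rule in RULES:
        m = rule.search(window)
        if m:
            record.update(keyword_check=f"matched {m.group(0).decode(errors='replace')} "
                                        f"at offset {m.start()}", result="blocked")
            return record
    record.update(keyword_check="pass", result="forwarded")
    return record


# Constructed sample contents (not from the patent).
FANUC_NC = b"%\nO0001\nN10 G90 G21\nN20 G00 X0 Y0\nN30 G01 X10 Y20 F500\nM30\n%\n"
UNKNOWN_TXT = b"create table parts(id int);\ninsert into parts values (1);\n"
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
DEEP_TXT = b"x" * DETECTION_DEPTH + b" insert into parts values (2);\n"

if __name__ == "__main__":
    for i, (n, d) in enumerate([("Fanuc_file.nc", FANUC_NC), ("unknown_file.txt", UNKNOWN_TXT),
                                ("dropper.exe", RENAMED_EXE), ("renamed.txt", RENAMED_EXE),
                                ("deep.txt", DEEP_TXT)], start=1):
        r = inspect_file(i, n, d, "10.0.0.5", "192.168.1.200")
        print(r["file_name"], r["result"], r["file_type_check"], r["keyword_check"])
```

`DEEP_TXT` shows the limit of the depth condition as the patent defines it: a keyword placed after byte 1000 is not scanned and the file is forwarded, so the depth should be sized to the largest file that can legitimately reach the equipment, or set to the file length as the embodiment does for the position conditions.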
Wherein the safety protection system further comprises: a security audit module;
the safety audit module is used for receiving log alarm information reported in the manufacturing and production execution process of the industrial control equipment in the safety domain in real time;
the safety audit module is used for recording a service protection log of the terminal safety protection device, and an operation behavior log (including user identity authentication and access control) and a maintenance log aiming at the industrial control device;
the security audit module is used for generating and storing an attack information log when illegal invasion aiming at the terminal security protection equipment or equipment abnormity occurs;
The log fields of the service protection log (filter_log), the operation behavior log (operation_log), the maintenance log (maintain_log) and the attack information log (attack_log) are as follows:
(1) the service protection log records all records of file examination and filtering by the terminal safety protection device, including: event number, time, file name, service type, transmission direction, transmission result, file type check, file format check, keyword check, source IP address and destination IP address;
(2) the operation behavior log records all the configuration management operation records of the industrial control equipment, and comprises the following steps: event number, user name, equipment identification, operation, occurrence time, hostIP, hostMac and result;
(3) the maintenance log records all maintenance records of the industrial control equipment and monitors the interactive data streams of login, logout, upgrade, downgrade and fault maintenance of the industrial control equipment, and comprises: event number, equipment identification, start time, end time, maintenance personnel, data record, maintenance mode and result;
(4) the attack information log records all records of the terminal security protection device under network attack, including: event number, occurrence time, attack source IP, attack target IP, attack source Mac, attack target Mac, target port, attack object, attack type and attack event description.
In addition, the safety protection system further comprises: a device centralized management module;
the equipment centralized management module provided by the invention has the following functions besides the addition and deletion of industrial control equipment and the configuration of protection strategies on the terminal safety protection equipment centralized management platform:
(1) the administrator authority classification function, the device centralized management module sets the administrator authority level and the authority items.
(2) The user authority classification function is realized, and users with all levels of authority can only execute the operation in the authority;
(3) role management: following the principle of separation of three powers, three default roles are provided, a system administrator, a security secrecy officer and a security auditor; the three default roles of the invention have the following permissions:
1) the system administrator has the authority to create users, edit user information, and configure the IP address and subnet mask of the terminal safety protection device and the industrial control equipment list;
2) the security secrecy officer has the authority to create roles, configure the authority of roles, assign roles to users, and view the operation logs of the system administrator and the security auditor;
3) the security auditor has the authority to view the operation logs of the security secrecy officer and of all common users.
Example 1
The method and the system for protecting the industrial control system terminal comprehensively utilize a series of technical means of identity-strengthening identification, dual access control, interface protection strategies, file depth analysis, security audit and equipment centralized management, and are more suitable for centralized and unified protection of multiple industrial control system equipment terminal security strategies of the same type or different types.
The protection of industrial control system terminals by the method and the system of the invention is described in detail below with reference to a specific embodiment; the method can be extended in the same way to wider industrial control system terminal safety protection applications.
Firstly, the security domain of the industrial control equipment terminal safety protection system is built. It consists of the industrial control system terminal safety protection system HT-304, a management machine PC1, an industrial firewall FW1, a switch IC1, CNC numerical control machine tools C1 and C2, PLC programmable logic controllers P1 and P2, a DCS distributed control system D1, a SCADA monitoring and data acquisition system S1, the corresponding information management systems CNC-MES1, CNC-MES2, PLC-MES1, PLC-MES2, DCS-MES1 and SCADA-MES1, the corresponding OPC servers/databases OPC-C1, OPC-C2, OPC-P1, OPC-P2, OPC-D1 and OPC-S1, and the corresponding monitoring terminals. The industrial control system terminal safety protection system HT-304 forms the terminal safety protection layer; the CNC-MES1, CNC-MES2, PLC-MES1, PLC-MES2, DCS-MES1 and SCADA-MES1 information management systems, the industrial firewall FW1 and the switch IC1 form the industrial control system layer; the numerical control machine tools C1 and C2, the programmable logic controllers P1 and P2, the distributed control system D1, the monitoring and data acquisition system S1, the OPC-C1, OPC-C2, OPC-P1, OPC-P2, OPC-D1 and OPC-S1 servers/databases and the monitoring terminals form the manufacturing and production execution layer.
The invention relates to a safety protection system for an industrial control system terminal, which comprises the following components: the system comprises a strong identity authentication module, a dual access control module, an interface protection strategy module, a file depth analysis module, a security audit module and an equipment centralized management module.
1. Strong identity authentication module
11) The strong identity authentication module uses the cryptographic hash function SHA-256, which has strong confusion properties, as the identity authentication algorithm;
12) the strong identity authentication module calculates a fixed-length 256-bit SHA-256 hash value from the user name user1 and the password password123 entered by the user;
13) the strong identity authentication module compares the calculated hash value with the corresponding hash value in the database; if the hash values are consistent, user1 is allowed to log in to the system, and if they are inconsistent, user1 is refused login;
14) the strong identity authentication module sends the identity authentication result message to the dual access control module.
2. Dual access control module
21) When the logged-in user is administrator admin:
21.1) after receiving the identity authentication success message sent by the strong identity authentication module, the dual access control module configures the IP address of the terminal security protection device to be 192.168.1.100 and the subnet mask to be 255.255.255.0, so as to ensure that the terminal security protection device and all industrial control devices in the security domain are in the same network segment;
21.2) adding CNC, DCS, PLC, PAC, SCADA, RTU, FCS, IPC and other industrial control system types in an industrial control equipment list by the double access control module as selectable items;
21.3) the dual access control module sends an access control and equipment configuration end message to the interface protection policy module.
22) When the logged-in user is a normal user 1:
22.1) after receiving the identity authentication success message sent by the strong identity authentication module, the dual access control module searches and adds six industrial control devices, namely C1, C2, P1, P2, D1 and S1, in the industrial control device list and adds the industrial control devices to the device centralized management area;
22.2) the dual access control module compares access control information such as user names, passwords and the like corresponding to C1, C2, P1, P2, D1 and S1, and logs in the industrial control equipment;
22.3) if the user1 successfully logs in, respectively displaying the main interfaces of six industrial control devices, namely C1, C2, P1, P2, D1 and S1, in sub-windows 1-6 of the centralized management platform, otherwise, prompting a login error and rejecting the user1 to log in;
22.4) the dual access control module configures that the IP address of C1 is 192.168.1.200, the subnet mask is 255.255.255.0, the IP address of C2 is 192.168.1.201, the subnet mask is 255.255.255.0, the IP address of P1 is 192.168.1.202, the subnet mask is 255.255.255.0, the IP address of P2 is 192.168.1.203, the subnet mask is 255.255.255.0, the IP address of D1 is 192.168.1.204, the subnet mask is 255.255.255.0, the IP address of S1 is 192.168.1.205, the subnet mask is 255.255.255.0;
22.5) the dual access control module sends an access control and equipment configuration end message to the interface protection policy module.
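The two checks that steps 21.1) and 22.1) to 22.4) rely on, as an added example that is not the patent's code: every industrial control device address configured in step 22.4) must fall inside the segment of the terminal safety protection device configured in step 21.1) (192.168.1.100 with mask 255.255.255.0), no two devices may share an address, and a common user's access to a device is granted or refused against the permissions an administrator configured, yielding the user access control success or failure information. The addresses are the embodiment's; the permission table and the misconfigured device `X1` used to show a failing check are constructed.

```python
"""Network segment check and access permission matching for the dual access
control module. Added example, not code from the patent; PERMISSIONS and
the X1 test device are constructed, the IP addresses are the embodiment's.
"""
import ipaddress

PROTECTION_DEVICE = ("192.168.1.100", "255.255.255.0")   # step 21.1)
DEVICES = {                                              # step 22.4)
    "C1": "192.168.1.200", "C2": "192.168.1.201",
    "P1": "192.168.1.202", "P2": "192.168.1.203",
    "D1": "192.168.1.204", "S1": "192.168.1.205",
}
# Constructed: access control permissions set by the administrator
# (authority configuration unit): user -> devices the user may operate.
PERMISSIONS = {"user1": {"C1", "C2", "P1", "P2", "D1", "S1"}, "user2": {"C1"}}


def protection_network(ip, mask):
    """The segment the protection device sits in, from address + dotted mask."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def segment_report(protection=PROTECTION_DEVICE, devices=DEVICES):
    """device id -> True if its address lies in the protection device's segment."""
    net = protection_network(*protection)
    return {dev: ipaddress.ip_address(ip) in net for dev, ip in devices.items()}


def address_conflicts(protection=PROTECTION_DEVICE, devices=DEVICES):
    """(device, earlier holder, address) for every address used twice,
    including a device that reuses the protection device's own address."""
    seen = {protection[0]: "protection device"}
    conflicts = []
    for dev, ip in devices.items():
        if ip in seen:
            conflicts.append((dev, seen[ip], ip))
        else:
            seen[ip] = dev
    return conflicts


def access_control(user, device, permissions=PERMISSIONS):
    """Authority matching judgment: success only if the user has been granted
    this device; unknown users and unknown devices both fail."""
    allowed = device in permissions.get(user, set())
    return {"user": user, "device": device,
            "message": "user access control success" if allowed else "user access control failure"}


if __name__ == "__main__":
    print(segment_report())                                     # all True
    print(segment_report(devices={**DEVICES, "X1": "192.168.2.50"}))  # X1 False
    print(address_conflicts(devices={**DEVICES, "X1": "192.168.1.100"}))
    print(access_control("user1", "D1")["message"], access_control("user2", "D1")["message"])
```

Run `segment_report` and `address_conflicts` after step 22.4): a device outside the segment is unreachable by the protection device and silently drops out of protection, and a duplicate address lets one device answer for another.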
3. Interface protection policy module
31) After receiving the dual access control module end message, the interface protection policy module performs interface protection policy configuration on six industrial control devices, namely C1, C2, P1, P2, D1 and S1 respectively;
32) the interface protection policy module performs protection policy configuration on hardware interfaces such as serial ports, network ports, and USB of C1, C2, P1, P2, D1, and S1, respectively, and in this embodiment, the interface protection policy module is configured as follows:
32.1) serial port configuration parameters: bits per second (B) are B_C1, B_C2, B_P1, B_P2, B_D1 and B_S1 respectively; data bits (D) are D_C1, D_C2, D_P1, D_P2, D_D1 and D_S1 respectively; parity (P) is P_C1, P_C2, P_P1, P_P2, P_D1 and P_S1 respectively; stop bits (S) are S_C1, S_C2, S_P1, S_P2, S_D1 and S_S1 respectively; flow control (F) is F_C1, F_C2, F_P1, F_P2, F_D1 and F_S1 respectively;
32.2) network port configuration parameters: the IP addresses and subnet masks are those configured by the dual access control module in step 22.4); the MAC addresses are MAC_C1, MAC_C2, MAC_P1, MAC_P2, MAC_D1 and MAC_S1 respectively; the port numbers are PORT_C1, PORT_C2, PORT_P1, PORT_P2, PORT_D1 and PORT_S1 respectively;
32.3) the USB access rights of user1 to C1, C2, P1, P2, D1 and S1 are all set to read-only;
33) after the interface protection strategy configuration is completed, the interface protection strategy module automatically saves the protection strategy and generates the configuration files C1_currenttime1.xml, C2_currenttime1.xml, P1_currenttime1.xml, P2_currenttime1.xml, D1_currenttime1.xml and S1_currenttime1.xml;
34) the interface protection strategy module sends the configuration files C1_currenttime1.xml, C2_currenttime1.xml, P1_currenttime1.xml, P2_currenttime1.xml, D1_currenttime1.xml and S1_currenttime1.xml to the file depth analysis module one by one.
4. File depth analysis module
41) When the file depth analysis module receives the configuration files C1_currenttime1.xml, C2_currenttime1.xml, P1_currenttime1.xml, P2_currenttime1.xml, D1_currenttime1.xml and S1_currenttime1.xml sent by the interface protection policy module, it encrypts the xml configuration files, sends them to the industrial control devices C1, C2, P1, P2, D1 and S1 using the TCP protocol, and proceeds to step 43);
42) when the file depth analysis module receives the industrial control processing files Fanuc_file.nc and unknown_file.txt and the other unknown file SQLIn project.exe from outside the security domain, file format examination and filtering are carried out according to the white list and the black list of industrial control processing file formats: Fanuc_file.nc and unknown_file.txt belong to the white list, so the operation proceeds to step 44); SQLIn project.exe belongs to the black list, so the file is discarded and not forwarded;
43) the industrial control devices C1, C2, P1, P2, D1 and S1 respectively decrypt the configuration files C1_currenttime1.xml, C2_currenttime1.xml, P1_currenttime1.xml, P2_currenttime1.xml, D1_currenttime1.xml and S1_currenttime1.xml and perform policy configuration according to the decrypted configuration parameter information; until a configuration file with an updated timestamp is received, the industrial control equipment performs its subsequent manufacturing and production execution operations according to the current configuration policy (no configuration file with an updated timestamp is provided in this embodiment);
44) the file depth analysis module carries out comprehensive depth scanning analysis of the contents of Fanuc_file.nc and unknown_file.txt according to the user-defined analysis rules and analysis conditions: Fanuc_file.nc contains no characters matching the analysis rules and conditions, so the operation proceeds to step 45); unknown_file.txt contains the keywords insert/create/update, which match the analysis rules and conditions, so forwarding of the file is blocked;
45) the file depth analysis module sends the file Fanuc_file.nc, which has passed the file format filtering and the deep content analysis, to the target industrial control devices C1 and C2, and records a service protection log.
The embodiment relates to the white list of the industrial control processing file format in the step 42) which comprises an NC program file format and a txt file format of famous industrial control equipment manufacturers such as Siemens, Fanuc, Heidenhain and the like, and the black list which comprises an exe file format.
The parsing rules in step 44) of this embodiment use regular expressions; the parsing conditions are: keyword (content) = key, detection depth (depth) = 1000 bytes, fixed position (permanent_position) = file length, floating position (float_position) = file length, together with a protocol feature (protocol_characteristics) and an attack feature (attack_characteristics).
5. Security audit module
51) The safety audit module receives log alarm information reported in the manufacturing and production execution process of industrial control equipment C1, C2, P1, P2, D1 and S1 in a safety domain in real time;
52) the security audit module records the service protection logs filter_log_C1, filter_log_C2, filter_log_P1, filter_log_P2, filter_log_D1 and filter_log_S1 of the terminal security protection device, the operation behavior logs (including user identity authentication and access control) operation_log_C1, operation_log_C2, operation_log_P1, operation_log_P2, operation_log_D1 and operation_log_S1, and the maintenance logs main_log_C1, main_log_C2, main_log_P1, main_log_P2, main_log_D1 and main_log_S1;
53) the security audit module also has an alarm function: when illegal intrusion against the terminal security protection equipment or an equipment abnormality occurs, the security audit module generates the attack information logs attack_log_C1, attack_log_C2, attack_log_P1, attack_log_P2, attack_log_D1 and attack_log_S1.
6. Equipment centralized management module
In addition to the above-mentioned adding of the industrial control device and configuring of the protection policy to the terminal safety protection device HT-304, the device centralized management module described in this embodiment further has the following functions:
61) the device centralized management module sets the administrator authority levels L1 to LN and the corresponding authority item sets Item1 to ItemN.
62) The user authority classification function sets the authority levels Authority1 to AuthorityN, and the users at each level can only execute the operations Operation1 to OperationN within the authority of that level;
63) role management: following the principle of separation of three powers, three default roles are provided, the system administrator admin, a security secrecy officer and a security auditor; the three default roles of this embodiment have the following permissions:
63.1) the system administrator has the authority to create users, edit user information, and configure the IP address and subnet mask of the terminal safety protection device and the industrial control equipment list;
63.2) the security secrecy officer has the authority to create roles, configure the authority of roles, assign roles to users, and view the operation logs of the system administrator and the security auditor;
63.3) the security auditor has the authority to view the logs of the security secrecy officer and of all common users.
In summary, the industrial control system terminal security protection system provided in this embodiment further improves the industrial control system terminal security protection capability and level, and the provided terminal security protection centralized unified management platform has the advantages of being suitable for various application environments, various industrial protocols, good in compatibility, simple in equipment addition and deletion, flexible in protection policy configuration, efficient in alarm reporting and equipment management, simpler, more flexible, and more efficient in implementing centralized protection on the security of multiple industrial control system terminals, and the like. The invention can be widely applied to the technical field of safety protection of various industrial control system terminals relating to national economy, national defense industry and national safety, in particular to the situations that the safety of the industrial control system terminals needs to be intensively and uniformly protected, and the like.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (8)

1. An industrial control system terminal safety protection system, characterized in that the industrial control system terminal safety protection system comprises: terminal safety protection equipment and a terminal safety centralized management system;
the industrial control system terminal safety protection system operates in an industrial control equipment terminal safety protection system security domain, and besides the protection system the security domain further comprises: a plurality of industrial firewalls, a switch, a numerical control machine tool group, a programmable logic controller group, a distributed control system group, a monitoring and data acquisition system group, a CNC-MES (computerized numerical control system-manufacturing execution system) information management system, a PLC-MES information management system, a DCS-MES information management system, a SCADA-MES information management system, four OPC servers/databases and four monitoring terminals, wherein the CNC-MES, PLC-MES, DCS-MES and SCADA-MES information management systems respectively correspond to the numerical control machine tool group, the programmable logic controller group, the distributed control system group and the monitoring and data acquisition system group; the four OPC servers/databases and the four monitoring terminals are arranged in one-to-one correspondence with the numerical control machine tool group, the programmable logic controller group, the distributed control system group and the monitoring and data acquisition system group;
the industrial control system terminal safety protection system forms a terminal safety protection layer;
the CNC-MES information management system, the PLC-MES information management system, the DCS-MES information management system, the SCADA-MES information management system, the industrial firewall and the switch form an industrial control system layer;
the numerical control machine tool group, the programmable logic controller group, the distributed control system group, the monitoring and data acquisition system group, the four OPC servers/databases and the four monitoring terminals form a manufacturing production execution layer;
the terminal security centralized management system comprises: a strong identity authentication module, a dual access control module, an interface protection strategy module and a file depth analysis module;
the strong identity authentication module is used for carrying out strong identity authentication on the login operation of the user, generating an identity authentication result success message or an identity authentication result failure message and sending it to the dual access control module;
the dual access control module is used for carrying out centralized configuration of the industrial control equipment according to the administrator's instructions when the identity authentication result success message is received, generating industrial control equipment configuration end information and sending it to the interface protection strategy module; the dual access control module is also used for checking the access authority of a common user, generating user access control success information or user access control failure information and sending it to the interface protection strategy module;
the interface protection strategy module is used for carrying out interface protection strategy configuration on the industrial control equipment after receiving the configuration end information of the industrial control equipment, generating an xml configuration file taking the unique identifier of the industrial control equipment and the current time as names, and sending the xml configuration file to the file depth analysis module;
the file depth analysis module is used for sending the xml configuration file to the industrial control equipment for protection strategy configuration, and the industrial control equipment performs subsequent manufacturing execution operation according to the currently configured protection strategy;
wherein the dual access control module comprises: the device comprises a user identity judgment unit, a network segment configuration unit, an equipment configuration unit, an authority matching judgment unit and an access control result generation unit;
the user identity judging unit is used for judging the user identity when the identity authentication result success message is received, generating a first trigger signal to the network segment configuration unit when the user is an administrator, and generating a second trigger signal to the authority matching judgment unit when the user is a common user;
the network segment configuration unit is used for allowing an administrator user to log in the industrial control system terminal safety protection system after receiving the first trigger signal, and configuring the IP address and the subnet mask of the terminal safety protection device according to the instruction of the administrator user, so that the terminal safety protection device and all industrial control devices in the industrial control device terminal safety protection system safety domain are in the same network segment; the industrial control equipment comprises: the system comprises a numerical control machine tool group, a programmable logic controller group, a decentralized control system group and a monitoring and data acquisition system group;
the equipment configuration unit is used for carrying out centralized configuration on the industrial control equipment in the safety domain of the safety protection system of the industrial control equipment terminal according to the instruction of the administrator user, generating configuration end information of the industrial control equipment and sending the configuration end information to the interface protection strategy module;
the authority configuration unit is used for completing access control authority configuration between a common user and corresponding industrial control equipment according to an instruction of an administrator user and generating access control authority configuration end information;
the authority matching judgment unit is used for allowing a common user to log in the industrial control system terminal safety protection system after receiving the second trigger signal, simultaneously comparing the corresponding relation between the access control authorities of the common user and the industrial control equipment, allowing the user to log in and operate the industrial control equipment according to the access control authority if the corresponding relation of the access control authorities is matched, and refusing the user to log in and operate the industrial control equipment according to the access control authority if the corresponding relation of the access control authorities is not matched;
the access control result generation unit is used for generating user access control success information under the condition that the corresponding relation of the access control authority is matched and sending the information to the interface protection strategy module; and under the condition that the corresponding relation of the access control authority is not matched, generating user access control failure information and sending the user access control failure information to the interface protection strategy module.
2. The industrial control system terminal security protection system of claim 1, wherein the strong identity authentication module comprises: a hash value generating unit, a hash value comparing unit and a strong identity authentication result sending unit; the strong identity authentication module uses the cryptographic hash function SHA-256, which has a strong confusion property, as the identity authentication algorithm;
the hash value generating unit is used for calculating a hash value with a fixed length of 256 bits with the cryptographic hash function SHA-256 from a user instruction or the entered user name and password;
the hash value comparison unit is used for comparing the consistency of the hash value generated by calculation with the corresponding hash value in the OPC server/database, if the hash values are consistent, the user is allowed to log in the terminal security centralized management system, and meanwhile, an identity authentication result success message is generated; if the hash values are not consistent, the login request is rejected, and meanwhile an identity authentication result failure message is generated;
and the strong identity authentication result sending unit is used for sending the identity authentication result success message or the identity authentication result failure message to the dual access control module.
3. The industrial control system terminal security protection system of claim 1, wherein the interface protection policy module comprises: the device comprises a serial port configuration unit, a network port configuration unit, a USB interface configuration unit, a configuration file generation unit and a configuration file sending unit;
the serial port configuration unit is used for carrying out protection strategy configuration on the serial port of the industrial control equipment;
the network port configuration unit is used for carrying out protection strategy configuration on the network port of the industrial control equipment;
the USB interface configuration unit is used for carrying out protection strategy configuration on a USB interface of the industrial control equipment;
the configuration file generating unit is used for storing the protection strategy and generating an xml configuration file with the unique identifier of the industrial control equipment and the current time as names after the protection strategy configuration of the interface is completed;
the configuration file sending unit is used for sending the xml configuration file to the file depth analysis module.
4. The industrial control system terminal safety protection system of claim 1, wherein the file depth parsing module comprises: a configuration file encryption unit and a configuration file decryption unit;
when receiving an xml configuration file sent by an interface protection strategy module, the configuration file encryption unit encrypts the xml configuration file and sends the encrypted xml configuration file to industrial control equipment which is consistent with the unique identification of the industrial control equipment in the xml configuration file by adopting a TCP (transmission control protocol);
the configuration file decryption unit is arranged on the industrial control equipment, decrypts the xml configuration file with the consistent unique identifier after receiving the xml configuration file, performs protection strategy configuration according to the decrypted configuration parameter information, and performs subsequent manufacturing and production execution operation according to the currently configured protection strategy by the industrial control equipment.
5. The industrial control system terminal safety protection system of claim 4, wherein the file depth parsing module further comprises: the file filtering unit and the file analyzing unit;
the file filtering unit is used for carrying out file format examination and filtering according to a white list and a black list of industrial control processing file formats when receiving industrial control processing files or other unknown files from a security domain, and sending the industrial control processing files or other unknown files to the file analyzing unit if the file formats of the industrial control processing files or other unknown files belong to the white list of the industrial control processing file formats; if the file format of the industrial control processing file or other unknown files belongs to the industrial control processing file format blacklist, discarding the file and not forwarding the file;
the file analysis unit stores analysis rules and analysis conditions customized by the user in advance, namely rules and conditions which, as defined by the user, can affect the safety protection of the industrial control equipment;
the file analysis unit is used for carrying out comprehensive depth scanning analysis on the contents of the industrial control processing file or other unknown files, judging whether the contents meet the analysis rule and the analysis condition defined by a user in advance, blocking transmission and forwarding of the file if the industrial control processing file or other unknown files contain characters meeting the analysis rule and the analysis condition, and otherwise, sending the industrial control processing file or other unknown files to target industrial control equipment.
6. The industrial control system terminal safety protection system of claim 5, wherein the industrial control processing file format white list comprises an NC program file format and a txt file format of Siemens, Fanuc, Heidenhain industrial control equipment manufacturers;
and the industrial control processing file format blacklist comprises an exe file format.
7. The industrial control system terminal safety protection system according to claim 5, wherein the parsing rule is a regular expression; the parsing conditions include a keyword (content), a detection depth (depth), a fixed position (permanent_position), a floating position (float_position), a protocol feature (protocol_characteristics) and an attack feature (attack_characteristics).
8. The industrial control system terminal safety protection system of claim 1, wherein the safety protection system further comprises: a security audit module;
the safety audit module is used for receiving log alarm information reported in the manufacturing and production execution process of the industrial control equipment in the safety domain in real time;
the safety audit module is used for recording a service protection log of the terminal safety protection device, and an operation behavior log (including user identity authentication and access control) and a maintenance log aiming at the industrial control device;
the security audit module is used for generating and storing an attack information log when illegal invasion aiming at the terminal security protection equipment or equipment abnormity occurs;
the log fields of the service protection log (filter_log), the operation behavior log (operation_log), the maintenance log (maintain_log) and the attack information log (attack_log) are described as follows:
(1) the service protection log records all file examination and filtering records of the terminal safety protection device, including: event number, time, file name, service type, transmission direction, transmission result, file type check, file format check, keyword check, source IP address and destination IP address;
(2) the operation behavior log records all configuration management operation records of the industrial control equipment, including: event number, user name, equipment identification, operation, occurrence time, hostIP, hostMac and result;
(3) the maintenance log records all maintenance records of the industrial control equipment, monitoring the interaction data streams of login, logout, upgrade, downgrade and fault maintenance of the industrial control equipment, including: event number, equipment identification, starting time, ending time, maintenance personnel, data record, maintenance mode and result;
(4) the attack information log records all records of the terminal security protection device under network attack, including: event number, occurrence time, attack source IP, attack target IP, attack source Mac, attack target Mac, target port, attack object, attack type and attack event description.
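The file filtering and file analysis units of claims 5 to 7, producing the filter_log record of claim 8, as an added Python example that is not part of the patent; the file suffixes, the "MZ" file type check, the default-deny handling of unknown formats and the two rules are assumptions, and protocol_characteristics is not modelled.

```python
import re
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed lists in the spirit of claim 6: NC program and txt formats are allowed,
# exe is blocked. The suffixes are an assumption; the claim names formats, not extensions.
FORMAT_WHITELIST = {".nc", ".mpf", ".spf", ".h", ".txt"}
FORMAT_BLACKLIST = {".exe"}

@dataclass
class ParseRule:
    """A user-defined parsing rule (a regular expression, claim 7) with its conditions."""
    name: str
    content: bytes                                    # regex applied to the file bytes
    depth: int                                        # only the first `depth` bytes are scanned
    permanent_position: Optional[int] = None          # match must start exactly at this offset
    float_position: Optional[Tuple[int, int]] = None  # match may start anywhere in [lo, hi]
    attack_characteristics: str = ""                  # label copied into the log record

def check_format(file_name: str) -> str:
    """File format check by suffix: 'whitelist', 'blacklist' or 'unknown'."""
    dot = file_name.rfind(".")
    ext = file_name[dot:].lower() if dot >= 0 else ""
    if ext in FORMAT_BLACKLIST:
        return "blacklist"
    return "whitelist" if ext in FORMAT_WHITELIST else "unknown"

def check_type(data: bytes) -> str:
    """File type check by content: a DOS/PE 'MZ' header is an executable whatever the
    suffix says (an assumption about what the claim-8 'file type check' field records)."""
    return "executable" if data[:2] == b"MZ" else "ok"

def match_rule(rule: ParseRule, data: bytes) -> Optional[int]:
    """Offset of the first match that satisfies the rule's position conditions, else None."""
    for m in re.finditer(rule.content, data[:rule.depth]):
        pos = m.start()
        if rule.permanent_position is not None and pos != rule.permanent_position:
            continue
        if rule.float_position is not None and not (rule.float_position[0] <= pos <= rule.float_position[1]):
            continue
        return pos
    return None

def filter_file(event_no, file_name, data, src_ip, dst_ip, rules, now=None):
    """Claim-5 pipeline: returns (forward?, filter_log record with the claim-8 fields).
    Unknown formats are discarded (an assumption; the claim defines only the two list cases)."""
    record = {"event_number": event_no, "time": now or time.strftime("%Y-%m-%d %H:%M:%S"),
              "file_name": file_name, "service_type": "file_transfer",
              "transmission_direction": "security_domain->device",
              "transmission_result": "discarded", "file_type_check": check_type(data),
              "file_format_check": check_format(file_name), "keyword_check": "not_run",
              "source_ip": src_ip, "destination_ip": dst_ip}
    if record["file_format_check"] != "whitelist" or record["file_type_check"] != "ok":
        return False, record          # filtering unit: discard, do not forward
    for rule in rules:                # analysis unit: deep scan of the file content
        pos = match_rule(rule, data)
        if pos is not None:
            record["keyword_check"] = f"{rule.name}@{pos}: {rule.attack_characteristics}"
            record["transmission_result"] = "blocked"
            return False, record
    record["keyword_check"], record["transmission_result"] = "pass", "forwarded"
    return True, record

# Constructed rules: a plant safety limit and a tape-header check at a fixed position.
RULES = [
    ParseRule("spindle_limit", rb"S[1-9]\d{4,}", depth=65536,
              attack_characteristics="spindle speed of 10000 rpm or more"),
    ParseRule("no_tape_header", rb"[^%]", depth=1, permanent_position=0,
              attack_characteristics="program does not start with the % tape marker"),
]

if __name__ == "__main__":
    ok_prog = b"%\nO1000\nG21 G90\nS8000 M03\nG01 X10 F200\nM30\n%\n"  # constructed sample
    for name, data in [("part.nc", ok_prog), ("part.nc", ok_prog.replace(b"S8000", b"S24000")),
                       ("tool.exe", b"MZ\x90\x00"), ("part.txt", b"G01 X10\n")]:
        print(filter_file(1, name, data, "10.0.0.5", "10.0.0.20", RULES))
```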
CN201910353810.8A 2019-04-29 2019-04-29 Industrial control system terminal safety protection system Active CN109976239B (en)
Publications (2)

Publication Number Publication Date
CN109976239A CN109976239A (en) 2019-07-05
CN109976239B true CN109976239B (en) 2020-06-16