CN110225038B - Method, device and system for industrial information security - Google Patents


Info

Publication number: CN110225038B (granted patent); earlier publication CN110225038A
Application number: CN201910510238.1A
Authority: CN (China)
Prior art keywords: data, operator station, server, industrial, authentication
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Original language: Chinese (zh)
Inventors: 杨明旭, 吴志华, 郭立龙, 蔡艳林, 孙杨, 杨明勋, 徐乐晨
Assignee (original and current): Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd

Classifications (CPC, all under H04L63/00, network architectures or network communication protocols for network security)

    • H04L63/0428: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0869: authentication of entities, for achieving mutual authentication
    • H04L63/0876: authentication of entities, based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/20: managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of this application disclose a method, device and system for industrial information security. The system comprises industrial equipment, industrial control equipment, operator stations and a server. The industrial equipment collects industrial field environment data. The industrial control equipment acquires and processes that environment data in real time. The operator station verifies the validity of the environment data, sends the authentication code of its physical machine to the server for authentication and, once authentication passes, encrypts the environment data together with the operator's click data and sends them to the server; it decrypts the control data returned by the server and passes the decrypted control data to the industrial control equipment, which controls the industrial equipment. The server receives and authenticates the authentication code sent by the operator station, sends an authentication-passed instruction to the operator station after authentication passes, receives and decrypts the encrypted data sent by the operator station, and returns encrypted control data to the operator station.

Description

Method, device and system for industrial information security
Technical Field
The present application relates to the field of industrial information security, and more particularly, to a method, apparatus, and system for industrial information security.
Background
With the arrival of Industry 4.0 and intelligent manufacturing, the state is vigorously promoting the integration of industrialization and informatization so that the two advance together. This requires the industrial control intranet to connect directly to the Internet, forming an industrial Internet of Things. At present this approach carries serious security risks:
1. The network architecture of the industrial control system is taken from the conventional information network, but industrial control equipment is not fully suited to it because of its specialised and limited nature. Compared with ordinary PCs and servers, controllers are orders of magnitude behind in processing speed, network transmission rate and application compatibility, which makes the industrial control system more vulnerable.
2. Data flows and user privileges are not clearly separated, and any device can communicate in both directions. Once an attacker gets into the industrial control intranet, they can pivot directly upward or downward, which enlarges the attack surface and increases the loss to the user.
3. Industrial control hosts are weakly protected. They run ordinary consumer-grade operating systems, in which vulnerabilities are found regularly, yet because production requires them to run continuously without shutdown, patches cannot be installed in time. Where site personnel are mixed and management is incomplete, a storage medium carrying malicious code may be connected to an industrial control host at will, which is a serious threat to the whole industrial control system.
4. Industrial protocols are plaintext and unencrypted. If an attacker compromises or hijacks any endpoint, such as the server or an industrial control host, key information about PLCs and similar equipment (running state, control mode, data, process flow) can be collected in full. With this information the attacker can replay packets, launch DDoS attacks and use other malicious means that disrupt normal production and may even cause production accidents.
Industrial information security covers the whole industrial process: not only the security of the conventional computer network and information system, but also that of industrial software and hardware, control systems, industrial protocols and production data. Its importance is self-evident, so establishing a dedicated industrial information security system is an urgent technical problem.
Disclosure of Invention
The application provides a method, a device and a system for industrial information security, which are used for improving the security of industrial information.
The application provides the following scheme:
One aspect provides a system for industrial information security, comprising:
industrial equipment, industrial control equipment, an operator station and a server provided with at least two virtual machines;
the industrial equipment collects industrial field environment data;
the industrial control equipment acquires and processes, in real time, the environment data collected by the industrial equipment;
the operator station verifies the validity of the environment data, sends the authentication code of the physical machine on which it runs to the server for authentication and, after authentication passes, encrypts the environment data and the operator's click data and sends them to the server; it decrypts the control data returned by the server and sends the decrypted control data to the industrial control equipment so as to control the industrial equipment;
the server receives and authenticates the authentication code sent by the operator station, sends an authentication-passed instruction to the operator station after authentication passes, receives and decrypts the encrypted data sent by the operator station, and returns encrypted control data to the operator station.
Preferably, the operator station also reads the information of the physical machine before each client run and judges from it whether the physical machine is safe; the information of the physical machine comprises at least one of its running processes, hardware configuration and system information.
Preferably, the operator station also receives the operator's identity information to be authenticated and sends it to the server for authentication; the server authenticates that identity information against the pre-stored identity information of the operator and sends the authentication-passed instruction to the operator station only after both the identity information and the authentication code have been authenticated.
Preferably, the server also generates a random key after authentication passes, sends it to the operator station, and encrypts the control data with the random key and a preset encryption algorithm; the operator station encrypts its data with the same random key and preset encryption algorithm.
Preferably, the operator station also sends specific data to the server at a preset time; the server checks whether the specific data has been received and, if not, either interrupts communication with the operator station or passes the data sent by the operator station to another virtual machine for backup.
Preferably, the server also learns the operation rule of the industrial equipment from the data received from the operator station, judges whether subsequently received data from the operator station conforms to that rule and, if not, either interrupts communication with the operator station or passes the data to another virtual machine for backup.
The present application also provides a method for industrial information security for use in an operator station, the method comprising:
sending the authentication code of the physical machine to a server for authentication;
receiving real-time detection data of the industrial equipment acquired by the industrial control equipment, performing primary processing, and using the data after the primary processing and the coded operator station click data as operator station data;
after receiving the command that the server passes authentication, encrypting the operator station data and sending the encrypted data to a corresponding virtual machine in the server;
receiving control data returned by the server according to the operator station data;
and decrypting the control data and sending the decrypted data to the industrial equipment through the industrial control equipment to execute related operations.
The application also provides a method for industrial information security, which is applied to a server provided with at least two virtual machines, and the method comprises the following steps:
receiving and verifying an authentication code of a corresponding physical machine sent by an operator station;
if the authentication is passed, sending an authentication passing instruction to the operator station;
receiving encrypted operator station data sent by the operator station and storing the encrypted operator station data to a corresponding virtual machine;
and decrypting the operator station data by the corresponding virtual machine, processing the decrypted operator station data, and returning the encrypted control data to the operator station.
The present application further provides a computer system comprising:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
sending the authentication code of the physical machine to a server for authentication;
receiving real-time measurement data of the industrial equipment acquired by the industrial control equipment, performing primary processing, and using the processed data together with the encoded operator station click data as the operator station data;
After receiving the command that the server passes authentication, encrypting the operator station data and sending the encrypted data to a corresponding virtual machine in the server;
receiving control data returned by the server according to the operator station data;
and decrypting the control data and sending the decrypted data to the industrial equipment through the industrial control equipment to execute related operations.
The present application further provides a computer system comprising:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
receiving and verifying an authentication code of a corresponding physical machine sent by an operator station;
if the authentication is passed, sending an authentication passing instruction to the operator station;
receiving encrypted operator station data sent by the operator station and storing the encrypted operator station data to a corresponding virtual machine;
and decrypting the operator station data by the corresponding virtual machine, processing the decrypted operator station data, and returning the encrypted control data to the operator station.
According to the specific embodiments provided herein, the present application has the following technical effects:
Data transmission takes place mainly between the operator station and the server; industrial control equipment and the like do not communicate directly with the server, which removes compatibility problems such as mismatched network speeds, and one operator station can serve several industrial devices, which eases data management. The operator station and the server use identity authentication and bidirectional encryption, which secures the data transmission.
Further, after the client is installed the operator station performs a self-check on every run, which further protects it.
More importantly, verifying the data stream with specific data further improves the security of the transmission.
Of course, a product practising this application need not achieve all of the above advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required in the embodiments will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram of a system provided in an embodiment of the present application;
FIG. 2 is a flow chart of a method provided by an embodiment of the present application;
FIG. 3 is a flow chart of a method provided by another embodiment of the present application;
FIG. 4 is a diagram illustrating a computer system architecture according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments that can be derived from the embodiments given herein by a person of ordinary skill in the art are intended to be within the scope of the present disclosure.
The present application provides a system architecture, shown in fig. 1, that comprises, in the direction of data flow, an industrial device 11, an industrial control device 12, an operator station 13 and a server 14. The industrial equipment 11 collects field environment information across the industrial site and comprises, for example, instruments, meters and sensors. The industrial control device 12 comprises, for example, a PLC or a data acquisition card; it acquires the information collected by the industrial equipment in real time and processes it, for instance by converting analogue signals to digital ones. The operator station 13 is a relay for the data: it checks the validity of the data received from the industrial control device, discards invalid data, applies security processing such as encoding and encryption, and sends the data to the server 14. The server 14 hosts several virtual machines that perform different tasks. A virtual machine receives the operator station's data, decrypts it, encrypts its own control data and sends it to the operator station 13, which processes it and passes it to the industrial control device 12 for field control of the industrial equipment 11.
With this system, data transmission takes place mainly between the operator station 13 and the server 14; the industrial control device 12 and the like do not communicate directly with the server 14, which removes compatibility problems such as mismatched network rates, and one operator station 13 can serve several industrial devices 11, which eases data management.
The system may further include an engineer station, configured in the same way as the operator station 13; it differs from the operator station 13 in that the data it transmits is the click data of the engineer's operations. For its data transmission and authentication mechanisms, refer to the description of the operator station 13 below.
Example one
To secure data transmission, this application uses an authentication and encryption mechanism: before communication starts, the physical machine of the operator station is authenticated, and an encryption algorithm is applied to the data exchanged in both directions between the operator station and the server.
The authentication mechanism prevents other, illegitimate physical machines from impersonating the operator station in communication with the server. Specifically, when the client is installed on the operator station's physical machine for the first time, it reads the machine's system information, hardware information and so on to obtain a machine code, generates an authentication code from that machine code (for example by ECC encryption with multiple rounds of salting), and sends the authentication code to the server for storage. Thereafter, before the client runs and starts up, it reads its own authentication code and compares it with the one stored on the server; only when the two codes are identical does the subsequent data communication proceed. In this way no other physical machine can impersonate the operator station and communicate illegitimately with the server.
The operator station's own physical machine may also be compromised, so a self-check can be added before the operator station sends its authentication code to the server. Specifically, after the client is installed on the operator station, before each run it first reads the machine's running processes, hardware configuration and system information; only once the physical machine is confirmed not to have changed significantly does it read its authentication code and compare it with the one stored by the server, completing the authentication. This self-check prevents an operator station that has already been compromised from continuing to communicate with the server.
Besides authenticating the operator station's physical machine, the method may also authenticate the operator: the operator station receives the identity information entered by the operator and sends it to the server for authentication. The server can also store the correspondence between operators and operator-station physical machines, so as to further authenticate the operator's operating authority.
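The following Python example is added by the editor and is not part of the patent. It shows one way to implement the authentication described above, and equally its restatement in step S21 and the operator-identity paragraph at the end of Example four: the client derives a machine code from the physical machine's system and hardware information, turns it into a salted authentication code that the server stores at installation, and before each start the server compares the re-derived code, the operator's credential and the operator-to-machine binding. The page does not say which hash or salting construction is used ("ECC with multiple salts" is not a standard primitive), so PBKDF2-HMAC-SHA256 with a per-installation salt is substituted as an assumption; the machine information, station and operator names, work factor and credentials are constructed values.

```python
"""Physical-machine authentication code and operator identity check (added example)."""
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor

# Constructed sample of the system and hardware information the client reads
# at installation time (hypothetical values).
MACHINE_INFO = {
    "system": {"os": "Windows 10 LTSC", "hostname": "OPS-01"},
    "hardware": {
        "cpu_id": "BFEBFBFF000906EA",
        "board_serial": "MB-7F3A-0012",
        "mac": "00:1b:21:3c:9d:5e",
    },
}


def machine_code(info: dict) -> bytes:
    """Machine code: SHA-256 over a canonical (sorted keys, no whitespace) JSON encoding."""
    canonical = json.dumps(info, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def authentication_code(code: bytes, salt: bytes) -> str:
    """Authentication code: salted PBKDF2-HMAC-SHA256 of the machine code, hex-encoded.

    Stand-in for the page's unspecified 'ECC with multiple salts' step (assumption).
    """
    return hashlib.pbkdf2_hmac("sha256", code, salt, PBKDF2_ITERATIONS).hex()


class Server:
    """Keeps the enrolled authentication code per station and the operator records."""

    def __init__(self) -> None:
        self.stations = {}   # station_id -> enrolled authentication code
        self.operators = {}  # operator_id -> (salt, credential hash, bound station_id)

    # Enrollment: done once, when the client is first installed on the physical machine.
    def enroll_station(self, station_id: str, auth_code: str) -> None:
        self.stations[station_id] = auth_code

    def enroll_operator(self, operator_id: str, password: str, station_id: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.operators[operator_id] = (salt, digest, station_id)

    # Authentication: done before every client start.
    def authenticate_station(self, station_id: str, auth_code: str) -> bool:
        stored = self.stations.get(station_id)
        # Constant-time comparison so timing does not leak how many bytes matched.
        return stored is not None and hmac.compare_digest(stored, auth_code)

    def authenticate_operator(self, operator_id: str, password: str, station_id: str) -> bool:
        record = self.operators.get(operator_id)
        if record is None:
            return False
        salt, digest, bound_station = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        # The credential must match and the operator must be bound to this physical machine.
        return hmac.compare_digest(digest, candidate) and bound_station == station_id


def demo() -> dict:
    """Enroll one station and one operator, then run the checks the page describes."""
    server = Server()
    salt = secrets.token_bytes(16)  # generated at install time and kept by the client
    server.enroll_station("OPS-01", authentication_code(machine_code(MACHINE_INFO), salt))
    server.enroll_operator("alice", "correct horse battery", "OPS-01")

    # Another physical machine trying to pass as OPS-01: one hardware field differs.
    other_info = json.loads(json.dumps(MACHINE_INFO))
    other_info["hardware"]["board_serial"] = "MB-0000-9999"

    return {
        "same_machine": server.authenticate_station(
            "OPS-01", authentication_code(machine_code(MACHINE_INFO), salt)),
        "imposter": server.authenticate_station(
            "OPS-01", authentication_code(machine_code(other_info), salt)),
        "operator_ok": server.authenticate_operator("alice", "correct horse battery", "OPS-01"),
        "operator_wrong_station": server.authenticate_operator("alice", "correct horse battery", "OPS-02"),
        "operator_bad_password": server.authenticate_operator("alice", "wrong", "OPS-01"),
    }


if __name__ == "__main__":
    print(demo())
```

Caveat for deployment: the page compares the stored code with one the client sends, so in transit the authentication code is a static secret, and it is sent before the random key of the later steps exists. The page does not say how it is protected on the wire. In practice carry it over a transport that already authenticates the server (for example TLS with a pinned server certificate), or have the server send a nonce and the client return an HMAC of that nonce keyed with the authentication code, so the code itself never crosses the network.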
After authentication, the operator station and the server exchange data, so a software client is installed on the operator station and a software server on the corresponding virtual machine in the server. The server hosts several virtual machines, isolated from one another by container isolation technology, so that their operation and communication data are fully separated; it also has snapshot, backup and similar functions. The data the server transmits to the operator station's physical machine is image data that has been encoded and encrypted; the operator station decrypts it and passes it on its own, over a serial link, to industrial control equipment such as a PLC, which in turn controls the industrial equipment on site. The data the operator station transmits to the server's virtual machine is the real-time measurement data that the industrial control equipment acquired from the industrial equipment, together with the encoded operation click data, both encrypted.
The operator station and the server may use a preset encryption algorithm or a secret key.
In this application, once authentication is complete the server may generate a key and transmit it to the operator station. The server and the operator station then encrypt the data they transmit using that key together with the encryption algorithm.
Example two
The self-check mechanism is generally run only before each start of the operator station's client, and an intruder can use other means to make the system's hardware information and the like appear unchanged. The approach therefore has shortcomings.
For this reason, the application further provides verification with specific data: at set times the industrial control device sends certain data to the operator station, and the server then verifies whether that data has arrived. If it has not, the operator station can be judged to have been tampered with and the transmitted information treated as illegitimate. The specific data may also be originated directly at the operator station, for example entered manually and sent to the server for verification.
In practice the operation of an industrial system is regular, and the server can verify data by relying on the regularity of different industrial systems. For example, if an industrial system is in a stopped state during a particular period, the server can check the data received at the start of that period to determine whether it satisfies the corresponding system's operation rule.
The operation rule of an industrial system can be entered manually or learned by the server. Specifically, the server can learn from data covering a representative period to obtain an operation rule, such as a day/night rule or a seasonal rule, and then derive the data and times that characterise that rule, so that the specific-data verification can be started later.
When verifying against rules the server has learned, irregular data may appear for particular reasons, for example an emergency that requires overtime and breaks the night-time rule. If communication were stopped uniformly whenever such a condition occurred, data would be lost. In that case data communication can continue, but newly received data is passed to another independent virtual machine as a backup; once it is established that no intrusion has occurred, the backed-up data can be transferred to the original virtual machine to complete the record. The server's virtual machines use container isolation technology, which keeps the data independent and secure.
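The following Python example is added by the editor and is not part of the patent. It implements, on the server side, the two checks of this example and of the corresponding preferred features in the Disclosure: the station's specific data (here a heartbeat token at a preset interval) must arrive on time, and each data item must match a day/night operation rule learned from representative history; an anomaly either interrupts the session or, in the lenient mode the text recommends for cases such as overtime, diverts the data to the backup virtual machine until a review confirms that no intrusion occurred. The token, interval, tolerance, history and the majority-vote learning rule are assumptions.

```python
"""Server-side checks: specific-data receipt and learned operation rule (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

HEARTBEAT_TOKEN = "HB-7F3A"             # assumed agreed "specific data"
HEARTBEAT_PERIOD = timedelta(hours=1)   # assumed preset interval
HEARTBEAT_GRACE = timedelta(minutes=5)  # assumed tolerance for late delivery


class ServerChecks:
    """One instance per operator station; 'primary' stands for the station's own
    virtual machine and 'backup' for the independent backup virtual machine."""

    def __init__(self, start: datetime) -> None:
        self.next_heartbeat_due = start + HEARTBEAT_PERIOD
        self.primary = []      # data accepted into the station's virtual machine
        self.backup = []       # data diverted to the backup virtual machine
        self.rule = {}         # hour of day -> "running" or "stopped"
        self.interrupted = False

    def learn_rule(self, history) -> None:
        """Learn a day/night rule: for each hour, the majority state seen in
        `history`, an iterable of (timestamp, running) pairs from representative days."""
        votes = defaultdict(lambda: [0, 0])  # hour -> [stopped count, running count]
        for ts, running in history:
            votes[ts.hour][1 if running else 0] += 1
        self.rule = {h: ("running" if v[1] >= v[0] else "stopped") for h, v in votes.items()}

    def matches_rule(self, ts: datetime, running: bool) -> bool:
        expected = self.rule.get(ts.hour)
        return expected is None or expected == ("running" if running else "stopped")

    def on_heartbeat(self, ts: datetime, token: str) -> str:
        """Specific data sent by the station at the preset time."""
        if token != HEARTBEAT_TOKEN:
            return "invalid"
        self.next_heartbeat_due = ts + HEARTBEAT_PERIOD
        return "ok"

    def on_data(self, ts: datetime, payload: str, running: bool, *, strict: bool = False) -> str:
        """Route one data item; returns 'primary', 'backup' or 'interrupted'.

        strict=True interrupts the session on the first anomaly; strict=False
        keeps communicating but diverts the data to the backup virtual machine."""
        if self.interrupted:
            return "interrupted"
        heartbeat_missing = ts > self.next_heartbeat_due + HEARTBEAT_GRACE
        if not heartbeat_missing and self.matches_rule(ts, running):
            self.primary.append((ts, payload))
            return "primary"
        if strict:
            self.interrupted = True
            return "interrupted"
        self.backup.append((ts, payload))
        return "backup"

    def reconcile(self, intrusion_confirmed: bool) -> int:
        """After review: merge the backup into the primary store if no intrusion occurred,
        otherwise discard it. Returns the number of items merged."""
        if intrusion_confirmed:
            self.backup.clear()
            return 0
        merged = len(self.backup)
        self.primary.extend(self.backup)
        self.backup.clear()
        return merged


def demo():
    """Three constructed days of history (plant runs 06:00 to 21:59), then one live day."""
    history = [(datetime(2024, 3, 1 + d, h), 6 <= h <= 21) for d in range(3) for h in range(24)]
    start = datetime(2024, 3, 4, 6, 0)
    srv = ServerChecks(start)
    srv.learn_rule(history)
    routed = [
        srv.on_data(start + timedelta(minutes=30), "T=41.2C", True),                 # primary
        srv.on_heartbeat(start + timedelta(hours=1, minutes=2), HEARTBEAT_TOKEN),    # ok
        srv.on_data(start + timedelta(hours=1, minutes=30), "T=41.5C", True),        # primary
        # 23:00: the learned rule says "stopped" and no heartbeat has arrived since 07:02,
        # so the data goes to the backup virtual machine instead of being dropped.
        srv.on_data(start + timedelta(hours=17), "T=44.0C", True),                   # backup
    ]
    merged = srv.reconcile(intrusion_confirmed=False)  # overtime confirmed, not an intrusion
    strict = ServerChecks(start)
    strict.learn_rule(history)
    routed.append(strict.on_data(start + timedelta(hours=17), "T=44.0C", True, strict=True))
    return routed, merged, len(srv.primary), len(srv.backup)


if __name__ == "__main__":
    print(demo())
```

A practitioner should note that the heartbeat only proves that the sender still holds the agreed token and keeps the agreed schedule; it does not by itself prove that the station is uncompromised, which is why the page pairs it with the operation-rule check and the self-check rather than relying on any one of them.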
Example three
As described in the Background, in an industrial environment someone may connect a storage medium carrying malicious code to an operator station at will and cause a network incident. For this reason, after the client starts the operator station continuously scans the hardware information and operating system of the physical machine, in whitelist mode, and compares the results with the data recorded before the client started. When new hardware or newly running software is found, it either closes or stops that hardware access or software, or passes the data to another virtual machine for backup, transferring it back to the original virtual machine once it is established that no intrusion has occurred.
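The following Python example is added by the editor and is not part of the patent. It implements the self-check of this example and of Example one (and the corresponding preferred feature in the Disclosure): a baseline of running processes, hardware and system information recorded at installation, a whitelist of permitted deviations, a scan that reports what changed, and a verdict that maps new processes and newly attached hardware to stop or block and configuration drift to the backup-virtual-machine path. The baseline values, the whitelist and the severity mapping are constructed assumptions; a real client would populate the baseline from the operating system (process lists, USB device identifiers, disk serials) rather than from literals.

```python
"""Operator-station self-check in whitelist mode (added example)."""

# Constructed baseline recorded when the client was installed (hypothetical values).
BASELINE = {
    "processes": {"scada_client.exe", "plc_bridge.exe", "svchost.exe"},
    "hardware": {
        "usb": {"vid:046d pid:c31c"},          # the approved keyboard/mouse receiver
        "disks": {"SN-AAA111"},
        "nics": {"00:1b:21:3c:9d:5e"},
    },
    "system": {"os_build": "19044.3086", "hostname": "OPS-01"},
}

# Deviations that are explicitly allowed (whitelist mode): everything else is reported.
WHITELIST = {
    "processes": {"explorer.exe", "taskmgr.exe"},
    "usb": {"vid:046d pid:c31c"},
}


def scan(baseline: dict, current: dict, whitelist: dict) -> list:
    """Compare the current state with the baseline; return (category, item, action) findings.

    Actions (assumed mapping of the page's responses): 'stop' a new process,
    'block' newly attached hardware, 'backup' for system-information drift, i.e.
    keep communicating but divert the data to the backup virtual machine.
    """
    findings = []
    for proc in sorted(current["processes"] - baseline["processes"]):
        if proc not in whitelist["processes"]:
            findings.append(("process", proc, "stop"))
    for kind, devices in current["hardware"].items():
        for dev in sorted(devices - baseline["hardware"].get(kind, set())):
            if kind == "usb" and dev in whitelist["usb"]:
                continue
            findings.append((kind, dev, "block"))
    for key, value in current["system"].items():
        if baseline["system"].get(key) != value:
            findings.append(("system", f"{key}={value}", "backup"))
    return findings


def verdict(findings: list) -> str:
    """Overall decision: 'ok' means the station may go on to send its authentication code."""
    actions = {action for _, _, action in findings}
    for severity in ("block", "stop", "backup"):
        if severity in actions:
            return severity
    return "ok"


def demo():
    clean = verdict(scan(BASELINE, BASELINE, WHITELIST))
    # Live scan: an allowed shell process, an unknown process and a new USB storage stick.
    current = {
        "processes": BASELINE["processes"] | {"explorer.exe", "updater.exe"},
        "hardware": {
            "usb": BASELINE["hardware"]["usb"] | {"vid:0951 pid:1666"},
            "disks": BASELINE["hardware"]["disks"],
            "nics": BASELINE["hardware"]["nics"],
        },
        "system": dict(BASELINE["system"]),
    }
    findings = scan(BASELINE, current, WHITELIST)
    return clean, findings, verdict(findings)


if __name__ == "__main__":
    print(demo())
```

Because the page itself notes that an intruder can make hardware information appear unchanged, the scan should be taken as one layer: it catches the casual case (a storage medium plugged in, an unexpected process started) and must run continuously after start, not only before the authentication code is sent.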
Example four
Corresponding to the systems of the first to third embodiments, a fourth embodiment of the present application provides a method for industrial information security, which is applied to the operator station client mentioned in the above systems, as shown in fig. 2, and includes the following steps:
and S21, sending the authentication code of the physical machine to the server for authentication.
Specifically, the authentication code may be generated by first reading system information, hardware information, and the like of the physical machine to read the machine code when the client is installed on the physical machine of the operator station for the first time, and generating the authentication code according to the machine code, for example, by performing ECC multiple salt-adding encryption, and then generating the authentication code, and sending the authentication code to the server for storage. And then before the client operates and starts each time, reading the authentication code of the client and comparing the authentication code with the authentication code stored in the server, and after the authentication codes of the client and the server are identical, the server passes the authentication and returns an authentication passing instruction to the client so as to carry out the subsequent data communication process.
S22, the operator station receives real-time detection data of the industrial equipment acquired by the industrial control equipment, performs primary processing, and takes the data after the primary processing and the coded operator station click data as the operator station data;
such as removing illegal data or invalid data therein. Due to the complexity of the industrial field environment, even if the industrial equipment acquires data by itself, invalid data may occur. If the measured temperature data is more than 1000 degrees in the open air environment, the data exceeding the preset limit value can be taken as error data to be eliminated, so that the server is prevented from carrying out error judgment after the data is sent to the server.
The operator station click data is related to the physical machine of the operator station, can be used for representing various operation requests and the like of the operator, and therefore needs to be collected and sent to the server together.
And S23, after receiving the command that the server passes the authentication, encrypting the data of the operator station and sending the encrypted data to the corresponding virtual machine in the server.
After the authentication is passed, the operator station can communicate with the server, and specifically, the data can be encrypted by using an encryption algorithm and then sent to the server.
To further improve the security of the encryption algorithm, the server may generate a random key after authentication, and then send the random key to the operator station. The data is encrypted by the operator station according to the random key and a stored encryption algorithm.
S24, the operator station receives control data returned by the server according to the operator station data.
S25, the operator station decrypts the control data and sends the decrypted data to the industrial equipment through the industrial control equipment to execute the related operations.
The data sent by the server to the operator station is also encrypted data, so that the data needs to be decrypted by the operator station and then sent to the corresponding industrial equipment for execution.
By this method, the data collected by the industrial equipment is sent to the server through the operator station, so that initial processing can be carried out at the operator station and fixed-point, directed transmission between the operator station and the server can be realized. Authentication is completed before the two parties communicate, and the communication data is encrypted in both directions, which further ensures safety.
In a more preferred embodiment, the operator may also be authenticated. The operator identity authentication information can be stored in the server in advance, the operator station acquires the operator identity information and sends the operator identity information to the server for authentication, and only after the authentication is passed, the subsequent communication process is carried out. Further, the server can also store the corresponding relation between the operator and the physical machine of the operator station so as to further authenticate the operation authority of the operator.
To further improve safety, the application adds a self-checking mechanism to the operator station: before the client of the operator station runs each time, it first reads the running processes, hardware configuration and system information of the local machine; after it is ensured that the physical machine has not changed greatly, the authentication code of the local machine is read and compared with the authentication code stored in the server, completing the authentication mechanism. This self-check avoids the situation in which an operator station that has been compromised continues to communicate with the server.
As described in the background art, in an industrial environment someone may casually connect a storage medium carrying malicious code to an operator station and thereby cause a network accident. In this embodiment, after the client is started, the operator station periodically or in real time scans the hardware information and operating system of the physical machine in a white-list mode and compares the result with the data recorded before the client was started; when newly connected hardware or newly running software is found, the service is closed or stopped. Alternatively, the data is transmitted to another virtual machine for backup, and is merged back into the original virtual machine once it is determined that no illegal intrusion has occurred.
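The authentication code generation described above, the server-side comparison of S31, and the start-up self-check with its white-list scan, as an added Go example that is not code from the patent: the identity items form the machine code, a chain of salted HMAC-SHA256 rounds stands in for the "ECC multiple salt-adding encryption" the text names, the server stores the enrolled code and compares it in constant time, and any new peripheral or process found by the scan stops the service before the code is even presented. The field names, the HMAC substitution, the sample values and the "any new item" threshold are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Inventory is what the self-check reads from the local machine: identity items
// for the machine code, plus peripherals and processes for the white-list scan.
type Inventory struct {
	Identity    []string // board serial, CPU ID, OS install ID (constructed names)
	Peripherals []string
	Processes   []string
}

// MachineCode joins the identity items in a stable order.
func MachineCode(identity []string) string {
	s := append([]string(nil), identity...)
	sort.Strings(s)
	return strings.Join(s, "|")
}

// AuthCode derives the authentication code by a chain of salted HMAC-SHA256
// rounds, one salt per round. This substitutes for the ECC step named in the
// text; what the comparison needs is a deterministic, salted, one-way code.
func AuthCode(machineCode string, salts [][]byte) string {
	cur := []byte(machineCode)
	for _, salt := range salts {
		m := hmac.New(sha256.New, salt)
		m.Write(cur)
		cur = m.Sum(nil)
	}
	return hex.EncodeToString(cur)
}

// Server holds the codes enrolled at first install (S31).
type Server struct{ enrolled map[string]string }

func NewServer() *Server { return &Server{enrolled: map[string]string{}} }

func (s *Server) Enroll(stationID, code string) { s.enrolled[stationID] = code }

// Verify compares in constant time so timing does not reveal how much of a
// wrong code matched. true stands for the authentication passing instruction.
func (s *Server) Verify(stationID, code string) bool {
	want, ok := s.enrolled[stationID]
	return ok && hmac.Equal([]byte(want), []byte(code))
}

// NewItems is the white-list comparison: everything in the current scan
// that was not present in the baseline recorded before the client started.
func NewItems(baseline, current []string) []string {
	seen := make(map[string]bool, len(baseline))
	for _, b := range baseline {
		seen[b] = true
	}
	var out []string
	for _, c := range current {
		if !seen[c] {
			out = append(out, c)
		}
	}
	return out
}

// Action is the operator station's decision after a scan.
type Action int

const (
	Proceed     Action = iota // nothing new: continue
	StopService               // new hardware or software found
)

// StartupCheck runs before each client start: the self-check first, and only
// if the machine has not changed is the authentication code recomputed from
// the current identity and presented to the server. Returns (action, passed).
func StartupCheck(srv *Server, stationID string, baseline, current Inventory, salts [][]byte) (Action, bool) {
	if len(NewItems(baseline.Peripherals, current.Peripherals))+
		len(NewItems(baseline.Processes, current.Processes)) > 0 {
		return StopService, false
	}
	code := AuthCode(MachineCode(current.Identity), salts)
	return Proceed, srv.Verify(stationID, code)
}

func main() {
	salts := [][]byte{[]byte("salt-round-1"), []byte("salt-round-2")} // constructed
	base := Inventory{Identity: []string{"board:SN-1001", "cpu:CPUID-0001"}}
	srv := NewServer()
	srv.Enroll("OPS-01", AuthCode(MachineCode(base.Identity), salts))
	fmt.Println(StartupCheck(srv, "OPS-01", base, base, salts)) // 0 true
}
```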
The present embodiments further provide a way for the operator station client to authenticate with specific data:
the operator station receives specific data sent by the industrial control equipment at a set time and sends the data to the server for verification;
the server may verify the data manually or intelligently, or in a variety of ways, as described in connection with the server-side process flow.
The operator station receives the verification result returned by the server; if the verification is not passed, the data transmission process is stopped or the data is transmitted to another virtual machine for backup.
The advantage of the backup is that, once it is subsequently determined that no illegal intrusion has occurred, the backup data can be transferred to the original virtual machine to complete its data.
Example five
Corresponding to the systems of the first to third embodiments, a fifth embodiment of the present application provides a method for industrial information security, applied to the server mentioned in the above systems, where the server is provided with at least two virtual machines; as shown in fig. 3, the method includes the following steps:
S31, receiving and verifying the authentication code of the corresponding physical machine sent by the operator station.
The server pre-stores the authentication codes of the physical machines of the operator stations. The authentication code is generated when the client is first installed on the physical machine of the operator station: the system information, hardware information and the like of the physical machine are read to obtain its machine code, the authentication code is generated from it and sent to the server for storage. Before each start of the client, the client reads the local machine's authentication code and sends it to the server, which verifies it against the pre-stored authentication code.
S32, if the authentication is passed, sending an authentication passing instruction to the operator station.
When the authentication codes of the two parties are identical, the server returns an authentication passing instruction to the client so that the client can carry out the subsequent data communication flow according to the instruction.
S33, receiving the encrypted operator station data sent by the operator station and storing it in the corresponding virtual machine.
A plurality of virtual machines are arranged in the server, respectively corresponding to different operator stations or carrying out different operations such as backup. After the server receives the operator station data, it can send the data to the corresponding virtual machine according to conditions such as the physical machine ID or the request content (for example, a backup request).
S34, the corresponding virtual machine decrypts the operator station data, processes the decrypted data, and returns encrypted control data to the operator station.
With respect to data encryption, the server may generate a random key after authentication and then encrypt the data according to the random key and a stored encryption algorithm. The random key is sent to the operator station so that the operator station can encrypt its data according to the random key and a stored encryption algorithm.
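The random session key and two-way encryption of S23 and S34 (described for the operator station in the fourth embodiment and for the server here), as an added Go example that is not code from the patent: after authentication the server generates a fresh 256-bit key, and both sides encrypt with AES-GCM so that a modified or misrouted message is rejected rather than decrypted to garbage. The patent names no cipher, key length or message layout; AES-256-GCM, the nonce || ciphertext layout, and binding the station ID as associated data are this example's choices, and how the key is delivered to the operator station is left outside it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Session is the random key the server generates after authentication
// together with the station it was issued to. After delivery the operator
// station and its server-side virtual machine hold identical copies.
type Session struct {
	StationID string
	Key       []byte // 32 bytes: AES-256
}

// NewSession is the server side of S34: a fresh random key once the
// authentication code has been verified. Key delivery to the operator
// station is outside this example (the text only says the server sends it).
func NewSession(stationID string) (*Session, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Session{StationID: stationID, Key: key}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message with AES-256-GCM. The station ID is bound as
// associated data, so a ciphertext replayed to another station's VM fails
// to open. Wire layout (assumption): nonce || ciphertext || tag.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(s.Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(s.StationID)), nil
}

// Open reverses Seal and rejects anything whose tag does not verify: a
// flipped bit, a truncated message, or a message sealed for another station.
func (s *Session) Open(msg []byte) ([]byte, error) {
	aead, err := newAEAD(s.Key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message shorter than nonce")
	}
	return aead.Open(nil, msg[:n], msg[n:], []byte(s.StationID))
}

// Exchange walks one S23/S34 round trip: the station seals its data, the
// server VM opens it and seals control data in reply, and the station opens
// that. Tampering in either direction surfaces as an error, not as bad data.
func Exchange(station, serverVM *Session, stationData, controlData []byte) ([]byte, error) {
	up, err := station.Seal(stationData)
	if err != nil {
		return nil, err
	}
	got, err := serverVM.Open(up)
	if err != nil {
		return nil, fmt.Errorf("server could not open station data: %w", err)
	}
	if string(got) != string(stationData) {
		return nil, errors.New("station data mismatch after decryption")
	}
	down, err := serverVM.Seal(controlData)
	if err != nil {
		return nil, err
	}
	return station.Open(down)
}

func main() {
	sess, err := NewSession("OPS-01") // constructed station ID
	if err != nil {
		panic(err)
	}
	// Both ends hold the same Session once the key has been delivered.
	ctrl, err := Exchange(sess, sess, []byte("temp=412.5;click=START"), []byte("valve=OPEN"))
	fmt.Println(string(ctrl), err) // valve=OPEN <nil>
}
```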
In a more preferred embodiment, the operator may also be authenticated. The operator identity authentication information can be stored in the server in advance, the operator station acquires the operator identity information and sends the operator identity information to the server for authentication, and only after the authentication is passed, the subsequent communication process is carried out. Further, the server can also store the corresponding relation between the operator and the physical machine of the operator station so as to further authenticate the operation authority of the operator.
The embodiment further provides a way for the server to perform authentication using specific data:
the server receives specific data transmitted by the operator station at a set time.
The specific data may be received by the operator station from the industrial control device. Of course, the specific data could also be initiated directly by the operator station, for example by entering it manually and sending it to the server for verification.
The server determines whether the specific data has been received. If not, it can be determined that the operator station has been altered and that the transmitted information is illegal data.
In fact, the operation of an industrial system is regular, and the data can be verified at the server by means of the regularity of the operation of different industrial systems. For example, if some industrial systems are in a stopped state during a specific time period, the server may check the data received at the beginning of that period to determine whether the operation rule of the corresponding system is satisfied.
The operation rule of the industrial system can be determined by manually entering data or can be learned by the server. Specifically, the server can learn from data of a representative period of time to obtain a certain operation rule, such as a day-and-night rule or a four-season rule, and then obtain the data and times that characterize the rule, so that the specific data verification process can be started subsequently.
For verification against the specific data learned by the server, some data that does not conform to the rule may occur because of a specific situation, for example when the night operation rule is broken by overtime required in an emergency. If communication were stopped uniformly under such conditions, the data would be lost. In this case, data communication can be continued, but newly received data needs to be transmitted to another independent virtual machine as a backup; once it is subsequently determined that no illegal intrusion has occurred, the backup data can be transmitted to the original virtual machine to complete the data. The virtual machines in the server use container isolation technology, which ensures the independence and safety of the data.
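The specific-data check and the learned operation rule described above, as an added Go example that is not code from the patent: a day-and-night rule is learned from a representative history at hour granularity, a reading that shows the system running in an hour it is expected to be stopped is routed to the backup virtual machine instead of being dropped, and specific data that does not arrive within its window marks the station as altered. The running threshold, the hour granularity, the grace window and the sample history are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Reading is one operator-station data item as the server VM sees it.
type Reading struct {
	At    time.Time
	Value float64
}

// Rule is a learned day-and-night operation rule: per hour of the day, whether
// the system is expected to run; Threshold is the value at or above which a
// reading counts as "running" (assumption).
type Rule struct {
	ActiveHour [24]bool
	Threshold  float64
}

// LearnRule builds the rule from a representative history: an hour is active
// if any reading in it shows the system running. Hours the history never
// covers are marked active so a gap in the data cannot by itself raise alarms.
func LearnRule(history []Reading, threshold float64) Rule {
	r := Rule{Threshold: threshold}
	var seen [24]bool
	for _, h := range history {
		hr := h.At.Hour()
		seen[hr] = true
		if h.Value >= threshold {
			r.ActiveHour[hr] = true
		}
	}
	for hr := range seen {
		if !seen[hr] {
			r.ActiveHour[hr] = true
		}
	}
	return r
}

// Destination is where the server routes a reading: conforming data to the
// station's own VM, non-conforming data to an isolated backup VM (kept, not lost).
type Destination int

const (
	PrimaryVM Destination = iota
	BackupVM
)

// Route applies the rule: a "running" value in an hour the system should
// be stopped does not fit and is diverted to the backup VM.
func (r Rule) Route(rd Reading) Destination {
	if rd.Value >= r.Threshold && !r.ActiveHour[rd.At.Hour()] {
		return BackupVM
	}
	return PrimaryVM
}

type Verdict int

const (
	Pending   Verdict = iota // window still open, nothing received yet
	Accept                   // specific data arrived inside the window
	Interrupt                // missing or late: treat the station as altered
)

// SpecificDataCheck is the server side of the set-time specific data: the
// station must deliver it within grace of the scheduled time. received is
// nil when nothing has arrived; now lets the caller re-evaluate as time passes.
func SpecificDataCheck(scheduled time.Time, received *time.Time, grace time.Duration, now time.Time) Verdict {
	if received != nil {
		if !received.Before(scheduled) && received.Sub(scheduled) <= grace {
			return Accept
		}
		return Interrupt
	}
	if now.Sub(scheduled) <= grace {
		return Pending
	}
	return Interrupt
}

func main() {
	// Constructed history: one reading per hour, running 08:00-17:59 only.
	base := time.Date(2019, 6, 13, 0, 0, 0, 0, time.UTC)
	var hist []Reading
	for hr := 0; hr < 24; hr++ {
		v := 0.0
		if hr >= 8 && hr < 18 {
			v = 80
		}
		hist = append(hist, Reading{At: base.Add(time.Duration(hr) * time.Hour), Value: v})
	}
	rule := LearnRule(hist, 10)
	night := Reading{At: base.Add(2 * time.Hour), Value: 75} // running at 02:00
	fmt.Println(rule.Route(night) == BackupVM)                  // true
}
```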
Example six
Corresponding to the fourth embodiment, the present application provides an apparatus for industrial information security, the apparatus comprising:
An authentication code sending unit, configured to send the authentication code of the physical machine to the server for authentication.
In a preferred embodiment, the apparatus further includes an authentication code generation unit configured to, when the client is first installed on the physical machine at the operator station, read system information, hardware information, and the like of the physical machine to read a machine code thereof, and generate the authentication code based on the machine code.
A data acquisition unit, configured to receive real-time detection data of the industrial equipment acquired by the industrial control equipment, perform primary processing on it, and take the primarily processed data together with the encoded operator station click data as operator station data;
A first encryption unit, configured to encrypt the operator station data and send the encrypted data to the corresponding virtual machine in the server after receiving the instruction that the server has passed the authentication.
To further improve the security of the encryption algorithm, the server may generate a random key after authentication, and then send the random key to the operator station. The data is encrypted by a first encryption unit according to the random key and a stored encryption algorithm.
A control data receiving unit, configured to receive the control data returned by the server according to the operator station data.
A first decryption unit, configured to decrypt the control data and send the decrypted data to the industrial equipment through the industrial control equipment to execute the related operations.
In a more preferred embodiment, the apparatus further includes a self-checking unit configured to, before the client runs, read local information such as the running processes, hardware configuration and system information to determine whether the physical machine has been invaded, and, after it is ensured that the physical machine has not changed greatly, notify the authentication code sending unit to execute the authentication function.
The self-checking unit is also used to periodically or in real time scan the hardware information and operating system of the physical machine after the client is started. The scan uses a white-list mode and its result is compared with the data recorded before the client was started; when newly connected hardware or newly running software is found, the service is closed or stopped. Alternatively, the data is transmitted to another virtual machine for backup and merged back into the original virtual machine once it is determined that no illegal intrusion has occurred.
In a preferred mode of this embodiment, the apparatus further includes:
A specific data verification unit, configured to receive specific data sent by the industrial control equipment at a set time, send it to the server for verification, receive the verification result returned by the server, and, if the verification fails, stop the data transmission process or transmit the data to another virtual machine for backup.
Example seven
Corresponding to the fifth embodiment, the present application provides an apparatus for industrial information security, the apparatus comprising:
An authentication code receiving unit, configured to receive and verify the authentication code of the corresponding physical machine sent by the operator station.
The server pre-stores the authentication codes of the physical machines of the operator stations, and the authentication code receiving unit verifies the received authentication code against the pre-stored codes.
An authentication passing instruction sending unit, configured to send an authentication passing instruction to the operator station when the authentication passes.
A data receiving unit, configured to receive the encrypted operator station data sent by the operator station and store it in the corresponding virtual machine.
A plurality of virtual machines are arranged in the server, respectively corresponding to different operator stations or carrying out different operations such as backup. After the server receives the operator station data, it can send the data to the corresponding virtual machine according to conditions such as the physical machine ID or the request content (for example, a backup request).
A second decryption unit configured to decrypt the operator station data and process the decrypted operator station data.
A second encryption unit, configured to encrypt the control data and return it to the operator station.
In a preferred embodiment, the apparatus further comprises a random key generation unit for generating a random key after the authentication has been passed and for sending the random key to the operator station, and the second encryption unit then encrypts the data according to the random key and a stored encryption algorithm.
Further, the apparatus further comprises:
A specific data receiving unit, configured to receive specific data transmitted by the operator station at a set time.
The specific data may be received by the operator station from the industrial control device. Of course, the specific data could also be initiated directly by the operator station, for example by entering it manually and sending it to the server for verification.
A specific data verification unit, configured to judge whether the specific data has been received. If not, it can be determined that the operator station has been altered and that the transmitted information is illegal data.
In fact, the operation of an industrial system is regular, and the specific data verification unit can verify the data at the server by means of the regularity of the operation of different industrial systems. For example, if some industrial systems are in a stopped state during a specific time period, the specific data verification unit may verify the data received at the beginning of that period to determine whether the operation rule of the corresponding system is satisfied.
The operation rule of the industrial system can be determined by manually entering data or can be learned by the server. Specifically, the specific data verification unit can learn from data of a representative period of time to obtain a certain operation rule, such as a day-and-night rule or a four-season rule, and then obtain the data and times that characterize the rule, so that the specific data verification process can be started subsequently.
For verification against the specific data learned by the specific data verification unit, some irregular data may occur because of a specific situation, for example when the night operation rule is broken by overtime required in an emergency. If communication were stopped uniformly under such conditions, the data would be lost. In this case, data communication can be continued, but newly received data needs to be transmitted to another independent virtual machine as a backup; once it is subsequently determined that no illegal intrusion has occurred, the backup data can be transmitted to the original virtual machine to complete the data.
Example eight
Corresponding to the fourth embodiment, an eighth embodiment of the present application further provides a computer system, including:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
sending the authentication code of the physical machine to a server for authentication;
receiving, at the operator station, real-time detection data of the industrial equipment acquired by the industrial control equipment, performing primary processing on it, and using the primarily processed data together with the encoded operator station click data as operator station data;
after receiving the instruction that the server has passed the authentication, encrypting the operator station data and sending the encrypted data to the corresponding virtual machine in the server;
receiving control data returned by the server according to the operator station data;
decrypting the control data and sending the decrypted data to the industrial equipment through the industrial control equipment to execute the related operations.
Example nine
Corresponding to the fifth embodiment, a ninth embodiment of the present application further provides a computer system, including:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
receiving and verifying the authentication code of the corresponding physical machine sent by the operator station;
if the authentication is passed, sending an authentication passing instruction to the operator station;
receiving the encrypted operator station data sent by the operator station and storing it in the corresponding virtual machine;
decrypting the operator station data in the corresponding virtual machine, processing the decrypted operator station data, and returning encrypted control data to the operator station.
Fig. 4 illustrates an architecture of a computer system, which may include, in particular, a processor 1510, a video display adapter 1511, a disk drive 1512, an input/output interface 1513, a network interface 1514, and a memory 1520. The processor 1510, video display adapter 1511, disk drive 1512, input/output interface 1513, network interface 1514, and memory 1520 may be communicatively coupled via a communication bus 1530.
The processor 1510 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solution provided by the present application.
The memory 1520 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1520 may store an operating system 1521 for controlling the operation of the computer system 1500 and a Basic Input Output System (BIOS) 1522 for controlling low-level operations of the computer system 1500. In addition, a web browser 1523, a data storage management system 1524, an icon font processing system 1525, and the like can also be stored. The icon font processing system 1525 may be an application program that implements the operations of the foregoing steps in this embodiment of the application. In summary, when the technical solution provided by the present application is implemented by software or firmware, the relevant program codes are stored in the memory 1520 and called for execution by the processor 1510.
The input/output interface 1513 is used for connecting an input/output module to realize information input and output. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The network interface 1514 is used to connect a communication module (not shown) to enable the device to communicatively interact with other devices. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
The bus 1530 includes a path to transfer information between the various components of the device, such as the processor 1510, the video display adapter 1511, the disk drive 1512, the input/output interface 1513, the network interface 1514, and the memory 1520.
In addition, the computer system 1500 may also obtain information of specific pickup conditions from a virtual resource object pickup condition information database for performing condition judgment, and the like.
It should be noted that although the above devices only show the processor 1510, the video display adapter 1511, the disk drive 1512, the input/output interface 1513, the network interface 1514, the memory 1520, the bus 1530, etc., in a specific implementation, the devices may also include other components necessary for proper operation. Furthermore, it will be understood by those skilled in the art that the apparatus described above may also include only the components necessary to implement the solution of the present application, and not necessarily all of the components shown in the figures.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a cloud server, or a network device) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments, which are substantially similar to the method embodiments, are described in a relatively simple manner, and reference may be made to some descriptions of the method embodiments for relevant points. The above-described system and system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The data processing method, device and apparatus provided by the present application are introduced in detail, and a specific example is applied in the present application to explain the principle and the implementation of the present application, and the description of the above embodiment is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific embodiments and the application range may be changed. In view of the above, the description should not be taken as limiting the application.

Claims (3)

1. A system for industrial information security, the system comprising:
the system comprises industrial equipment, industrial control equipment, an operator station and a server provided with at least two virtual machines, wherein the virtual machines are isolated from each other by adopting a container isolation technology;
the industrial equipment is used for acquiring industrial field environment data;
the industrial control equipment is used for acquiring and processing environmental data acquired by the industrial equipment in real time;
the operator station is used for verifying the legality of the environment data, sending an authentication code of a physical machine where the environment data is located to a server for authentication, encrypting the environment data and click data of the operator station and sending the encrypted data to the server after the environment data and the click data of the operator station pass the authentication, decrypting control data returned by the server and sending the decrypted control data to the industrial control equipment so as to control the industrial equipment;
the server is used for receiving the authentication code sent by the operator station for authentication, sending an authentication passing instruction to the operator station after the authentication is passed, receiving the encrypted data sent by the operator station for decryption, and returning the encrypted control data to the operator station;
the physical machine is provided with a client, and the operator station is also used for reading the information of the physical machine before the client operates each time and judging whether the physical machine is safe or not according to the information of the physical machine; the information of the physical machine comprises at least one of an operation process, hardware configuration and system information of the physical machine;
the operator station is also used for receiving identity information to be authenticated of an operator and sending the identity information to the server for authentication;
the server is further used for authenticating the identity information to be authenticated according to prestored identity information of an operator and sending an authentication passing instruction to the operator station after the identity information and the authentication code are authenticated;
the server is also used for generating a random secret key after the authentication is passed and sending the random secret key to the operator station, and encrypting the control data by using the random secret key and a preset encryption algorithm;
the operator station is used for encrypting data according to the random secret key and a preset encryption algorithm;
the operator station is further configured to send specific data to the server at a preset time;
the server is also used for judging whether the server receives the specific data and interrupting the communication with the operator station or transmitting the data sent by the operator station to another virtual machine for backup when judging that the specific data is not received;
the server is further used for learning the data received from the operator station to obtain an operation rule of the industrial equipment, judging whether subsequently received data sent by the operator station conform to the operation rule or not, and if not, interrupting communication with the operator station or transmitting the data sent by the operator station to another virtual machine for backup.
2. A method for industrial information security, applied to a system for industrial information security according to claim 1, characterized in that the method comprises:
sending the authentication code of the physical machine to a server for authentication;
receiving real-time acquired environmental data of the industrial equipment acquired by the industrial control equipment, performing primary processing, and using the data after the primary processing and the coded operator station click data as operator station data;
after receiving the command that the server passes authentication, encrypting the operator station data and sending the encrypted data to a corresponding virtual machine in the server;
receiving control data returned by the server according to the operator station data;
and decrypting the control data and sending the decrypted data to the industrial equipment through the industrial control equipment to execute related operations.
3. A computer system, comprising:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform a method for industrial information security as recited in claim 2.
Application CN201910510238.1A, priority date 2019-06-13, filing date 2019-06-13: Method, device and system for industrial information security (CN110225038B, active)

Publications (2)

CN110225038A (en), published 2019-09-10
CN110225038B (en), published 2022-05-17

Family

ID=67816977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910510238.1A Active CN110225038B (en) 2019-06-13 2019-06-13 Method, device and system for industrial information security

Country Status (1)

Country Link
CN (1) CN110225038B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111179119B (en) * 2020-01-03 2024-03-19 云南电网有限责任公司电力科学研究院 Intelligent monitoring and early warning system and method for law enforcement recorder of transformer substation
CN112650172B (en) * 2020-12-17 2021-08-20 山东云天安全技术有限公司 Safety authentication method and equipment for industrial control system
CN113014557B (en) * 2021-02-13 2023-06-27 贵州保久安防集团有限公司 Data interaction method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969438A (en) * 2010-10-25 2011-02-09 胡祥义 Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things
CN106100836A (en) * 2016-08-09 2016-11-09 中京天裕科技(北京)有限公司 Industrial user authentication and encryption method and system
CN109286599A (en) * 2017-07-20 2019-01-29 北京展讯高科通信技术有限公司 Data security protection method, smart device, server and readable storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572386A (en) * 2011-05-20 2012-07-11 广东迅通科技股份有限公司 Multi-device cooperation alarm analysis processing system
CN203489359U (en) * 2013-09-19 2014-03-19 新疆天富热电股份有限公司供热分公司 Boiler monitoring system
CN104539658B (en) * 2014-12-09 2018-01-19 武汉大政科技有限责任公司 Big data processing method based on an enterprise private cloud
US9742742B1 (en) * 2016-11-18 2017-08-22 Vaultara LLC Secure data transfer system and method
CN107911370A (en) * 2017-11-22 2018-04-13 深圳市智物联网络有限公司 Data encryption method and device, and data decryption method and device
CN107819673A (en) * 2017-11-24 2018-03-20 安徽省雨龙家具有限公司 Smart home control method based on instant messaging

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969438A (en) * 2010-10-25 2011-02-09 胡祥义 Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things
CN106100836A (en) * 2016-08-09 2016-11-09 中京天裕科技(北京)有限公司 Industrial user authentication and encryption method and system
CN109286599A (en) * 2017-07-20 2019-01-29 北京展讯高科通信技术有限公司 Data security protection method, smart device, server and readable storage medium

Also Published As

Publication number Publication date
CN110225038A (en) 2019-09-10

Similar Documents

Publication Publication Date Title
US8990923B1 (en) Protection against unauthorized access to automated system for control of technological processes
RU2690887C2 (en) Modular safety control device
CN110225038B (en) Method, device and system for industrial information security
US8989386B2 (en) Method and device for providing at least one secure cryptographic key
US8972730B2 (en) System and method of using a signed GUID
JP6911122B2 (en) Permission method and system to acquire terminal attack warning message log
US9560523B2 (en) Mobile device authentication
CN103825738A (en) Registration information authentication method and device
CN104035408A (en) RTU (Remote Terminal Unit) controller and communication method with SCADA (Supervisory Control And Data Acquisition) system
CN105099705A (en) Safety communication method and system based on USB protocol
CN111143856A (en) PLC remote firmware upgrading system and method
CN103500202A (en) Security protection method and system for light-weight database
CN100334519C (en) Method for establishing credible input-output channels
CN114301705A (en) Industrial control defense method and system based on trusted computing
CN106131008A (en) Video and audio monitoring device and safety certifying method, video and audio presentation device
CN108880912A (en) IT operation and maintenance control system and method
CN104219208A (en) Method and device for data input
US9369446B2 (en) Secure remote desktop
CN109842615B (en) Communication device and communication method
CN104270346A (en) Bidirectional authentication method, device and system
CN116881936A (en) Trusted computing method and related equipment
JP2017183930A (en) Server management system, server device, server management method, and program
CN211557285U (en) Control terminal, signature server and task server
WO2018033016A1 (en) Method and system for authorizing conversion of terminal state
CN113885425A (en) Industrial field PLC network safety operation and maintenance method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant