CN110620779A - Industrial control protocol instruction level protection method based on error code response - Google Patents
- Publication number: CN110620779A (application number CN201910915792.8A)
- Authority: CN (China)
- Prior art keywords
- instruction
- industrial
- error code
- industrial control
- upper computer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/418—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
- G05B19/4185—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by the network communication
- G05B19/4186—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by the network communication by protocol, e.g. MAP, TOP
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract
The invention discloses an industrial control protocol instruction-level protection method based on error code response, comprising the following steps: S1, connecting an industrial safety protection device in series between the upper computer and the lower computer of the industrial control system; S2, acquiring the communication messages between the upper computer and the lower computer in proxy mode; S3, deeply parsing the acquired communication messages to extract the control instructions; and S4, matching the control instructions one by one against a preconfigured industrial control protocol deep instruction policy, and discarding the communication message corresponding to any control instruction whose matching fails. While discarding the communication message, the invention replies the corresponding error code to the upper computer. This avoids the TCP disconnection caused by directly discarding the message, informs the upper computer that the control instruction has been discarded so that it is not sent repeatedly, and does not affect the communication of the upper computer's subsequent instructions.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an industrial control protocol instruction level protection method based on error code response.
Background
In recent years many attacks targeting industrial control systems have occurred worldwide. A typical intrusion is the 2010 attack in which Western countries including the United States attacked Iran's nuclear facilities with the Stuxnet ('seismic net') virus weapon: the virus located the Siemens control software, intercepted the instructions that software sent to the programmable logic controllers (PLCs), found and identified the software applied to the centrifuges, and then issued false instructions so that the centrifuges ran at abnormal speeds, damaging the equipment and causing huge losses to the Iranian nuclear facilities.
Industrial firewalls and industrial security gateways currently on the market correctly identify false instructions by parsing PLC instructions and combining the result with a PLC instruction policy whitelist, thereby effectively protecting against virus attacks such as Stuxnet. When some such protection devices, industrial firewalls for example, detect an illegal instruction, they directly discard the corresponding message to stop the attack. However, discarding the message breaks the integrity of the TCP connection; because of TCP's reliable-transmission characteristics the TCP connection is torn down, and the connection of the upper computer software is interrupted.
Other industrial firewalls and similar devices are implemented in proxy mode. When such a protection device detects an illegal instruction, it directly discards the corresponding application-layer message to stop the attack. Because of the proxy, the TCP connection is not interrupted, but the upper computer software is not told the state of the instruction, so it keeps re-sending the instruction, subsequent instructions cannot be issued, network congestion results, and in severe cases the client software becomes unavailable or crashes.
Disclosure of Invention
The aim of the invention is to provide an industrial control protocol instruction-level protection method based on error code response. The industrial control protocol is deeply parsed to obtain the control instructions of the industrial control system; in combination with an industrial control protocol deep instruction policy, the communication message corresponding to any control instruction that does not conform to the policy is discarded while the corresponding error code is replied. This avoids the TCP disconnection caused by directly discarding the message, informs the upper computer that the control instruction has been discarded, prevents the instruction from being repeatedly sent and discarded (and the more serious consequences that would follow), and does not affect the issuing of the upper computer's subsequent instructions.
The technical scheme adopted by the invention to solve these problems is an industrial control protocol instruction-level protection method based on error code response, comprising the following steps:
S1, connecting an industrial safety protection device in series between the upper computer and the lower computer of the industrial control system;
S2, acquiring the communication messages between the upper computer and the lower computer of the industrial control system in proxy mode;
S3, deeply parsing the acquired communication messages between the upper computer and the lower computer to extract the control instructions;
S4, matching the control instructions one by one against the preconfigured industrial control protocol deep instruction policy, and processing according to the matching result:
(1) if the control instruction matches successfully, releasing the communication message corresponding to the control instruction;
(2) if matching of the control instruction fails, discarding the communication message corresponding to the control instruction and, at the same time, generating the corresponding error code response message from the preconfigured industrial protocol instruction error code and replying that error code response message to the upper computer.
Further, the industrial protocol instruction error codes at least include a corresponding error code indicating that the communication message was discarded.
Further, deep parsing of the acquired communication messages between the upper computer and the lower computer at least includes parsing at the level of function code, register address, register value, file content and keyword.
Further, the control instructions include at least device start/stop, program upload/download, device discovery/directory browsing, address space read/write, and file read/write.
Further, the preconfigured industrial control protocol depth instruction policy at least comprises a blacklist and whitelist depth instruction policy.
Further, the proxy mode is at least a transparent proxy or an application proxy.
Further, the industrial safety protection device is an industrial firewall or an industrial safety gateway.
In summary, by adopting the above technical scheme the invention has the following beneficial effects:
While discarding the communication message, the invention replies the corresponding error code to the upper computer and clearly informs it of the error type, so that control instructions conforming to the industrial control protocol deep instruction policy pass normally and control instructions that do not conform produce an error prompt. Specifically:
In the traditional method, directly discarding a single communication message causes the TCP connection to be interrupted, which blocks the passage of other legitimate control instructions and ultimately terminates the whole service. The invention replies the corresponding error code to the upper computer while discarding the message, which preserves the reliability of the TCP connection: the connection is not interrupted and the passage of control instructions other than the discarded one is unaffected.
In the traditional method no error code is replied when a message is discarded, so the upper computer assumes the control instruction timed out and keeps re-requesting the discarded message, increasing the network load and seriously affecting the operation of the whole service. The invention replies the corresponding error code while discarding the message, so the upper computer learns the error type of the control instruction and correctly perceives that execution of the instruction failed.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a block flow diagram of an error response based industrial control protocol instruction level protection method implemented by the present invention.
Detailed Description
The invention provides an industrial control protocol instruction-level protection method based on error code response. The industrial control protocol is deeply parsed to obtain the control instructions of the industrial control system; in combination with an industrial control protocol deep instruction policy, the communication message corresponding to any control instruction that does not conform to the policy is discarded while the corresponding error code is replied. This avoids the TCP connection interruption caused by directly discarding the message, informs the upper computer that the control instruction has been discarded, avoids repeated sending of the instruction and the more serious effects that would follow, and does not affect the issuing of the upper computer's subsequent instructions.
The method for protecting the industrial control protocol instruction level based on the error code response comprises the following steps:
S1, connect the industrial safety protection device in series between the upper computer and the lower computer of the industrial control system. That is, an industrial safety protection device such as an industrial firewall or an industrial security gateway is inserted in series between the upper computer (the supervisory host running the control software, for example an HMI or SCADA station) and the lower computer (the field controller, for example a PLC), and this device carries out the following steps S2 to S4.
Note that the industrial control protocol deep instruction policy and the industrial protocol instruction error codes must be configured in the industrial safety protection device in advance; the device's proxy service is started only after both have been configured.
S2, acquire the communication messages between the upper computer and the lower computer of the industrial control system in proxy mode; in general the proxy mode may be a transparent proxy, an application proxy, or similar.
S3, deeply parse the acquired communication messages between the upper computer and the lower computer to extract the control instructions. Specifically, the acquired messages are parsed at least at the level of function code, register address, register value, file content and keyword, so that the extracted control instructions at least cover device start/stop, program upload/download, device discovery/directory browsing, address space read/write, file read/write and related instructions; which instructions are recognized can be configured according to the relevant industrial standards and requirements.
S4, match the control instructions one by one against the preconfigured industrial control protocol deep instruction policy, and process them according to the matching result:
(1) if the control instruction matches successfully, release the communication message corresponding to the control instruction;
(2) if matching of the control instruction fails, discard the communication message corresponding to the control instruction and, at the same time, generate the corresponding error code response message from the preconfigured industrial protocol instruction error code and reply that error code response message to the upper computer.
The industrial protocol instruction error codes at least include an error code for a discarded communication message, because the upper computer must be told that its message was discarded; examples are instruction unreachable, insufficient instruction permission, instruction error, instruction range overflow, instruction illegal, instruction not applicable, instruction timeout and system busy. That is, an error code is configured for each problem a control instruction in a communication message may have, and the error code identifies the type of problem found in the control instruction.
The preconfigured industrial control protocol deep instruction policy at least includes a blacklist-and-whitelist deep instruction policy, meaning that a blacklist and a whitelist are configured and control instructions are divided between them according to their state (problematic or normal). For example, control instruction states such as instruction unreachable, insufficient permission, instruction error, range overflow, instruction illegal, instruction not applicable, instruction timeout and system busy belong to the blacklist, and the other, normal states belong to the whitelist. When a control instruction is matched against the blacklist and the whitelist: if the instruction is normal it matches the whitelist, the match succeeds, and the corresponding communication message is released; if the instruction has a problem it matches the blacklist, the match fails, and the corresponding communication message is discarded while an error code response message generated from the preconfigured industrial protocol instruction error code is replied to the upper computer.
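The S3/S4 pipeline above (deep parsing down to function code, register address and register value; whitelist matching; drop plus error-code reply), worked through as an added example that is not code from the patent or its applicant. Modbus/TCP is assumed as the concrete industrial protocol, since the patent names none; the mapping of the patent's error states onto Modbus exception codes, the sample policy, the frames and the `fake_plc` forwarder are all constructed for this example. A rejected request is dropped, but the upper computer receives an exception response carrying the original transaction and unit identifiers, so the TCP session stays up and the client sees a definite failure instead of a timeout.

```python
"""Instruction-level filter with error-code reply (added example, Modbus/TCP assumed)."""
import struct
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

# Modbus exception codes (Modbus Application Protocol spec), paired with the
# error states the patent lists; the pairing is this example's choice.
ILLEGAL_FUNCTION = 0x01      # "instruction illegal"
ILLEGAL_DATA_ADDRESS = 0x02  # "instruction range overflow"
ILLEGAL_DATA_VALUE = 0x03    # "instruction error"
SERVER_DEVICE_BUSY = 0x06    # "system busy"

WRITE_FUNCTIONS = {0x05, 0x06, 0x10}  # write coil, write register, write multiple regs


@dataclass(frozen=True)
class Request:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    count_or_value: int  # quantity for reads, register value for single writes


def parse_request(frame: bytes) -> Request:
    """S3: deep-parse MBAP header + PDU down to function code, register address
    and register value/count. Raises ValueError on malformed input."""
    if len(frame) < 12:
        raise ValueError("frame too short for a Modbus/TCP request")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    function = frame[7]
    address, count_or_value = struct.unpack(">HH", frame[8:12])
    return Request(tid, uid, function, address, count_or_value)


@dataclass(frozen=True)
class Policy:
    """Deep instruction policy: whitelist of function codes plus, for writes,
    the address ranges that may be written and a blacklist of register values."""
    allowed_functions: FrozenSet[int]
    writable_ranges: Tuple[Tuple[int, int], ...]  # inclusive (lo, hi) pairs
    blocked_values: FrozenSet[int]


def evaluate(req: Request, policy: Policy) -> Optional[int]:
    """S4: None when the instruction matches the whitelist, otherwise the
    exception code that names why it was rejected."""
    if req.function not in policy.allowed_functions:
        return ILLEGAL_FUNCTION
    if req.function in WRITE_FUNCTIONS:
        if not any(lo <= req.address <= hi for lo, hi in policy.writable_ranges):
            return ILLEGAL_DATA_ADDRESS
        if req.function == 0x06 and req.count_or_value in policy.blocked_values:
            return ILLEGAL_DATA_VALUE
    return None


def exception_response(req: Request, code: int) -> bytes:
    """Error-code reply for a dropped request: same transaction and unit ids so
    the client pairs it with its request; PDU is (function | 0x80, code)."""
    pdu = bytes([req.function | 0x80, code])
    mbap = struct.pack(">HHHB", req.transaction_id, 0, len(pdu) + 1, req.unit_id)
    return mbap + pdu


def filter_frame(frame: bytes, policy: Policy, forward: Callable[[bytes], bytes]) -> bytes:
    """Proxy decision for one request: release it to the lower computer via
    `forward`, or drop it and answer the upper computer with an exception."""
    req = parse_request(frame)
    code = evaluate(req, policy)
    if code is None:
        return forward(frame)
    return exception_response(req, code)


# --- constructed sample policy and frames (not captured traffic) ---
SAMPLE_POLICY = Policy(
    allowed_functions=frozenset({0x03, 0x06}),  # read holding regs, write single reg
    writable_ranges=((0x0100, 0x01FF),),        # only this setpoint block is writable
    blocked_values=frozenset({0x0000}),         # a zero setpoint is never acceptable here
)
READ_OK = bytes.fromhex("0001 0000 0006 01 03 0100 0002")              # read 2 regs at 0x0100
WRITE_OK = bytes.fromhex("0002 0000 0006 01 06 0150 1234")             # write 0x1234 to 0x0150
WRITE_OUT_OF_RANGE = bytes.fromhex("0003 0000 0006 01 06 0300 0001")   # 0x0300 not writable
COIL_NOT_ALLOWED = bytes.fromhex("0004 0000 0006 01 05 0000 FF00")     # 0x05 not whitelisted
WRITE_BAD_VALUE = bytes.fromhex("0005 0000 0006 01 06 0150 0000")      # value on blacklist


def fake_plc(frame: bytes) -> bytes:
    """Stand-in for the forwarded path; a real proxy would relay the frame."""
    return b"FORWARDED:" + frame[:2]


if __name__ == "__main__":
    for name, frame in [("READ_OK", READ_OK), ("WRITE_OK", WRITE_OK),
                        ("WRITE_OUT_OF_RANGE", WRITE_OUT_OF_RANGE),
                        ("COIL_NOT_ALLOWED", COIL_NOT_ALLOWED),
                        ("WRITE_BAD_VALUE", WRITE_BAD_VALUE)]:
        print(f"{name:20} -> {filter_frame(frame, SAMPLE_POLICY, fake_plc).hex()}")
```

The three rejected frames each come back as a seven-byte MBAP header followed by the request's function code with the high bit set and one exception code; because the transaction identifier is echoed, the client library matches the reply to the outstanding request and reports a failure immediately rather than retrying until its timeout expires. Parsing is done before policy evaluation on purpose: a frame that does not parse cannot be classified, and the `ValueError` is the place a real device would log it.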
That is to say, while discarding the communication message the invention replies the corresponding error code to the upper computer and clearly informs it of the type of control instruction error found in the message, so that control instructions conforming to the industrial control protocol deep instruction policy pass normally and control instructions that do not conform produce an error prompt. Specifically:
In the traditional method, directly discarding a single communication message causes the TCP connection to be interrupted, which blocks the passage of other legitimate control instructions and ultimately terminates the whole service. The invention replies the corresponding error code to the upper computer while discarding the message, which preserves the reliability of the TCP connection: the connection is not interrupted and the passage of control instructions other than the discarded one is unaffected.
In the traditional method no error code is replied when a message is discarded, so the upper computer assumes the control instruction timed out and keeps re-requesting the discarded message; subsequent instructions cannot be issued, the network load increases, and the operation of the whole service is seriously affected. The invention replies the corresponding error code while discarding the message, so the upper computer learns the error type of the control instruction and correctly perceives that execution of the instruction failed.
Claims (7)
1. An industrial control protocol instruction-level protection method based on error code response, characterized by comprising the following steps:
S1, connecting an industrial safety protection device in series between the upper computer and the lower computer of the industrial control system;
S2, acquiring the communication messages between the upper computer and the lower computer of the industrial control system in proxy mode;
S3, deeply parsing the acquired communication messages between the upper computer and the lower computer to extract the control instructions;
S4, matching the control instructions one by one against the preconfigured industrial control protocol deep instruction policy, and processing according to the matching result:
(1) if the control instruction matches successfully, releasing the communication message corresponding to the control instruction;
(2) if matching of the control instruction fails, discarding the communication message corresponding to the control instruction and, at the same time, generating the corresponding error code response message from the preconfigured industrial protocol instruction error code and replying that error code response message to the upper computer.
2. The error code response-based industrial control protocol instruction-level protection method according to claim 1, wherein the industrial protocol instruction error codes at least comprise a corresponding error code indicating that the communication message was discarded.
3. The error code response-based industrial control protocol instruction-level protection method according to claim 1, wherein deep parsing of the acquired communication messages between the upper computer and the lower computer at least comprises parsing at the level of function code, register address, register value, file content and keyword.
4. The error code response-based industrial control protocol instruction-level protection method according to claim 1, wherein the control instructions at least comprise device start/stop, program upload/download, device discovery/directory browsing, address space read/write, and file read/write.
5. The error code response-based industrial control protocol instruction-level protection method according to claim 1, wherein the preconfigured industrial control protocol deep instruction policy at least comprises a blacklist-and-whitelist deep instruction policy.
6. The error code response-based industrial control protocol instruction-level protection method according to claim 1, wherein the proxy mode is at least a transparent proxy or an application proxy.
7. The error code response-based industrial control protocol instruction-level protection method according to claim 1, wherein the industrial safety protection device is an industrial firewall or an industrial security gateway.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910915792.8A CN110620779A (en) | 2019-09-26 | 2019-09-26 | Industrial control protocol instruction level protection method based on error code response |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110620779A true CN110620779A (en) | 2019-12-27 |
Family
ID=68924122
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910915792.8A Pending CN110620779A (en) | 2019-09-26 | 2019-09-26 | Industrial control protocol instruction level protection method based on error code response |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110620779A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160359812A1 (en) * | 2005-06-03 | 2016-12-08 | Asavie R&D Limited | Secure network communication system and method |
CN106899419A (en) * | 2015-12-17 | 2017-06-27 | 北京网御星云信息技术有限公司 | Method, device and requesting end for implementing exception handling |
CN109922085A (en) * | 2019-04-11 | 2019-06-21 | 江苏亨通工控安全研究院有限公司 | Security protection system and method based on the CIP protocol in a PLC |
Prosecution timeline
- 2019-09-26: CN application CN201910915792.8A filed (publication CN110620779A), status Pending
Non-Patent Citations (1)
Title |
---|
徐婷 (Xu Ting): 《高校图书馆门户网站建设》 (Construction of University Library Portal Websites), 30 June 2016 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | |
Application publication date: 2019-12-27