CN110620779A - Industrial control protocol instruction level protection method based on error code response - Google Patents


Info

Publication number
CN110620779A
Authority
CN
China
Prior art keywords
instruction
industrial
error code
industrial control
upper computer
Legal status (Google's assumption, not a legal conclusion)
Pending
Application number
CN201910915792.8A
Other languages
Chinese (zh)
Inventor
朱振乾
李鹏
许爱东
Current Assignee (the listed assignee may be inaccurate)
China Electronic Technology Cyber Security Co Ltd
Original Assignee
China Electronic Technology Cyber Security Co Ltd
Priority date (Google's assumption, not a legal conclusion)
2019-09-26
Filing date
2019-09-26
Publication date
2019-12-27


Classifications

    • G05B19/4186: Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM], characterised by the network communication by protocol, e.g. MAP, TOP (G PHYSICS > G05 CONTROLLING; REGULATING > G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS > G05B19/00 Programme-control systems > G05B19/02 Programme-control systems electric > G05B19/418 Total factory control > G05B19/4185 Total factory control characterised by the network communication)
    • H04L63/0281: Proxies (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or protocols for separating internal from external traffic, e.g. firewalls)
    • H04L63/101: Access control lists [ACL] (H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or protocols for controlling access to devices or network resources)
    • H04L69/22: Parsing or analysis of headers (H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS > Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Abstract

The invention discloses an industrial control protocol instruction-level protection method based on error code responses, comprising the following steps: S1, connecting an industrial security protection device in series between the upper computer (the supervisory host) and the lower computer (the field controller, such as a PLC) of the industrial control system; S2, acquiring the communication messages exchanged between the upper and lower computers in proxy mode; S3, deeply parsing the acquired messages to extract the control instructions; and S4, matching each control instruction one by one against a pre-configured industrial control protocol deep instruction policy, and discarding the message corresponding to any instruction whose match fails. While discarding the message, the invention replies to the upper computer with the corresponding error code. This avoids the TCP disconnection that silently discarding the message would cause, informs the upper computer that the control instruction has been discarded so that it is not sent again and again, and does not affect the upper computer's subsequent instructions.

Description

Industrial control protocol instruction level protection method based on error code response
Technical Field
The invention belongs to the technical field of network security and specifically relates to an industrial control protocol instruction-level protection method based on error code responses.
Background
In recent years many attacks on industrial control systems have occurred around the world. A typical intrusion is the 2010 attack by Western countries, including the United States, on Iran's nuclear facilities using the Stuxnet malware weapon. The malware located the Siemens control software, intercepted the instructions that software sent to the programmable logic controllers (PLCs), identified the software driving the centrifuges, and then issued false instructions that drove the centrifuges to abnormal speeds, damaging the equipment and causing heavy losses at the Iranian nuclear facilities.
Industrial firewalls and industrial security gateways currently on the market identify such false instructions by parsing the PLC instructions and checking them against a PLC instruction policy whitelist, which protects effectively against Stuxnet-style attacks. When some of these protection devices, such as industrial firewalls, detect an illegal instruction, they directly discard the corresponding packet to stop the attack. However, discarding the packet damages the integrity of the TCP stream; because TCP is a reliable transport, the connection is eventually torn down, and the upper computer software loses its connection.
Another class of industrial firewalls is implemented in proxy mode. When such a device detects an illegal instruction, it discards the corresponding application-layer message to stop the attack. Because of the proxy, the TCP connection is not interrupted, but the upper computer software is not told what happened to the instruction. It therefore keeps re-issuing the same instruction, subsequent instructions cannot be issued, the network becomes congested and, in severe cases, the client software becomes unavailable or crashes.
Disclosure of Invention
Object of the invention: the invention provides an industrial control protocol instruction-level protection method based on error code responses. The industrial control protocol is deeply parsed to obtain the control instructions of the industrial control system; in combination with an industrial control protocol deep instruction policy, the communication message corresponding to any control instruction that does not conform to the policy is discarded and, at the same time, the corresponding error code is replied. This avoids the TCP disconnection caused by directly discarding the message, informs the upper computer that the control instruction has been discarded, prevents the instruction from being re-sent repeatedly (and the more serious consequences that follow), and does not affect the issuing of the upper computer's subsequent instructions.
The technical solution adopted by the invention to solve the above problems is as follows. An industrial control protocol instruction-level protection method based on error code responses comprises the following steps:
S1, connecting an industrial security protection device in series between the upper computer and the lower computer of the industrial control system;
S2, acquiring the communication messages between the upper and lower computers of the industrial control system in proxy mode;
S3, deeply parsing the acquired communication messages between the upper and lower computers to obtain the control instructions;
S4, matching the control instructions one by one against the pre-configured industrial control protocol deep instruction policy and processing them according to the result of the match:
(1) if the control instruction matches successfully, releasing the communication message corresponding to it;
(2) if the control instruction fails to match, discarding the communication message corresponding to it and, at the same time, generating an error code response message from the pre-configured industrial protocol instruction error codes and replying with that message to the upper computer.
Further, the industrial protocol instruction error codes comprise at least an error code indicating that the communication message was discarded.
Further, the deep parsing of the acquired communication messages between the upper and lower computers comprises at least parsing at the level of function codes, register addresses, register values, file contents and keywords.
Further, the control instructions comprise at least device start/stop, program upload/download, device discovery/directory browsing, address-space read/write, and file read/write.
Further, the pre-configured industrial control protocol deep instruction policy comprises at least a blacklist/whitelist deep instruction policy.
Further, the proxy mode comprises at least a transparent proxy or an application proxy.
Further, the industrial security protection device is an industrial firewall or an industrial security gateway.
In summary, by adopting the above technical solution, the invention has the following beneficial effects.
While discarding the communication message, the invention replies to the upper computer with the corresponding error code and thereby tells it explicitly what kind of error occurred: control instructions that conform to the industrial control protocol deep instruction policy pass normally, and those that do not are answered with an error. Specifically:
In the traditional method, directly discarding a single communication message interrupts the TCP connection, which blocks the passage of other, legitimate control instructions and ultimately terminates the whole service. The invention replies with the corresponding error code while discarding the message, which preserves the reliability of the TCP connection: the connection is not interrupted, and the passage of control instructions other than the discarded one is unaffected.
In the traditional method, no error code is returned when a message is discarded, so the upper computer treats the control instruction as timed out and keeps re-requesting the discarded message, increasing the network load and seriously affecting the operation of the whole service. The invention replies with the corresponding error code while discarding the message, so the upper computer learns the error type of the control instruction and correctly perceives that its execution failed.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a block flow diagram of an error response based industrial control protocol instruction level protection method implemented by the present invention.
Detailed Description
The invention provides an industrial control protocol instruction-level protection method based on error code responses. The industrial control protocol is deeply parsed to obtain the control instructions of the industrial control system; in combination with an industrial control protocol deep instruction policy, the communication message corresponding to any control instruction that does not conform to the policy is discarded and, at the same time, the corresponding error code is replied. This avoids the TCP connection interruption caused by directly discarding the message, informs the upper computer that the control instruction has been discarded, prevents the instruction from being re-sent repeatedly (and the more serious effects that follow), and does not affect the issuing of the upper computer's subsequent instructions.
The industrial control protocol instruction-level protection method based on error code responses comprises the following steps:
S1, connecting the industrial security protection device in series between the upper computer and the lower computer of the industrial control system. That is, an industrial security protection device, such as an industrial firewall or an industrial security gateway, is inserted inline between the upper and lower computers and is configured to carry out steps S2 to S4 below.
Note that the industrial control protocol deep instruction policy and the industrial protocol instruction error codes must be configured in the industrial security protection device in advance. Once the policy and the error codes have been configured, the proxy service of the device is started.
S2, acquiring the communication messages between the upper and lower computers of the industrial control system in proxy mode. In general, the proxy mode may be a transparent proxy, an application proxy, or similar.
S3, deeply parsing the acquired communication messages between the upper and lower computers to obtain the control instructions. Specifically, the acquired messages are deeply parsed at least at the level of function codes, register addresses, register values, file contents and keywords, so that the control instructions obtained cover at least device start/stop, program upload/download, device discovery/directory browsing, address-space read/write, file read/write and similar instructions; the set of control instructions may be configured according to the relevant industrial standards and requirements.
S4, matching the control instructions one by one against the pre-configured industrial control protocol deep instruction policy and processing them according to the result of the match:
(1) if the control instruction matches successfully, releasing the communication message corresponding to it;
(2) if the control instruction fails to match, discarding the communication message corresponding to it and, at the same time, generating an error code response message from the pre-configured industrial protocol instruction error codes and replying with that message to the upper computer.
Because the upper computer must be told that its communication message was discarded, the industrial protocol instruction error codes comprise at least an error code for a discarded message, for example: instruction unreachable, insufficient instruction permission, instruction error, instruction range overflow, illegal instruction, instruction not applicable, instruction timeout, and system busy. That is, an error code is configured for each kind of problem a control instruction in a communication message may have, and the error code identifies the type of problem.
The pre-configured industrial control protocol deep instruction policy comprises at least a blacklist/whitelist deep instruction policy, meaning that the policy is configured with a blacklist and a whitelist. The two lists are divided according to the state of the control instruction (a problem, or normal): for example, instruction states such as instruction unreachable, insufficient instruction permission, instruction error, instruction range overflow, illegal instruction, instruction not applicable, instruction timeout and system busy belong to the blacklist, and the remaining, normal states belong to the whitelist. When a control instruction is matched against the blacklist and the whitelist, a normal instruction matches the whitelist, the match succeeds, and the corresponding communication message is released; an instruction with a problem matches the blacklist, which counts as a failed policy match, and the corresponding communication message is discarded while, at the same time, an error code response message is generated from the pre-configured industrial protocol instruction error codes and returned to the upper computer.
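As an added example (not code from the patent or its assignee), the following Python sketch implements steps S2 to S4 as described above and in the Disclosure section for one request on a Modbus/TCP session. Modbus is an assumption: the patent names no protocol, but its parsing of function codes, register addresses and register values fits it. The policy table, the mapping from the page's error types onto Modbus exception codes, and the sample frames are all constructed for this example. The proxy parses the MBAP header and PDU, matches the instruction against a per-unit whitelist of function codes and register windows, and either forwards the frame unchanged or drops it and returns an exception response that carries the request's own transaction and unit identifiers, so the upper computer receives a definite failure for that transaction while the TCP connection and later transactions continue.

```python
"""Added example: instruction-level policy proxy for Modbus/TCP (steps S2-S4).

Modbus is assumed; the policy table, exception-code mapping and sample
frames below are constructed for this example, not taken from the patent.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Modbus exception codes (Modbus Application Protocol Specification V1.1b3),
# mapped here (an assumption) onto the error types the page lists.
ILLEGAL_FUNCTION = 0x01        # "illegal instruction" / "instruction not applicable"
ILLEGAL_DATA_ADDRESS = 0x02    # "instruction range overflow"
ILLEGAL_DATA_VALUE = 0x03      # "instruction error"
GATEWAY_TARGET_FAILED = 0x0B   # "instruction unreachable"

# For these functions the second PDU field is a quantity; for 5/6 it is a value.
COUNT_FUNCTIONS = {1, 2, 3, 4, 15, 16}


@dataclass
class Request:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    count_or_value: int
    raw: bytes


def parse_request(adu: bytes) -> Request:
    """S3: deep-parse a Modbus/TCP ADU (7-byte MBAP header + PDU)."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, uid = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("inconsistent MBAP header")
    fc = adu[7]
    addr = val = 0
    # Functions 1-6, 15 and 16 start with a 16-bit address and a 16-bit count/value.
    if fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(adu) >= 12:
        addr, val = struct.unpack(">HH", adu[8:12])
    return Request(tid, uid, fc, addr, val, adu)


# Hypothetical deep instruction policy (the whitelist): per unit id, the
# permitted function codes and the register window they may touch.
# Anything not listed here falls on the blacklist side.
POLICY = {
    1: {"read": ({3, 4}, (0, 99)), "write": ({6, 16}, (10, 19))},
}


def match_policy(req: Request) -> Optional[int]:
    """S4: None when the instruction matches the whitelist, otherwise the
    exception code that the error code response should carry."""
    rule = POLICY.get(req.unit_id)
    if rule is None:
        return GATEWAY_TARGET_FAILED
    span = req.count_or_value if req.function in COUNT_FUNCTIONS else 1
    if span < 1:
        return ILLEGAL_DATA_VALUE
    for fcs, (lo, hi) in rule.values():
        if req.function in fcs:
            inside = lo <= req.address and req.address + span - 1 <= hi
            return None if inside else ILLEGAL_DATA_ADDRESS
    return ILLEGAL_FUNCTION


def build_exception(req: Request, code: int) -> bytes:
    """Error code response: same transaction and unit id as the request,
    function code with the high bit set, then one exception byte."""
    pdu = bytes([req.function | 0x80, code])
    return struct.pack(">HHHB", req.transaction_id, 0, len(pdu) + 1, req.unit_id) + pdu


def handle(adu: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Proxy decision for one request: returns (bytes to forward to the lower
    computer, bytes to reply to the upper computer); exactly one is set."""
    req = parse_request(adu)
    code = match_policy(req)
    if code is None:
        return adu, None                           # (1) match succeeded: release
    return None, build_exception(req, code)        # (2) match failed: drop + reply


def make_request(tid: int, uid: int, fc: int, addr: int, count_or_value: int) -> bytes:
    """Builds a constructed sample frame (not captured traffic)."""
    pdu = struct.pack(">BHH", fc, addr, count_or_value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


if __name__ == "__main__":
    # Constructed upper-computer session: a legal read, a write outside the
    # permitted window, and a function code that is not whitelisted at all.
    for frame in (make_request(1, 1, 3, 0, 10),
                  make_request(2, 1, 6, 50, 1),
                  make_request(3, 1, 5, 0, 0xFF00)):
        fwd, reply = handle(frame)
        print(frame.hex(), "->", "FORWARD" if fwd else "DROP, reply " + reply.hex())
```

Run as a script to see the three constructed frames classified. The exception response must carry the same transaction identifier as the rejected request; a client that matches replies by transaction id would otherwise still treat the request as timed out and retry, which is exactly the behaviour the page describes for a silent drop.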
In other words, while discarding the communication message, the invention replies to the upper computer with the corresponding error code and tells it explicitly what kind of control instruction error the message contained: control instructions that conform to the industrial control protocol deep instruction policy pass normally, and those that do not are answered with an error. Specifically:
In the traditional method, directly discarding a single communication message interrupts the TCP connection, which blocks the passage of other, legitimate control instructions and ultimately terminates the whole service. The invention replies with the corresponding error code while discarding the message, which preserves the reliability of the TCP connection: the connection is not interrupted, and the passage of control instructions other than the discarded one is unaffected.
In the traditional method, no error code is returned when a message is discarded, so the upper computer treats the control instruction as timed out, keeps re-requesting the discarded message, cannot issue subsequent instructions, adds to the network load and seriously affects the operation of the whole service. The invention replies with the corresponding error code while discarding the message, so the upper computer learns the error type of the control instruction and correctly perceives that its execution failed.

Claims (7)

1. An industrial control protocol instruction-level protection method based on error code responses, characterised by comprising the following steps:
S1, connecting an industrial security protection device in series between the upper computer and the lower computer of the industrial control system;
S2, acquiring the communication messages between the upper and lower computers of the industrial control system in proxy mode;
S3, deeply parsing the acquired communication messages between the upper and lower computers to obtain the control instructions;
S4, matching the control instructions one by one against the pre-configured industrial control protocol deep instruction policy and processing them according to the result of the match:
(1) if the control instruction matches successfully, releasing the communication message corresponding to it;
(2) if the control instruction fails to match, discarding the communication message corresponding to it and, at the same time, generating an error code response message from the pre-configured industrial protocol instruction error codes and replying with that message to the upper computer.
2. The error response-based industrial control protocol instruction level protection method according to claim 1, wherein the industrial protocol instruction error code at least comprises a corresponding error code indicating a discard of the communication message.
3. The error code response-based industrial control protocol instruction level protection method according to claim 1, wherein the method for deeply analyzing the acquired communication message between the upper computer and the lower computer of the industrial control system at least comprises analyzing a function code, a register address, a register value, file contents and a keyword level.
4. The error code response based industrial control protocol instruction level protection method according to claim 1, wherein the control instructions comprise at least device start/stop, program upload/download, device discovery/directory browsing, address space read/write, and file read/write.
5. The error code response-based industrial control protocol instruction level protection method according to claim 1, wherein the preconfigured industrial control protocol deep instruction policy comprises at least a blacklist and whitelist deep instruction policy.
6. The error code response-based industrial control protocol instruction-level protection method according to claim 1, wherein the proxy mode comprises at least a transparent proxy or an application proxy.
7. The error-code-response-based industrial control protocol instruction-level protection method according to claim 1, wherein the industrial security protection device is an industrial firewall or an industrial security gateway.

Priority Applications (1)

Application Number: CN201910915792.8A; Priority Date: 2019-09-26; Filing Date: 2019-09-26; Title: Industrial control protocol instruction level protection method based on error code response

Publications (1)

Publication Number: CN110620779A; Publication Date: 2019-12-27

Family

ID=68924122
Family Applications (1): CN201910915792.8A (CN110620779A, pending), priority date 2019-09-26, filing date 2019-09-26, Industrial control protocol instruction level protection method based on error code response
Country Status (1): CN, CN110620779A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160359812A1 (en) * 2005-06-03 2016-12-08 Asavie R&D Limited Secure network communication system and method
CN106899419A (en) * 2015-12-17 2017-06-27 北京网御星云信息技术有限公司 A kind of method for realizing abnormality processing, device and request end
CN109922085A (en) * 2019-04-11 2019-06-21 江苏亨通工控安全研究院有限公司 A kind of security protection system and method based on CIP agreement in PLC


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐婷: 《高校图书馆门户网站建设》 (University Library Portal Website Construction), 30 June 2016 *


Legal Events

Code: Title
PB01: Publication
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication

Application publication date: 2019-12-27