Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for encrypting communication of an industrial control system, together with an electronic device and a storage medium, which address the communication security problem of industrial control systems at its root rather than by address filtering alone.
An embodiment of the invention provides a method for encrypting communication of an industrial control system, which comprises the following steps:
capturing the industrial control traffic sent by the industrial control upper computer and passing through non-industrial-control traffic;
encrypting the industrial control traffic with a preset encryption algorithm and forwarding it to a hardware decryption device;
the hardware decryption device decrypting the received industrial control traffic with the decryption algorithm corresponding to the preset encryption algorithm;
the hardware decryption device parsing the decrypted industrial control traffic and judging whether it carries an important operation instruction; if so, the hardware decryption device intercepts the traffic and forwards the intercepted traffic to the industrial control upper computer for confirmation; if not, it forwards the operation instruction to the PLC;
wherein the important operation instructions comprise: downloading, erasing, or restarting.
Further, capturing the industrial control traffic sent by the industrial control upper computer and passing through non-industrial-control traffic specifically comprises:
capturing the industrial control traffic and passing through the non-industrial-control traffic according to the industrial control protocol or port number used by the current system, as configured in a configuration file.
Further, intercepting the traffic and forwarding it to the industrial control upper computer for confirmation specifically comprises: if the industrial control upper computer judges that an operation and maintenance change is needed, the industrial control upper computer chooses to enter operation and maintenance mode and sends a control removal instruction to the hardware decryption device.
In a second aspect, an embodiment of the present invention provides an apparatus for encrypting communication in an industrial control system, including:
an agent module arranged on the industrial control upper computer, and a hardware decryption device connected in series between the industrial control upper computer and the PLC;
the agent module is used for capturing the industrial control traffic sent by the industrial control upper computer and passing through non-industrial-control traffic, and for encrypting the industrial control traffic with a preset encryption algorithm and forwarding it to the hardware decryption device;
the hardware decryption device is used for decrypting the received industrial control traffic with the decryption algorithm corresponding to the preset encryption algorithm, parsing the decrypted traffic and judging whether it carries an important operation instruction; if so, it intercepts the traffic and forwards the intercepted operation to the agent module for confirmation; if not, it forwards the operation instruction to the PLC; wherein the important operation instructions comprise: downloading, erasing, or restarting.
Further, capturing the industrial control traffic sent by the industrial control upper computer and passing through non-industrial-control traffic specifically comprises:
capturing the industrial control traffic and passing through the non-industrial-control traffic according to the industrial control protocol or port number used by the current system, as configured in a configuration file.
Further, intercepting the traffic and forwarding it to the agent module for confirmation specifically comprises: if the agent module judges that an operation and maintenance change is needed, the agent module chooses to enter operation and maintenance mode and sends a control removal instruction to the hardware decryption device.
In a third aspect, an embodiment of the present invention provides an electronic device comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, the processor and the memory are arranged on the circuit board, the power supply circuit supplies power to each circuit or device of the electronic device, the memory stores executable program code, and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute any one of the above methods for encrypting communication of an industrial control system.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where one or more programs are stored, and the one or more programs are executable by one or more processors to implement the method for communication encryption of an industrial control system according to any one of the foregoing implementation manners.
Unlike traditional simple protection methods such as IP filtering, the method, apparatus, electronic device and storage medium for encrypting communication of an industrial control system provided by the embodiments of the invention connect a hardware decryption device in series between the industrial control upper computer and the PLC; the device decrypts and parses the industrial control traffic of the upper computer so that important operation instructions are intercepted and referred back to the upper computer for further judgment, thereby effectively addressing the communication security problem in the industrial control system.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To illustrate the embodiments of the present invention more clearly, the technical terms involved are explained as follows:
PLC: programmable logic controller;
Industrial control upper computer: the engineer station, operator station or OPC server in an industrial control system.
Engineer station: the workstation used by an industrial process control engineer to configure, program and modify the control system.
Operator station: in a distributed control system, the human-machine interface device used as the operator console, comprising a display, a host, a keyboard, a mouse, etc.
In a first aspect, an embodiment of the present invention provides a method for encrypting communication in an industrial control system, which can effectively solve a problem of communication security in the industrial control system.
Fig. 1 is a flowchart of one embodiment of the method for encrypting communication in an industrial control system, comprising:
S101: capturing the industrial control traffic sent by the industrial control upper computer and passing through the non-industrial-control traffic.
The industrial control traffic sent by the industrial control upper computer is captured and the non-industrial-control traffic is passed through; the specific scheme may be, but is not limited to: capturing the industrial control traffic and passing through the non-industrial-control traffic according to the industrial control protocol or port number used by the current system, as configured in a configuration file.
The industrial control protocols in this embodiment include, but are not limited to: Modbus, Siemens S7, OPC, ENIP (EtherNet/IP), MMS (IEC 61850) and the 104 protocol (IEC 60870-5-104).
S102: encrypting the industrial control traffic with a preset encryption algorithm and forwarding it to the hardware decryption device.
S103: the hardware decryption device decrypts the received industrial control traffic with the decryption algorithm corresponding to the preset encryption algorithm.
S104: the hardware decryption device parses the decrypted industrial control traffic and judges whether it carries an important operation instruction; if so, the hardware decryption device intercepts the traffic and forwards the intercepted traffic to the industrial control upper computer for confirmation; if not, it forwards the operation instruction to the PLC; wherein the important operation instructions comprise: downloading, erasing, or restarting.
As a specific embodiment, the way in which the hardware decryption device parses the decrypted industrial control traffic and judges whether it is an important operation instruction includes, but is not limited to: the hardware decryption device parses the decrypted traffic, extracts the function code field of the industrial control protocol and judges from that field whether the command is an important operation command.
As a specific embodiment, the encryption and decryption algorithms may be selected according to specific requirements, taking into account the real-time requirements, encryption and decryption efficiency, security and/or resource consumption of the industrial control system; they include, but are not limited to, AES. Whichever cipher is chosen, it should be used in a mode that also authenticates the traffic, so that the hardware decryption device can reject tampered frames before parsing them.
In this embodiment, because the internal software of a PLC is vendor-specific and cannot be modified at will, the industrial control traffic is decrypted by a hardware decryption device connected in series between the industrial control upper computer and the PLC; at the same time, traffic which the parsing step judges to carry an important operation instruction is forwarded to the upper computer for a final decision, so that the communication security problem in the industrial control system is effectively addressed.
Fig. 2 is a flowchart of another embodiment of the method for encrypting communication in an industrial control system, comprising:
S201: capturing the industrial control traffic sent by the industrial control upper computer and passing through the non-industrial-control traffic.
S202: encrypting the industrial control traffic with a preset encryption algorithm and forwarding it to the hardware decryption device.
S203: the hardware decryption device decrypts the received industrial control traffic with the decryption algorithm corresponding to the preset encryption algorithm.
S204: the hardware decryption device parses the decrypted industrial control traffic and judges whether it carries an important operation instruction; if so, the hardware decryption device intercepts the traffic and forwards the intercepted traffic to the industrial control upper computer; if not, it forwards the operation instruction to the PLC; wherein the important operation instructions comprise: downloading, erasing, or restarting.
S205: if the industrial control upper computer judges that an operation and maintenance change is needed, the industrial control upper computer chooses to enter operation and maintenance mode and sends a control removal instruction to the hardware decryption device.
In this embodiment the hardware decryption device parses the industrial control traffic, and the operation instructions it judges to be important are forwarded to the industrial control upper computer for further judgment; if the upper computer determines that the operation is legitimate, it enters operation and maintenance mode and sends a control removal instruction to the hardware decryption device, so that normal operation and maintenance work is not affected while the security of the communication data is ensured.
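The following is an added example written for this page; it is not part of the patent and not the applicant's code. It models steps S101 to S104 and S201 to S205 end to end in Python: the agent filters by the ports in a constructed configuration file, encrypts and forwards; the hardware decryption device authenticates and decrypts, extracts the function code field (the parsing embodiment described under Fig. 1) from Modbus/TCP and S7comm frames, intercepts important operations, and stops intercepting once the upper computer sends the control removal instruction. Assumptions: the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the page's AES; the table of which function codes count as "download" or "restart" is the author's, not the patent's; all frames and the pre-shared key are constructed.

```python
"""Toy model of the agent -> hardware decryption device -> PLC pipeline (Figs. 1 and 2).
Constructed example: frame layouts follow public Modbus/TCP and S7comm documentation, the
cipher is an HMAC-SHA256 stand-in for the page's AES, and the policy table is an assumption."""
import hashlib
import hmac
import os
import struct

# Configuration file contents as the agent would read them (constructed): protocol -> TCP port.
CONFIG = {"modbus": 502, "s7comm": 102}
ICS_PORTS = {port: proto for proto, port in CONFIG.items()}

def classify_packet(dst_port):
    """S101/S201: traffic to a configured ICS port is captured; anything else is passed through."""
    return ICS_PORTS.get(dst_port)  # None means "not industrial control traffic"

# Authenticated encryption stand-in (NOT AES): HMAC-SHA256 keystream + encrypt-then-MAC tag.
# The labels "enc" and "mac" separate the two uses of the one pre-shared key.
def _keystream(key, nonce, n):
    blocks = [hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    """S102/S202, agent side. Output is nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """S103/S203, device side. The tag is checked before anything is parsed."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("frame rejected: authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Function code extraction (S104/S204). Modbus/TCP: 7-byte MBAP header, then the function code.
# S7comm: 4-byte TPKT + 3-byte COTP DT header + 10-byte S7 Job header, then the parameter
# block, whose first byte is the function code.
def function_code(proto, frame):
    if proto == "modbus":
        if len(frame) < 8 or frame[2:4] != b"\x00\x00":
            raise ValueError("not a Modbus/TCP frame")
        return frame[7], frame[8:]
    if proto == "s7comm":
        if frame[:1] != b"\x03" or frame[4:7] != b"\x02\xf0\x80" or frame[7:9] != b"\x32\x01":
            raise ValueError("not an S7comm Job PDU")
        return frame[17], frame[18:]
    raise ValueError("unknown protocol %r" % proto)

# Policy table (assumption, not from the page): which function codes are important operations.
S7_IMPORTANT = {0x1A: "download", 0x1B: "download", 0x1C: "download",  # request/download/end
                0x28: "restart", 0x29: "restart"}                        # PLC control / PLC stop

def important_operation(proto, frame):
    fc, rest = function_code(proto, frame)
    if proto == "modbus":  # FC 0x08 with sub-function 0x0001 is Restart Communications Option
        return "restart" if fc == 0x08 and rest[:2] == b"\x00\x01" else None
    return S7_IMPORTANT.get(fc)

class HardwareDecryptionDevice:
    def __init__(self, key):
        self.key, self.oam_mode, self.to_plc, self.held = key, False, [], []

    def receive(self, proto, blob):
        frame = decrypt(self.key, blob)
        op = important_operation(proto, frame)
        if op and not self.oam_mode:      # intercept and hand back to the agent for confirmation
            self.held.append((op, frame))
            return ("intercepted", op)
        self.to_plc.append(frame)         # ordinary traffic, or O&M mode already confirmed
        return ("forwarded", op)

    def control_removal(self):
        """S205: the upper computer confirmed an O&M change and lifted the interception."""
        self.oam_mode = True

def agent_send(key, device, dst_port, payload):
    """Agent module on the upper computer: filter, encrypt, forward."""
    proto = classify_packet(dst_port)
    if proto is None:
        return ("released", None)         # non-ICS traffic leaves the host untouched
    return device.receive(proto, encrypt(key, payload))

# Constructed sample frames.
def modbus_frame(unit, fc, data, tid=1):
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def s7_job(fc, param_rest=b"", data=b""):
    param = bytes([fc]) + param_rest
    s7 = b"\x32\x01\x00\x00" + struct.pack(">HHH", 1, len(param), len(data)) + param + data
    return b"\x03\x00" + struct.pack(">H", 7 + len(s7)) + b"\x02\xf0\x80" + s7

def demo(key=b"\x11" * 32):
    dev = HardwareDecryptionDevice(key)
    results = [agent_send(key, dev, 443, b"GET / HTTP/1.1\r\n"),                      # released
               agent_send(key, dev, 502, modbus_frame(1, 0x03, b"\x00\x00\x00\x0a")),  # forwarded
               agent_send(key, dev, 502, modbus_frame(1, 0x08, b"\x00\x01\x00\x00")),  # intercepted
               agent_send(key, dev, 102, s7_job(0x1A))]                               # intercepted
    dev.control_removal()                                                             # S205
    results.append(agent_send(key, dev, 102, s7_job(0x1A)))                           # forwarded
    return results

def tamper_rejected(key=b"\x11" * 32):
    """A single flipped ciphertext byte must be refused before the frame is parsed."""
    blob = encrypt(key, modbus_frame(1, 0x03, b"\x00\x00\x00\x0a"))
    try:
        decrypt(key, blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:])
    except ValueError:
        return True
    return False
```

Running `demo()` returns, in order, `released`, `forwarded`, `intercepted restart`, `intercepted download`, and, after `control_removal()`, `forwarded download`. Two points the patent text leaves open are visible here: the device checks the tag before it parses anything, so a modified frame never reaches the function-code logic, and nothing in this toy prevents a captured ciphertext from being replayed while O&M mode is active; a real device would add a sequence number or timestamp under the tag and a way to leave O&M mode again.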
In a second aspect, an embodiment of the present invention provides an apparatus for encrypting communication in an industrial control system, which can effectively address the communication security problem in the industrial control system.
Fig. 3 is a schematic structural diagram of an embodiment of the apparatus for encrypting communication of an industrial control system according to the present invention, comprising:
an agent module arranged on the industrial control upper computer, and a hardware decryption device connected in series between the industrial control upper computer and the PLC; the industrial control upper computer may be an engineer station or an operator station.
The agent module is used for capturing the industrial control traffic sent by the industrial control upper computer and passing through non-industrial-control traffic, and for encrypting the industrial control traffic with a preset encryption algorithm and forwarding it to the hardware decryption device.
The hardware decryption device is used for decrypting the received industrial control traffic with the decryption algorithm corresponding to the preset encryption algorithm, parsing the decrypted traffic and judging whether it carries an important operation instruction; if so, it intercepts the traffic and forwards the intercepted operation to the agent module for confirmation; if not, it forwards the operation instruction to the PLC; wherein the important operation instructions comprise: downloading, erasing, or restarting. The industrial control upper computer includes, but is not limited to: an engineer station, an operator station, or an OPC server.
Preferably, capturing the industrial control traffic sent by the industrial control upper computer and passing through non-industrial-control traffic specifically comprises:
capturing the industrial control traffic and passing through the non-industrial-control traffic according to the industrial control protocol or port number used by the current system, as configured in a configuration file.
Preferably, intercepting the traffic and forwarding it to the industrial control upper computer for confirmation specifically comprises: if the agent module judges that an operation and maintenance change is needed, the agent module chooses to enter operation and maintenance mode and sends a control removal instruction to the hardware decryption device.
According to this embodiment, the industrial control traffic is encrypted on the industrial control upper computer and decrypted by the hardware decryption device connected in series between the upper computer and the PLC; at the same time, traffic which the parsing step judges to carry an important operation instruction is forwarded to the upper computer for a final decision, so that the communication security problem in the industrial control system is effectively addressed.
In a third aspect, an embodiment of the present invention further provides an electronic device, which can effectively solve the problem of communication security in an industrial control system.
Fig. 4 is a schematic structural diagram of an embodiment of the electronic device of the present invention. The electronic device may comprise: a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the method for encrypting communication of an industrial control system according to any one of the foregoing embodiments.
For the specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code, reference may be made to the description of the embodiment shown in fig. 1 and 2 of the present invention, which is not described herein again.
The electronic device may take a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capability and primarily provide voice and data communication. Such terminals include smartphones (e.g. iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions and generally also have mobile internet access. Such terminals include PDAs, MIDs and UMPC devices, e.g. iPads.
(3) Portable entertainment devices: such devices can display and play multimedia content. They include audio and video players (e.g. iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: devices that provide computing services, comprising a processor, hard disk, memory, system bus, etc. A server is similar in architecture to a general-purpose computer but, because it must provide highly reliable services, has higher requirements for processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with a data interaction function.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where one or more programs are stored, and the one or more programs are executable by one or more processors to implement the method for communication encryption of an industrial control system according to any one of the foregoing implementation manners.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the method embodiment, since it is substantially similar to the apparatus embodiment, the description is simple, and the relevant points can be referred to the partial description of the apparatus embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.