CN111277545A - Method for monitoring start and stop of Siemens S7-PLC controller - Google Patents


Info

Publication number
CN111277545A
Authority
CN
China
Prior art keywords
executing
byte
data packet
siemens
plc
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811477009.6A
Other languages
Chinese (zh)
Inventor
梁效宁
黄旭
向科林
杨先珉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shaanxi Cisco Rudi Network Security Technology Co Ltd
Original Assignee
Shaanxi Cisco Rudi Network Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2018-12-05
Filing date
2018-12-05
Publication date
2020-06-12

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses a method for monitoring the start and stop of a Siemens S7-PLC controller, characterized by the following steps: S001, setting a switch to the bypass mirror working mode and mirroring all PLC communication traffic of the Siemens S7-PLC; S002, analysing the mirrored PLC communication traffic and judging whether the application-layer protocol of a data packet in it is the S7comm protocol, if so executing step S003, otherwise executing step S002; S003, judging whether the remote operation service control field value in the header part of the S7comm data packet is a specified value, if so executing step S004, otherwise executing step S002; S004, judging whether the function field value in the parameter part of the S7comm data packet is a specified value, if so executing step S005, otherwise executing step S002; and S005, recording the source IP address, source MAC address, source port number, destination IP address, destination MAC address and destination port number of the current data packet for subsequent analysis.

Description

Method for monitoring start and stop of Siemens S7-PLC controller
Technical Field
The invention belongs to the field of industrial control network security. It relates to a method for monitoring a Siemens controller, and in particular to a method for monitoring the start and stop of a Siemens S7-PLC controller.
Background
With the continuing convergence of Industry 4.0, Made in China 2025, Internet Plus, the Internet of Things and the integration of informatization and industrialization, more and more information technology is being applied in the field of industrial control. Industrial control systems are becoming increasingly open, which greatly promotes industrial production but also brings security problems such as Trojans, viruses and network attacks. These have become important factors restricting the integrated development of informatization and industrialization, and traditional protective measures based mainly on physical isolation are far from meeting the requirements of industrial informatization. At present, industrial control systems generally have serious security problems, mainly the following:
First, security vulnerabilities cannot be patched in time, leaving serious hidden risks in the system.
Existing industrial control systems generally have security vulnerabilities at the device, system and protocol layers. Because of the special way industrial control systems operate, system software is hard to upgrade in real time, vulnerabilities are hard to patch promptly, equipment stays in service for a long time, and system patches have poor compatibility and long release cycles, so the industrial control system carries serious hidden security risks.
Second, industrial networks and bus communication lack security mechanisms and are easy to attack and exploit.
Industrial control systems aim at real-time performance and reliability and pursue efficiency and speed; they lack security measures such as identity authentication, rule checking, encrypted transmission and integrity checking, and are therefore extremely easy to attack. Industrial field buses transmit largely in plaintext, which is easy to decode and forge.
Third, the Internet and industrial control systems are converging, comprehensively escalating the security threats to industrial control systems.
Deep networking and multi-level interconnection increase the potential attack paths in the industrial environment, the introduction of traditional IT products brings more vulnerabilities, the security theory and protection systems for emerging information technology in the industrial control field are not yet mature, and protective means are insufficient, so industrial control networks can be breached one after another when attacked.
Fourth, security products from the traditional information security field are not suited to industrial control networks.
Because traditional information network security products serve a wide range of scenarios, they can only detect signatures and dangerous behaviour on the basis of a blacklist, and a great many of the signatures, behaviours and protocols of traditional information security do not exist in an industrial control environment. Moreover, blacklist-based security detection requires long-term, mature technical accumulation and large-scale sample analysis in the industrial control security industry before it can reach a useful level of effectiveness. In an industrial control environment the number of communicating devices is relatively small, the communication protocol is relatively uniform and the communication services are relatively fixed, so whitelist-based security detection is proposed.
Programmable controllers made by SIEMENS of Germany are widely used in China, in fields such as metallurgy, chemical engineering and printing production lines. Siemens PLC products include LOGO, S7-200, S7-1200, S7-300, S7-400 and others. The Siemens S7 series PLC is compact, fast, standardized, network-capable, powerful and highly reliable. S7 series products can be divided into micro PLCs (such as the S7-200), PLCs for small-scale performance requirements (such as the S7-300), PLCs for medium and high performance requirements (such as the S7-400), and so on. However, the Siemens S7-PLC also suffers from the problems described above, and in particular the prior art offers no method for effectively monitoring the start and stop of the Siemens S7-PLC controller.
Disclosure of Invention
To address the defects of the prior art, the invention provides a method for monitoring the start and stop of a Siemens S7-PLC controller. By analysing the communication data of the Siemens S7-PLC controller, it judges whether an illegal start or stop of the controller has occurred and records key information such as the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number for subsequent analysis and use. The method comprises the following steps:
S001, setting the switch to the bypass mirror working mode and mirroring all PLC communication traffic of the Siemens S7-PLC;
S002, analysing the mirrored PLC communication traffic and judging whether the application-layer protocol of the data packet in the PLC communication traffic is the S7comm protocol, if so, executing step S003, otherwise executing step S002;
S003, judging whether the remote operation service control field value of the header part of the S7comm data packet is a specified value, if so, executing step S004, otherwise executing step S002;
S004, judging whether the function field value of the parameter part of the S7comm data packet is a specified value, if so, executing step S005, otherwise executing step S002;
and S005, recording the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number of the current data packet for subsequent analysis.
Preferably, step S002 comprises the following steps:
S0021, searching whether the data packet contains the connection request identifier 0x11e00000000100c0010ac1020100c202, in which 0xe0 indicates a request to establish the PLC communication connection; if so, executing step S0022, otherwise executing step S0021;
S0022, searching whether the data packets following the connection request identifier 0x11e00000000100c0010ac1020100c202 contain the connection confirm identifier 0x11d00001000100c0010ac1020100c202, in which 0xd0 indicates that the connection is confirmed; if so, executing step S003, otherwise executing step S0021.
Preferably, the specified value in step S003 is 0x1.
Preferably, in step S003 the remote operation service control field value is the content of the 2nd byte of the header part of the S7comm packet.
Preferably, in step S004 the specified value is "start PLC controller" or "stop PLC controller", where starting the PLC controller is represented by 0x28 and stopping the PLC controller by 0x29.
Preferably, in the current data packet the content of bytes 1 to 6 is the destination MAC address, bytes 7 to 12 the source MAC address, bytes 27 to 30 the source IP address, bytes 31 to 34 the destination IP address, bytes 35 to 36 the source port number, and bytes 37 to 38 the destination port number.
The beneficial effects of the invention are:
1. The industrial control network is accessed through the bypass mirror working mode of the switch, so data is received passively without affecting the function or performance of the industrial control system.
2. Whether the PLC controller is illegally started or stopped is identified by analysing the Siemens PLC data packets, so the state of the PLC controller need not be monitored manually.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The invention is further described with reference to the figure and the embodiment. As shown in FIG. 1, the method of the invention comprises the following steps:
S001, setting the switch to the bypass mirror working mode and mirroring all PLC communication traffic of the Siemens S7-PLC;
S002, analysing the mirrored PLC communication traffic and judging whether the application-layer protocol of the data packet in the PLC communication traffic is the S7comm protocol, if so, executing step S003, otherwise executing step S002, where step S002 specifically comprises:
S0021, searching whether the data packet contains the connection request identifier 0x11e00000000100c0010ac1020100c202, in which 0xe0 indicates a request to establish the PLC communication connection; if so, executing step S0022, otherwise executing step S0021;
S0022, searching whether the data packets following the connection request identifier 0x11e00000000100c0010ac1020100c202 contain the connection confirm identifier 0x11d00001000100c0010ac1020100c202, in which 0xd0 indicates that the connection is confirmed; if so, executing step S003, otherwise executing step S0021.
S003, judging whether the value of the remote operation service control (ROSCTR) field in the Header part of the S7comm data packet is the specified value 0x1 (Job), if so, executing step S004, otherwise executing step S002;
S004, judging whether the Function field value in the Parameter part of the S7comm data packet is the specified value 0x28 or 0x29, where 0x28 represents PI-Service, i.e. starting the PLC controller, and 0x29 represents PLC STOP, i.e. stopping the PLC controller; if so, executing step S005, otherwise executing step S002.
S005, an operation meeting these conditions is a suspicious/illegal operation; for the message carrying that operation, the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number of the current data packet are recorded for subsequent analysis and use.
The following is the data of the current data packet in the embodiment of the present invention:
e0dca03a331ce0dca040519708004500008f1dd740004006993ac0a80104c0a80103da250066f30ecbc5000874585018390840d000000300006702f080320100000188005600000407120a10060001000184000d70120a10010001000184000c82120a10010001000184000c86120a10010001000184000c88120a10010001000184000c89120a10060001000184000d90120a10060001000184000db0
As the first 12 bytes of the data show, bytes 1 to 6 of the current packet are the target MAC address 0xe0dca03a331c, i.e. the target MAC address is e0-dc-a0-3a-33-1c; bytes 7 to 12 are the source MAC address 0xe0dca0405197, i.e. the source MAC address is e0-dc-a0-40-51-97.
Further into the data, bytes 27 to 30 are the source IP address 0xc0a80104, i.e. the source IP address is 192.168.1.4; bytes 31 to 34 are the target IP address 0xc0a80103, i.e. the target IP address is 192.168.1.3; bytes 35 to 36 are the source port number 0xda25, i.e. source port 55845; bytes 37 to 38 are the target port number 0x0066, i.e. target port 102.
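As an added example (not part of the patent and not the applicant's code), the following Python script applies steps S002 to S005 above, including the S0021/S0022 connection-handshake check, to raw Ethernet frames and collects the six fields of step S005 for every S7comm Job whose function code is 0x28 or 0x29. The 157-byte frame is the packet printed above; the connection request/confirm frames and the start/stop Job frames are constructed for the example, and in them the two-byte destination TSAP after the page's identifiers and the bytes following the function code are assumed filler.

```python
"""Added example (not the patent's code): steps S002-S005 applied offline to raw
Ethernet frames, recording the six address fields of every S7comm Job whose
function code is PLC start (0x28) or stop (0x29)."""
import struct

# Byte positions from the page (1-based 1-6, 7-12, 27-30, 31-34, 35-36, 37-38) as
# 0-based slices; they hold only for untagged Ethernet + IPv4 without options.
DST_MAC, SRC_MAC = slice(0, 6), slice(6, 12)
SRC_IP, DST_IP = slice(26, 30), slice(30, 34)
SRC_PORT, DST_PORT = slice(34, 36), slice(36, 38)
# COTP identifiers from steps S0021/S0022 (0xe0 = CR, 0xd0 = CC); they follow TPKT.
COTP_CR_ID = bytes.fromhex("11e00000000100c0010ac1020100c202")
COTP_CC_ID = bytes.fromhex("11d00001000100c0010ac1020100c202")
S7_PROTOCOL_ID, ROSCTR_JOB = 0x32, 0x01   # step S003: 2nd S7 header byte must be Job
ACTIONS = {0x28: "start", 0x29: "stop"}   # step S004: PI-Service / PLC STOP


def tcp_payload(frame):
    """TCP payload of an untagged IPv4/TCP frame with IHL = 5, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14] != 0x45 or frame[23] != 6:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    return frame[34 + (frame[46] >> 4) * 4:14 + total_len]   # skip the TCP header


def s7comm(frame):
    """Step S002: (ROSCTR, function) if the payload is TPKT / COTP DT / S7comm, else None."""
    p = tcp_payload(frame)
    if p is None or len(p) < 7 or p[0] != 0x03 or p[4] != 0x02 or p[5] != 0xF0:
        return None                                      # not TPKT v3 + COTP Data TPDU
    s7 = p[7:]
    if len(s7) < 8 or s7[0] != S7_PROTOCOL_ID or struct.unpack("!H", s7[6:8])[0] == 0:
        return None                                      # not S7comm, or no parameter part
    header_len = 12 if s7[1] == 0x03 else 10             # Ack-Data adds two error bytes
    return (s7[1], s7[header_len]) if len(s7) > header_len else None


def extract_addresses(frame):
    """Step S005's six fields, read at the byte positions the page gives."""
    mac = lambda raw: "-".join(f"{b:02x}" for b in raw)
    port = lambda raw: struct.unpack("!H", raw)[0]
    return {"src_mac": mac(frame[SRC_MAC]), "dst_mac": mac(frame[DST_MAC]),
            "src_ip": ".".join(map(str, frame[SRC_IP])), "dst_ip": ".".join(map(str, frame[DST_IP])),
            "src_port": port(frame[SRC_PORT]), "dst_port": port(frame[DST_PORT])}


def classify(frame):
    """Steps S003-S005 on one frame: a record for a start/stop Job, else None."""
    parsed = s7comm(frame)
    if parsed is None or parsed[0] != ROSCTR_JOB or parsed[1] not in ACTIONS:
        return None
    return {"action": ACTIONS[parsed[1]], **extract_addresses(frame)}


def monitor(frames):
    """The page's loop over mirrored frames: S7comm is inspected only after a COTP CR
    followed by a CC (S0021/S0022); any other packet before the CC restarts S0021."""
    state, records = "wait_cr", []
    for frame in frames:
        p = tcp_payload(frame)
        if p is None:
            continue
        if state == "established":
            record = classify(frame)
            if record is not None:
                records.append(record)
        elif p[4:].startswith(COTP_CR_ID):
            state = "wait_cc"
        elif state == "wait_cc" and p[4:].startswith(COTP_CC_ID):
            state = "established"
        else:
            state = "wait_cr"
    return records


# The 157-byte frame printed on the page: a Job whose function is 0x04 (Read Var).
PAGE_FRAME = bytes.fromhex(
    "e0dca03a331ce0dca040519708004500008f1dd740004006993ac0a80104c0a80103"
    "da250066f30ecbc5000874585018390840d000000300006702f080320100000188"
    "005600000407120a10060001000184000d70120a10010001000184000c82"
    "120a10010001000184000c86120a10010001000184000c88120a10010001000184000c89"
    "120a10060001000184000d90120a10060001000184000db0")


def build_frame(src, dst, payload):
    """Constructed Ethernet/IPv4/TCP frame for the example; checksums are left zero."""
    (smac, sip, sport), (dmac, dip, dport) = src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, sip.split("."))), bytes(map(int, dip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0x3908, 0, 0)
    return bytes.fromhex(dmac.replace("-", "") + smac.replace("-", "")) + b"\x08\x00" + ip + tcp + payload


ENG = ("e0-dc-a0-40-51-97", "192.168.1.4", 55845)   # engineering station, values from the page
PLC = ("e0-dc-a0-3a-33-1c", "192.168.1.3", 102)     # PLC, S7comm on TCP port 102
# CR/CC: TPKT + the page's identifiers; the trailing destination TSAP 0x0102 is assumed.
COTP_CR = build_frame(ENG, PLC, bytes.fromhex("03000016") + COTP_CR_ID + bytes.fromhex("0102"))
COTP_CC = build_frame(PLC, ENG, bytes.fromhex("03000016") + COTP_CC_ID + bytes.fromhex("0102"))
# Jobs with function 0x29 (PLC STOP) and 0x28 (PI-Service); bytes after the code are filler.
PLC_STOP = build_frame(ENG, PLC, bytes.fromhex(
    "0300002102f08032010000000500100000" "29000000000009") + b"P_PROGRAM")
PLC_START = build_frame(ENG, PLC, bytes.fromhex(
    "0300002502f08032010000000600140000" "28000000000000fd000009") + b"P_PROGRAM")

if __name__ == "__main__":
    for rec in monitor([COTP_CR, COTP_CC, PAGE_FRAME, PLC_STOP, PLC_START]):
        print(rec)
```

Two points worth noting when running this. The page's own packet is a Job whose function code is 0x04, so it passes step S003 but not S004 and produces no record; only the constructed 0x29 and 0x28 Jobs are logged, and only after the CR/CC pair has been seen. The fixed byte positions of step S005 silently mislocate every field on VLAN-tagged frames or IPv4 headers with options, which is why `tcp_payload` rejects anything other than an untagged frame with IHL = 5 rather than reading garbage into the record.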
The method solves the technical problem that no method for effectively monitoring the start and stop of the Siemens S7-PLC controller exists in the prior art.
It is to be understood that the invention is not limited to the examples described above, but that modifications and variations are possible to those skilled in the art in light of the above teachings, and that all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (6)

1. A method for monitoring the start and stop of a Siemens S7-PLC controller, characterized by comprising the following steps:
S001, setting the switch to the bypass mirror working mode and mirroring all PLC communication traffic of the Siemens S7-PLC;
S002, analysing the mirrored PLC communication traffic and judging whether the application-layer protocol of the data packet in the PLC communication traffic is the S7comm protocol, if so, executing step S003, otherwise executing step S002;
S003, judging whether the remote operation service control field value of the header part of the S7comm data packet is a specified value, if so, executing step S004, otherwise executing step S002;
S004, judging whether the function field value of the parameter part of the S7comm data packet is a specified value, if so, executing step S005, otherwise executing step S002;
and S005, recording the source IP address, source MAC address, source port number, target IP address, target MAC address and target port number of the current data packet for subsequent analysis.
2. The method for monitoring the start and stop of a Siemens S7-PLC controller according to claim 1, wherein step S002 specifically comprises:
S0021, searching whether the data packet contains the connection request identifier 0x11e00000000100c0010ac1020100c202, in which 0xe0 indicates a request to establish the PLC communication connection; if so, executing step S0022, otherwise executing step S0021;
S0022, searching whether the data packets following the connection request identifier 0x11e00000000100c0010ac1020100c202 contain the connection confirm identifier 0x11d00001000100c0010ac1020100c202, in which 0xd0 indicates that the connection is confirmed; if so, executing step S003, otherwise executing step S0021.
3. The method for monitoring the start and stop of a Siemens S7-PLC controller according to claim 2, wherein said specified value in said step S003 is 0x1.
4. The method for monitoring the start and stop of a Siemens S7-PLC controller according to claim 1, wherein in said step S003 the content of the 2nd byte of the header part of said S7comm data packet is said remote operation service control field value.
5. The method for monitoring the start and stop of a Siemens S7-PLC controller according to claim 3, wherein in step S004 said specified value is "start PLC controller" or "stop PLC controller", where starting the PLC controller is represented by 0x28 and stopping the PLC controller by 0x29.
6. The method of claim 1, wherein in the current data packet bytes 1 to 6 are the destination MAC address, bytes 7 to 12 the source MAC address, bytes 27 to 30 the source IP address, bytes 31 to 34 the destination IP address, bytes 35 to 36 the source port number, and bytes 37 to 38 the destination port number.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811477009.6A CN111277545A (en) 2018-12-05 2018-12-05 Method for monitoring start and stop of Siemens S7-PLC controller


Publications (1)

Publication Number Publication Date
CN111277545A true CN111277545A (en) 2020-06-12

Family

ID=71001412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811477009.6A Pending CN111277545A (en) 2018-12-05 2018-12-05 Method for monitoring start and stop of Siemens S7-PLC controller

Country Status (1)

Country Link
CN (1) CN111277545A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103944915A (en) * 2014-04-29 2014-07-23 浙江大学 Threat detection and defense device, system and method for industrial control system
CN106411659A (en) * 2016-11-29 2017-02-15 福建中金在线信息科技有限公司 Business data monitoring method and apparatus
WO2018044410A1 (en) * 2016-09-01 2018-03-08 Siemens Aktiengesellschaft High interaction non-intrusive industrial control system honeypot
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
CN108418807A (en) * 2018-02-05 2018-08-17 浙江大学 A kind of industrial control system popular protocol is realized and monitoring analyzing platform
US20190297095A1 (en) * 2016-05-20 2019-09-26 Georgia Tech Research Corporation Systems and Methods For Detecting Anomalous Software on a Programmable Logic Controller

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GONGMO: "Siemens S7 protocol study notes", HTTPS://WWW.SOUHU.COM/A/207043694_354899 *
LIUKERTEAM: "ICS security | Siemens communication protocol S7COMM (Part 2)", HTTPS://WWW.SOHU.COM/A/274716812_354899 *

Similar Documents

Publication Publication Date Title
US9130983B2 (en) Apparatus and method for detecting abnormality sign in control system
CN101022343B (en) Network invading detecting/resisting system and method
CN103780610A (en) Network data recovery method based on protocol characteristics
CN110971620A (en) Intelligent gateway flow security policy method
CN107666486A (en) A kind of network data flow restoration methods and system based on message protocol feature
CN111131154A (en) Network management data ferrying method and system, storage medium and computer equipment
WO2012014509A1 (en) Unauthorized access blocking control method
CN110557244B (en) Application data unit encryption method in water conservancy industrial control system
CN103067389B (en) High safety file transfer method based on short website
EP2709320B1 (en) Method and apparatus for sending packet
CN105959289A (en) Self-learning-based safety detection method for OPC Classic protocol
CN1173529C (en) Protection method for controlling message safety based on message of border gateway protocol
CN101409636A (en) Safety on-line upgrade method for networking equipment firmware
CN105897929B (en) A kind of method and device of video monitoring data backup
CN111277545A (en) Method for monitoring start and stop of Siemens S7-PLC controller
CN106899616B (en) Security rule configuration method of IP-free firewall
CN111277448A (en) Method for monitoring deletion of Siemens S7-PLC internal program block
CN111277546A (en) Method for monitoring illegal reading and writing Siemens S7-PLC data
CN111277617A (en) Method for monitoring Siemens S7-PLC uploading and downloading program block
CN111277548A (en) Method for monitoring Siemens S7-PLC to set session password
US9298175B2 (en) Method for detecting abnormal traffic on control system protocol
CN111277547A (en) Method for monitoring Siemens S7-PLC setting internal clock
CN106549962B (en) Method for realizing communication protocol of universal intelligent control platform
CN105991509A (en) Session processing method and apparatus
CN101547127B (en) Identification method of inside and outside network messages

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 710072 b1901, innovation building, West University of technology, No. 127, Youyi West Road, Beilin District, Xi'an City, Shaanxi Province

Applicant after: Shaanxi University of technology Ruidi Information Technology Co.,Ltd.

Address before: 710072 b1901, innovation building, West University of technology, No. 127, Youyi West Road, Beilin District, Xi'an City, Shaanxi Province

Applicant before: Shaanxi CISCO Rudi Network Security Technology Co.,Ltd.

WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200612