CN111399463A - Industrial network data one-way isolation method and device - Google Patents

Info

Publication number
CN111399463A
Authority
CN
China
Prior art keywords
data
host system
network
remote
point
Legal status
Granted
Application number
CN202010254108.9A
Other languages
Chinese (zh)
Other versions
CN111399463B (en)
Inventor
林苑
Current Assignee
Shanghai Left Bank Investment Management Co ltd
Shanghai Kelu Software Co Ltd
Original Assignee
Shanghai Kelu Software Co Ltd

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/4183 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by data acquisition, e.g. workpiece identification
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/31 From computer integrated manufacturing till monitoring
    • G05B2219/31282 Data acquisition, BDE MDE
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention discloses a method and a device for unidirectional isolation of industrial network data. A first host system and a second host system, independent of each other, are provided; point tables are arranged at the input end and the output end of each host system to control the flow of data point data, and the communication point table arrangement between the first and second host systems is solidified. In the second point table and the third point table, which control the communication between the first host system and the second host system, the configuration of data points of the remote control and remote regulation types is invalidated, while data points of the other data types are preset and configured in the normal way according to the industrial communication protocol in use. As a result the unidirectional isolation device automatically isolates, on the data link, remote regulation and remote control industrial data flowing from the second network to the first network; data of the first network can be selectively transmitted to the second network; commands and/or data messages are automatically removed from the data fed back from the second network; and the question-answer mechanism of network communication is preserved, so that normal communication of the industrial network is ensured while the data security of the first network is guaranteed.

Description

Industrial network data one-way isolation method and device
Technical Field
The invention relates to industrial network security technology, and in particular to a method and a device for unidirectional isolation of industrial network data.
Background
With the rapid development of industrial automation control, more and more industrial enterprises use an internal (or dedicated) network to interconnect their production-process devices or industrial intelligent devices into an industrial production system network, which has an extremely high security-level requirement. To monitor and manage the industrial production system network better, the relevant data of the production-process devices or industrial intelligent devices in the system must be collected and transmitted to an external industrial management network, which is generally an external network with a relatively low security level.
Communication isolation is needed between a network with a low security level and a network with a high security level. In the first generation of the prior art, the two were physically isolated and data was carried manually on media such as USB flash drives, so that the two networks could not communicate directly and an attacker was prevented from operating or controlling the industrial production system network. This approach is far too inefficient.
To solve this problem, the second generation of the prior art introduced the concept of the security gatekeeper (network gate).
A network gate (gatekeeper) is an information security device that uses a solid-state switching read/write medium with multiple control functions to connect two independent host systems. Because the two independent host systems are isolated by the gatekeeper, there is no physical connection, logical connection or communication protocol between them, and no protocol-based information exchange takes place; only protocol-less ferrying of data files is performed. The gatekeeper therefore logically isolates and blocks every network connection that could carry an attack on the internal network, so that an external attacker cannot directly intrude into, attack or damage the internal network, and the security of the internal hosts is guaranteed.
Although the high security offered by a security gatekeeper as a physical security device is obvious, its operating principle inevitably brings some drawbacks:
First, existing security gatekeepers only support static data exchange and do not support interactive access. Communication protocols in industrial systems are application protocols on top of TCP/IP, and 80% of industrial communication protocols work in a question-answer (request/response) mode, so a communication handshake cannot be realized through a gatekeeper.
Secondly, existing security gatekeepers are mainly used in typical IT environments such as data centers; they have a complex structure, high cost, large size and high power consumption, and place certain demands on the machine-room environment in which they are installed. Industrial network equipment, by contrast, is often installed in harsh environments: on production lines, in process equipment rooms or even at field monitoring sites, with little space and an unstable power supply (many sites lack mains power and rely on wind or solar generation). Existing security gatekeeper equipment is large and power-hungry and is not suited to the industrial environment.
As the prior art has developed, industrial networks increasingly use an industrial gateway with configuration software to acquire data points from the industrial production system network, and unidirectional data isolation between the industrial production system network and the industrial management network is achieved by filtering and controlling the acquisition points. However, such an industrial gateway can only implement unidirectional isolation of the industrial network in an engineering manner: an engineer must perform the engineering configuration on site to achieve complete or partial isolation. The isolation effect therefore depends entirely on the engineer's understanding, and if a human error occurs the expected isolation is not achieved. Likewise, the isolation rules may change if a third party, such as a later maintenance engineer, mistakenly modifies the configuration. In addition, different configuration software uses different methods, and engineers without experience of such unconventional unidirectional isolation operations are often unable to carry them out adequately.
Because of these defects, industrial systems further need a standardized, productized industrial security isolation gatekeeper that meets the requirements and characteristics of industrial systems, so that a product mode replaces the engineering mode for realizing security isolation between networks of different security levels within the industrial network.
Disclosure of Invention
The invention aims to provide a method and a device for unidirectional isolation of industrial network data, for controlling an industrial network such that data of a first network (for example an industrial network with a high security level) can be selectively transmitted to a second network (for example a management network with a low security level), while commands and/or data messages in the data fed back from the second network are automatically eliminated. The question-answer mechanism of network communication is thereby preserved, normal communication of the industrial network is guaranteed, and at the same time the data security of the first network is ensured.
In order to solve the above technical problem, an embodiment of the present invention provides an industrial network data unidirectional isolation apparatus, including:
a first host system and a second host system, which are independent of each other in both software and hardware, the first host system communicating with a first network and the second host system communicating with a second network;
the first host system and the second host system are in communication connection; the first host system comprises a first point table and a second point table; the first point table stores the configuration of each telemetry and remote signaling data point to be collected in the first network and/or of each data point that is to receive remote control and remote regulation commands, the configuration comprising at least the device address and data type of each data point; the second point table stores the configuration of each telemetry and remote signaling data point to be forwarded to the second host system and the configuration of each data point that is to receive remote control and remote regulation commands from the second host system; this configuration comprises at least a first storage location (register address) and data type, in the first host system, of each telemetry and remote signaling data point to be forwarded, and a second storage location (register address) and data type, in the second host system, of each remote control and remote regulation command to be received;
the second host system comprises a third point table and a fourth point table; the third point table stores the configuration of each telemetry and remote signaling data point acquired from the first host system and the configuration of each remote control and remote regulation command data point to be returned to the first host system, the configuration comprising at least a second storage location (register address) and data type, in the first host system, of each acquired telemetry and remote signaling data point, and a third storage location (register address) and data type, in the second host system, of each remote control and remote regulation command data point; the fourth point table stores the configuration of the data points received from the second network and the configuration of the telemetry and remote signaling data points forwarded to the second network, the configuration comprising at least a fourth storage location (register address) and data type, in the second host system, of each received data point, and a third storage location (register address) and data type, in the second host system, of each telemetry and remote signaling data point forwarded to the second network;
the first host system collects telemetry and remote signaling data from the devices of the first network according to the first point table and transmits remote control and remote regulation command data to the devices of the first network; it forwards the collected telemetry and remote signaling data to the second host system according to the second point table, and receives remote control and remote regulation command data from the second host system; the second host system receives telemetry and remote signaling data from the first host system according to the third point table and sends remote control and remote regulation command data to the first host system; it sends the telemetry and remote signaling data to the devices of the second network according to the fourth point table, and receives remote control and remote regulation command data from the second network;
the configuration of the data points whose data type is remote control or remote regulation in the second point table and the third point table is invalidated, and the data points of the other data types are preset and configured in the normal way according to the industrial communication protocol in use;
the second point table and the third point table are solidified locally in the first host system and the second host system.
An embodiment of the invention also provides a unidirectional isolation method for industrial network data, which uses the unidirectional isolation device of any of the above embodiments and further comprises the following steps:
the first host system collects telemetry and remote signaling data from the devices of the first network according to the device address of each data point to be collected in the first point table, and stores the collected telemetry and remote signaling data that need forwarding at a locally specified forwarding storage location (forwarding register address), the specified forwarding storage location corresponding to the storage location (register address), recorded in the second point table, of each telemetry and remote signaling data point in the first host system that is to be forwarded to the second host system;
the first host system forwards the telemetry and remote signaling data at its forwarding storage location to the second host system;
the second host system receives the forwarded telemetry and remote signaling data point data from the first host system according to the storage location (register address), recorded in the third point table, of each telemetry and remote signaling data point in the first host system that is collected from the first host system, and stores the collected telemetry and remote signaling data that need forwarding at a locally specified forwarding storage location (forwarding register address), the specified forwarding storage location corresponding to the storage location (register address), recorded in the fourth point table, of each telemetry and remote signaling data point in the second host system that is forwarded to the second network;
the second host system forwards the telemetry and remote signaling data at its forwarding storage location to the second network.
Compared with the prior art, the embodiment of the invention has the following advantages. Independent first and second host systems are provided; point tables at the input end and the output end of each host system control the flow of data point data; the communication point table arrangement between the first and second host systems is solidified; in the second point table and the third point table, which control the communication between the first and second host systems, the configuration of data points of the remote control and remote regulation types is invalidated, while data points of the other data types are preset and configured in the normal way according to the industrial communication protocol in use. The unidirectional isolation device therefore automatically isolates, on the data link, remote regulation and remote control industrial data flowing from the second network to the first network; data of the first network (for example an industrial network with a high security level) can be selectively transmitted to the second network (for example a management network with a low security level); commands and/or data messages are automatically removed from the data fed back from the second network; and the question-answer mechanism of network communication is preserved, so that normal communication of the industrial network is ensured while the data security of the first network is guaranteed.
In addition, because the second point table and the third point table are solidified locally in the first host system and the second host system, the unidirectional isolation device can be used as a single device: it only needs to be configured once, on the first network side and on the second network side. This does not increase the complexity of use and improves the user experience.
As a further improvement, invalidating the configuration of the data points in the second point table and the third point table whose data type is remote control or remote regulation comprises at least one of:
leaving vacant the storage location in the configuration of each data point whose data type is remote control or remote regulation; setting that storage location to an unrecognizable code; or setting it to an unrecognizable address.
As a further refinement, solidifying the second point table and the third point table locally in the first host system and the second host system comprises: solidifying the second point table and the third point table by local burning (flashing); or solidifying them through an encrypted setting.
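The point-table mechanism of the device and method above (invalidating the remote control and remote regulation rows of the second and third point tables, solidifying the tables, and moving point data by register address) as an added Python model written for this page; it is not code from the patent or its assignee. The point names, register addresses, register-copy semantics and the digest that stands in for a solidified table are all assumptions of the example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class PointType(Enum):
    YX = "remote signaling"   # status value, flows network 1 -> network 2
    YC = "telemetry"          # measured value, flows network 1 -> network 2
    YK = "remote control"     # command, flows network 2 -> network 1
    YT = "remote regulation"  # setpoint command, flows network 2 -> network 1


@dataclass(frozen=True)
class PointEntry:
    """One row of the communication point table between the two hosts.
    YX/YC rows: src_addr is a register of the first host, dst_addr of the second.
    YK/YT rows: src_addr is a register of the second host, dst_addr of the first.
    None means the storage location has been left vacant (invalidated)."""
    name: str
    ptype: PointType
    src_addr: Optional[int]
    dst_addr: Optional[int]


PointTable = Tuple[PointEntry, ...]
Registers = Dict[int, float]          # register address -> stored value
DATA_TYPES = (PointType.YX, PointType.YC)
COMMAND_TYPES = (PointType.YK, PointType.YT)


def invalidate_commands(table: PointTable) -> PointTable:
    """Invalidation processing: vacate the storage locations of every remote
    control / remote regulation row; the other rows keep their configuration."""
    return tuple(PointEntry(e.name, e.ptype, None, None) if e.ptype in COMMAND_TYPES
                 else e for e in table)


def seal(table: PointTable) -> str:
    """Digest over the solidified table.  Assumption: stands in for the local
    burning / encrypted setting that keeps the table from being edited in place."""
    h = hashlib.sha256()
    for e in table:
        h.update(f"{e.name}|{e.ptype.name}|{e.src_addr}|{e.dst_addr}\n".encode())
    return h.hexdigest()


def _copy_points(src: Registers, dst: Registers, table: PointTable,
                 digest: str, types: Tuple[PointType, ...]) -> List[str]:
    """Copy the registers of the rows of the given types; refuse to run if the
    table no longer matches its solidified digest.  A vacant (None) address
    cannot be addressed, so that row is skipped while the link itself stays up."""
    if seal(table) != digest:
        raise RuntimeError("point table differs from the solidified copy")
    moved = []
    for e in table:
        if (e.ptype in types and e.src_addr is not None
                and e.dst_addr is not None and e.src_addr in src):
            dst[e.dst_addr] = src[e.src_addr]
            moved.append(e.name)
    return moved


def forward_data(first: Registers, second: Registers, table: PointTable,
                 digest: str) -> List[str]:
    """First host -> second host: telemetry and remote signaling only."""
    return _copy_points(first, second, table, digest, DATA_TYPES)


def return_commands(second: Registers, first: Registers, table: PointTable,
                    digest: str) -> List[str]:
    """Second host -> first host: remote control / remote regulation commands."""
    return _copy_points(second, first, table, digest, COMMAND_TYPES)


# Constructed sample: an engineering-mode table that still carries command
# rows, and the product-mode table obtained by invalidating them.
ENGINEERED_TABLE: PointTable = (
    PointEntry("pump1_temperature", PointType.YC, 100, 1000),
    PointEntry("pump1_running", PointType.YX, 101, 1001),
    PointEntry("pump1_start", PointType.YK, 2000, 300),
    PointEntry("pump1_setpoint", PointType.YT, 2001, 301),
)
SEALED_TABLE = invalidate_commands(ENGINEERED_TABLE)
SEALED_DIGEST = seal(SEALED_TABLE)


def run_cycle(table: PointTable) -> Tuple[List[str], List[str], Registers]:
    """One forward-and-return cycle against constructed register contents;
    returns (points forwarded, commands delivered, first host registers after)."""
    first: Registers = {100: 21.5, 101: 1.0}
    second: Registers = {2000: 1.0, 2001: 55.0}   # commands waiting in the second host
    digest = seal(table)
    forwarded = forward_data(first, second, table, digest)
    delivered = return_commands(second, first, table, digest)
    return forwarded, delivered, first
```

With the engineered table the waiting commands reach the first host's registers 300 and 301; with the invalidated, sealed table the same cycle forwards the two measurements and delivers nothing, and any edited copy of the table is rejected by the digest check.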
As a further improvement, the same or different communication protocols are adopted between the first host system and the first network, between the first host system and the second host system, and between the second host system and the second network; the communication protocol at least comprises: a standard industrial communication protocol, a standard public TCP/IP network communication protocol, and/or a proprietary industrial communication protocol.
As a further improvement, the communication between the first host system and the second host system uses a private industrial communication protocol, a modified standard industrial communication protocol, or an encrypted standard communication protocol under which the point table cannot be changed without authorization.
As a further improvement, the second host system is connected with the second network through a TCP/IP network port, and the first host system is connected with the second host system through a serial port communication link;
the second host system further comprises:
a second protocol conversion unit, configured to parse a data packet received from the second network according to the TCP/IP network protocol used between the second host system and the second network; to format, according to the known message format, the data at the positions corresponding to remote signaling, telemetry, remote control and remote regulation in the parsed data message; and to convert the formatted data message according to the serial communication protocol used between the first host system and the second host system, obtaining a data message in the serial communication protocol format for output to the first host system.
As a further improvement, the protocol conversion unit formatting, according to the known packet format, the data at the positions corresponding to remote signaling, telemetry, remote control and remote regulation in the parsed data packet comprises:
leaving vacant the data points at the data positions corresponding to remote signaling, telemetry, remote control and/or remote regulation in the parsed data message; or
deleting, from a remote control or remote regulation message, all data except the header, the trailer and the content related to the communication itself.
Because the data corresponding to remote signaling, telemetry, remote control and/or remote regulation in the message is formatted according to the communication protocol format of the message, the data and commands in a reverse message (a message from the low-security network to the high-security industrial network) are filtered out automatically while the response information in the message is retained. The response mechanism of network communication is thus preserved while reverse transmission of the remaining remote signaling, telemetry, remote control and/or remote regulation data is isolated; the data link is isolated and, on top of that, the protocol is parsed and converted, so that data in the high-security industrial network is transmitted unidirectionally to the low-security network with a deeper guarantee and without increasing the communication burden.
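The second protocol conversion unit's handling of a reverse message (parse the TCP message, leave the data positions vacant or strip everything except header, trailer and communication-related fields, then re-encode for the serial link) as an added Python example written for this page, not the patent's own code. The byte layouts, function codes and checksum form a constructed frame format for illustration, not any real industrial protocol.

```python
import struct
from dataclasses import dataclass

# Constructed frame layout for this example (not a real industrial protocol).
START, END = 0x68, 0x16
FC_ACK, FC_YX, FC_YC, FC_YK, FC_YT = 0x00, 0x01, 0x02, 0x03, 0x04
DATA_CODES = {FC_YX, FC_YC, FC_YK, FC_YT}   # function codes that carry point data


@dataclass(frozen=True)
class Message:
    func: int       # function code: what the message carries
    seq: int        # sequence number: the communication-related field kept for replies
    payload: bytes  # data positions for remote signaling / telemetry / control / regulation


def parse_tcp(pdu: bytes) -> Message:
    """TCP side (second network): 2-byte big-endian length, func, seq, payload."""
    if len(pdu) < 4:
        raise ValueError("short PDU")
    (length,) = struct.unpack(">H", pdu[:2])
    if length != len(pdu) - 2:
        raise ValueError("length field does not match PDU size")
    return Message(pdu[2], pdu[3], pdu[4:])


def format_reverse(msg: Message, mode: str = "vacate") -> Message:
    """Formatting step for a reverse message (network 2 -> network 1).
    'vacate': keep the data positions but leave them empty (zeroed);
    'strip':  delete everything except header/trailer and communication fields.
    Response/handshake frames (FC_ACK) pass through unchanged."""
    if msg.func not in DATA_CODES:
        return msg
    if mode == "vacate":
        return Message(msg.func, msg.seq, bytes(len(msg.payload)))
    if mode == "strip":
        return Message(msg.func, msg.seq, b"")
    raise ValueError(f"unknown mode {mode!r}")


def to_serial(msg: Message) -> bytes:
    """Serial side (link to the first host): START, len, func, seq, payload, sum, END."""
    body = bytes([msg.func, msg.seq]) + msg.payload
    return bytes([START, len(body)]) + body + bytes([sum(body) & 0xFF, END])


def parse_serial(frame: bytes) -> Message:
    """Inverse of to_serial, with start/end/length/checksum validation."""
    if len(frame) < 6 or frame[0] != START or frame[-1] != END:
        raise ValueError("bad framing")
    body = frame[2:-2]
    if frame[1] != len(body) or frame[-2] != (sum(body) & 0xFF):
        raise ValueError("bad length or checksum")
    return Message(body[0], body[1], bytes(body[2:]))


def convert_reverse(pdu: bytes, mode: str = "vacate") -> bytes:
    """Second protocol conversion unit: parse the TCP PDU, format it, re-encode for serial."""
    return to_serial(format_reverse(parse_tcp(pdu), mode))


# Constructed traffic arriving from the second (low-security) network.
CMD_PDU = b"\x00\x05" + bytes([FC_YK, 7]) + b"\x01\x00\x01"   # "switch point 1 on"
ACK_PDU = b"\x00\x02" + bytes([FC_ACK, 7])                     # reply to the last frame
```

The command frame reaches the serial link with its data positions zeroed (or removed entirely in strip mode) while its sequence number survives, so the first host can still match replies; the acknowledgement frame is converted unchanged.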
As a further refinement, the configuration of the data points in the first, second, third and fourth point tables further includes a data point name or meaning;
the data point names in the second and third point tables may be modified.
As a further improvement, the first host system further comprises:
a first protocol conversion unit, configured to parse the data message received from the first network according to the communication protocol used between the first host system and the first network, and to convert the parsed message content according to the serial communication protocol used between the first host system and the second host system, obtaining a data message in the serial communication protocol format for output to the second host system.
As a further improvement, the first network is a high security level industrial network, and the second network is a low security level network;
the high-security-level industrial network is an industrial production network, and the low-security-level network is an industrial management network or other non-industrial production networks.
Drawings
Fig. 1 is a structural view of a unidirectional isolation apparatus of an industrial network according to a first embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth in the embodiments in order to give a better understanding of the present application; however, the technical solutions claimed in the claims of the present application can be implemented without these technical details and with various changes and modifications to the embodiments below.
A preferred embodiment of the present invention relates to a unidirectional isolation apparatus for industrial network data which, as shown in fig. 1, comprises a first host system and a second host system that are independent of each other in both software and hardware, the first host system communicating with a first network and the second host system communicating with a second network. In general, the first network may be a high security level industrial network, such as an industrial production network, and the second network may be a low security level network, such as an industrial management network or another non-industrial production network.
The first host system and the second host system are in communication connection; the first host system comprises a first point table and a second point table; the first point table stores the configuration of each telemetry and remote signaling data point to be collected in the first network and/or of each data point that is to receive remote control and remote regulation commands, the configuration comprising at least the device address and data type of each data point, where the data type generally comprises remote signaling data, telemetry data, remote control data, remote regulation data and the like; the second point table stores the configuration of each telemetry and remote signaling data point to be forwarded to the second host system and the configuration of each data point that is to receive remote control and remote regulation commands from the second host system; this configuration comprises at least the storage location (for example a register address) and data type, in the first host system, of each telemetry and remote signaling data point to be forwarded, and the storage location (for example a register address) and data type, in the second host system, of each remote control and remote regulation command to be received. For clarity of reference and convenience in the following description, the storage location in the first host system of each telemetry and remote signaling data point to be forwarded is referred to as the first storage address, and the storage location in the second host system of each remote control and remote regulation command to be received is referred to as the second storage address.
The second host system comprises a third point table and a fourth point table; the third point table stores the configuration of each telemetry and remote signaling data point acquired from the first host system and the configuration of each remote control and remote regulation command data point to be returned to the first host system, the configuration comprising at least a second storage location (register address) and data type, in the first host system, of each acquired telemetry and remote signaling data point, and a third storage location (register address) and data type, in the second host system, of each remote control and remote regulation command data point; the fourth point table stores the configuration of the data points received from the second network and the configuration of the telemetry and remote signaling data points forwarded to the second network, the configuration comprising at least a fourth storage location (register address) and data type, in the second host system, of each received data point, and a third storage location (register address) and data type, in the second host system, of each telemetry and remote signaling data point forwarded to the second network;
the first host system collects telemetry and remote signaling data from the devices of the first network according to the first point table and transmits remote control and remote regulation command data to the devices of the first network; it forwards the collected telemetry and remote signaling data to the second host system according to the second point table, and receives remote control and remote regulation command data from the second host system; the second host system receives telemetry and remote signaling data from the first host system according to the third point table and sends remote control and remote regulation command data to the first host system; it sends the telemetry and remote signaling data to the devices of the second network according to the fourth point table, and receives remote control and remote regulation command data from the second network;
the configuration of the data points whose data type is remote control or remote regulation in the second point table and the third point table is invalidated, and the data points of the other data types are preset and configured in the normal way according to the industrial communication protocol in use;
the second point table and the third point table are solidified locally in the first host system and the second host system.
Compared with the prior art, the embodiment of the invention has the advantages that the independent first host system and second host system are arranged, the point tables are respectively arranged at the input end and the output end of the first host system and the second host system to control the circulation of data point data, the communication point table arrangement between the first host system and the second host system is solidified, the configuration of the data points with the types of remote control and remote regulation in the second point table and the third point table for controlling the communication between the first host system and the second host system is subjected to invalidation treatment, the data points of the rest data types are subjected to preset configuration according to the used industrial communication protocol in a normal mode, so that the unidirectional isolation device of the invention automatically isolates the remote regulation and remote control industrial data from the second network to the first network on a data link, and the data of the first network (such as an industrial network with a high safety level) can be selectively transmitted to the second network (such as a management network with a low safety level), the data fed back in the second network can automatically remove commands and/or data messages, and a question-answering mechanism of network communication is reserved, so that the data security of the first network is ensured while the normal communication of the industrial network is ensured.
In addition, because the second and third point tables are solidified locally in the first and second host systems, the unidirectional isolation device can be configured as a single device in use: it only needs to be configured once on the first network side and once on the second network side. This does not increase the configuration burden on the user and improves the user experience.
As a further improvement, invalidating the configuration of the data points whose data type is remote control or remote regulation in the second point table and the third point table comprises at least one of:
leaving the storage position in the configuration of each such data point vacant; setting the storage position to an unidentifiable code; or setting the storage position to an unrecognizable address.
As a further improvement, solidifying the second point table and the third point table locally in the first host system and the second host system comprises: solidifying them by burning them into local storage; or solidifying them through an encryption setting.
As a further improvement, the same or different communication protocols may be used between the first host system and the first network, between the first host system and the second host system, and between the second host system and the second network; the communication protocols comprise at least: a standard industrial communication protocol, a standard public TCP/IP network communication protocol, and/or a proprietary industrial communication protocol.
As a further improvement, the communication between the first host system and the second host system uses a proprietary industrial communication protocol, a modified standard industrial communication protocol, or a standard communication protocol that is encrypted so that the point table cannot be changed without authorization.
As a further improvement, the second host system is connected to the second network through a TCP/IP network port, and the first host system is connected to the second host system through a serial communication link;
the second host system further comprises:
a second protocol conversion unit, configured to parse data packets received from the second network according to the TCP/IP network protocol used between the second host system and the second network; to format, according to the known message format, the data at the positions corresponding to remote signaling, telemetry, remote control and remote regulation in the parsed data message; and to convert the formatted data message according to the serial communication protocol used between the first host system and the second host system, obtaining a data message in the serial protocol format for output to the first host system.
As a further improvement, the second protocol conversion unit formatting the data corresponding to remote signaling, telemetry, remote control and remote regulation in the parsed data packet according to the known packet format comprises:
leaving the data points at the data positions corresponding to remote signaling, telemetry, remote control and/or remote regulation in the parsed data message vacant; or
deleting all data of the remote control and remote regulation message except its header, its trailer and the content related to the communication itself.
Formatting the data corresponding to remote signaling, telemetry, remote control and/or remote regulation according to the message's own protocol format automatically filters the data and commands out of reverse messages (messages from the low-security network to the high-security industrial network) while retaining the response information in them. The response mechanism of the network communication is thus preserved while the reverse transmission of all remaining remote signaling, telemetry, remote control and/or remote regulation data is isolated. On top of the isolation of the data link, the protocol is further parsed and converted, so that data of the high-security industrial network is guaranteed, at depth, to flow only one way into the low-security network, without adding to the communication burden.
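The reverse-direction filtering performed by the second protocol conversion unit, as an added example that is not the patent's own code: a frame from the second network is parsed by a constructed TCP/IP-side format, its data positions are vacated, and the result is re-encoded in a constructed serial format. Both frame layouts, the type codes and the checksum are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

# Constructed data-type codes; the patent names the four remote types and the
# response content but fixes no numeric codes.
TELESIGNAL, TELEMETRY, REMOTE_CONTROL, REMOTE_REGULATION, RESPONSE = 1, 2, 3, 4, 5
# In the reverse direction every data-carrying type is isolated; only the
# response (question-and-answer) content is kept.
ISOLATED_TYPES = {TELESIGNAL, TELEMETRY, REMOTE_CONTROL, REMOTE_REGULATION}

NET_HEADER = b"\xaa\x55"          # constructed TCP/IP-side frame header
SER_START, SER_END = 0x68, 0x16   # constructed serial-side start/end bytes


@dataclass
class Frame:
    dtype: int     # data type carried by the frame
    seq: int       # sequence number used by the request/response handshake
    point: int     # data point address
    value: bytes   # point data (the command value for control/regulation)


def checksum(data: bytes) -> int:
    return sum(data) & 0xFF


def parse_net_frame(raw: bytes) -> Frame:
    """Parse header(2) | dtype(1) | seq(2) | point(2) | len(1) | value | cs(1)."""
    if raw[:2] != NET_HEADER:
        raise ValueError("bad network header")
    dtype, seq, point, vlen = struct.unpack(">BHHB", raw[2:8])
    body = raw[2:8 + vlen]
    if checksum(body) != raw[8 + vlen]:
        raise ValueError("bad network checksum")
    return Frame(dtype, seq, point, raw[8:8 + vlen])


def build_net_frame(f: Frame) -> bytes:
    body = struct.pack(">BHHB", f.dtype, f.seq, f.point, len(f.value)) + f.value
    return NET_HEADER + body + bytes([checksum(body)])


def isolate_reverse_data(f: Frame) -> Frame:
    """Vacate the data positions of any isolated type: header, trailer and the
    handshake fields (type, sequence) survive so the response mechanism still
    works, but no point value or command reaches the high-security side."""
    if f.dtype in ISOLATED_TYPES:
        return Frame(f.dtype, f.seq, 0, b"")
    return f


def to_serial_frame(f: Frame) -> bytes:
    """Re-encode as 0x68 | len | dtype | seq(2) | point(2) | value | cs | 0x16."""
    body = struct.pack(">BHH", f.dtype, f.seq, f.point) + f.value
    return bytes([SER_START, len(body)]) + body + bytes([checksum(body), SER_END])


def parse_serial_frame(raw: bytes) -> Frame:
    if raw[0] != SER_START or raw[-1] != SER_END:
        raise ValueError("bad serial framing")
    body = raw[2:2 + raw[1]]
    if checksum(body) != raw[2 + raw[1]]:
        raise ValueError("bad serial checksum")
    dtype, seq, point = struct.unpack(">BHH", body[:5])
    return Frame(dtype, seq, point, body[5:])


def convert_reverse_frame(raw: bytes) -> bytes:
    """The second protocol conversion unit for one frame from the second network:
    parse by the network protocol, isolate the data, convert to serial format."""
    return to_serial_frame(isolate_reverse_data(parse_net_frame(raw)))


if __name__ == "__main__":
    # Constructed sample: a remote regulation command carrying setpoint 300.
    cmd = build_net_frame(Frame(REMOTE_REGULATION, 7, 1001, b"\x01\x2c"))
    print(convert_reverse_frame(cmd).hex())
```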
As a further improvement, the configuration of the data points in the first, second, third and fourth point tables further includes a data point name or meaning;
the data point names in the second and third point tables may be modified.
As a further improvement, the first host system further comprises:
a first protocol conversion unit, configured to parse data messages received from the first network according to the communication protocol used between the first host system and the first network, and to convert the parsed message content according to the serial communication protocol used between the first host system and the second host system, obtaining a data message in the serial protocol format for output to the second host system.
A second embodiment of the present invention provides a method for unidirectional isolation of industrial network data, which uses the industrial network data unidirectional isolation device of any of the first embodiments and further comprises the following steps:
the first host system collects telemetry and remote signaling data from the equipment of the first network according to the equipment address of each data point to be collected in the first point table, and stores the collected telemetry and remote signaling data that needs to be forwarded in a locally specified forwarding storage location (forwarding register address); this forwarding storage location corresponds to the storage position (register address) in the first host system, recorded in the second point table, of each telemetry and remote signaling data point that needs to be forwarded to the second host system;
the first host system forwards the telemetry and remote signaling data in its forwarding storage location to the second host system;
the second host system receives the forwarded telemetry and remote signaling data point data from the first host system according to the storage position (register address) in the first host system, recorded in the third point table, of each telemetry and remote signaling data point collected from the first host system; it stores the received telemetry and remote signaling data that needs to be forwarded in a locally specified forwarding storage location (forwarding register address), which corresponds to the storage position (register address) in the second host system, recorded in the fourth point table, of each telemetry and remote signaling data point forwarded to the second network;
the second host system forwards the telemetry and remote signaling data in its forwarding storage location to the second network.
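The four-step forwarding flow above, together with the invalidation and solidification of the second and third point tables, as an added simulation that is not the patent's own code. Register addresses, device addresses, the table layout and the digest used to detect a modified table are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

TELESIGNAL, TELEMETRY, REMOTE_CONTROL, REMOTE_REGULATION = "YX", "YC", "YK", "YT"
DATA_TYPES = {TELESIGNAL, TELEMETRY}
COMMAND_TYPES = {REMOTE_CONTROL, REMOTE_REGULATION}


@dataclass(frozen=True)
class Entry:
    point: str
    dtype: str
    src: Any   # storage location the data is read from (register or device address)
    dst: Any   # storage location it is written to (forwarding register address)


def invalidate_commands(entries: Tuple[Entry, ...]) -> Tuple[Entry, ...]:
    """The patent's invalidation processing: vacate the storage locations of
    remote control / remote regulation entries; other types are unchanged."""
    return tuple(Entry(e.point, e.dtype, None, None) if e.dtype in COMMAND_TYPES else e
                 for e in entries)


def solidify(entries: Tuple[Entry, ...]) -> Tuple[Tuple[Entry, ...], str]:
    """Return the invalidated table with a digest checked on every use: one way
    (an assumption here) to realize a table that cannot be changed without
    authorization."""
    table = invalidate_commands(entries)
    return table, hashlib.sha256(repr(table).encode()).hexdigest()


def transfer(table: Tuple[Entry, ...], digest: Optional[str],
             source: Dict[Any, Any], target: Dict[Any, Any], types) -> Dict[str, Any]:
    """Copy every point of the selected types from `source` to `target`.
    Entries whose storage location was vacated are skipped, so a command can
    never be staged for transfer across the host-to-host link."""
    if digest is not None and hashlib.sha256(repr(table).encode()).hexdigest() != digest:
        raise RuntimeError("point table has been modified")
    moved = {}
    for e in table:
        if e.dtype not in types or e.src is None or e.dst is None or e.src not in source:
            continue
        target[e.dst] = source[e.src]
        moved[e.point] = source[e.src]
    return moved


def run_once() -> Dict[str, Any]:
    """One collection/forwarding cycle, then a command sent back from network 2."""
    devices = {("plc1", 1): 1, ("plc1", 2): 37.5}   # constructed field registers
    host1, host2, net2 = {}, {}, {}
    first = (Entry("breaker", TELESIGNAL, ("plc1", 1), 100),
             Entry("pressure", TELEMETRY, ("plc1", 2), 101),
             Entry("setpoint", REMOTE_REGULATION, 102, ("plc1", 3)))
    second, d2 = solidify((Entry("breaker", TELESIGNAL, 100, 200),
                           Entry("pressure", TELEMETRY, 101, 201),
                           Entry("setpoint", REMOTE_REGULATION, 400, 102)))
    third, d3 = solidify((Entry("breaker", TELESIGNAL, 200, 300),
                          Entry("pressure", TELEMETRY, 201, 301),
                          Entry("setpoint", REMOTE_REGULATION, 400, 102)))
    fourth = (Entry("breaker", TELESIGNAL, 300, 1),
              Entry("pressure", TELEMETRY, 301, 2),
              Entry("setpoint", REMOTE_REGULATION, 9, 400))

    transfer(first, None, devices, host1, DATA_TYPES)   # step 1: collect from the field
    transfer(second, d2, host1, host1, DATA_TYPES)      # step 1: stage forwarding registers
    transfer(third, d3, host1, host2, DATA_TYPES)       # steps 2-3: host 2 receives and stages
    transfer(fourth, None, host2, net2, DATA_TYPES)     # step 4: forward to network 2

    net2[9] = 42.0                                      # network 2 issues a setpoint command
    transfer(fourth, None, net2, host2, COMMAND_TYPES)  # host 2 stores it per the fourth table
    returned = transfer(second, d2, host2, host1, COMMAND_TYPES)  # vacated entry: dropped
    transfer(first, None, host1, devices, COMMAND_TYPES)          # nothing reaches the device
    return {"net2": net2, "host1": host1, "host2": host2,
            "devices": devices, "returned": returned}


if __name__ == "__main__":
    print(run_once())
```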
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (11)

1. An industrial network data unidirectional isolation device, characterized by comprising:
a first host system and a second host system, each independent of the other in software and hardware, the first host system communicating with a first network and the second host system communicating with a second network;
the first host system and the second host system being communicatively connected; the first host system comprising a first point table and a second point table; the first point table storing the configuration of each telemetry and remote signaling data point to be collected and/or of each data point in the first network that is to receive remote control and remote regulation commands, the configuration comprising at least the equipment address and data type of each data point; the second point table storing the configuration of each telemetry and remote signaling data point to be forwarded to the second host system and of each data point that is to receive remote control and remote regulation commands from the second host system, the configuration comprising at least a first storage position in the first host system and a data type for each telemetry and remote signaling data point to be forwarded, and a second storage position in the second host system and a data type for each remote control and remote regulation command to be received;
the second host system comprising a third point table and a fourth point table; the third point table storing the configuration of each telemetry and remote signaling data point collected from the first host system and of each remote control and remote regulation command data point to be returned to the first host system, the configuration comprising at least a second storage position in the first host system and a data type for each collected telemetry and remote signaling data point, and a third storage position in the second host system and a data type for each remote control and remote regulation command to be forwarded; the fourth point table storing the configuration of the data points received from the second network and of the telemetry and remote signaling data points forwarded to the second network, the configuration comprising at least a fourth storage position in the second host system and a data type for each received data point, and a third storage position in the second host system and a data type for each telemetry and remote signaling data point forwarded to the second network;
the first host system collecting telemetry and remote signaling data from the equipment of the first network according to the first point table and delivering remote control and remote regulation command data to the equipment of the first network; forwarding the collected telemetry and remote signaling data to the second host system according to the second point table and receiving remote control and remote regulation command data from the second host system; the second host system receiving telemetry and remote signaling data from the first host system according to the third point table and sending remote control and remote regulation command data to the first host system; and sending the telemetry and remote signaling data to the equipment of the second network according to the fourth point table and receiving remote control and remote regulation command data from the second network;
the configuration of the data points whose data type is remote control or remote regulation in the second point table and the third point table being invalidated, and the data points of the other data types being given their normal preset configuration according to the industrial communication protocol in use;
the second point table and the third point table being solidified locally in the first host system and the second host system.
2. The industrial network data unidirectional isolation device of claim 1, wherein invalidating the configuration of the data points of the second and third point tables whose data type is remote control or remote regulation comprises at least one of:
leaving the storage position in the configuration of each such data point vacant; setting the storage position to an unidentifiable code; or setting the storage position to an unrecognizable address.
3. The industrial network data unidirectional isolation device of claim 1, wherein solidifying the second point table and the third point table locally in the first host system and the second host system comprises: solidifying them by burning them into local storage; or solidifying them through an encryption setting.
4. The industrial network data unidirectional isolation device of claim 1, wherein the same or different communication protocols are used between the first host system and the first network, between the first host system and the second host system, and between the second host system and the second network; the communication protocols comprising at least: a standard industrial communication protocol, a standard public TCP/IP network communication protocol, and/or a proprietary industrial communication protocol.
5. The industrial network data unidirectional isolation device of claim 1, wherein the communication between the first host system and the second host system uses a proprietary industrial communication protocol, a modified standard industrial communication protocol, or a standard communication protocol that is encrypted so that the point table cannot be changed without authorization.
6. The industrial network data unidirectional isolation device of claim 5, wherein the second host system is connected to the second network through a TCP/IP network port, and the first host system is connected to the second host system through a serial communication link;
the second host system further comprising:
a second protocol conversion unit, configured to parse data packets received from the second network according to the TCP/IP network protocol used between the second host system and the second network; to format, according to the known message format, the data at the positions corresponding to remote control and remote regulation in the parsed data message; and to convert the formatted data message according to the serial communication protocol used between the first host system and the second host system, obtaining a data message in the serial protocol format for output to the first host system.
7. The industrial network data unidirectional isolation device of claim 6, wherein the second protocol conversion unit formatting the data corresponding to remote control and remote regulation in the parsed data message according to the known message format comprises:
leaving the data points at the data positions corresponding to remote control and/or remote regulation in the parsed data message vacant; or
deleting all data of the remote control and remote regulation message except its header, its trailer and the content related to the communication itself.
8. The industrial network data unidirectional isolation device of claim 1, wherein the configuration of the data points in the first, second, third and fourth point tables further comprises a data point name or meaning;
the data point names in the second and third point tables being modifiable.
9. The industrial network data unidirectional isolation device of claim 6, wherein the first host system further comprises:
a first protocol conversion unit, configured to parse data messages received from the first network according to the communication protocol used between the first host system and the first network, and to convert the parsed message content according to the serial communication protocol used between the first host system and the second host system, obtaining a data message in the serial protocol format for output to the second host system.
10. The industrial network data unidirectional isolation device of any one of claims 1 to 9, wherein the first network is an industrial network with a high security level and the second network is a network with a low security level;
the high-security-level industrial network being an industrial production network, and the low-security-level network being an industrial management network or another non-industrial-production network.
11. An industrial network data unidirectional isolation method, characterized by using the industrial network data unidirectional isolation device of any one of claims 1 to 9 and further comprising the following steps:
the first host system collects telemetry and remote signaling data from the equipment of the first network according to the equipment address of each data point to be collected in the first point table, and stores the collected telemetry and remote signaling data that needs to be forwarded in a locally specified forwarding storage location, which corresponds to the storage position in the first host system, recorded in the second point table, of each telemetry and remote signaling data point that needs to be forwarded to the second host system;
the first host system forwards the telemetry and remote signaling data in its forwarding storage location to the second host system;
the second host system receives the forwarded telemetry and remote signaling data point data from the first host system according to the storage position in the first host system, recorded in the third point table, of each telemetry and remote signaling data point collected from the first host system; it stores the received telemetry and remote signaling data that needs to be forwarded in a locally specified forwarding storage location, which corresponds to the storage position in the second host system, recorded in the fourth point table, of each telemetry and remote signaling data point forwarded to the second network;
the second host system forwards the telemetry and remote signaling data in its forwarding storage location to the second network.
CN202010254108.9A 2019-12-24 2020-04-02 Industrial network data unidirectional isolation method and device Active CN111399463B (en)

Applications Claiming Priority (2)

Application Number    Priority Date
CN201911349313        2019-12-24
CN2019113493137       2019-12-24

Publications (2)

Publication Number    Publication Date
CN111399463A          2020-07-10
CN111399463B          2023-10-20

Family

ID=71429351

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231103

Address after: 201203 north, 2nd floor, No.82, Lane 887, Zuchongzhi Road, Pudong New Area, Shanghai

Patentee after: Shanghai Kelu Software Co.,Ltd.

Patentee after: Shanghai Left Bank Investment Management Co.,Ltd.

Address before: 201203 403D 5, 3000 Longdong Avenue, Pudong New Area, Shanghai.

Patentee before: Shanghai Kelu Software Co.,Ltd.