CN111400780A - Safety reinforcement management device for industrial control terminal - Google Patents
- Publication number: CN111400780A
- Application number: CN202010346392.2A
- Authority: CN (China)
- Prior art keywords: interface, industrial control, usb, interface group, safety
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a safety reinforcement management device for an industrial control terminal, which comprises a server-side interface group, a device-side interface group and a management-side interface group. The server-side interface group comprises an RJ45 Ethernet interface, an RS232 serial port and two USB-Host interfaces, and is connected to the service system side; the device-side interface group comprises an RJ45 Ethernet interface, an RS232 serial port and a USB-Device interface, and is connected to the protected object side; the management-side interface group comprises a Console interface and an RJ45 Ethernet interface. The device is deployed externally and independently of the protected object, accesses the protected object through standardized communication interfaces, is portable and easy to deploy, and enhances the safety of the protected object.
Description
Technical Field
The invention relates to the technical field of industrial equipment, in particular to a safety reinforcement management device for an industrial control terminal.
Background
With the arrival of the intelligent manufacturing era, the convergence of IT and OT has become a major trend: industrial control networks are increasingly open, and industrial control systems, the Internet of Things and the Internet are deeply intertwined. This has greatly raised the degree of intelligence and informatization of industrial control systems, but it also confronts their information security with a severe challenge. Industrial control terminals such as industrial controllers, numerical control equipment, industrial control stations and intelligent sensors serve as field-layer terminal devices in the industrial control network; their deployment locations are not fixed, they are scattered across many areas, and the personnel who come into contact with them change frequently, so their security management is difficult. In addition, industrial control terminal devices and systems were not designed with communication security in mind, and their control systems usually run an embedded or stripped-down operating system; to preserve real-time performance and availability, they cannot be hardened the way an ordinary computer is, by applying operating system patches or installing anti-virus or other protection software. With the arrival of intelligent manufacturing and the industrial Internet, network access for industrial control terminals has become unavoidable. A terminal without security protection is an easy target for hacker tools, trojans, worms and viruses, and once compromised it can serve as a stepping stone for attacks on other industrial control terminal devices and systems in the network, with important data and files being stolen, so the industrial control network carries serious hidden security risks.
In prior-art schemes, an industrial firewall is generally used to partition the devices of an industrial control network into separate security domains, block data exchange between domains and defend the communication protocols at the same time. However, an industrial firewall cannot provide one-to-one, targeted protection for individual industrial control devices, and its detection granularity and accuracy for communication data content are poor.
Disclosure of Invention
The invention aims to provide a safety reinforcement management device for an industrial control terminal which is deployed externally and independently of the protected object and accesses the protected object through standardized communication interfaces, so that it is portable and easy to deploy and enhances the safety of the protected object.
The purpose of the invention is realized by the following technical scheme:
a security reinforcement management device for an industrial control terminal, the device comprising a server-side interface group, a device-side interface group and a management-side interface group, wherein:
the server-side interface group comprises an RJ45 Ethernet interface, an RS232 serial port and two USB-Host interfaces, and is connected to the service system side;
the device-side interface group comprises an RJ45 Ethernet interface, an RS232 serial port and a USB-Device interface, and is connected to the protected object side;
the management-side interface group comprises a Console interface and an RJ45 Ethernet interface, and is used for maintaining and upgrading the device, managing policy configuration and performing centralized audit;
specifically: the RJ45 Ethernet interface of the device-side interface group is connected to the Ethernet interface of the protected object, and the RJ45 Ethernet interface of the server-side interface group is connected to the Ethernet interface of the service system, so that security control of the Ethernet communication link is realized;
the RS232 serial port of the device-side interface group is connected to the serial port of the protected object, and the RS232 serial port of the server-side interface group is connected to the serial port of the service system, so that security control of the serial bus communication link is realized;
the USB-Device interface of the device-side interface group is connected to the USB interface of the protected object, and a USB storage device is plugged into the USB-Host interface of the server-side interface group, so that security control of USB bus communication is realized; hardware feature identification, legality restriction and read/write permission restriction of the removable storage medium are achieved through configured policies.
According to the technical scheme provided by the invention, the device is deployed externally and independently of the protected object, accesses the protected object through standardized communication interfaces, is portable and easy to deploy, and enhances the safety of the protected object.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a security reinforcement management device for an industrial control terminal according to an embodiment of the present invention;
Fig. 2 is a schematic view of the external structure of the device according to the present invention;
Fig. 3 is a schematic view of the device of the present invention after the cable protective casing is closed.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention is described below in further detail with reference to the accompanying drawings. Fig. 1 is a schematic structural diagram of a security reinforcement management device for an industrial control terminal according to an embodiment of the present invention; the device mainly comprises a server-side interface group, a device-side interface group and a management-side interface group, wherein:
the server-side interface group comprises an RJ45 Ethernet interface 1, an RS232 serial port 2 and two USB-Host interfaces 3, and is connected to the service system side;
the device-side interface group comprises an RJ45 Ethernet interface 4, an RS232 serial port 5 and a USB-Device interface 6, and is connected to the protected object side;
the management-side interface group comprises a Console interface 7 and an RJ45 Ethernet interface 8, and is used for maintenance and upgrading, policy configuration management and centralized auditing of the device;
specifically: the RJ45 Ethernet interface 4 of the device-side interface group is connected to the Ethernet interface of the protected object, and the RJ45 Ethernet interface 1 of the server-side interface group is connected to the Ethernet interface of the service system, so that security control of the Ethernet communication link is realized;
the RS232 serial port 5 of the device-side interface group is connected to the serial port of the protected object, and the RS232 serial port 2 of the server-side interface group is connected to the serial port of the service system, so that security control of the serial bus communication link is realized;
the USB-Device interface 6 of the device-side interface group is connected to the USB interface of the protected object, and a USB storage device is plugged into the USB-Host interface 3 of the server-side interface group, so that security control of USB bus communication is realized; hardware feature identification, legality restriction and read/write permission restriction of the removable storage medium can be achieved through configured policies.
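The USB-Host control described here (and in the summary and claim 1 above) amounts to a policy check at insertion time and on every read or write: identify the medium by its hardware features, admit only allowlisted media, and confine each admitted medium to the permission its policy grants. The following Python is an added illustration of that check, not the patent's own code; the descriptor fields, the policy format, the allowlist entries and the sample devices are all constructed for the example.

```python
"""Removable-storage control at the appliance's USB-Host port: identify the
inserted medium by its hardware features, admit only allowlisted media, and
confine each admitted medium to the read/write permission its policy grants.

Added illustration, not the patent's code. The descriptor fields, the policy
format, the allowlist and the sample devices are all constructed for this
example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MASS_STORAGE_CLASS = 0x08  # USB bInterfaceClass value for mass storage


@dataclass(frozen=True)
class UsbDescriptor:
    """Hardware features read from the device's USB descriptors (constructed subset)."""
    vid: int               # idVendor
    pid: int               # idProduct
    serial: str            # iSerialNumber string, "" if the device reports none
    interface_class: int   # bInterfaceClass of the first interface


@dataclass
class StoragePolicy:
    """Configured policy: allowlist keyed by (vid, pid, serial) -> 'ro' or 'rw'."""
    allowlist: Dict[Tuple[int, int, str], str] = field(default_factory=dict)
    require_serial: bool = True   # refuse media that cannot be uniquely identified

    def decide(self, dev: UsbDescriptor) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'deny', 'ro' or 'rw'. Unknown media fail closed."""
        if dev.interface_class != MASS_STORAGE_CLASS:
            return "deny", "not a mass-storage interface"
        if self.require_serial and not dev.serial:
            return "deny", "no serial number; hardware cannot be uniquely identified"
        mode = self.allowlist.get((dev.vid, dev.pid, dev.serial))
        if mode is None:
            return "deny", "hardware features not in allowlist"
        return mode, "allowlisted"


class UsbHostGuard:
    """Mediates every attach and I/O request on the USB-Host port and audits it."""

    def __init__(self, policy: StoragePolicy) -> None:
        self.policy = policy
        self.audit: List[dict] = []

    def _record(self, event: str, dev: UsbDescriptor, outcome: str, reason: str) -> None:
        self.audit.append({"event": event, "vid": hex(dev.vid), "pid": hex(dev.pid),
                           "serial": dev.serial, "outcome": outcome, "reason": reason})

    def attach(self, dev: UsbDescriptor) -> str:
        """Called on insertion; returns the access mode granted ('deny' blocks the medium)."""
        verdict, reason = self.policy.decide(dev)
        self._record("attach", dev, verdict, reason)
        return verdict

    def request_io(self, dev: UsbDescriptor, op: str) -> bool:
        """Called per read/write request. The policy is re-evaluated each time, so a
        device whose allowlist entry is revoked is cut off even if it stays plugged in."""
        verdict, reason = self.policy.decide(dev)
        allowed = verdict == "rw" or (verdict == "ro" and op == "read")
        self._record(op, dev, "allow" if allowed else "deny", reason)
        return allowed


# Constructed sample policy: vendor/product ids and serials are placeholders.
SAMPLE_POLICY = StoragePolicy(allowlist={
    (0x1A2B, 0x0001, "SN-RW-0001"): "rw",   # constructed: maintenance engineer's stick
    (0x3C4D, 0x0002, "SN-RO-0002"): "ro",   # constructed: firmware delivery medium, read-only
})


def demo() -> Dict[str, object]:
    """Run the guard over constructed devices and return the verdicts."""
    guard = UsbHostGuard(SAMPLE_POLICY)
    rw_stick = UsbDescriptor(0x1A2B, 0x0001, "SN-RW-0001", MASS_STORAGE_CLASS)
    ro_stick = UsbDescriptor(0x3C4D, 0x0002, "SN-RO-0002", MASS_STORAGE_CLASS)
    unknown = UsbDescriptor(0x1A2B, 0x0001, "SN-OTHER", MASS_STORAGE_CLASS)  # same model, other serial
    no_serial = UsbDescriptor(0x5E6F, 0x0003, "", MASS_STORAGE_CLASS)
    return {
        "rw_attach": guard.attach(rw_stick),
        "ro_attach": guard.attach(ro_stick),
        "unknown_attach": guard.attach(unknown),
        "no_serial_attach": guard.attach(no_serial),
        "ro_read": guard.request_io(ro_stick, "read"),
        "ro_write": guard.request_io(ro_stick, "write"),
        "rw_write": guard.request_io(rw_stick, "write"),
        "audit_entries": len(guard.audit),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter for the device the patent describes: the allowlist is keyed on the full (vendor, product, serial) triple, so a second stick of the same model is rejected, and media that report no serial number are refused outright because they cannot be distinguished from each other.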
In a specific implementation, a security information coding module is plugged into USB-Host interface 3 of the server-side interface group and communicates with the device over USB. When the device sends data to the service system, it passes the plaintext data to the security information coding module, which applies forward security coding to the data, and the device then sends the coded data returned by the module to the network. Conversely, coded data that the device receives from the service system is passed to the security information coding module for reverse security decoding. In this way the communication link between the protected object and the service system is protected.
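The data path just described (and restated in claim 2) is simple to state but its value depends on what the coding module does on the reverse path: a coded frame that has been altered, replayed or reflected back must be rejected rather than decoded. The patent does not specify the module's algorithm. The Python below is an added illustration, not the patent's code, and stands in an encrypt-then-MAC scheme built from HMAC-SHA256 (a counter-mode keystream for confidentiality, a separate key for integrity, a direction byte and a sequence number in each frame) purely so that the example runs on the standard library; a production module would use a vetted AEAD such as AES-GCM. The key, roles, frame layout and sample messages are all constructed.

```python
"""Forward coding / reverse decoding of link data through a security coding
module, and the appliance's forwarding path around it.

Added illustration, not the patent's code. The patent does not specify the
module's algorithm; this stand-in is encrypt-then-MAC on HMAC-SHA256 with a
per-direction sequence number. Key, roles and messages are constructed.
"""
import hashlib
import hmac
import struct
from typing import List, Optional

TAG_LEN = 32                 # HMAC-SHA256 tag
HEADER_LEN = 1 + 8           # direction byte + 64-bit sequence number
DIRECTIONS = {"device": 0x01, "service": 0x02}


class CodingError(Exception):
    """Raised when a frame fails format, integrity, direction or replay checks."""


class SecurityCodingModule:
    """One module per link end; both ends share the same master key."""

    def __init__(self, master_key: bytes, role: str) -> None:
        if role not in DIRECTIONS:
            raise ValueError("role must be 'device' or 'service'")
        self.role = role
        # Independent sub-keys for confidentiality and integrity.
        self.k_enc = hmac.new(master_key, b"link-confidentiality", hashlib.sha256).digest()
        self.k_mac = hmac.new(master_key, b"link-integrity", hashlib.sha256).digest()
        self.send_seq = 0          # next sequence number we emit
        self.last_accepted = -1    # highest sequence number accepted from the peer

    @property
    def peer_direction(self) -> int:
        return DIRECTIONS["service" if self.role == "device" else "device"]

    def _keystream(self, header: bytes, length: int) -> bytes:
        # Counter mode over HMAC: the header (direction + seq) makes each keystream unique.
        out = bytearray()
        block = 0
        while len(out) < length:
            out += hmac.new(self.k_enc, header + struct.pack(">I", block), hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def forward_code(self, plaintext: bytes) -> bytes:
        """Plaintext in, frame = header || ciphertext || tag out."""
        header = struct.pack(">BQ", DIRECTIONS[self.role], self.send_seq)
        self.send_seq += 1
        ks = self._keystream(header, len(plaintext))
        body = header + bytes(p ^ k for p, k in zip(plaintext, ks))
        return body + hmac.new(self.k_mac, body, hashlib.sha256).digest()

    def reverse_decode(self, frame: bytes) -> bytes:
        """Frame in, plaintext out; any check failure raises CodingError."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            raise CodingError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.k_mac, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise CodingError("integrity check failed")
        direction, seq = struct.unpack(">BQ", body[:HEADER_LEN])
        if direction != self.peer_direction:
            raise CodingError("frame reflected from the wrong direction")
        if seq <= self.last_accepted:
            raise CodingError("replayed or stale sequence number")
        self.last_accepted = seq
        ks = self._keystream(body[:HEADER_LEN], len(body) - HEADER_LEN)
        return bytes(c ^ k for c, k in zip(body[HEADER_LEN:], ks))


class LinkAppliance:
    """The device's data path: plaintext goes to the module and the module's
    output goes to the network; on receive the reverse. Bad frames are dropped
    and logged instead of being passed to the protected object."""

    def __init__(self, module: SecurityCodingModule) -> None:
        self.module = module
        self.log: List[str] = []

    def to_network(self, plaintext: bytes) -> bytes:
        return self.module.forward_code(plaintext)

    def from_network(self, frame: bytes) -> Optional[bytes]:
        try:
            return self.module.reverse_decode(frame)
        except CodingError as err:
            self.log.append(f"dropped frame: {err}")
            return None


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    dev = LinkAppliance(SecurityCodingModule(key, "device"))
    svc = LinkAppliance(SecurityCodingModule(key, "service"))
    frame = dev.to_network(b"set point 42")
    print("decoded:", svc.from_network(frame))
    print("replay:", svc.from_network(frame), svc.log[-1])
```

The sequence number gives replay protection only if each end keeps its counter across the session; the direction byte prevents a captured device-to-service frame from being accepted by the device side as if it came from the service system.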
In addition, as shown in Fig. 1, the device is further provided with a two-position key change-over switch 9 for switching the working mode of the device between a security protection mode and a maintenance/diagnosis process monitoring mode. When switch 9 is set to the security protection mode, the device completely takes over all communication interfaces of the protected object and performs identity authentication, access control, communication data stream monitoring, deep protocol analysis, secure encryption and similar functions on the communication between the protected object (subject) and the service system (object). When switch 9 is set to the maintenance/diagnosis process monitoring mode, the device again completely takes over all communication interfaces of the protected object, monitors the maintenance and diagnosis process between the maintenance/diagnosis equipment (subject) and the protected object (object), and records and stores the data flow of that process so that it can later be traced, queried and analysed.
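The two working modes differ in who is allowed to reach the protected object and in what the device keeps: in protection mode only the service system's allowlisted traffic passes, while in maintenance mode only the maintenance host passes and every frame is recorded for later tracing. The Python below is an added illustration of that mode-gated behaviour, not the patent's code; the flow fields, the addresses, the allowlisted port and the sample traffic are constructed.

```python
"""Working-mode handling for the inline appliance: a two-position key switch
selects either the security protection mode (traffic between the protected
object and the service system is checked against an access policy) or the
maintenance/diagnosis monitoring mode (the maintenance host's session with
the protected object is recorded for later tracing).

Added illustration, not the patent's code. Flow fields, addresses, the
allowlist and the sample traffic are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

PROTECTION = "protection"
MAINTENANCE = "maintenance"


@dataclass(frozen=True)
class Flow:
    """One unit of traffic seen on the taken-over link (constructed field set)."""
    src: str
    dst: str
    dport: int
    payload: bytes


class ModeSwitchedAppliance:
    def __init__(self, protected: str, service_policy: Dict[str, Set[int]],
                 maintenance_host: str) -> None:
        self.protected = protected
        # service host -> destination ports it may use toward the protected object
        self.service_policy = service_policy
        self.maintenance_host = maintenance_host
        self.mode = PROTECTION            # fail to the restrictive mode at power-up
        self.events: List[dict] = []      # mode changes and denied accesses
        self.trace: List[Flow] = []       # recorded maintenance traffic

    def turn_key(self, mode: str) -> None:
        """Physical key switch: the only way to change mode; every change is logged."""
        if mode not in (PROTECTION, MAINTENANCE):
            raise ValueError(f"unknown mode {mode!r}")
        self.events.append({"event": "mode_change", "from": self.mode, "to": mode})
        self.mode = mode

    def handle(self, flow: Flow) -> str:
        """Return 'allow' or 'deny' for one flow under the current mode."""
        return self._protect(flow) if self.mode == PROTECTION else self._monitor(flow)

    def _deny(self, flow: Flow) -> str:
        self.events.append({"event": "access_denied", "mode": self.mode,
                            "src": flow.src, "dst": flow.dst, "dport": flow.dport})
        return "deny"

    def _protect(self, flow: Flow) -> str:
        if flow.dst == self.protected:
            # Requests toward the protected object: allowlisted host and port only.
            allowed = flow.dport in self.service_policy.get(flow.src, set())
        elif flow.src == self.protected:
            # Replies from the protected object may only go to allowlisted hosts.
            allowed = flow.dst in self.service_policy
        else:
            allowed = False   # the appliance carries nothing that bypasses the protected object
        return "allow" if allowed else self._deny(flow)

    def _monitor(self, flow: Flow) -> str:
        # Only the maintenance host may talk to the protected object, and every
        # frame of that session is kept so the procedure can be traced afterwards.
        if {flow.src, flow.dst} == {self.protected, self.maintenance_host}:
            self.trace.append(flow)
            return "allow"
        return self._deny(flow)


def build_demo_appliance() -> ModeSwitchedAppliance:
    """Constructed addresses and policy: one service host allowed on one port."""
    return ModeSwitchedAppliance(protected="10.0.0.10",
                                 service_policy={"10.0.0.1": {502}},
                                 maintenance_host="10.0.0.99")


if __name__ == "__main__":
    app = build_demo_appliance()
    print(app.handle(Flow("10.0.0.1", "10.0.0.10", 502, b"read")))   # allow
    print(app.handle(Flow("10.0.0.99", "10.0.0.10", 22, b"cmd")))   # deny in protection mode
    app.turn_key(MAINTENANCE)
    print(app.handle(Flow("10.0.0.99", "10.0.0.10", 22, b"cmd")))   # allow and record
    print(len(app.trace), "frame(s) traced;", len(app.events), "event(s) logged")
```

The point worth noticing is that the maintenance host is denied while the key is in the protection position, and the service system is denied while the key is in the maintenance position, so a diagnosis session can never run unnoticed alongside production traffic.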
Fig. 2 is a schematic view of the external structure of the device of the present invention. The device further includes a cable protective casing 10 and a casing closing lock 11, which provide external protection for the device. Fig. 3 shows the device after the cable protective casing is closed: the cable protective casing 10 is locked onto the device by the casing closing lock 11, which effectively prevents the cables from being removed maliciously and so preserves the protective effect of the device.
In addition, in a specific implementation, the device is further provided with a cable connection state checking module that monitors the connection state of the communication cables. As soon as a cable is removed, the device generates alarm information and a log entry in real time.
The device also contains an enclosure-opening detection alarm module that detects and raises an alarm on any opening of the device's enclosure and records a log entry.
The device can be deployed between a field device layer industrial control terminal and a monitoring layer business system; the industrial control terminal comprises an industrial controller, numerical control equipment, an industrial control station or an intelligent sensor.
It should be noted that aspects of the embodiments of the present invention not described in detail herein will be understood by those skilled in the art.
In conclusion, the device provides communication interface control, access control, data filtering, identity authentication, channel encryption, security audit, maintenance/diagnosis control and other functions for the industrial control terminal. It thereby protects the communication and data security of the industrial control terminal, prevents attacks and illegal data leakage, and also effectively prevents abnormal data from flowing into the industrial control terminal. In addition, the device has a complete service auditing function that records the entire course of normal operation, maintenance and repair of the industrial control terminal.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (7)
1. A safety reinforcement management device for an industrial control terminal, characterized by comprising a server-side interface group, a device-side interface group and a management-side interface group, wherein:
the server-side interface group comprises an RJ45 Ethernet interface, an RS232 serial port and two USB-Host interfaces, and is connected to the service system side;
the device-side interface group comprises an RJ45 Ethernet interface, an RS232 serial port and a USB-Device interface, and is connected to the protected object side;
the management-side interface group comprises a Console interface and an RJ45 Ethernet interface, and is used for maintaining and upgrading the device, managing policy configuration and performing centralized audit;
specifically: the RJ45 Ethernet interface of the device-side interface group is connected to the Ethernet interface of the protected object, and the RJ45 Ethernet interface of the server-side interface group is connected to the Ethernet interface of the service system, so that security control of the Ethernet communication link is realized;
the RS232 serial port of the device-side interface group is connected to the serial port of the protected object, and the RS232 serial port of the server-side interface group is connected to the serial port of the service system, so that security control of the serial bus communication link is realized;
the USB-Device interface of the device-side interface group is connected to the USB interface of the protected object, and a USB storage device is plugged into the USB-Host interface of the server-side interface group, so that security control of USB bus communication is realized; hardware feature identification, legality restriction and read/write permission restriction of the removable storage medium are achieved through configured policies.
2. The security reinforcement management device for industrial control terminals according to claim 1,
wherein a security information coding module is plugged into a USB-Host interface of the server-side interface group and communicates with the device over the USB interface, the specific process being as follows:
when the device communicates with the service system, plaintext data is sent to the security information coding module, which applies forward security coding to the data, and the device sends the coded data returned by the module to the network;
similarly, coded data that the device receives from the service system is sent to the security information coding module for reverse security decoding, so that the communication link between the protected object and the service system is protected.
3. The security reinforcement management device for industrial control terminals according to claim 1,
wherein the device is further provided with a two-position key change-over switch for switching the working mode of the device;
the working modes comprise a security protection mode and a maintenance/diagnosis process monitoring mode.
4. The security reinforcement management device for industrial control terminals according to claim 1,
wherein the device further comprises a cable protective casing and a casing closing lock, the cable protective casing being locked onto the device by the casing closing lock so that the device is protected externally.
5. The security reinforcement management device for industrial control terminals according to claim 1,
wherein a cable connection state checking module is provided in the device for monitoring the connection state of the communication cables.
6. The security reinforcement management device for industrial control terminals according to claim 1,
wherein an enclosure-opening detection alarm module is provided in the device for detecting and raising an alarm on any opening of the device's enclosure and recording a log.
7. The security reinforcement management device for industrial control terminals according to claim 1,
wherein the device is deployed between a field-device-layer industrial control terminal and a monitoring-layer business system; the industrial control terminal comprises an industrial controller, numerical control equipment, an industrial control station or an intelligent sensor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010346392.2A CN111400780A (en) | 2020-04-27 | 2020-04-27 | Safety reinforcement management device for industrial control terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010346392.2A CN111400780A (en) | 2020-04-27 | 2020-04-27 | Safety reinforcement management device for industrial control terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111400780A true CN111400780A (en) | 2020-07-10 |
Family
ID=71437336
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010346392.2A Pending CN111400780A (en) | 2020-04-27 | 2020-04-27 | Safety reinforcement management device for industrial control terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111400780A (en) |
Application events
- 2020-04-27: CN202010346392.2A filed (publication CN111400780A), status Pending
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 