CN111506022A - Industrial control system and safety auditing method in industrial control system - Google Patents

Info

Publication number: CN111506022A
Application number: CN201910092973.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 郭长滨, 高锐强, 孙超
Current Assignee: China Petroleum Longhui Automation Engineering Co ltd; China National Petroleum Corp; China Petroleum Pipeline Engineering Corp
Original Assignee: China Petroleum Longhui Automation Engineering Co ltd; China National Petroleum Corp; China Petroleum Pipeline Engineering Corp
Prior art keywords: audit, control, upper computer, auditing, host

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/4185 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by the network communication
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/31 From computer integrated manufacturing till monitoring
    • G05B2219/31088 Network communication between supervisor and cell, machine group
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The embodiments of the application disclose an ICS and a security audit method in the ICS. The system comprises a control device, an upper computer, a switch and an audit host. The switch is used for mirroring the industrial protocol data to the audit host. The audit host is used for parsing the industrial protocol data to obtain a control command, control parameters and the address of the upper computer, and for sending an audit query request to the upper computer. The upper computer is used for verifying the control command and the control parameters according to the audit query request to generate a verification result, and for sending an audit query response carrying the verification result to the audit host. The audit host is used for generating audit records according to the audit query response. In the embodiments of the application, the audit host provides effective supervision of ICS security from the management side, meets users' requirements for ICS security audit records and security protection measures, makes the communication process of the ICS industrial control protocol traceable, and helps improve the security of the key links of the ICS.

Description

Industrial control system and safety auditing method in industrial control system
Technical Field
The embodiments of the application relate to the field of industrial process information security, and in particular to an industrial control system and a security audit method in the industrial control system.
Background
With the rapid development of industrial informatization, the integration of industrialization and informatization is increasingly evident, and ICSs (Industrial Control Systems) also use computer network technology to improve the level of integration, interconnection and information management among systems. In the future, ICSs will become more and more open in order to improve production efficiency and benefit, and the security problems caused by this openness become an important factor restricting the development of this integration and of Industry 4.0.
In the related art, in order to ensure the information security of the ICS, some enterprises tighten, on the management side, the use of removable storage media and notebook computers in the ICS, for example by removing unnecessary USB (Universal Serial Bus) interfaces and optical drives in the ICS and by using a dedicated notebook for secure operation and maintenance.
However, the related art has the problems that the management measures are not fully enforced and that malicious or illegal operations by people cannot be restricted.
Disclosure of Invention
The embodiments of the application provide an industrial control system and a security audit method in the industrial control system, which can be used to solve the problems in the prior art that management measures are not fully enforced and that malicious or illegal operations by people cannot be restricted. The technical scheme is as follows:
In a first aspect, an ICS is provided, the ICS comprising: a control device, an upper computer, a switch and an audit host;
the switch is used for mirroring the industrial protocol data transmitted between the control device and the upper computer to the audit host;
the audit host is used for parsing the industrial protocol data to obtain a request instruction and a response instruction between the control device and the upper computer; parsing the request instruction and the response instruction according to an industrial protocol to obtain a control command, control parameters and the address of the upper computer; and sending an audit query request to the upper computer according to the address of the upper computer, wherein the audit query request comprises the control command and the control parameters;
the upper computer is used for verifying the control command and the control parameters according to the audit query request to generate a verification result, and for sending an audit query response carrying the verification result to the audit host;
the audit host is also used for generating an audit record according to the audit query response.
Optionally, the audit host is specifically configured to:
parse the audit query response, compare the address of the upper computer against the addresses in a legal upper computer whitelist, and compare the control command and the control parameters against the legal control commands and legal control parameters in the legal upper computer whitelist, to generate an audit record; the audit record comprises the occurrence time corresponding to the control command, the behavior information corresponding to the control command, the address of the operation object corresponding to the control parameters, the number of operation objects corresponding to the control parameters, and an audit result.
Optionally, the upper computer is specifically configured to:
perform a byte check of the historical control command and historical control parameters that the upper computer sent to the control device against, respectively, the control command and control parameters included in the audit query request, to obtain the verification result.
Optionally, the switch is specifically configured to:
mirror the data transmitted between the control device and the upper computer;
capture the industrial protocol data from the data;
and send the industrial protocol data to the audit host.
Optionally, the audit host includes a first network card and a second network card;
the first network card is used for accessing a control network comprising the control device, the upper computer and the switch;
and the second network card is used for accessing an audit network comprising each switch in the ICS.
In a second aspect, a security audit method in an ICS is provided, the method including:
the switch mirrors the industrial protocol data transmitted between the control device and the upper computer to the audit host;
the audit host parses the industrial protocol data to obtain a request instruction and a response instruction between the control device and the upper computer; parses the request instruction and the response instruction according to an industrial protocol to obtain a control command, control parameters and the address of the upper computer; and sends an audit query request to the upper computer according to the address of the upper computer, wherein the audit query request comprises the control command and the control parameters;
the upper computer verifies the control command and the control parameters according to the audit query request to generate a verification result, and sends an audit query response carrying the verification result to the audit host;
and the audit host generates an audit record according to the audit query response.
Optionally, the generating, by the audit host, of an audit record according to the audit query response includes:
parsing the audit query response, comparing the address of the upper computer against the addresses in a legal upper computer whitelist, and comparing the control command and the control parameters against the legal control commands and legal control parameters in the legal upper computer whitelist, to generate an audit record; the audit record comprises the occurrence time corresponding to the control command, the behavior information corresponding to the control command, the address of the operation object corresponding to the control parameters, the number of operation objects corresponding to the control parameters, and an audit result.
Optionally, the verifying of the control command and the control parameters according to the audit query request to generate a verification result includes:
performing a byte check of the historical control command and historical control parameters that the upper computer sent to the control device against, respectively, the control command and control parameters included in the audit query request, to obtain the verification result.
Optionally, the mirroring, by the switch, of the industrial protocol data transmitted between the control device and the upper computer to the audit host includes:
mirroring the data transmitted between the control device and the upper computer;
capturing the industrial protocol data from the data;
and sending the industrial protocol data to the audit host.
Optionally, the audit host includes a first network card and a second network card;
the first network card is used for accessing a control network comprising the control device, the upper computer and the switch;
and the second network card is used for accessing an audit network comprising each switch in the ICS.
The beneficial effects of the technical scheme provided by the embodiments of the application can include:
The industrial protocol data transmitted between the upper computer and the control device is mirrored to the audit host through the switch; the audit host first performs a series of operations on the industrial protocol data to obtain the control command and the control parameters, and then audits the control command and the control parameters. In this way, the audit host provides effective supervision of ICS security from the management side, users' requirements for ICS security audit records and security protection measures are met, information tracking, system security management and risk prevention are facilitated, the communication process of the ICS industrial control protocol becomes traceable, and the security of the key links of the ICS is improved.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present application, and those skilled in the art can obtain other drawings based on these drawings without creative effort.
FIG. 1 is an architectural diagram of an ICS provided by an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating a communication process between an upper computer and a control device in an ICS according to an embodiment of the present application;
FIG. 3 is a flow diagram of a method for security auditing of ICS provided by an embodiment of the present application;
FIG. 4 is a flowchart of a security audit method for ICS provided by another embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, an architecture diagram of an ICS is shown, where the ICS may include: a control device 11, an upper computer 12, a switch 13 and an audit host 14.
The control device 11 is a computer for controlling the industrial equipment and acquiring the status of the industrial equipment. The control device 11 is, for example, a programmable controller.
The upper computer 12 is a computer, such as a PC (personal computer), from which a user can directly issue control commands.
A plurality of upper computers 12 and a plurality of control devices 11 may be included within one ICS. The upper computer 12 and the control device 11 may communicate with each other based on an industrial control protocol, and the communication process may be as shown in fig. 2, where the upper computer 12 sends a request instruction to the control device 11, and after receiving the request instruction, the control device 11 controls the industrial device according to the request instruction, and sends a response instruction to the upper computer 12.
The switch 13 can implement information transmission among a plurality of ports. For example, the upper computer 12 and the control device 11 are respectively connected to the switch 13, and the switch 13 can implement information transmission between the upper computer 12 and the control device 11.
The audit host 14 is a computer for security auditing of the ICS.
The following describes the technical solution of the present application with reference to the ICS system shown in fig. 1.
The switch 13 is used for mirroring the industrial protocol data transmitted between the control device 11 and the upper computer 12 to the audit host 14.
Industrial protocol data refers to data transmitted based on an industrial control protocol. The switch 13 has a port mirroring function, and can mirror the industrial protocol data transmitted between the control device 11 and the upper computer 12 to the audit host 14.
Optionally, when the switch 13 mirrors the industrial protocol data to the audit host, it is specifically configured to: mirror the data transmitted between the control device 11 and the upper computer 12, where the data includes industrial protocol data and other communication data; capture the industrial protocol data from the data; and send the industrial protocol data to the audit host 14.
Optionally, the audit host 14 includes a first network card and a second network card; the first network card is used for accessing a control network comprising the control device 11, the upper computer 12 and the switch 13; the second network card is used for accessing an audit network comprising the switches 13 within the ICS.
The control network is composed of the audit host 14, the upper computer 12, the control device 11 and the switch 13, and the audit host 14 accesses the control network through a control network card. The audit network is composed of the audit host 14 and the switch 13, and the audit host 14 is connected to an audit port of the switch 13 through an audit network card. The audit port of the switch 13 is a mirror of the port of the control device 11, and all data received and sent on the port of the control device 11 is mirrored to the audit port.
Optionally, the audit network and the control network communicate with each other via a local area network.
The audit host 14 is used for parsing the industrial protocol data to obtain a request instruction and a response instruction between the control device 11 and the upper computer 12; parsing the request instruction and the response instruction according to the industrial protocol to obtain a control command, control parameters and the address of the upper computer 12; and sending an audit query request to the upper computer 12 according to the address of the upper computer 12, wherein the audit query request comprises the control command and the control parameters.
Optionally, the industrial protocol includes the ModBus protocol, the ProfiBus protocol, the OPC protocol, and the like.
The request instruction is an instruction transmitted from the upper computer 12 to the control device 11. The response instruction is the instruction with which the control device 11 replies to the upper computer 12 after it receives the request instruction sent by the upper computer 12 and controls the industrial equipment to perform the corresponding operation.
The request instruction and the response instruction comprise a control command, control parameters and the address information of the upper computer; the audit host 14 parses the request instruction and the response instruction to obtain the corresponding control command, control parameters and address information of the upper computer 12.
The control command is the command with which the control device 11 instructs the industrial equipment to perform a corresponding operation. The control parameters indicate the address and quantity information of the corresponding industrial equipment when the control command is executed. Illustratively, the control command is to open a valve of the industrial equipment, and the control parameters specify opening the valves of 10 pieces of industrial equipment in zone 3. One upper computer 12 can control a plurality of control devices 11, and one control device 11 can also be controlled by a plurality of upper computers 12. The address of the upper computer 12 is the identification information of the upper computer, and different upper computers 12 have different addresses.
The audit query request is used to instruct the upper computer 12 to verify the control command and the control parameters.
The upper computer 12 is used for verifying the control command and the control parameters according to the audit query request to generate a verification result, and for sending an audit query response carrying the verification result to the audit host 14.
Optionally, when the upper computer 12 verifies the control command and the control parameters, it is specifically configured to: compare, byte by byte, the historical control command and historical control parameters that the upper computer 12 sent to the control device 11 with, respectively, the control command and control parameters included in the audit query request, to obtain the verification result.
For example, if the bytes corresponding to the historical control command and the historical control parameters sent by the upper computer 12 to the control device 11 are 03 and 0808, respectively, and the bytes corresponding to the control command and the control parameters included in the audit query request are 03 and 0809, respectively, then the bytes 03, 0808 are compared with the bytes 03, 0809 to obtain the verification result.
The audit host 14 is also used for generating audit records according to the audit query response.
Optionally, the audit host 14 is specifically configured to: parse the audit query response, compare the address of the upper computer against the addresses in the legal upper computer whitelist, and compare the control command and the control parameters against the legal control commands and legal control parameters in the legal upper computer whitelist, to generate an audit record; the audit record comprises the occurrence time corresponding to the control command, the behavior information corresponding to the control command, the address of the operation object corresponding to the control parameters, the number of operation objects corresponding to the control parameters, and the audit result.
The legal upper computer white list comprises the address of the legal upper computer, a legal control command and a legal control parameter corresponding to the legal upper computer. The content of the legal upper computer white list is not limited, and the content of the legal upper computer white list can be configured by a user according to the auditing requirement of ICS. For example, the user can reasonably configure a legal upper computer white list according to the security level to be met by the ICS.
The behavior information corresponding to the control command is used for indicating the action required to be executed by the operation object (industrial equipment), the address of the operation object (industrial equipment) corresponding to the control parameter is used for indicating the position of the operation object (industrial equipment), and the number of the operation objects (industrial equipment) corresponding to the control parameter is used for indicating the number of the operation objects (industrial equipment) required to execute the control command.
The audit result includes: legal operation, control command of an illegal upper computer, inconsistent control commands, control authority exceeded, and the like. Legal operation means that the address of the audited upper computer is among the addresses in the legal upper computer whitelist, and the audited control command and control parameters are among the legal control commands and legal control parameters. Control command of an illegal upper computer means that the address of the audited upper computer is not among the addresses in the legal upper computer whitelist. Inconsistent control commands means that the audited control command is inconsistent with the control command sent by the audit host, that is, the verification result shows the control commands to be inconsistent. Control authority exceeded means that the audited control command and control parameters are not among the control commands and control parameters in the legal upper computer whitelist.
For example, the addresses in the legal upper computer whitelist include the address of upper computer 1, the address of upper computer 2 and the address of upper computer 3, and the address of the audited upper computer is the address of upper computer 4. Since the address of upper computer 4 is not among the addresses in the legal upper computer whitelist, the audit result is control command of an illegal upper computer.
For another example, among the legal control commands and legal control parameters in the legal upper computer whitelist, the bytes corresponding to the legal control command and legal control parameters of upper computer 1 are 03, 0808, and the bytes corresponding to the legal control command and legal control parameters of upper computer 2 are 02, 0302. The audited upper computer is upper computer 1, and the bytes corresponding to its control command and control parameters are 02, 0808, so the audit result is control authority exceeded.
For another example, if the byte corresponding to the audited control command is 02 and the byte corresponding to the control command sent by the audit host is 03, the audit result is inconsistent control commands.
For another example, among the legal control commands and legal control parameters in the legal upper computer whitelist, the bytes corresponding to the legal control command and legal control parameters of upper computer 1 are 03, 0808, and the bytes corresponding to the legal control command and legal control parameters of upper computer 2 are 02, 0302. The audited upper computer is upper computer 1, and the bytes corresponding to its control command and control parameters are 03, 0808, so the audit result is legal operation.
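The audit decision described above can be sketched as follows. This is an added example, not code from the patent: the host addresses, the class and function names, the record field names and the order in which the checks are applied are assumptions, while the command and parameter bytes (03/0808, 02/0302, 02/0808, 03/0809) are the ones used in the examples above.

```python
from datetime import datetime, timezone

# The four audit results named in the description.
LEGAL = "legal operation"
ILLEGAL_HOST = "control command of an illegal upper computer"
INCONSISTENT = "inconsistent control commands"
OVER_AUTHORITY = "control authority exceeded"

# Constructed addresses (documentation range); the patent gives none.
HOST1, HOST2, HOST3, HOST4 = "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"

# Legal upper computer whitelist: address -> allowed (command, parameters) bytes.
WHITELIST = {
    HOST1: {(bytes.fromhex("03"), bytes.fromhex("0808"))},
    HOST2: {(bytes.fromhex("02"), bytes.fromhex("0302"))},
    HOST3: set(),  # listed host with no commands configured (constructed)
}


class UpperComputer:
    """Upper computer side: remembers what it sent and answers audit queries."""

    def __init__(self, address):
        self.address = address
        self.history = []  # (command, params) pairs sent to the control device

    def send(self, command, params):
        self.history.append((command, params))

    def verify(self, command, params):
        """Byte check of the queried pair against the historical pairs."""
        return any(command == c and params == p for c, p in self.history)


def audit(host_addr, command, params, hosts, when=None):
    """Audit host side: classify one mirrored command and build the record.

    Assumed order: address check, then verification result, then authority.
    An unlisted address is reported without querying it (also an assumption).
    """
    when = when or datetime.now(timezone.utc)
    allowed = WHITELIST.get(host_addr)
    if allowed is None:
        result = ILLEGAL_HOST
    else:
        host = hosts.get(host_addr)
        # Audit query request and response: the host checks its own history.
        verified = host is not None and host.verify(command, params)
        if not verified:
            result = INCONSISTENT
        elif (command, params) not in allowed:
            result = OVER_AUTHORITY
        else:
            result = LEGAL
    return {
        "time": when.isoformat(),
        "upper_computer": host_addr,
        "command": command.hex(),
        "parameters": params.hex(),
        "result": result,
    }


def run_page_examples():
    """Replay the description's four cases and return the audit results."""
    h = bytes.fromhex
    host1 = UpperComputer(HOST1)
    host1.send(h("03"), h("0808"))  # whitelisted for upper computer 1
    host1.send(h("02"), h("0808"))  # really sent, but not whitelisted
    hosts = {HOST1: host1}
    cases = [
        (HOST4, "03", "0808"),  # address not in the whitelist
        (HOST1, "02", "0808"),  # verified, but outside host 1's authority
        (HOST1, "03", "0809"),  # mirrored 0809, host 1 only ever sent 0808
        (HOST1, "03", "0808"),  # verified and whitelisted
    ]
    return [audit(a, h(c), h(p), hosts)["result"] for a, c, p in cases]


if __name__ == "__main__":
    for line in run_page_examples():
        print(line)
```

The parameters are kept as opaque bytes in the record; splitting them into the operation object's address and count depends on the industrial protocol in use.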
To sum up, in the system provided by the embodiments of the application, the industrial protocol data transmitted between the upper computer and the control device is mirrored to the audit host through the switch; the audit host first performs a series of operations on the industrial protocol data to obtain the control command and the control parameters, and then audits the control command and the control parameters. In this way, the audit host provides effective supervision of ICS security from the management side, users' requirements for ICS security audit records and security protection measures are met, information tracking, system security management and risk prevention are facilitated, the communication process of the ICS industrial control protocol becomes traceable, and the security of the key links of the ICS is improved.
In addition, the audit host is provided with two network cards, connected to the control network and the audit network respectively, so that the two networks can transmit in parallel and the transmission bandwidth of the system is reduced; when the control network fails, the audit network can still run, which facilitates information tracking, system security management and risk prevention.
Referring to fig. 3 and fig. 4 in combination, a flow chart of a security audit method in an ICS is shown. The method comprises:
Step 301, the switch mirrors the industrial protocol data transmitted between the control device and the upper computer to the audit host.
Optionally, the switch performs the following sub-steps to mirror the industrial protocol data transmitted between the control device and the upper computer to the audit host:
1. mirroring the data transmitted between the control device and the upper computer;
2. capturing the industrial protocol data from the data;
3. sending the industrial protocol data to the audit host.
Step 302, the audit host parses the industrial protocol data to obtain a request instruction and a response instruction between the control device and the upper computer.
Step 303, the audit host parses the request instruction and the response instruction according to an industrial protocol to obtain a control command, control parameters and the address of the upper computer.
Step 304, the audit host sends an audit query request to the upper computer according to the address of the upper computer, wherein the audit query request comprises the control command and the control parameters.
Step 305, the upper computer verifies the control command and the control parameters according to the audit query request to generate a verification result.
Step 306, the upper computer sends an audit query response carrying the verification result to the audit host.
Optionally, the upper computer performs a byte check of the historical control command and historical control parameters that it sent to the control device against, respectively, the control command and control parameters included in the audit query request, to obtain the verification result.
Optionally, the audit host parses the audit query response, compares the address of the upper computer against the addresses in the legal upper computer whitelist, and compares the control command and the control parameters against the legal control commands and legal control parameters in the legal upper computer whitelist, to generate an audit record; the audit record comprises the occurrence time corresponding to the control command, the behavior information corresponding to the control command, the address of the operation object corresponding to the control parameters, the number of operation objects corresponding to the control parameters, and the audit result.
Optionally, the audit host comprises a first network card and a second network card;
the first network card is used for accessing a control network comprising the control device, the upper computer and the switch;
the second network card is used for accessing an audit network comprising all switches in the ICS.
In summary, in the method provided by the embodiments of the application, the switch mirrors the industrial protocol data transmitted between the upper computer and the control device to the audit host; the audit host first performs a series of operations on the industrial protocol data to obtain the control command and the control parameters, and then audits the control command and the control parameters. In this way, the audit host provides effective supervision of ICS security from the management side, users' requirements for ICS security audit records and security protection measures are met, information tracking, system security management and risk prevention are facilitated, the communication process of the ICS industrial control protocol becomes traceable, and the security of the key links of the ICS is improved.
In addition, the audit host is provided with two network cards, connected to the control network and the audit network respectively, so that the two networks can transmit in parallel and the transmission bandwidth of the system is reduced; when the control network fails, the audit network can still run, which facilitates information tracking, system security management and risk prevention.
The above description is only exemplary of the present application and should not be taken as limiting it; any modifications, equivalents, improvements and the like made within the spirit and principle of the present application shall fall within its protection scope.

Claims (10)

1. An Industrial Control System (ICS), characterized in that the ICS comprises: the system comprises control equipment, an upper computer, a switch and an auditing host;
the switch is used for mirroring the industrial protocol data transmitted between the control equipment and the upper computer to the auditing host;
the auditing host is used for analyzing the industrial protocol data to obtain a request instruction and a response instruction between the control equipment and the upper computer; analyzing the request instruction and the response instruction according to an industrial protocol to obtain a control command, a control parameter and an address of the upper computer; sending an audit query request to the upper computer according to the address of the upper computer, wherein the audit query request comprises the control command and the control parameters;
the upper computer is used for verifying the control command and the control parameters according to the audit query request to generate a verification result; sending an audit query response carrying the verification result to the audit host;
and the auditing host is also used for generating auditing records according to the auditing inquiry response.
2. The ICS of claim 1, wherein the audit host is specifically configured to:
analyzing the audit inquiry response, performing comparative audit on the address of the upper computer and the address in a legal upper computer white list, and performing comparative audit on the control command, the control parameter, the legal control command and the legal control parameter in the legal upper computer white list to generate an audit record; the audit record comprises the occurrence time corresponding to the control command, the behavior information corresponding to the control command, the address of the operation object corresponding to the control parameter, the number of the operation objects corresponding to the control parameter and an audit result.
3. The ICS of claim 1, wherein the upper computer is specifically configured to:
and respectively carrying out byte verification on the historical control command and the historical control parameter sent to the control equipment by the upper computer and the control command and the control parameter included in the audit query request to obtain the verification result.
4. The ICS of claim 1, wherein the switch is specifically configured to:
mirroring data transmitted between the control device and the upper computer;
capturing the industrial protocol data from the data;
and sending the industrial protocol data to the auditing host.
5. The ICS of any one of claims 1 to 4, wherein the audit host comprises a first network card and a second network card;
the first network card is used for accessing a control network comprising the control equipment, the upper computer and the switch;
and the second network card is used for accessing an auditing network comprising each switch in the ICS.
6. A safety audit method in an Industrial Control System (ICS), which is characterized by comprising the following steps:
the switch mirrors industrial protocol data transmitted between the control equipment and the upper computer to the auditing host;
the auditing host analyzes the industrial protocol data to obtain a request instruction and a response instruction between the control equipment and the upper computer; analyzing the request instruction and the response instruction according to an industrial protocol to obtain a control command, a control parameter and an address of the upper computer; sending an audit query request to the upper computer according to the address of the upper computer, wherein the audit query request comprises the control command and the control parameters;
the upper computer verifies the control command and the control parameters according to the audit query request to generate a verification result; sending an audit query response carrying the verification result to the audit host;
and the auditing host generates an auditing record according to the auditing inquiry response.
7. The method of claim 6, wherein generating, by the audit host, an audit record based on the audit query response comprises:
analyzing the audit inquiry response, performing comparative audit on the address of the upper computer and the address in a legal upper computer white list, and performing comparative audit on the control command, the control parameter, the legal control command and the legal control parameter in the legal upper computer white list to generate an audit record; the audit record comprises the occurrence time corresponding to the control command, the behavior information corresponding to the control command, the address of the operation object corresponding to the control parameter, the number of the operation objects corresponding to the control parameter and an audit result.
8. The method of claim 6, wherein the verifying the control command and the control parameter according to the audit query request, and generating a verification result comprises:
and respectively carrying out byte verification on the historical control command and the historical control parameter sent to the control equipment by the upper computer and the control command and the control parameter included in the audit query request to obtain the verification result.
9. The method of claim 6, wherein the switch mirrors industrial protocol data transmitted between the control device and the upper computer to the audit host, and the method comprises:
mirroring data transmitted between the control device and the upper computer;
capturing the industrial protocol data from the data;
and sending the industrial protocol data to the auditing host.
10. The method of any one of claims 6 to 9, wherein the audit host includes a first network card and a second network card;
the first network card is used for accessing a control network comprising the control equipment, the upper computer and the switch;
and the second network card is used for accessing an auditing network comprising each switch in the ICS.
CN201910092973.5A 2019-01-30 2019-01-30 Industrial control system and safety auditing method in industrial control system Pending CN111506022A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910092973.5A CN111506022A (en) 2019-01-30 2019-01-30 Industrial control system and safety auditing method in industrial control system

Publications (1)

Publication Number Publication Date
CN111506022A true CN111506022A (en) 2020-08-07

Family

ID=71863906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910092973.5A Pending CN111506022A (en) 2019-01-30 2019-01-30 Industrial control system and safety auditing method in industrial control system

Country Status (1)

Country Link
CN (1) CN111506022A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200807