CN112866210A - Industrial control equipment access control method and device and electronic equipment - Google Patents


Info

Publication number: CN112866210A
Authority: CN (China)
Prior art keywords: upper computer, target, industrial control, target information, information
Legal status: Pending (the legal status shown is an assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202011644282.0A
Other languages: Chinese (zh)
Inventors: 关勇, 王永峰, 张晓东
Current assignee: Beijing Luoan Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Luoan Technology Co Ltd
Application filed by: Beijing Luoan Technology Co Ltd
Priority to: CN202011644282.0A
Publication of: CN112866210A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L 67/1004 Server selection for load balancing
    • H04L 67/1012 Server selection for load balancing based on compliance of requirements or conditions with available server resources

Abstract

The invention provides an access control method and device for industrial control equipment, and an electronic device. The method comprises the following steps: when an access request from an upper computer to a target industrial control device is received, sending a target information acquisition instruction to the upper computer; receiving a target information response data packet from the upper computer, the packet comprising hardware identification information or identity certificate information of the upper computer; verifying the identity of the upper computer according to the target information response data packet; and determining, according to the identity verification result, whether to forward the access request to the target industrial control device. Because the firewall authenticates the hardware identification information or identity certificate information of the upper computer, an illegal upper computer can no longer disguise itself as a legal upper computer simply by tampering with its IP/MAC address and thereby take illegal control of the industrial control equipment, so the security of the industrial control equipment is improved.

Description

Industrial control equipment access control method and device and electronic equipment
Technical Field
The invention relates to the technical field of industrial control safety, in particular to an industrial control equipment access control method and device and electronic equipment.
Background
With the continuing integration of informatization and industrialization, the insecure elements of traditional IT networks have been introduced on a large scale into industrial control systems, making already fragile industrial control systems even more vulnerable. Critical infrastructure on which people's livelihood depends nationwide, such as industry, energy, transport and water conservancy, is exposed to greater security risk: once such infrastructure is damaged, an entire city may suffer power supply interruption, drinking water contamination, traffic paralysis and the like, affecting public life and even national security. Strengthening the security of industrial control systems is therefore urgent.
In the related art, an industrial firewall is installed between the industrial control device and the upper computer. The firewall holds a pre-stored black/white list in which control authority is recorded by IP/MAC address, for example that a certain source IP address has access authority to a certain target IP address. The industrial firewall judges whether the upper computer has access authority to the industrial control device from the data frame (containing the source IP address and the target IP address) that the upper computer sends. However, IP/MAC addresses are easily tampered with: to access the industrial control device illegally, an attacker only has to change the IP/MAC address of the illegal upper computer to the IP/MAC address of an upper computer recorded in the white list. The security of the industrial control device is therefore low.
Disclosure of Invention
In view of this, embodiments of the present invention provide an access control method and apparatus for industrial control equipment, and an electronic device, so as to solve the defect of low security of industrial control equipment in the prior art.
According to a first aspect, an embodiment of the present invention provides an access control method for industrial control equipment, which is applied to a firewall, and includes the following steps: when an access request of an upper computer to a target industrial control device is received, sending a target information acquisition instruction to the upper computer; receiving a target information response data packet of the upper computer, wherein the target information response data packet comprises hardware identification information or identity certificate information of the upper computer; verifying the identity information of the upper computer according to the target information response data packet of the upper computer; and determining whether to send an access request to the target industrial control equipment or not according to the identity information verification result of the upper computer.
Optionally, the target information response data packet further includes safety protection information of the upper computer; determining whether to send an access request to the target industrial control equipment according to the identity information verification result of the upper computer comprises the following steps: judging whether the upper computer meets a safe access condition or not according to the identity information verification result of the upper computer and the safety protection information of the upper computer; and when the upper computer meets the safe access condition, sending an access request to the target industrial control equipment.
Optionally, when an access request of an upper computer to a target industrial control device is received, a target information acquisition instruction is sent to the upper computer, and the method includes: when an access request of an upper computer to a target industrial control device is received, whether a data change request and/or a state change request to the target industrial control device exist in the access request is identified; and when a data change request and/or a state change request exist, sending a target information acquisition instruction to the upper computer.
Optionally, the industrial control device access control method further includes: receiving an access request execution result of the target industrial control equipment; and sending the access request execution result to an upper computer.
According to a second aspect, an embodiment of the present invention provides an access control method for industrial control equipment, which is applied to an upper computer, and includes the following steps: monitoring a target information acquisition instruction receiving port; when a target information acquisition instruction is received, constructing a target information response data packet according to the target information acquisition instruction, wherein the target information response data packet comprises hardware identification information or identity certificate information; and sending the target information response data packet.
Optionally, constructing a target information response data packet according to the target information obtaining instruction includes: acquiring identity information and safety protection information; and constructing a target information response data packet according to the identity information and the safety protection information.
According to a third aspect, an embodiment of the present invention provides an access control device for industrial control equipment, which is applied to a firewall, and includes: the target information acquisition module is used for sending a target information acquisition instruction to the upper computer when receiving an access request of the upper computer to the target industrial control equipment; the target information receiving module is used for receiving a target information response data packet of the upper computer, and the target information response data packet comprises hardware identification information or identity certificate information of the upper computer; the identity verification module is used for verifying the identity information of the upper computer according to the target information response data packet of the upper computer; and the access judgment module is used for determining whether to send an access request to the target industrial control equipment according to the identity information verification result of the upper computer.
According to a fourth aspect, an embodiment of the present invention provides an access control device for industrial control equipment, which is applied to an upper computer, and includes: the port monitoring module is used for monitoring a target information acquisition instruction receiving port; the data response packet construction module is used for constructing a target information response data packet according to a target information acquisition instruction when the target information acquisition instruction is received, wherein the target information response data packet comprises hardware identification information or identity certificate information of the upper computer; and the data packet sending module is used for sending the target information response data packet.
According to a fifth aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method for controlling access to an industrial control device according to the first aspect or any one of the embodiments of the first aspect when executing the program.
According to a sixth aspect, an embodiment of the present invention provides a storage medium, where computer instructions are stored, and when the instructions are executed by a processor, the steps of the access control method for the industrial control device according to the first aspect or any one of the embodiments of the first aspect are implemented.
The technical scheme of the invention has the following advantages:
According to the industrial control equipment access control method provided by this embodiment, the firewall verifies the identity of the upper computer using its hardware identification information or identity certificate information. An illegal upper computer therefore cannot disguise itself as a legal upper computer merely by tampering with its IP/MAC address and thereby take illegal control of the industrial control equipment, so the security of the industrial control equipment is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a specific example of an access control method for an industrial control device in an embodiment of the present invention;
fig. 2 is a flowchart of a specific example of an access control method for an industrial control device in an embodiment of the present invention;
fig. 3 is a flowchart of a specific example of an access control method for an industrial control device in an embodiment of the present invention;
fig. 4 is a schematic block diagram of a specific example of an access control device of an industrial control device in an embodiment of the present invention;
fig. 5 is a schematic block diagram of a specific example of an access control device of an industrial control device in an embodiment of the present invention;
fig. 6 is a schematic block diagram of a specific example of an electronic device in the embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "coupled" are to be construed broadly, e.g., as meaning a fixed connection, a removable connection, or an integral connection; a mechanical or an electrical connection; a direct connection or an indirect connection through an intermediate medium, or internal communication between the two elements; a wireless or a wired connection. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to the specific case.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The embodiment provides an access control method for industrial control equipment, which is applied to a firewall, and as shown in fig. 1, the method includes the following steps:
S101, when an access request of an upper computer to a target industrial control device is received, a target information acquisition instruction is sent to the upper computer;
Illustratively, the firewall may be an industrial firewall. The access request of the upper computer to the target industrial control equipment may comprise reading target industrial control equipment data, writing target industrial control equipment data, changing the state of the target industrial control equipment, and the like. The upper computer may send the access request by starting its configuration software, which communicates with the industrial control equipment through a particular industrial control protocol; Siemens equipment, for example, uses the S7 communication protocol. A certain field of the communication protocol represents the specific operation type, for example a configuration change to the industrial control equipment, shutting the equipment down, restarting the equipment, and the like.
When an access request of an upper computer to a target industrial control device is received, the firewall suspends the access request, and meanwhile, a target information acquisition instruction based on UDP is actively sent to the upper computer. The target information acquisition instruction may include an instruction to acquire identity information of the upper computer.
S102, receiving a target information response data packet of the upper computer, wherein the target information response data packet comprises hardware identification information or identity certificate information of the upper computer;
For example, when the target information acquisition instruction requests the identity information of the upper computer, the target information response data packet carries that identity information. To prevent other, illegal upper computers from forging identity information, the identity information of the upper computer in this embodiment may be hardware identification information of the upper computer. Hardware identification information is generally unique, for example the serial number of the upper computer's hard disk; this embodiment does not limit which hardware identification information is used, and a person skilled in the art can choose it as required. The identity information of the upper computer may also be an identity certificate issued by a third-party certificate authority.
S103, verifying the identity information of the upper computer according to the target information response data packet of the upper computer;
Illustratively, when the target information response data packet of the upper computer carries identity information, the identity information is verified from the packet, for example by matching the hardware identification information sent by the upper computer against a white list pre-stored in the firewall; when the hardware identification information matches an entry in the white list, the identity of the upper computer is legal. Alternatively, the identity information may be verified by judging whether the identity certificate sent by the upper computer was issued by a legal certificate authority. Whether the identity certificate is legal may be verified by decrypting it with the corresponding decryption key; when the decrypted value is the same as the value stored by the third-party authority, the identity certificate is legal.
And S104, determining whether to send the access request to the target industrial control equipment or not according to the identity information verification result of the upper computer.
Illustratively, when the identity information verification result of the upper computer is that the identity is legal, the access request can be sent to the target industrial control equipment, and when the identity information verification result of the upper computer is that the identity is illegal, the access request is discarded.
In addition, a target information acquisition instruction is actively initiated by the firewall, that is, whether the identity of the upper computer is verified or not depends on a security policy configured by the firewall and does not depend on the upper computer, and the upper computer only responds to the instruction of the firewall, so that the flexibility of the firewall in access control of the industrial control equipment is improved.
As an optional implementation manner of this embodiment, the target information response packet further includes security protection information of the upper computer; according to the identity information verification result of the upper computer, whether the access request is sent to the target industrial control equipment or not is determined to comprise the following steps:
judging whether the upper computer meets a safe access condition or not according to the identity information verification result of the upper computer and the safety protection information of the upper computer; and when the upper computer meets the safe access condition, sending the access request to the target industrial control equipment.
Illustratively, the security protection information of the upper computer may include whether the upper computer has installed key patches, whether security protection software is deployed, whether the security policy configuration meets requirements, and the like. The safe access condition may be that the identity verification result of the upper computer is legal and the security level of the upper computer meets a preset requirement. Whether the security level meets the preset requirement may be judged by computing an overall score from the security protection information sent by the upper computer; when the overall score reaches a preset threshold, for example 80 points, the security level of the upper computer is considered to meet the preset requirement. The judging method is not limited here, and technicians in the field can determine it as required. When the identity verification result of the upper computer is legal and its security level meets the preset requirement, the access request is sent to the target industrial control equipment.
According to the industrial control equipment access control method provided by the embodiment, the safety protection information of the upper computer is verified, so that the safety of the upper computer is ensured, and the safety of accessing the industrial control equipment is further ensured.
As an optional implementation manner of this embodiment, when receiving an access request of an upper computer to a target industrial control device, sending a target information acquisition instruction to the upper computer includes:
S1011, when an access request of the upper computer to the target industrial control equipment is received, identifying whether a data change request and/or a state change request to the target industrial control equipment exists in the access request;
S1012, when a data change request and/or a state change request exists, sending a target information acquisition instruction to the upper computer.
For example, the data change request and/or the state change request may include writing data to the target industrial control device, changing the target industrial control device data (e.g., resetting the target industrial control device data), and changing the state of the target industrial control device (e.g., turning off the target industrial control device), which may potentially cause a safety hazard to the industrial control device. The manner of identifying whether the access request includes a data change request and/or a state change request for the target industrial control device may be that the firewall identifies a specific communication protocol type by analyzing a communication data packet corresponding to the access request, and further identifies operation type information for the target industrial control device. And when the data change request and/or the state change request are identified, sending a target information acquisition instruction to the upper computer.
According to the industrial control equipment access control method provided by this embodiment, the firewall identifies whether the access request contains a data change request and/or a state change request for the target industrial control equipment, and verifies the upper computer only when such a request exists (that is, only when the access request poses a potential hazard to the safety of the industrial control equipment). This ensures the access security of the industrial control equipment while reducing the amount of data the access control has to process.
As an optional implementation manner of this embodiment, the method for controlling access to the industrial control device further includes:
S105, receiving an access request execution result from the target industrial control equipment; the access request execution result includes the success or failure of the data change and/or state change.
S106, sending the execution result of the access request to the upper computer.
The embodiment provides an access control method for industrial control equipment, which is applied to an upper computer as shown in fig. 2, and includes the following steps:
S201, monitoring a target information acquisition instruction receiving port;
Illustratively, a security authentication component is deployed on the upper computer in advance and monitors the target information acquisition instruction receiving port for target information acquisition instructions. The receiving port may be freely defined; this embodiment does not limit it.
After S201, this embodiment may further include: S200, sending an access request to the target industrial control equipment;
For example, the upper computer may send the access request by starting its configuration software, which communicates with the industrial control equipment through a particular industrial control protocol; Siemens equipment, for example, uses the S7 communication protocol. A certain field of the communication protocol represents the specific operation type, for example a configuration change to the industrial control equipment, shutting the equipment down, restarting the equipment, and the like.
S202, when a target information acquisition instruction is received, constructing a target information response data packet according to the target information acquisition instruction, wherein the target information response data packet comprises hardware identification information or identity certificate information;
Illustratively, when a target information acquisition instruction is received, the target information response data packet is constructed according to that instruction: when the instruction requests hardware identification information of the upper computer, such as the hardware serial number of the hard disk, the hard disk serial number is read and placed in the target information response data packet; when the instruction requests identity certificate information of the upper computer, the identity certificate information of the upper computer is read and placed in the target information response data packet.
S203, sending the target information response data packet.
According to the industrial control equipment access control method provided by this embodiment, the firewall verifies the identity of the upper computer using its hardware identification information or identity certificate information. An illegal upper computer therefore cannot disguise itself as a legal upper computer merely by tampering with its IP/MAC address and thereby take illegal control of the industrial control equipment, so the security of the industrial control equipment is improved.
As an optional implementation manner of this embodiment, constructing a target information response packet according to the target information obtaining instruction includes: acquiring identity information and safety protection information; and constructing a target information response data packet according to the identity information and the safety protection information.
Illustratively, the identity information may be acquired by reading the upper computer's own hardware identification information or identity certificate information; the security protection information may be acquired by reading the system information of the upper computer and judging whether the upper computer has installed key patches, whether security protection software is deployed, and whether the security policy configuration meets requirements. The identity information and the security protection information are then assembled into the target information response data packet.
According to the industrial control equipment access control method provided by the embodiment, the safety protection information of the upper computer is verified, so that the safety of the upper computer is ensured, and the safety of accessing the industrial control equipment is further ensured.
In this embodiment, the interaction between the firewall and the upper computer, as shown in fig. 3, includes:
S201, the upper computer listens on the target information acquisition instruction receiving port;
S200, the upper computer sends an access request to the target industrial control equipment;
S101, when the firewall receives the access request of the upper computer to the target industrial control equipment, it sends a target information acquisition instruction to the upper computer;
S101 includes:
S1011, when the access request of the upper computer to the target industrial control equipment is received, identifying whether the access request contains a data change request and/or a state change request to the target industrial control equipment;
S1012, when a data change request and/or a state change request exists, sending the target information acquisition instruction to the upper computer.
S202, when the upper computer receives the target information acquisition instruction, it constructs a target information response data packet according to the instruction, the target information response data packet comprising hardware identification information or identity certificate information;
S203, the upper computer sends the target information response data packet;
S103, the firewall verifies the identity information of the upper computer according to the target information response data packet of the upper computer;
S104, the firewall determines, according to the identity information verification result of the upper computer, whether to send the access request to the target industrial control equipment.
S105, the firewall receives the access request execution result from the target industrial control equipment.
S106, the firewall sends the access request execution result to the upper computer.
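The following is an added example, written for this page and not code from the patent or its applicant, that plays out the fig. 3 exchange above (S1011 through S104) together with the construction of the target information response data packet described earlier (identity information plus security protection information). The patent does not fix the industrial protocol, the form of the identity proof, or the fields of the security protection information, so the example assumes all three: the access request is a Modbus/TCP frame, identity is proven by an HMAC over a firewall-issued nonce keyed with a per-host shared secret (a certificate-based deployment would check a signature instead), and the posture is three constructed fields. The names Firewall, UpperComputer, handle_access_request, the sample frames and the host "HMI-01" are all hypothetical.

```python
"""Added example (not from the patent): the firewall / upper computer exchange of fig. 3.

Assumptions not stated in the patent: Modbus/TCP access requests, an HMAC-over-nonce
identity proof keyed by a per-host shared secret, and three constructed posture fields.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Modbus/TCP: MBAP header (transaction id 2, protocol id 2, length 2, unit id 1)
# followed by the PDU, whose first byte is the function code.
READ_FUNCTION_CODES = {0x01, 0x02, 0x03, 0x04}


def is_change_request(adu: bytes) -> bool:
    """S1011: True if the request would change data or state on the target device.

    Reads pass as non-changing; writes, diagnostics and unknown function codes are all
    treated as changes, so an unrecognised request never bypasses the identity check.
    """
    if len(adu) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    return adu[7] not in READ_FUNCTION_CODES


def _proof(secret: bytes, nonce: str, hardware_id: str) -> str:
    """Assumed scheme: HMAC binding the hardware identifier to the firewall's nonce."""
    return hmac.new(secret, f"{nonce}:{hardware_id}".encode(), hashlib.sha256).hexdigest()


@dataclass
class UpperComputer:
    hardware_id: str
    secret: bytes
    patch_level: int
    protection_software_running: bool
    policy_compliant: bool

    def build_target_info_response(self, instruction: dict) -> dict:
        """S202: target information response packet = identity proof + posture fields."""
        return {
            "hardware_id": self.hardware_id,
            "proof": _proof(self.secret, instruction["nonce"], self.hardware_id),
            "security": {
                "patch_level": self.patch_level,
                "protection_software_running": self.protection_software_running,
                "policy_compliant": self.policy_compliant,
            },
        }


@dataclass
class Firewall:
    known_hosts: dict            # hardware id -> shared secret (constructed allow-list)
    required_patch_level: int    # "key patch installed" threshold (constructed)
    pending: dict = field(default_factory=dict)   # host address -> outstanding nonce

    def target_info_instruction(self, host_addr: str) -> dict:
        """S101/S1012: acquisition instruction carrying a fresh, single-use nonce."""
        nonce = secrets.token_hex(16)
        self.pending[host_addr] = nonce
        return {"type": "target_info_request", "nonce": nonce}

    def verify_identity(self, host_addr: str, response: dict) -> bool:
        """S103: hardware id must be allow-listed and the proof must match our nonce."""
        nonce = self.pending.pop(host_addr, None)      # consumed: a replayed packet fails
        secret = self.known_hosts.get(response.get("hardware_id", ""))
        if nonce is None or secret is None:
            return False
        expected = _proof(secret, nonce, response["hardware_id"])
        return hmac.compare_digest(expected, str(response.get("proof", "")))

    def meets_secure_access_condition(self, response: dict) -> bool:
        """Claim 2: posture check on the security protection information."""
        sec = response.get("security", {})
        return (
            sec.get("patch_level", 0) >= self.required_patch_level
            and sec.get("protection_software_running") is True
            and sec.get("policy_compliant") is True
        )

    def decide(self, host_addr: str, response: dict) -> bool:
        """S104: forward only when identity verifies and the posture is acceptable."""
        return self.verify_identity(host_addr, response) and self.meets_secure_access_condition(response)


def handle_access_request(fw: Firewall, host: UpperComputer, host_addr: str, adu: bytes) -> str:
    """The complete exchange; returns what the firewall does with the access request."""
    if not is_change_request(adu):
        return "forwarded_read"                              # no data/state change: no challenge
    instruction = fw.target_info_instruction(host_addr)      # S101
    response = host.build_target_info_response(instruction)  # S202 / S203
    return "forwarded" if fw.decide(host_addr, response) else "blocked"   # S103 / S104


# Constructed sample frames: Read Holding Registers (0x03) and Write Single Register (0x06).
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0001 002a")

if __name__ == "__main__":
    fw = Firewall(known_hosts={"HMI-01": b"constructed-shared-secret"}, required_patch_level=3)
    hosts = {
        "compliant": UpperComputer("HMI-01", b"constructed-shared-secret", 3, True, True),
        "unpatched": UpperComputer("HMI-01", b"constructed-shared-secret", 1, True, True),
        "spoofed id": UpperComputer("HMI-01", b"guessed-secret", 3, True, True),
    }
    for name, host in hosts.items():
        print(name, handle_access_request(fw, host, "10.0.0.5", WRITE_FRAME))
```

Two points the example makes that the step list does not: a bare hardware identifier in the response packet is trivially spoofable on an OT network, so the identity check should bind it to a challenge the firewall issued (and consume that nonce, so a captured response packet cannot be replayed); and the change-request classifier should fail closed, treating unknown function codes as changes rather than letting them skip the check.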
This embodiment provides an access control device for industrial control equipment, as shown in fig. 4, which is applied to a firewall and comprises:
the target information acquisition module 301 is used for sending a target information acquisition instruction to an upper computer when receiving an access request of the upper computer to a target industrial control device; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
A target information receiving module 302, configured to receive a target information response data packet of the upper computer, where the target information response data packet includes hardware identification information or identity certificate information of the upper computer; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
The identity verification module 303 is used for verifying the identity information of the upper computer according to the target information response data packet of the upper computer; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
And the access judgment module 304 is configured to determine whether to send an access request to the target industrial control device according to the identity information verification result of the upper computer. For details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
As an optional implementation of this embodiment, the target information response data packet further comprises security protection information of the upper computer, and the access judgment module 304 comprises:
a security judgment module, used for judging whether the upper computer meets a secure access condition according to the identity information verification result of the upper computer and the security protection information of the upper computer; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
a request sending module, used for sending the access request to the target industrial control equipment when the upper computer meets the secure access condition. For details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
As an optional implementation manner of this embodiment, the target information obtaining module 301 includes:
the change request identification module is used for identifying whether a data change request and/or a state change request for the target industrial control equipment exists in the access request or not when the access request of the upper computer for the target industrial control equipment is received; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
And the target information acquisition submodule is used for sending a target information acquisition instruction to the upper computer when a data change request and/or a state change request exist. For details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
As an optional implementation of this embodiment, the device further comprises: an execution result receiving module, used for receiving the access request execution result from the target industrial control equipment; for details, refer to the corresponding parts of the above embodiments, which are not described herein again.
And the upper computer sending module is used for sending the access request execution result to an upper computer. For details, refer to the corresponding parts of the above embodiments, and are not described herein again.
The present embodiment provides an access control device for industrial control equipment, as shown in fig. 5, which is applied to an upper computer, and includes:
a port monitoring module 401, configured to monitor a target information obtaining instruction receiving port; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
A data response packet construction module 402, configured to, when a target information acquisition instruction is received, construct a target information response packet according to the target information acquisition instruction, where the target information response packet includes hardware identification information or identity certificate information of the upper computer; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
A data packet sending module 403, configured to send the target information response data packet. For details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
As an optional implementation of this embodiment, the data response packet construction module 402 comprises:
an information acquisition module, used for acquiring the identity information and the security protection information; for details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
a data response packet construction submodule, used for constructing the target information response data packet according to the identity information and the security protection information. For details, reference is made to the corresponding parts of the above method embodiments, which are not described herein again.
The embodiment of the present application also provides an electronic device, as shown in fig. 6, including a processor 510 and a memory 520, where the processor 510 and the memory 520 may be connected by a bus or in other manners.
The processor 510 may be a Central Processing Unit (CPU). It may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or a combination thereof.
The memory 520, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the industrial control equipment access control method in the embodiment of the present invention. The processor 510 runs the functional applications and performs data processing by executing the non-transitory software programs, instructions and modules stored in the memory 520.
The memory 520 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor, and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 520 may optionally include memory located remotely from the processor, which may be connected to the processor via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 520, and when executed by the processor 510, perform an access control method for an industrial control device as in the embodiments shown in fig. 1 and 2.
The details of the electronic device may be understood by referring to the corresponding descriptions and effects in the embodiments shown in fig. 1 and 2, and are not described herein again.
This embodiment also provides a computer storage medium storing computer-executable instructions which, when executed, perform the industrial control equipment access control method of any of the method embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD), a Solid State Drive (SSD), or the like; the storage medium may also be a combination of the above kinds of memory.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; there is no need, and no attempt, to enumerate all embodiments. Obvious variations or modifications derived from the above are within the scope of the invention.

Claims (10)

1. An access control method of industrial control equipment is characterized by being applied to a firewall and comprising the following steps:
when an access request of an upper computer to a target industrial control device is received, sending a target information acquisition instruction to the upper computer;
receiving a target information response data packet of the upper computer, wherein the target information response data packet comprises hardware identification information or identity certificate information of the upper computer;
verifying the identity information of the upper computer according to the target information response data packet of the upper computer;
and determining whether to send an access request to the target industrial control equipment or not according to the identity information verification result of the upper computer.
2. The method of claim 1, wherein the target information response data packet further comprises security protection information of the upper computer, and determining whether to send the access request to the target industrial control equipment according to the identity information verification result of the upper computer comprises:
judging whether the upper computer meets a secure access condition according to the identity information verification result of the upper computer and the security protection information of the upper computer;
and when the upper computer meets the secure access condition, sending the access request to the target industrial control equipment.
3. The method of claim 1 or 2, wherein sending a target information acquisition instruction to the upper computer when an access request of the upper computer to a target industrial control device is received comprises:
when an access request of an upper computer to a target industrial control device is received, whether a data change request and/or a state change request to the target industrial control device exist in the access request is identified;
and when a data change request and/or a state change request exist, sending a target information acquisition instruction to the upper computer.
4. The method of claim 2, further comprising:
receiving an access request execution result of the target industrial control equipment;
and sending the access request execution result to an upper computer.
5. An industrial control equipment access control method is characterized by being applied to an upper computer and comprising the following steps:
monitoring a target information acquisition instruction receiving port;
when a target information acquisition instruction is received, constructing a target information response data packet according to the target information acquisition instruction, wherein the target information response data packet comprises hardware identification information or identity certificate information;
and sending the target information response data packet.
6. The method of claim 5, wherein constructing a target information response data packet according to the target information acquisition instruction comprises:
acquiring identity information and security protection information;
and constructing the target information response data packet according to the identity information and the security protection information.
7. An industrial control equipment access control device, characterized by being applied to a firewall and comprising:
the target information acquisition module is used for sending a target information acquisition instruction to the upper computer when receiving an access request of the upper computer to the target industrial control equipment;
the target information receiving module is used for receiving a target information response data packet of the upper computer, and the target information response data packet comprises hardware identification information or identity certificate information of the upper computer;
the identity verification module is used for verifying the identity information of the upper computer according to the target information response data packet of the upper computer;
and the access judgment module is used for determining whether to send an access request to the target industrial control equipment according to the identity information verification result of the upper computer.
8. An industrial control equipment access control device, characterized by being applied to an upper computer and comprising:
the port monitoring module is used for monitoring a target information acquisition instruction receiving port;
the data response packet construction module is used for constructing a target information response data packet according to a target information acquisition instruction when the target information acquisition instruction is received, wherein the target information response data packet comprises hardware identification information or identity certificate information of the upper computer;
and the data packet sending module is used for sending the target information response data packet.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the industrial control device access control method according to any one of claims 1 to 6 are implemented when the processor executes the program.
10. A storage medium having stored thereon computer instructions, wherein the instructions, when executed by a processor, implement the steps of the industrial control device access control method of any one of claims 1-6.
CN202011644282.0A 2020-12-31 2020-12-31 Industrial control equipment access control method and device and electronic equipment Pending CN112866210A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011644282.0A CN112866210A (en) 2020-12-31 2020-12-31 Industrial control equipment access control method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN112866210A true CN112866210A (en) 2021-05-28

Family

ID=76000950

Country Status (1)

Country Link
CN (1) CN112866210A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113612838A (en) * 2021-07-30 2021-11-05 三一汽车制造有限公司 Mixing station control method and device, mixing station, electronic device and medium
CN113992437A (en) * 2021-12-27 2022-01-28 广州得一物联科技有限公司 Access control management method, device and system for Modbus equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101330494A (en) * 2007-06-19 2008-12-24 瑞达信息安全产业股份有限公司 Method for implementing computer terminal safety admittance based on credible authentication gateway
CN103491108A (en) * 2013-10-15 2014-01-01 浙江中控研究院有限公司 Method and system for security protection of industrial control network
CN104991528A (en) * 2015-05-14 2015-10-21 福州福大自动化科技有限公司 DCS information safety control method and control station
CN106789156A (en) * 2016-11-11 2017-05-31 北京匡恩网络科技有限责任公司 A kind of industry control network method of testing, apparatus and system
CN107222508A (en) * 2017-07-14 2017-09-29 国家计算机网络与信息安全管理中心 Safety access control method, equipment and system
US20180146001A1 (en) * 2016-11-22 2018-05-24 Daniel Chien Network security based on device identifiers and network addresses

Similar Documents

Publication Publication Date Title
US10229547B2 (en) In-vehicle gateway device, storage control method, and computer program product
CN104683336B (en) A kind of Android private data guard method and system based on security domain
KR101548041B1 (en) Validation and/or authentication of a device for communication with a network
US7673334B2 (en) Communication system and security assurance device
WO2021063068A1 (en) Operation and maintenance control and operation and maintenance analysis method and apparatus, system, and storage medium
US20130227650A1 (en) Vehicle-Mounted Network System
CN111131307B (en) Method and system for controlling access authority
CN101778099B (en) Architecture accessing trusted network for tolerating untrusted components and access method thereof
CN102355467B (en) Power transmission and transformation equipment state monitoring system security protection method based on trust chain transmission
CN102624699A (en) Method and system for protecting data
CN112866210A (en) Industrial control equipment access control method and device and electronic equipment
US9767264B2 (en) Apparatus, method for controlling apparatus, and program
CN102413220B (en) Method for controlling right of using connection function and mobile terminal
KR20200102213A (en) Method and System for Providing Security on in-Vehicle Network
CN114553540A (en) Zero-trust-based Internet of things system, data access method, device and medium
JP2011040918A (en) Wireless lan access point; wireless lan terminal; and system, method and program for preventing wireless lan fraudulence
US20150067784A1 (en) Computer network security management system and method
WO2016173267A1 (en) Completeness checking method and apparatus
CN106878233B (en) Method for reading security data, security server, terminal and system
CN104298924A (en) Method and device for ensuring system safety and terminal
CN106060087A (en) Multi-factor host security access control system and method
CN108664805B (en) Application program safety verification method and system
JP6560372B2 (en) How to exchange link discovery information securely
CN106162630B (en) Encryption protection method for terminal equipment
JP2017033225A (en) Relay device, program, and information processing system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210528