CN114095375B - Network topology algorithm, industrial control safety simulation method and system - Google Patents

Publication number: CN114095375B
Application number: CN202111359067.0A
Authority: CN (China)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114095375A
Inventors: 卢汉良, 郇长武, 陈本权, 李锐, 于洋, 王超, 曲玉洁
Current and original assignee: YANTAI HAIYI SOFTWARE CO Ltd (as listed by Google Patents)
Prior art keywords: model, network topology, node, industrial, simulation
Events: application filed by YANTAI HAIYI SOFTWARE CO Ltd; priority to CN202111359067.0A; publication of CN114095375A; application granted; publication of CN114095375B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/12 Discovery or management of network topologies
                    • H04L41/14 Network analysis or design
                        • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L63/101 Access control lists [ACL]
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network topology algorithm comprising the steps of: determining the attributes of a parent node model; acquiring the set of pre-generated positions; traversing the remaining positions; judging the expansion direction; creating a new model at the pre-generated position and establishing the parent-child node model relationship; judging whether the size of the network topology is appropriate and adjusting it if not; judging whether the position of the network topology is appropriate and adjusting it if not; and creating connecting lines that join node models having the same parent node. The invention is oriented to discrete manufacturing enterprises: the network topology is custom-generated to simulate the field network environment of such an enterprise, security rules and messages can be configured on the topology, the operation of industrial control field security policies and the occurrence of threat events are simulated, and the alarm information produced by security detection and filtering is displayed, giving the enterprise a basis for formulating reasonable security policies and selecting industrial control security products. The invention also discloses an industrial control safety simulation method and system.

Description

Network topology algorithm, industrial control safety simulation method and system
Technical Field
The invention relates to the field of industrial safety, in particular to a network topology algorithm, an industrial control safety simulation method and a system.
Background
Industrial control systems are gradually entering a stage of informatization and intelligent development: more and more industrial control systems and devices are connected directly or indirectly to the Internet, and discrete manufacturing enterprises have moved from their original closed industrial control environments to open interconnection, which introduces information security problems into the industrial control system.
However, discrete manufacturing enterprises generally have a low awareness of industrial control security protection and underestimate the severity of information security problems. Industrial control security products are costly and come in many varieties, while these enterprises generally have low profit margins and limited information security budgets, so their understanding of the products' functions is limited; if such products are misconfigured, new security problems are easily created and production is affected. Under the influence of these factors, the industrial information security risk points of discrete manufacturing enterprises keep increasing, information security incidents are frequent, and the enterprises face serious challenges.
At present, industrial control security simulation is not oriented to the discrete manufacturing industry: custom generation and self-adaptation of the network topology cannot be achieved; the network topology cannot be combined with simulated industrial control security products and configured accordingly on the topology; multi-protocol custom setting of abnormal and compliant industrial control messages cannot be achieved; the whole security detection process of the simulated products is not simulated with display of the industrial control messages and alarm information; and some industrial control security simulation depends on third-party software and cannot run independently.
Disclosure of Invention
To address these technical problems, the invention provides a network topology algorithm, an industrial control safety simulation method and a system.
The technical scheme for solving the technical problems is as follows:
A network topology algorithm comprising the steps of:
S11, determining the attributes of the parent node model, namely its IP, position and type, wherein the position comprises a row number and a column number;
S12, acquiring the set of pre-generated positions: for the other node models below the parent node model whose type differs from that of the node model to be added, compute the difference between their column numbers and the column number of the parent node model, obtain the left and right boundaries from these differences, collect all column numbers between the two boundaries, and delete the column numbers already in use; the remaining column numbers form the set of pre-generated positions;
S13, traversing the remaining positions and judging whether a node model already exists in the column of the current pre-generated position; if one exists, the current pre-generated position is judged to block the existing node model and step S14 is executed, otherwise it is judged not to block any existing node model and step S15 is executed;
S14, judging the expansion direction: if the current position accords with the expansion direction, it is pre-generated; if not, it is discarded and the traversal of the remaining positions continues; when no empty space exists, the boundary becomes the pre-generated position and the blocked node model is moved outwards at the same time;
S15, creating a new model at the pre-generated position and establishing the parent-child node model relationship;
S16, judging whether the size of the network topology is appropriate and, if not, adjusting it;
S17, judging whether the position of the network topology is appropriate and, if not, adjusting it; and S18, creating connecting lines that join node models having the same parent node.
Further, the difference value is used to determine the boundaries as follows:
among the node models with a difference smaller than 0, the one with the largest difference is closest to the parent node model, and its column number is the left boundary;
among the node models with a difference larger than 0, the one with the smallest difference is closest to the parent node model, and its column number is the right boundary.
An industrial control safety simulation method, in which the network topology algorithm is used to generate the network topology structure required by the simulation, comprises the following steps:
S1, selecting models from the simulation model library and constructing the network topology with the network topology generation algorithm;
S2, configuring the model parameters in the network topology, the model parameters comprising a model IP address and a unit identifier;
S3, generating routing rules according to the network topology structure and the parameters;
S4, performing protocol configuration on the lower computer models in the network topology;
S5, performing industrial message sending configuration according to the configured protocol;
S6, setting the simulation model rules;
S7, starting network communication and sending messages;
S8, performing security detection and displaying alarm information.
Further, the routing rule in step S3 comprises summarizing a path pool and generating a routing table. The path pool is the collection of pairs of adjacent IPs in the network topology, and it is updated whenever model parameters in the network topology are modified. The routing table is generated as follows: the node model IPs are traversed cyclically; a pair of start IP and end IP is first determined; the path pool is then traversed recursively, searching for adjacent IPs from the start IP onwards so that each path in the network topology is searched, and the paths searched are recorded until the end IP is found; if the end point of a search is not the end IP, the search returns to the previous path.
The invention also discloses an industrial control safety simulation system, which comprises a simulation model library module, a network topology module, a simulation model sending configuration module, a simulation model rule setting module, a network communication module and a simulation alarm information display module;
the simulation model library module is used for integrating the models required by the system and selecting a proper model for the network topology module to construct the network topology structure of the enterprise;
the network topology module generates a network topology structure required by simulation by using a model in the simulation model library module through a network topology generation algorithm; configuring model parameters in the network topology; generating a routing rule according to the network topology structure and the parameters;
the simulation model sending configuration module is used for configuring various industrial protocols and constructing an industrial message;
the simulation model rule setting module is used for carrying out security policy configuration;
the network communication module is used for realizing network communication of the system and realizing circulation of industrial messages;
the simulation alarm information display module is used for displaying real-time and historical alarm information, wherein the information comprises, but is not limited to, time, industrial protocol type, equipment IP, port number, alarm type, alarm description and industrial message.
Further, the simulation model library module comprises, but is not limited to, the Internet, an upper computer, a lower computer and an industrial firewall.
Further, the simulation model sending configuration module comprises a lower computer support protocol configuration and an industrial message sending configuration;
the lower computer support protocol configuration is used for configuring the various industrial protocols;
and the industrial message sending configuration constructs the industrial message according to the supported protocol type set in the lower computer support protocol configuration.
Further, the lower computer support protocol configuration employs, but is not limited to, ModbusTCP.
Further, the simulation model rule setting module comprises industrial protocol whitelist rule configuration and ACL rule configuration;
the industrial protocol whitelist rule configuration collects the common characteristics of the allowed industrial protocol data packets and builds the allowed industrial protocol characteristics from them;
and the ACL rule configuration prevents unauthorized users from accessing important resources by setting rules.
Compared with the prior art, the invention has the following technical effects:
the invention can custom-define the network topology from the common models of the discrete manufacturing industry, and the topology is self-adaptive, that is, expansion and filling of model positions are carried out automatically. Security rules and compliant and non-compliant messages can be configured on the topology in a custom manner, data circulation is realized, messages are detected and intercepted according to the configured security rules, and alarms are displayed in real time while historical alarm information can be queried, so that enterprises gain a clear understanding of how industrial control security products are used and what effect their policy settings have.
The industrial control safety simulation can build a simulated network topology of the discrete manufacturing enterprise, simulate the occurrence of security events and, by simulating and configuring the rules of industrial control security products, reproduce the enterprise's security events and formulate and debug security policies. It directly targets the information security pain points and difficulties of discrete manufacturing enterprises, strengthens the security awareness of the enterprise and deepens its understanding of the functions of industrial control security products, so that reasonable security policies can be formulated; it therefore has great social and economic value.
Drawings
FIG. 1 is a flow chart of the network topology generation of the present invention;
FIG. 2 is a flow chart of the industrial control safety simulation method of the present invention;
FIG. 3 is a functional block diagram of the industrial control safety simulation system of the present invention.
Detailed Description
The principles and features of the invention are described below with reference to the drawings; the examples are given to illustrate the invention and are not to be construed as limiting its scope.
Example 1
Referring to fig. 1, a network topology algorithm comprises the steps of:
S11, determining the attributes of the parent node model, namely its IP, position and type, wherein the position comprises a row number and a column number;
S12, acquiring the set of pre-generated positions: for the other node models below the parent node model whose type differs from that of the node model to be added, compute the difference between their column numbers and the column number of the parent node model, obtain the left and right boundaries from these differences, collect all column numbers between the two boundaries, and delete the column numbers already in use; the remaining column numbers form the set of pre-generated positions;
S13, traversing the remaining positions and judging whether a node model already exists in the column of the current pre-generated position; if one exists, the current pre-generated position is judged to block the existing node model and step S14 is executed, otherwise it is judged not to block any existing node model and step S15 is executed;
S14, judging the expansion direction: if the current position accords with the expansion direction, it is pre-generated; if not, it is discarded and the traversal of the remaining positions continues; when no empty space exists, the boundary becomes the pre-generated position and the blocked node model is moved outwards at the same time;
S15, creating a new model at the pre-generated position and establishing the parent-child node model relationship;
S16, judging whether the size of the network topology is appropriate and, if not, adjusting it;
S17, judging whether the position of the network topology is appropriate and, if not, adjusting it; and S18, creating connecting lines that join node models having the same parent node.
The difference value in step S12 is used to determine the boundaries as follows:
among the node models with a difference smaller than 0, the one with the largest difference is closest to the parent node model, and its column number is the left boundary;
among the node models with a difference larger than 0, the one with the smallest difference is closest to the parent node model, and its column number is the right boundary.
The invention custom-generates the network topology from the common models of the discrete manufacturing industry, and the topology is self-adaptive, that is, expansion and filling of model positions are carried out automatically.
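Steps S11 to S18 (given above in Example 1 and in the same words in the Disclosure of Invention) can be followed through on a small grid. The Python below is an added illustration, not the patent's code or the applicant's implementation. It assumes things the text leaves open: node models sit on an integer grid addressed by (row, column), a parent's children occupy the row directly below it, the expansion direction is a sign (+1 = right of the parent, -1 = left), "a node model exists in the column" is checked over every row below the parent, and the search is capped at `max_span` columns when no boundary node exists. The sample IPs and the names `TopologyGrid`, `place_child` and `build_demo` are this example's own.

```python
"""Pre-generated-position placement on a tree-shaped topology grid (steps S11-S18).
Added illustration, not the patent's own code. Assumptions not stated in the text:
node models sit on an integer grid addressed by (row, column); a parent's children
go in row parent.row + 1; the expansion direction is a sign (+1 = right of the
parent, -1 = left); "a node model exists in the column" is checked over every row
below the parent; with no boundary node the search is capped at max_span columns."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    ip: str
    kind: str                  # model type: internet, firewall, upper, lower
    row: int
    col: int
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)


class TopologyGrid:
    def __init__(self) -> None:
        self.nodes: Dict[Tuple[int, int], Node] = {}

    def add(self, node: Node) -> Node:
        self.nodes[(node.row, node.col)] = node
        if node.parent is not None:
            node.parent.children.append(node)
        return node

    def boundaries(self, parent: Node, new_kind: str, max_span: int) -> Tuple[int, int]:
        """S12: column difference of each child-row node of another type; the largest
        negative difference gives the left boundary, the smallest positive the right."""
        left, right = -(max_span + 1), max_span + 1
        for (r, c), n in self.nodes.items():
            if r != parent.row + 1 or n.kind == new_kind:
                continue
            diff = c - parent.col
            if diff < 0 and diff > left:
                left = diff
            elif diff > 0 and diff < right:
                right = diff
        return parent.col + left, parent.col + right

    def shift_outward(self, col: int, below_row: int, direction: int) -> None:
        """S14: move the blocked column one step outward, pushing along what is in the way."""
        movers = [n for (r, c), n in self.nodes.items() if c == col and r > below_row]
        if not movers:
            return
        self.shift_outward(col + direction, below_row, direction)
        for n in movers:
            del self.nodes[(n.row, n.col)]
            n.col += direction
            self.nodes[(n.row, n.col)] = n

    def place_child(self, parent: Node, ip: str, kind: str,
                    direction: int = 1, max_span: int = 3) -> Node:
        child_row = parent.row + 1
        left, right = self.boundaries(parent, kind, max_span)
        used = {c for (r, c) in self.nodes if r == child_row}
        # S12: columns strictly between the boundaries minus the used ones,
        # traversed nearest-first, preferring the expansion side on ties
        candidates = sorted((c for c in range(left + 1, right) if c not in used),
                            key=lambda c: (abs(c - parent.col), -(c - parent.col) * direction))
        chosen = None
        for col in candidates:
            # S13: a node in this column in any row below the parent would be blocked
            if not any(c == col and r > parent.row for (r, c) in self.nodes):
                chosen = col
                break
            if (col - parent.col) * direction >= 0:    # S14: accords with direction
                self.shift_outward(col, parent.row, direction)
                chosen = col
                break
        if chosen is None:                             # S14: no empty space left
            chosen = right if direction > 0 else left
            self.shift_outward(chosen, parent.row, direction)
        return self.add(Node(ip, kind, child_row, chosen, parent))  # S15

    def normalize(self) -> Tuple[int, int]:
        """S16/S17: shift the grid so its leftmost column is 0; return (rows, cols)."""
        min_col = min(c for _, c in self.nodes)
        for n in self.nodes.values():
            n.col -= min_col
        self.nodes = {(n.row, n.col): n for n in self.nodes.values()}
        return max(r for r, _ in self.nodes) + 1, max(c for _, c in self.nodes) + 1

    def connections(self) -> Dict[str, List[str]]:
        """S18: one connecting line per parent, joining its children in column order."""
        return {n.ip: [ch.ip for ch in sorted(n.children, key=lambda ch: ch.col)]
                for n in self.nodes.values() if n.children}


def build_demo() -> TopologyGrid:
    """Constructed sample (IPs made up): Internet -> firewall -> upper computer -> two
    lower computers, then a second firewall whose nearest free column is occupied
    further down by the second lower computer, which therefore gets pushed outward."""
    g = TopologyGrid()
    internet = g.add(Node("internet", "internet", 0, 0))
    fw1 = g.place_child(internet, "192.168.1.1", "firewall")
    upper = g.place_child(fw1, "192.168.1.10", "upper")
    g.place_child(upper, "192.168.1.21", "lower")
    g.place_child(upper, "192.168.1.22", "lower")
    g.place_child(internet, "192.168.2.1", "firewall")
    return g
```

In `build_demo` the second firewall's nearest free column (column 1 of row 1) already holds a lower computer two rows further down, so the S13 check reports a block, the S14 direction test passes, and the lower computer is moved one column outward before the firewall is placed; `normalize` then reports the adjusted grid size.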
Example 2
Referring to fig. 2, the invention further provides an industrial control safety simulation method comprising the following steps:
S1, selecting models from the simulation model library and building the topology with the network topology algorithm, the simulation models comprising discrete manufacturing equipment and industrial control security products such as the Internet, upper computers, lower computers and industrial firewalls. Except for the Internet model, every node model draws a vertical line upwards of half the node model's height; a node model with a downward connection also draws a vertical line downwards of half the node model's height, and node models with the same parent node are joined by a horizontal line.
S2, configuring the model parameters in the network topology, the model parameters comprising the lower computer IP address and the unit identifier;
S3, generating routing rules according to the network topology and the model parameters; specifically, this comprises summarizing a path pool and generating a routing table.
The path pool is the collection of pairs of adjacent IPs in the network topology. It is updated whenever the model parameters in the network topology are modified.
The routing table uses the node model IP as the key and stores the set of paths from that IP to every IP in the network topology. The node model IPs are traversed cyclically: a pair of start IP and end IP is first determined, then the path pool is traversed recursively, taking the start IP as the starting point and searching each path in the network topology by repeatedly looking up adjacent IPs until the end IP is found. The path searched is recorded during the search, and if the end point of a search is not the end IP, the search returns to the previous path.
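The path-pool and routing-table construction of step S3 (described here and in the "Further" paragraph of the Disclosure of Invention), as an added Python example that is not the patent's code. It assumes the topology is handed over as a list of parent/child IP links, represents the path pool as unordered adjacent-IP pairs, and uses an empty path as the "return to the previous path" signal; `RoutingRules`, `search_path` and the sample IPs are this example's own.

```python
"""Path pool and routing table generation for step S3. Added illustration, not the
patent's own code. Assumptions: the topology arrives as parent/child IP links; the
path pool is the set of unordered adjacent-IP pairs derived from those links; the
routing table maps each node IP to a dict of destination IP -> the path found by the
recursive search (an empty list when the destination cannot be reached)."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Link = Tuple[str, str]
PathPool = Set[FrozenSet[str]]


def build_path_pool(links: List[Link]) -> PathPool:
    """Summarize the path pool: one entry per pair of adjacent IPs."""
    return {frozenset(pair) for pair in links}


def adjacent_ips(pool: PathPool, ip: str) -> List[str]:
    """Every IP sharing a path-pool entry with `ip`, in a stable order."""
    return sorted(next(iter(pair - {ip})) for pair in pool if ip in pair)


def search_path(pool: PathPool, start: str, end: str,
                visited: Optional[Set[str]] = None) -> List[str]:
    """Recursive traversal from the start IP: keep stepping to an adjacent IP while
    recording the path; a branch that ends without reaching the end IP returns []
    so the caller backs out to the previous path."""
    if start == end:
        return [start]
    visited = set() if visited is None else visited
    visited.add(start)
    for nxt in adjacent_ips(pool, start):
        if nxt in visited:
            continue
        rest = search_path(pool, nxt, end, visited)
        if rest:                          # end IP found further down this branch
            return [start] + rest
    return []                             # dead end


class RoutingRules:
    """Path pool plus routing table; both are rebuilt when a model parameter changes."""

    def __init__(self, links: List[Link]) -> None:
        self.links = list(links)
        self._rebuild()

    def _rebuild(self) -> None:
        self.pool = build_path_pool(self.links)
        ips = sorted({ip for link in self.links for ip in link})
        self.table: Dict[str, Dict[str, List[str]]] = {
            start: {end: search_path(self.pool, start, end) for end in ips if end != start}
            for start in ips}

    def update_ip(self, old: str, new: str) -> None:
        """A model IP was modified: rewrite the links, then rebuild pool and table."""
        self.links = [tuple(new if ip == old else ip for ip in link) for link in self.links]
        self._rebuild()

    def route(self, start: str, end: str) -> List[str]:
        return self.table.get(start, {}).get(end, [])


# Constructed sample topology (IPs made up): Internet -> two firewalls, each with an
# upper computer; the first upper computer has two lower computers. The last link is
# an unconnected pair, present only to show the dead-end back-out.
SAMPLE_LINKS: List[Link] = [
    ("10.0.0.1", "192.168.1.1"), ("192.168.1.1", "192.168.1.10"),
    ("192.168.1.10", "192.168.1.21"), ("192.168.1.10", "192.168.1.22"),
    ("10.0.0.1", "192.168.2.1"), ("192.168.2.1", "192.168.2.10"),
    ("172.16.0.1", "172.16.0.2"),
]
```

Because the generated topology is a tree, every reachable pair has exactly one path and the recursion only ever backs out at leaves; the unconnected pair shows what an unreachable destination looks like in the table.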
S4, performing protocol configuration on the lower computer models in the network topology;
in an actual industrial control field there are many industrial protocol types, each with its own message format, so several industrial protocol configurations are provided; a common industrial protocol is ModbusTCP, an industrial fieldbus protocol standard.
S5, performing industrial message sending configuration according to the configured protocol;
the industrial message sending configuration performs the corresponding configuration according to the frame format of each protocol; for example, the ModbusTCP protocol comprises:
Transaction identifier: starts from '00 01' by default; once network communication starts, the transaction identifier is increased by 1 each time a ModbusTCP protocol message is sent.
Protocol length: the sum of the lengths of the unit identifier, the function code and the protocol data.
Unit identifier: bound to the lower computer IP; once the upper computer model has determined the lower computer IP, the unit identifier is determined as well.
Function code: to simulate the flexibility of ModbusTCP protocol messages, the upper computer model supports user-defined function codes in addition to the basic ModbusTCP function codes (0x01 read coils, 0x05 write single coil, 0x0F write multiple coils, 0x02 read discrete inputs, 0x04 read input registers, 0x03 read holding registers, 0x06 write single holding register, 0x10 write multiple holding registers), but the function code must be in basic hexadecimal format.
Protocol data: likewise, to simulate the flexibility of ModbusTCP protocol messages, the length of the protocol data is not limited, but it must meet the hexadecimal format requirement.
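The sending configuration described for ModbusTCP can be turned into a small frame builder. The Python below is an added example, not the patent's code: the MBAP layout (transaction identifier, protocol identifier, length, unit identifier) is the public Modbus TCP framing, the basic function-code table is the one listed in the text, and the hex-string input rules, the one-byte function-code check and the names `hex_field` and `ModbusTcpSender` are this example's own.

```python
"""ModbusTCP message construction for the sending configuration of step S5. Added
illustration, not the patent's own code. The MBAP header layout is the public Modbus
TCP framing; the basic function-code list is the one given in the text; the hex-text
input rules and the user-defined-code check are this example's own design."""
import struct
from typing import List

# Basic ModbusTCP function codes listed in the text
BASIC_FUNCTION_CODES = {
    0x01: "read coils", 0x02: "read discrete inputs", 0x03: "read holding registers",
    0x04: "read input registers", 0x05: "write single coil",
    0x06: "write single holding register", 0x0F: "write multiple coils",
    0x10: "write multiple holding registers",
}


def hex_field(text: str, name: str) -> bytes:
    """Function code and protocol data are entered as hex text ('0x03', '00 0A',
    '000a'); anything that is not whole hexadecimal bytes is rejected."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = cleaned.replace(" ", "")
    if not cleaned or len(cleaned) % 2 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError(f"{name} must be whole hexadecimal bytes, got {text!r}")
    return bytes.fromhex(cleaned)


class ModbusTcpSender:
    """One sender per upper-computer -> lower-computer pairing; the unit identifier is
    fixed once the lower computer IP has been chosen."""

    def __init__(self, lower_ip: str, unit_id: int, first_transaction: int = 0x0001) -> None:
        if not 0 <= unit_id <= 0xFF:
            raise ValueError("unit identifier is one byte")
        self.lower_ip = lower_ip
        self.unit_id = unit_id
        self.transaction = first_transaction      # starts at 00 01 by default
        self.sent: List[bytes] = []

    def build(self, function_code: str, protocol_data: str = "") -> bytes:
        fc = hex_field(function_code, "function code")
        if len(fc) != 1:
            raise ValueError("function code is exactly one byte")
        data = hex_field(protocol_data, "protocol data") if protocol_data.strip() else b""
        # Protocol length = unit identifier (1) + function code (1) + protocol data
        length = 1 + len(fc) + len(data)
        adu = struct.pack(">HHHB", self.transaction, 0x0000, length, self.unit_id) + fc + data
        self.transaction = (self.transaction + 1) & 0xFFFF  # +1 per message sent
        self.sent.append(adu)
        return adu

    @staticmethod
    def is_basic_function_code(adu: bytes) -> bool:
        """True for one of the basic codes, False for a user-defined code."""
        return adu[7] in BASIC_FUNCTION_CODES
```

The hex check rejects an odd number of nibbles or a non-hex character before any frame is built, which is the "must meet the hexadecimal format requirement" rule; a user-defined code such as 0x41 is accepted but reported as non-basic so the simulation can treat it as a non-compliant message.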
S6, setting the simulation model rules;
for example ACL rules: an ACL rule mainly comprises the source security domain, destination security domain, source IP, destination IP, start time, end time, action and service. A ModbusTCP protocol whitelist rule may comprise IP addresses, function codes, coil or register address ranges and so on.
S7, starting network communication and sending messages;
S8, performing security detection and displaying alarm information.
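Steps S6 to S8 together, as an added Python example that is not the patent's code: the ACL fields (security domains, IPs, time window, action, service) and the ModbusTCP whitelist fields (IP addresses, function codes, address range) are the ones listed above, and the alarm record carries the fields named for the alarm display module (time, protocol type, device IP, port, alarm type, description, message). The IP-to-security-domain map, the check order (ACL, then frame integrity, then protocol whitelist), the sample traffic and the names `SecurityDetector` and `run_detection` are this example's own assumptions.

```python
"""Rule evaluation and alarm generation for steps S6 and S8. Added illustration, not
the patent's own code. The ACL fields (security domains, IPs, time window, action,
service) and the ModbusTCP whitelist fields (IPs, function codes, address range) are
the ones the text lists; the IP-to-domain map, the check order (ACL, frame integrity,
protocol whitelist) and the alarm record layout are this example's own design."""
import struct
from datetime import datetime, time
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

SERVICE_PORTS = {"modbus": 502}

# "*" in a domain or IP field matches anything; service "*" matches any port
AclRule = NamedTuple("AclRule", [("src_domain", str), ("dst_domain", str), ("src_ip", str),
                                 ("dst_ip", str), ("start", time), ("end", time),
                                 ("action", str), ("service", str)])
ModbusWhitelist = NamedTuple("ModbusWhitelist", [("allowed_ips", FrozenSet[str]),
                                                 ("function_codes", FrozenSet[int]),
                                                 ("address_range", Tuple[int, int])])
Frame = NamedTuple("Frame", [("src_ip", str), ("dst_ip", str), ("dst_port", int),
                             ("at", datetime), ("payload", bytes)])


def parse_modbus_tcp(payload: bytes) -> Tuple[Optional[dict], Optional[str]]:
    """(fields, None) for a well-formed frame; (None, reason) on an integrity failure."""
    if len(payload) < 8:
        return None, "frame shorter than MBAP header plus function code"
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        return None, f"protocol identifier {pid} is not ModbusTCP"
    if length != len(payload) - 6:
        return None, f"length field {length} does not match payload length {len(payload) - 6}"
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return {"transaction": tid, "unit": unit, "function_code": payload[7], "address": address}, None


class SecurityDetector:
    def __init__(self, domains: Dict[str, str], acl: List[AclRule], wl: ModbusWhitelist) -> None:
        self.domains, self.acl, self.wl = domains, acl, wl
        self.history: List[dict] = []  # historical alarm information for later query

    def _acl_reason(self, f: Frame) -> Optional[str]:
        src_d, dst_d = self.domains.get(f.src_ip, "unknown"), self.domains.get(f.dst_ip, "unknown")
        for r in self.acl:  # first matching rule decides
            if (r.src_domain in ("*", src_d) and r.dst_domain in ("*", dst_d)
                    and r.src_ip in ("*", f.src_ip) and r.dst_ip in ("*", f.dst_ip)
                    and (r.service == "*" or SERVICE_PORTS.get(r.service) == f.dst_port)
                    and r.start <= f.at.time() <= r.end):
                return None if r.action == "permit" else f"ACL {r.action}: {src_d} -> {dst_d}"
        return f"no ACL rule permits {src_d} -> {dst_d}"

    def _whitelist_reason(self, f: Frame, fields: dict) -> Optional[str]:
        fc, addr, (lo, hi) = fields["function_code"], fields["address"], self.wl.address_range
        if f.src_ip not in self.wl.allowed_ips:
            return f"source {f.src_ip} not in ModbusTCP whitelist"
        if fc not in self.wl.function_codes:
            return f"function code 0x{fc:02X} not whitelisted"
        if addr is not None and not lo <= addr <= hi:
            return f"address {addr} outside whitelisted range {lo}-{hi}"
        return None

    def inspect(self, f: Frame) -> Optional[dict]:
        """S8: an alarm record (also kept in history), or None when the frame passes."""
        kind, reason = "ACL", self._acl_reason(f)
        if reason is None:
            fields, reason = parse_modbus_tcp(f.payload)
            kind = "integrity"
            if reason is None:
                kind, reason = "whitelist", self._whitelist_reason(f, fields)
        if reason is None:
            return None
        alarm = {"time": f.at.isoformat(), "protocol": "ModbusTCP", "device_ip": f.src_ip,
                 "port": f.dst_port, "alarm_type": kind, "description": reason, "message": f.payload.hex()}
        self.history.append(alarm)
        return alarm


def mb(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Constructed ModbusTCP frame (MBAP header + function code + data) for the samples."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


T = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_FRAMES = [  # constructed sample traffic; IPs are made up
    Frame("192.168.1.10", "192.168.1.21", 502, T, mb(1, 1, 0x03, b"\x00\x00\x00\x0a")),      # compliant read
    Frame("192.168.1.10", "192.168.1.21", 502, T, mb(2, 1, 0x06, b"\x00\x64\x00\x01")),      # write, not whitelisted
    Frame("10.0.0.99", "192.168.1.21", 502, T, mb(3, 1, 0x03, b"\x00\x00\x00\x01")),         # internet -> control
    Frame("192.168.1.10", "192.168.1.21", 502, T, mb(4, 1, 0x03, b"\x00\x00\x00\x0a")[:9]),  # truncated frame
    Frame("192.168.1.10", "192.168.1.21", 502, T, mb(5, 1, 0x03, b"\x02\x00\x00\x01")),      # address 512
]


def build_detector() -> SecurityDetector:
    domains = {"10.0.0.99": "internet", "192.168.1.10": "office", "192.168.1.21": "control"}
    acl = [AclRule("office", "control", "*", "*", time(0, 0), time(23, 59), "permit", "modbus"),
           AclRule("internet", "control", "*", "*", time(0, 0), time(23, 59), "deny", "modbus")]
    wl = ModbusWhitelist(frozenset({"192.168.1.10"}), frozenset({0x03, 0x04}), (0, 255))
    return SecurityDetector(domains, acl, wl)


def run_detection(frames: List[Frame] = SAMPLE_FRAMES) -> List[dict]:
    det = build_detector()
    return [a for a in (det.inspect(f) for f in frames) if a is not None]
```

Of the five constructed frames only the first passes; the others each trip a different check (a write function code outside the whitelist, a source in the Internet domain denied by the ACL, a truncated frame whose length field no longer matches, and a register address outside the whitelisted range), and every alarm is retained in `history` for the historical query the display module provides.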
The invention can custom-generate the network topology from the common models of the discrete manufacturing industry, and the topology is self-adaptive, that is, it automatically expands and fills model positions. Security rules and compliant and non-compliant messages can be configured on the topology in a custom manner, data circulation is realized, messages are detected and intercepted according to the configured security rules, and alarms are displayed in real time while historical alarm information can be queried, so that enterprises gain a clear understanding of how industrial control security products are used and what effect their policy settings have.
Example 3
Referring to fig. 3, the invention discloses an industrial control safety simulation system, which comprises a simulation model library module, a network topology module, a simulation model sending configuration module, a simulation model rule setting module, a network communication module and a simulation alarm information display module.
The simulation model library module is used for integrating the models required by the system and selecting a proper model for the network topology module to construct the network topology structure of the enterprise.
Specifically, the simulation model library module comprises the industrial control equipment and industrial control security products commonly used in the industrial control simulation environment of a discrete manufacturing enterprise, such as the Internet, upper computers, lower computers and industrial firewalls; it integrates the models required by the simulation system so that the network topology module can select suitable models to construct the network topology structure of the enterprise.
The network topology module generates the network topology structure required by the simulation from the models in the simulation model library module using the network topology generation algorithm, configures the model parameters in the network topology, and generates routing rules according to the network topology structure and the parameters; the network topology comprises a tree network topology.
The simulation model sending configuration module is used for configuring the various industrial protocols and constructing the industrial messages; specifically, it comprises a lower computer support protocol configuration and an industrial message sending configuration.
The lower computer support protocol configuration is used for configuring the various industrial protocols and employs, but is not limited to, ModbusTCP. The industrial message sending configuration constructs the industrial messages according to the supported protocol type set in the lower computer support protocol configuration; the industrial messages comprise compliant and non-compliant messages, such as messages that fail the integrity requirement or messages whose function code does not conform to the protocol requirements.
The simulation model rule setting module is used for security policy configuration and comprises industrial protocol whitelist rule configuration and ACL rule configuration; the industrial protocol whitelist rule configuration collects the common characteristics of the allowed industrial protocol data packets and builds the allowed industrial protocol characteristics from them, and the ACL rule configuration prevents unauthorized users from accessing important resources by setting rules.
And the network communication module is used for realizing network communication of the system and realizing circulation of industrial messages.
The simulation alarm information display module is used for displaying real-time and historical alarm information; the content displayed comprises, but is not limited to, time, industrial protocol type, device IP, port number, alarm type, alarm description and the industrial message.
The invention is oriented to discrete manufacturing enterprises: the network topology is custom-generated to simulate the field network environment of such an enterprise, security rules and messages can be configured on the topology, the operation of industrial control field security policies and the occurrence of threat events are simulated, and the alarm information produced by security detection and filtering is displayed, giving the enterprise a basis for formulating reasonable security policies and selecting industrial control security products.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (7)

1. The industrial control safety simulation method is characterized by comprising the following steps of:
s1, selecting a model in a simulation model library, and constructing a network topology by using a network topology generation algorithm;
step S2, configuring model parameters in the network topology, wherein the model parameters comprise a model IP address and a unit identifier;
s3, generating a routing rule according to the network topological structure and the parameters;
s4, carrying out protocol configuration on a lower computer model in the network topology;
s5, carrying out industrial message sending configuration according to the configured protocol;
s6, setting simulation model rules;
s7, starting network communication and sending a message;
s8, safety detection and alarm information display are carried out;
the network topology generation algorithm in step S1 includes the following steps:
S11, determining the attributes of the parent node model, namely its IP, position and type, wherein the position comprises a row number and a column number;
S12, acquiring the set of pre-generated positions: for the other node models below the parent node model that are of a different type, calculating the difference between their column numbers and the column number of the parent node model, obtaining the left and right boundaries from these differences, collecting all column numbers between the two boundaries and deleting the column numbers already in use; the remaining column numbers form the set of pre-generated positions;
S13, traversing the remaining positions and judging whether a node model exists in the column of the current pre-generated position; if one exists, the current pre-generated position blocks the existing node model and step S14 is executed; otherwise the current pre-generated position blocks no existing node model and step S15 is executed;
S14, judging the expansion direction: if the current position conforms to the expansion direction, pre-generating the current position; if it does not, discarding the current position and continuing to traverse the remaining positions; when no empty space exists, the boundary becomes the pre-generated position and the blocked node model is moved outwards at the same time;
S15, creating a new model at the pre-generated position and establishing the parent-child node model relation;
S16, judging whether the size of the network topology is appropriate and, if not, adjusting the size of the network topology;
S17, judging whether the position of the network topology is appropriate and, if not, adjusting the position of the network topology;
S18, creating connecting lines between the node models that share the same parent node;
the difference value is calculated as follows: among the node models whose difference is smaller than 0, the node model with the largest difference is the closest to the parent node model and its column number is the left boundary; among the node models whose difference is larger than 0, the node model with the smallest difference is the closest to the parent node model and its column number is the right boundary.
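As an added illustration, not code from the patent, the following Python sketches steps S12 to S15 and the difference rule above on a grid of node models. The Node fields, the use of the grid edge when one side has no bounding model, and the nearest-column tie-break on the expansion side are assumptions; the outward shift of blocked models in S14 and steps S16 to S18 are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Node:
    ip: str
    row: int             # grid row; a child sits one row below its parent
    col: int             # grid column
    kind: str            # model type, e.g. "router", "firewall", "plc", "host"
    parent_ip: str = ""  # parent-child relation recorded in S15

def boundaries(parent, nodes, new_kind, grid_cols):
    # S12 with the difference rule: for node models below the parent whose type
    # differs from the model being added, diff = its column - parent column;
    # the largest negative diff gives the left boundary, the smallest positive
    # diff the right boundary.
    diffs = [n.col - parent.col
             for n in nodes if n.row > parent.row and n.kind != new_kind]
    left = max((d for d in diffs if d < 0), default=None)
    right = min((d for d in diffs if d > 0), default=None)
    # Assumption: when no model bounds a side, the grid edge is the boundary.
    left_col = parent.col + left if left is not None else 0
    right_col = parent.col + right if right is not None else grid_cols - 1
    return left_col, right_col

def pre_generated_positions(parent, nodes, new_kind, grid_cols):
    # All columns between the boundaries, minus those already used in the child row.
    left_col, right_col = boundaries(parent, nodes, new_kind, grid_cols)
    used = {n.col for n in nodes if n.row == parent.row + 1}
    return [c for c in range(left_col, right_col + 1) if c not in used]

def place_child(parent, nodes, ip, new_kind, grid_cols, expand_right=True):
    cands = pre_generated_positions(parent, nodes, new_kind, grid_cols)
    child_row = parent.row + 1
    # S13/S15: a column with no model anywhere below the parent blocks nothing.
    for col in cands:
        if not any(n.col == col and n.row > parent.row for n in nodes):
            return _create(nodes, ip, child_row, col, new_kind, parent.ip)
    # S14: every candidate blocks a deeper model; keep those on the expansion
    # side of the parent and take the one nearest to it (assumed tie-break).
    side = [c for c in cands if (c >= parent.col) == expand_right]
    if side:
        nearest = min(side, key=lambda c: abs(c - parent.col))
        return _create(nodes, ip, child_row, nearest, new_kind, parent.ip)
    return None  # no empty space: moving blocked models outwards is not modelled

def _create(nodes, ip, row, col, kind, parent_ip):
    node = Node(ip, row, col, kind, parent_ip)
    nodes.append(node)
    return node
```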
2. The industrial control safety simulation method according to claim 1, wherein the routing rule in step S3 includes summarizing a path pool and generating a routing table; the summarized path pool is the collection of all pairs of adjacent IPs in the network topology, and the path pool is updated whenever model parameters in the network topology are modified; generating the routing table comprises: cyclically traversing the node model IPs, first determining a pair of start IP and end IP, then recursively traversing the path pool, taking the start IP as the starting point and searching for adjacent IPs along each path in the network topology while recording the paths searched, until the end IP is found; if the end point of a search is not the end IP, returning to the previous path.
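Added example, not the patent's implementation: a path pool of adjacent IP pairs and the recursive start-IP to end-IP search with backtracking described in claim 2, run over a constructed topology of five linked models plus one IP with no link. The function names, the alphabetical neighbour order and the sample addresses are assumptions.

```python
from itertools import permutations

def build_path_pool(links):
    # Path pool: every adjacent IP pair of the topology, stored in both
    # directions so a link can be walked either way. Rebuild it whenever the
    # model parameters (links, IPs) of the topology change.
    pool = set()
    for a, b in links:
        pool.add((a, b))
        pool.add((b, a))
    return pool

def find_route(pool, start, end, visited=None):
    # Recursive search from the start IP: follow adjacent IPs and record the
    # path walked; when a branch ends somewhere other than the end IP, return
    # to the previous path (backtracking) and try the next neighbour.
    visited = [start] if visited is None else visited
    if start == end:
        return list(visited)
    neighbours = sorted(b for a, b in pool if a == start)  # assumed order
    for nxt in neighbours:
        if nxt in visited:
            continue            # never revisit an IP on the current path
        route = find_route(pool, nxt, end, visited + [nxt])
        if route is not None:
            return route
    return None                 # dead end: the caller backtracks

def generate_routing_table(ips, links):
    # One entry per ordered (start IP, end IP) pair that is reachable;
    # unreachable pairs (e.g. an unlinked model) get no entry.
    pool = build_path_pool(links)
    table = {}
    for start, end in permutations(ips, 2):
        route = find_route(pool, start, end)
        if route is not None:
            table[(start, end)] = route
    return table

# Constructed topology: Internet - industrial firewall - host computer - PLC
# (lower computer), an engineering station behind the firewall, and one
# IP with no link at all.
LINKS = [("1.1.1.1", "192.168.1.1"),
         ("192.168.1.1", "192.168.1.10"),
         ("192.168.1.10", "192.168.2.20"),
         ("192.168.1.1", "192.168.1.11")]
IPS = ["1.1.1.1", "192.168.1.1", "192.168.1.10",
       "192.168.1.11", "192.168.2.20", "10.9.9.9"]
```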
3. An industrial control safety simulation system, characterized by comprising a simulation model library module, a network topology module, a simulation model sending configuration module, a simulation model rule setting module, a network communication module and a simulation alarm information display module;
the simulation model library module is used for integrating the models required by the system, so that the network topology module can select suitable models to construct the network topology structure of the enterprise;
the network topology module uses the models in the simulation model library module to generate, through the network topology generation algorithm, the network topology structure required by the simulation; configures the model parameters in the network topology; and generates the routing rules according to the network topology structure and the parameters;
the network topology generation algorithm comprises the following steps:
S11, determining the attributes of the parent node model, namely its IP, position and type, wherein the position comprises a row number and a column number;
S12, acquiring the set of pre-generated positions: for the other node models below the parent node model that are of a different type, calculating the difference between their column numbers and the column number of the parent node model, obtaining the left and right boundaries from these differences, collecting all column numbers between the two boundaries and deleting the column numbers already in use; the remaining column numbers form the set of pre-generated positions;
S13, traversing the remaining positions and judging whether a node model exists in the column of the current pre-generated position; if one exists, the current pre-generated position blocks the existing node model and step S14 is executed; otherwise the current pre-generated position blocks no existing node model and step S15 is executed;
S14, judging the expansion direction: if the current position conforms to the expansion direction, pre-generating the current position; if it does not, discarding the current position and continuing to traverse the remaining positions; when no empty space exists, the boundary becomes the pre-generated position and the blocked node model is moved outwards at the same time;
S15, creating a new model at the pre-generated position and establishing the parent-child node model relation;
S16, judging whether the size of the network topology is appropriate and, if not, adjusting the size of the network topology;
S17, judging whether the position of the network topology is appropriate and, if not, adjusting the position of the network topology;
S18, creating connecting lines between the node models that share the same parent node;
the difference value is calculated as follows: among the node models whose difference is smaller than 0, the node model with the largest difference is the closest to the parent node model and its column number is the left boundary; among the node models whose difference is larger than 0, the node model with the smallest difference is the closest to the parent node model and its column number is the right boundary;
the simulation model sending configuration module is used for configuring various industrial protocols and constructing industrial messages;
the simulation model rule setting module is used for security policy configuration;
the network communication module is used for realizing the network communication of the system and the circulation of industrial messages;
the simulation alarm information display module is used for displaying real-time and historical alarm information, where the information comprises, but is not limited to, the time, industrial protocol type, device IP, port number, alarm type, alarm description and industrial message.
4. The industrial control safety simulation system according to claim 3, wherein the simulation model library module includes, but is not limited to, Internet, host computer, lower computer and industrial firewall.
5. The industrial control safety simulation system according to claim 4, wherein the simulation model sending configuration module comprises a lower computer supported protocol configuration and an industrial message sending configuration;
the lower computer supported protocol configuration is used for configuring various industrial protocols;
and the industrial message sending configuration constructs the industrial message according to the supported protocol type set in the lower computer supported protocol configuration.
6. The industrial control safety simulation system according to claim 4, wherein the lower computer supported protocol configuration uses, but is not limited to, Modbus.
7. The industrial control safety simulation system according to claim 3, wherein the simulation model rule setting module comprises industrial protocol whitelist rule configuration and ACL rule configuration;
the industrial protocol whitelist rule configuration integrates the common characteristics of the allowed industrial protocol data packets and builds the allowed industrial protocol characteristics;
and the ACL rule configuration prevents unauthorized users from accessing important resources by setting rules.
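Added example, not the patent's code, combining the whitelist and ACL rules of claim 7 with the alarm fields listed in claim 3, applied to constructed Modbus/TCP messages (the lower computer protocol named in claim 6). The Message type, the packet characteristics chosen for the whitelist, the ACL check order and the sample addresses and times are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Message:
    time: str
    src: str
    dst: str            # device IP (the lower computer addressed)
    port: int
    payload: bytes      # Modbus/TCP ADU: 7-byte MBAP header followed by the PDU

def function_code(adu):
    # MBAP = transaction id (2) + protocol id (2) + length (2) + unit id (1);
    # the PDU starts at byte 7 with the function code.
    return adu[7] if len(adu) > 7 else None

def learn_whitelist(allowed):
    # The common characteristics of the allowed packets, reduced here
    # (assumption) to (source IP, device IP, port, function code) tuples.
    return {(m.src, m.dst, m.port, function_code(m.payload)) for m in allowed}

def alarm(m, kind, desc):
    # One record per alarm, with the fields the alarm display module lists.
    return {"time": m.time, "protocol": "Modbus/TCP", "device_ip": m.dst,
            "port": m.port, "alarm_type": kind, "description": desc,
            "message": m.payload.hex()}

def detect(messages, whitelist, acl_deny):
    # acl_deny: (src, dst) pairs an ACL rule forbids; checked before the
    # whitelist so a denied source raises one ACL alarm rather than two alarms.
    alarms = []
    for m in messages:
        fc = function_code(m.payload)
        if (m.src, m.dst) in acl_deny:
            alarms.append(alarm(m, "ACL", f"{m.src} -> {m.dst} denied by ACL rule"))
        elif (m.src, m.dst, m.port, fc) not in whitelist:
            alarms.append(alarm(m, "whitelist",
                                f"function code {fc} from {m.src} not whitelisted"))
    return alarms

# Constructed sample traffic (addresses, times and payloads are made up).
HOST, ENG, PLC = "192.168.1.10", "192.168.1.11", "192.168.2.20"
READ_REGS = bytes.fromhex("00010000000601030000000a")  # fc 3: read 10 holding registers
WRITE_REG = bytes.fromhex("000200000006010600010001")  # fc 6: write single register
ALLOWED = [Message("2024-01-01 10:00:00", HOST, PLC, 502, READ_REGS)]
ACL_DENY = {(ENG, PLC)}
TRAFFIC = [
    Message("2024-01-01 10:01:00", HOST, PLC, 502, READ_REGS),  # baseline, no alarm
    Message("2024-01-01 10:01:05", HOST, PLC, 502, WRITE_REG),  # function code not allowed
    Message("2024-01-01 10:01:09", ENG, PLC, 502, READ_REGS),   # source denied by ACL
]
```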
CN202111359067.0A 2021-11-16 2021-11-16 Network topology algorithm, industrial control safety simulation method and system Active CN114095375B (en)


Publications (2)

Publication Number Publication Date
CN114095375A (en) 2022-02-25
CN114095375B (en) 2024-03-15

Family

ID=80301132



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant