CN114282236A - Safety protection method, device, equipment and readable storage medium - Google Patents


Info

Publication number: CN114282236A
Authority: CN (China)
Prior art keywords: plc, communication data, safety protection, data, preset
Legal status: Pending
Application number: CN202111554963.2A
Other languages: Chinese (zh)
Inventors: 贾春迎, 范渊
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202111554963.2A
Publication of CN114282236A

Landscapes

  • Programmable Controllers (AREA)

Abstract

The application discloses a safety protection method, device, equipment and readable storage medium. The method queries the access right of each PLC controller in the industrial network; if the access right of any PLC controller is lower than a preset condition, the communication data received by that PLC controller is acquired in real time; a preset safety protection rule is used to detect whether attack data exists in the communication data; and if attack data exists, the PLC controller is made not to respond to the communication data, and the identification information of the PLC controller, the communication data and the attack behavior are recorded, so that the PLC controller is protected. The scheme can detect abnormal traffic in time, intercept and record the related abnormal information, and thereby ensure the safety of the equipment and the industrial network. Accordingly, the safety protection device, equipment and readable storage medium provided by the application have the same technical effects.

Description

Safety protection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of computer technology, and in particular to a safety protection method, apparatus, device and readable storage medium.
Background
At present, hackers generally attack PLC controllers with low access rights, because the higher the access right, the harder the attack. If a hacker attacks a PLC controller, its access right may be modified, so that the user can no longer access it normally, and even the user program running on the device may be modified, with serious consequences. PLC stands for Programmable Logic Controller.
Therefore, how to protect PLC controllers is a problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, an object of the present application is to provide a safety protection method, apparatus, device and readable storage medium for performing safety protection on a PLC controller. The specific scheme is as follows:
in a first aspect, the present application provides a safety protection method applied to safety protection equipment, including:
inquiring the access authority of each PLC in the industrial network;
if the access right of any PLC is lower than a preset condition, communication data received by the PLC are acquired in real time;
detecting whether attack data exist in the communication data by using a preset safety protection rule;
and if so, enabling the PLC controller not to respond to the communication data, and recording the identification information of the PLC controller, the communication data and the attack behavior.
Preferably, the querying the access right of each PLC controller in the industrial network includes:
and inquiring the access authority of each PLC in the industrial network by using a preset script.
Preferably, the querying the access right of each PLC controller in the industrial network by using the preset script includes:
sending a query message to each PLC controller through the s7comm protocol by using a preset script;
and receiving the response message fed back by each PLC controller by using the preset script, and parsing the response messages to obtain the access right of each PLC controller.
Preferably, after querying the access right of each PLC controller in the industrial network, the method further includes:
and visually displaying the access authority of each PLC.
Preferably, the access right is full right, read right, lowest right or no upload permission.
Preferably, the method further comprises the following steps:
and if the access right of any PLC is lower than the preset condition, prompting a user to modify the access right of the PLC.
Preferably, the detecting whether attack data exists in the communication data by using a preset security protection rule includes:
extracting operational behavior data from the communication data;
if the operation behavior data is matched with attack characteristics preset in the safety protection rule, determining that the attack data exists in the communication data; otherwise, determining that the attack data does not exist in the communication data.
In a second aspect, the present application provides a safety protection device applied to safety protection equipment, including:
a query module for querying the access right of each PLC controller in the industrial network;
an acquisition module for acquiring, in real time, the communication data received by any PLC controller whose access right is lower than a preset condition;
a detection module for detecting whether attack data exists in the communication data by using a preset safety protection rule;
and a protection module for making the PLC controller not respond to the communication data if attack data exists, and for recording the identification information of the PLC controller, the communication data and the attack behavior.
In a third aspect, the present application provides safety protection equipment comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the security protection method disclosed in the foregoing.
In a fourth aspect, the present application provides a readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security protection method disclosed in the foregoing.
According to the scheme, the application provides a safety protection method applied to safety protection equipment, and the safety protection method comprises the following steps: inquiring the access authority of each PLC in the industrial network; if the access right of any PLC is lower than a preset condition, communication data received by the PLC are acquired in real time; detecting whether attack data exist in the communication data by using a preset safety protection rule; and if so, enabling the PLC controller not to respond to the communication data, and recording the identification information of the PLC controller, the communication data and the attack behavior.
Therefore, the access right of each PLC controller in the industrial network can be queried; if the access right of any PLC controller is lower than a preset condition, the communication data received by that PLC controller is acquired in real time; a preset safety protection rule is used to detect whether attack data exists in the communication data; if attack data exists, the PLC controller does not respond to the communication data, so that dangerous operation of the PLC controller is avoided, while the identification information of the PLC controller, the communication data and the attack behavior are recorded, so that the PLC controller is protected. The scheme can detect abnormal traffic in time, intercept and record the related abnormal information, and thereby ensure the safety of the equipment and the industrial network.
Accordingly, the safety protection device, the equipment and the readable storage medium provided by the application also have the technical effects.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a safety protection method disclosed in the present application;
FIG. 2 is a schematic view of an access rights visualization code disclosed herein;
FIG. 3 is a flow chart of an access rights query disclosed herein;
FIG. 4 is a schematic diagram of a script execution and results disclosed herein;
FIG. 5 is a flow chart of a response message analysis disclosed herein;
FIG. 6 is a schematic view of a safety protection device disclosed in the present application;
FIG. 7 is a schematic view of safety protection equipment disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, hackers generally attack PLC controllers with low access rights, because the higher the access right, the harder the attack. If a hacker attacks a PLC controller, its access right may be modified, so that the user can no longer access it normally, and even the user program running on the device may be modified, with serious consequences. Therefore, the present application provides a safety protection scheme in which the PLC controller does not respond to communication data containing attack data, so that dangerous operation of the PLC controller is avoided, the PLC controller is protected, and the safety of the equipment and the industrial network is guaranteed.
Referring to fig. 1, an embodiment of the present application discloses a safety protection method applied to safety protection equipment, including:
s101, inquiring the access authority of each PLC in the industrial network.
In this embodiment, the safety protection equipment may be connected to each PLC controller in the same industrial network; common safety protection equipment includes industrial firewalls, industrial security audit devices and the like. The PLC controllers are of the same manufacturer and model, for example all of the Siemens S7-200 Smart series.
In one embodiment, querying the access right of each PLC controller in the industrial network includes: querying the access right of each PLC controller in the industrial network by using a preset script, so as to improve query efficiency. The preset script may be a Python (.py) script of the kind required by the ISF framework, but may also be another type of script.
In one embodiment, querying the access right of each PLC controller in the industrial network by using a preset script includes: sending a query message to each PLC controller through the s7comm protocol by using the preset script; receiving the response message fed back by each PLC controller by using the preset script, and parsing the response message to obtain the access right of each PLC controller.
Specifically, the access right of any PLC controller can be queried by sending the content indicated by the following code to the PLC controller through the s7comm protocol.
# Query message, written in Python 3 form (the original listing uses the Python 2 str.decode("hex") idiom).
# sock is the TCP connection to the PLC (port 102) after the connection and communication setup described below.
pp = bytes.fromhex("0300001f02f080320100000004000e00000401120a100200020000030005d0")
sock.send(pp)
data = sock.recv(1024)
The hexadecimal string "pp" in the above code plays the decisive role in the query. "0300001f" in "pp" is the TPKT part of the s7comm protocol, defining the protocol version and payload length. "02f080" is the COTP part of the s7comm protocol, defining the PDU type and other protocol information. "320100000004000e0000" is the header part of the s7comm protocol, defining the protocol identifier, the payload length of the s7comm PDU and the like. "0401120a100200020000030005d0" is the parameter part of the s7comm protocol, defining the operation function code, the parameter object type, the data block number and the address. The PLC controller contains data blocks, memory blocks, program blocks and the like, and the parameter object type refers to data, memory or program. The data block number and address are the number and address of the data block, memory block or program block.
The response message fed back by the PLC controller may be the following hexadecimal string: 000c293b7a40e0dca0c1857b08004500004313a600001e0603b6c0a80201c0a802080066e1260004a7b9f3150fb450182000d10200000300001b02f0803203000000040002000600000401ff0400100002.
Here bytes 1 to 6 are the destination MAC, bytes 7 to 12 the source MAC, bytes 13 to 14 the EtherType (IPv4), bytes 15 to 34 the IP layer data, bytes 35 to 54 the TCP layer data, bytes 55 to 58 the TPKT data of the s7 communication, bytes 59 to 61 the COTP data, and bytes 62 to 81 the application layer s7comm protocol payload.
Within bytes 62 to 81, bytes 62 to 73 are the s7comm header, bytes 74 to 75 are the parameter part indicating the operation performed (here "read"), bytes 76 to 81 are the data part carrying the PLC data value that was read (the content of the read operation), and bytes 80 to 81 (i.e. "0002") are the level value of the current access right.
Therefore, by filtering the returned packet for the s7comm protocol, the control field "read" and the last two bytes "0002", the access right can be determined to be level 2 (or another level, as the case may be).
In a specific embodiment, after querying the access right of each PLC controller in the industrial network, the method further includes visually displaying the access right of each PLC controller. As shown in FIG. 2, the queried access right is printed in the code for presentation.
And S102, if the access authority of any PLC is lower than a preset condition, acquiring the communication data received by the PLC in real time.
In one embodiment, the access rights are full rights (level 1), read rights (level 2), lowest rights (level 3) or no upload allowed (level 4), the rights becoming progressively stricter from low to high. The preset condition can be set accordingly. For example, when the preset condition is set to level 3, the communication data of a PLC controller whose access right is level 1 or level 2 is detected with the preset safety protection rule. As another example, when the preset condition is set to level 4, the communication data of a PLC controller whose access right is level 1, 2 or 3 is detected with the preset safety protection rule.
Of course, the preset condition need not be one of the access-right levels of the PLC controller; it can be set independently. For example, if the preset condition is set to level 6, the communication data of every PLC controller is detected with the preset safety protection rule, whatever its access-right level.
S103, detecting whether attack data exist in the communication data by using a preset safety protection rule; if yes, executing S104; if not, no operation is performed.
And S104, enabling the PLC not to respond to the communication data, and recording the identification information, the communication data and the attack behavior of the PLC.
In a specific implementation manner, if the access right of any one PLC controller is lower than a preset condition, a user is prompted to modify the access right of the PLC controller, so that the access right of the PLC controller is improved, and the safety of the PLC controller is guaranteed.
In a specific embodiment, detecting whether attack data exists in communication data by using a preset security protection rule includes: extracting operation behavior data from the communication data; if the operation behavior data is matched with the attack characteristics preset in the safety protection rule, determining that attack data exists in the communication data; otherwise, determining that the attack data does not exist in the communication data. The security protection rules may be pre-set in a rule base. The rule base comprises a plurality of safety protection rules, and is arranged in the safety protection equipment. The rule base can continuously supplement new rules according to the attack means of hackers so as to achieve better detection effect.
In one embodiment, the safety protection rule may be: alert s7comm any any -> PLC's IP any (msg:"attack occurred!"; content:"|0401120a100200020000030005d0|"; sid:1000001; rev:1;).
Here alert is the "action" field, indicating that alarm information is generated with the selected alarm method and the packet is recorded. s7comm is the "protocol" field, specifying the protocol to be protected. The first any is the "source IP" field. The second any is the "source port" field. PLC's IP is the "IP of the guarded PLC controller" field. The third any is the "destination port (port of the guarded PLC controller)" field. msg is the message shown when an attack occurs. content is the attack feature field; the rule action is triggered whenever it is detected. sid is the ID number of the rule. rev identifies the version of the rule.
Therefore, the access right of each PLC controller in the industrial network can be queried; if the access right of any PLC controller is lower than a preset condition, the communication data received by that PLC controller is acquired in real time; a preset safety protection rule is used to detect whether attack data exists in the communication data; if attack data exists, the PLC controller does not respond to the communication data, so that dangerous operation of the PLC controller is avoided, while the identification information of the PLC controller, the communication data and the attack behavior are recorded, so that the PLC controller is protected. The scheme can detect abnormal traffic in time, intercept and record the related abnormal information, and thereby ensure the safety of the equipment and the industrial network.
This embodiment provides a scheme for querying the access right of a PLC controller. Taking the S7-200 Smart PLC controller as an example, a fixed message is sent to it to obtain its feedback data (i.e. the response message), each field of the feedback data is parsed, and the access-right level is identified from the specific value of the parameter field that identifies the level.
Referring to fig. 3, the specific process implementation includes:
1. Write the Python script (i.e. the preset script) for the ISF framework according to the payload. Of course, the script can also be written directly in Python or another language without the ISF framework, as long as it can query the access right.
The communication protocol used by the S7-200 Smart PLC controller is s7comm and the communication port is 102, so sending a packet to the device generally requires: establishing a connection, setting up communication, and designing and sending the payload.
(1) Establishing a connection.
Perform the three-way handshake with the PLC and establish the connection through a socket; this is the standard TCP connection procedure and is completed automatically by the socket. The key code for "establishing a connection" in the Python script is as follows:
import socket

# Step (1): standard TCP connection to the PLC, followed by the COTP connection request (Python 3 form).
sock = socket.socket()
sock.connect((self.target, self.port))  # self.target / self.port: PLC address and port 102 held by the ISF module
pp = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020101")
sock.send(pp)
data = sock.recv(1024)
(2) Setting up communication.
Send a COTP (Connection-Oriented Transport Protocol) message and an s7comm message to the PLC. These messages carry the CPU rack (frame) number and slot number of the PLC and thus state explicitly to which PLC the data and the communication request are sent. The corresponding key code in the Python script is as follows:
import time

# Step (2): the setup-communication message, sent over the connection established in step (1) (Python 3 form).
pp = bytes.fromhex("0300001902f08032010000662100080000f0000001000101e0")
sock.send(pp)
data = sock.recv(1024)
time.sleep(0.1)
(3) Designing and sending the payload (application data).
Whatever the payload, steps (1) and (2) must be executed first, but the exact operation performed depends entirely on the content of the payload. The action required in this embodiment is to query the current access-right level of the PLC, and the corresponding key code in the Python script is as follows:
# Step (3): the query payload; the COTP part is 02f080, as in the earlier listing and the explanation below (Python 3 form).
pp = bytes.fromhex("0300001f02f080320100000004000e00000401120a100200020000030005d0")
sock.send(pp)
data = sock.recv(1024)
The hexadecimal string "pp" in this code plays the decisive role in the query. "0300001f" in "pp" is the TPKT part of the s7comm protocol, defining the protocol version and payload length. "02f080" is the COTP part of the s7comm protocol, defining the PDU type and other protocol information. "320100000004000e0000" is the header part of the s7comm protocol, defining the protocol identifier, the payload length of the s7comm PDU and the like. "0401120a100200020000030005d0" is the parameter part of the s7comm protocol, defining the operation function code, the parameter object type, the data block number and the address. The PLC controller contains data blocks, memory blocks, program blocks and the like, and the parameter object type refers to data, memory or program. The data block number and address are the number and address of the data block, memory block or program block.
2. Place the script in the specified directory of the ISF framework.
Installing the ISF framework depends on a number of libraries. After they have been installed one by one, python ISF is entered at a terminal to open the ISF interface, and the .py script written in step 1 is placed in the specified directory.
Assuming the script is named "s7_200_password_check.py", it can be copied to the specified directory by entering the command "cp s7_200_password_check.py icssploit/modules/applications/plcs/siemens/" at the terminal.
3. Execute the script to obtain the PLC feedback data and identify the current access-right level of the PLC.
A command is entered on the command line of the ISF interface to execute the .py script: first enter "use applications/plcs/siemens/s7_200_password_check.py" to load it. The execution and parsing results of the script are shown in FIG. 4; as shown there, the access right of the PLC is "read only". Thus, by parsing the PLC feedback data, the script can obtain and visualize access rights such as "full rights", "read only", "lowest rights" or "no upload allowed"; as shown in FIG. 4, the words "read only" appear on the terminal.
Specifically, the procedure by which the script parses the PLC feedback data is shown in FIG. 5. The script first determines whether the feedback data conforms to the s7comm protocol; if so, it checks whether the control field corresponds to the read operation in the query message; if so, it checks whether the parameter field corresponds to the parameters in the query message, such as the data block number and address; if so, it determines that the feedback data is the response to the query message, takes bytes 80 to 81 of the feedback data, and compares them with the preset level values of all access rights, thereby determining the current access right of the PLC.
Therefore, this embodiment can use a script to parse the key fields of the response data in depth; when the current access-right level of the PLC is found to be low, the PLC is in a high-risk state and easily attacked by hackers, so the level should be raised as soon as possible to improve the safety of the controller.
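The following Python is added here as an illustration; it is not the patent's code nor the ISF script it describes. It walks the response frame quoted earlier (spaces removed) through the FIG. 5 checks, returns the access-right level carried in bytes 80 to 81, and applies the S102 comparison against a preset condition. Because the parameter part of a read response does not repeat the block number and address, this example correlates the response with the query by its PDU reference (0x0004 in the query message above); that correlation, and the constants used for the header fields, are assumptions of the example.

```python
import struct

# Sample response frame, constructed from the hexadecimal string quoted in the
# description (spaces removed). Layout: Ethernet (14) + IPv4 (20) + TCP (20)
# + TPKT (4) + COTP (3) + s7comm (20) = 81 bytes.
SAMPLE_RESPONSE = bytes.fromhex(
    "000c293b7a40" "e0dca0c1857b" "0800"           # dst MAC, src MAC, EtherType IPv4
    "4500004313a600001e0603b6c0a80201c0a80208"     # IPv4 header, 192.168.2.1 -> 192.168.2.8
    "0066e1260004a7b9f3150fb450182000d1020000"     # TCP header, port 102 -> 57638
    "0300001b"                                     # TPKT: version 3, length 27
    "02f080"                                       # COTP data header
    "320300000004000200060000"                     # s7comm header: ack-data, PDU ref 4
    "0401"                                         # parameter part: function 0x04 (read), 1 item
    "ff0400100002"                                 # data part: ok, 16 bits, value 0x0002
)

# Access-right levels named in step S102 of the description.
LEVEL_NAMES = {1: "full rights", 2: "read rights", 3: "lowest rights", 4: "no upload allowed"}

S7_PROTOCOL_ID = 0x32   # assumed value of the s7comm protocol identifier
ROSCTR_ACK_DATA = 0x03  # assumed value of the "ack-data" message type
FUNC_READ_VAR = 0x04    # function code of the read operation (first byte of the parameter part)


def s7_pdu(frame: bytes) -> bytes:
    """Strip the Ethernet, IPv4 and TCP headers; return the TPKT + COTP + s7comm bytes."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    tcp_hdr_len = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + tcp_hdr_len:14 + ip_total_len]


def parse_access_level(frame: bytes, query_pdu_ref: int = 0x0004) -> int:
    """The FIG. 5 checks: is it s7comm, is it a read response, does it answer our query?
    Returns the level value in the last two bytes of the data part (bytes 80-81 of the frame)."""
    pdu = s7_pdu(frame)
    if len(pdu) < 19 or pdu[0] != 0x03 or struct.unpack("!H", pdu[2:4])[0] != len(pdu):
        raise ValueError("not a well-formed TPKT packet")
    if pdu[4:7] != b"\x02\xf0\x80":
        raise ValueError("not a COTP data TPDU")
    s7 = pdu[7:]
    (proto_id, rosctr, _reserved, pdu_ref, param_len, data_len,
     err_class, err_code) = struct.unpack("!BBHHHHBB", s7[:12])
    if proto_id != S7_PROTOCOL_ID or rosctr != ROSCTR_ACK_DATA:
        raise ValueError("not an s7comm ack-data PDU")           # fails the "s7comm?" check
    if err_class or err_code:
        raise ValueError("PLC returned error %d/%d" % (err_class, err_code))
    param = s7[12:12 + param_len]
    data = s7[12 + param_len:12 + param_len + data_len]
    if not param or param[0] != FUNC_READ_VAR:
        raise ValueError("control field is not a read response")  # fails the "read?" check
    if pdu_ref != query_pdu_ref:
        raise ValueError("response does not belong to our query")  # fails the "our query?" check
    if len(data) < 6 or data[0] != 0xFF:
        raise ValueError("read item returned no data")
    return int.from_bytes(data[-2:], "big")


def access_right_name(level: int) -> str:
    return LEVEL_NAMES.get(level, "unknown level %d" % level)


def needs_protection(level: int, preset_condition: int) -> bool:
    """Step S102: a PLC whose access-right level is below the preset condition is the one
    whose received communication data is then checked against the safety protection rules."""
    return level < preset_condition


if __name__ == "__main__":
    lvl = parse_access_level(SAMPLE_RESPONSE)
    print("access right: level %d (%s)" % (lvl, access_right_name(lvl)))
    print("monitor with preset condition 3:", needs_protection(lvl, 3))
```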
This embodiment provides a scheme for protecting a PLC controller in which the safety protection rule is written in the form of a snort rule, and when an extranet device sends a payload attacking the PLC controller, the alarm "attack occurred!" is issued. The payload regarded as attacking the PLC controller can be customized, for example: the characteristic features of a write operation, the characteristic features of an access-right query, and the like.
For example, the safety protection rule may be written as: alert s7comm any any -> PLC's IP any (msg:"attack occurred!"; content:"|0401120a100200020000030005d0|"; sid:1000001; rev:1;).
Here alert is the "action" field, indicating that alarm information is generated with the selected alarm method and the packet is recorded. s7comm is the "protocol" field, specifying the protocol to be protected. The first any is the "source IP" field. The second any is the "source port" field. PLC's IP is the "IP of the guarded PLC controller" field. The third any is the "destination port (port of the guarded PLC controller)" field. msg is the message shown when an attack occurs. content is the attack feature field; the rule action is triggered whenever it is detected. sid is the ID number of the rule. rev identifies the version of the rule.
Once this safety protection rule is installed on the industrial firewall, the industrial firewall can protect each PLC controller in the intranet; when an extranet device sends a payload attacking a PLC controller, the alarm "attack occurred!" is issued.
It can be seen that this embodiment can use snort rules to protect the PLC controller. On this basis, a snort rule base can be built to improve the safety protection capability and enhance the safety of the industrial control system.
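As an added example (not the patent's code and not snort itself), the following Python parses the rule above into its header fields and options, applies it to three constructed decoded packets, and emits the record that step S104 calls for: the guarded PLC's identification, the communication data and the attack behavior. The guarded PLC address 192.168.2.1 is taken from the source of the response frame quoted earlier, the packets and their source addresses are constructed, and treating the "s7comm" protocol field as a TCP payload to port 102 that begins with a TPKT version byte is this example's own assumption.

```python
import re

# The rule from the description with the guarded PLC's IP filled in. 192.168.2.1 is the
# PLC address in the quoted response frame; the rest of this sample is constructed.
GUARDED_PLC_IP = "192.168.2.1"
RULE = ('alert s7comm any any -> %s any (msg:"attack occurred!"; '
        'content:"|0401120a100200020000030005d0|"; sid:1000001; rev:1;)' % GUARDED_PLC_IP)

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text: str) -> dict:
    """Split a snort-style rule into its header fields and its options (msg, content, sid, rev)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("rule header not recognised")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for item in (o.strip() for o in opts.split(";")):
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    content = options["content"]
    # snort content syntax: |..| encloses hexadecimal bytes, anything else is literal text
    content_bytes = bytes.fromhex(content.strip("|")) if content.startswith("|") else content.encode()
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "msg": options.get("msg", ""), "content": content_bytes,
            "sid": options.get("sid"), "rev": options.get("rev")}


def _field_ok(rule_value: str, actual) -> bool:
    return rule_value == "any" or rule_value == str(actual)


def match_rule(rule: dict, pkt: dict):
    """Apply one rule to a decoded packet {src, sport, dst, dport, payload}. Returns the S104
    record (PLC identification, communication data, attack behaviour) when the rule fires."""
    # assumption: "s7comm" means a TCP payload to port 102 starting with the TPKT version byte
    if rule["proto"] == "s7comm" and not (pkt["dport"] == 102 and pkt["payload"][:1] == b"\x03"):
        return None
    if not (_field_ok(rule["src"], pkt["src"]) and _field_ok(rule["sport"], pkt["sport"])
            and _field_ok(rule["dst"], pkt["dst"]) and _field_ok(rule["dport"], pkt["dport"])):
        return None
    if rule["content"] not in pkt["payload"]:   # the attack feature field
        return None
    return {"action": rule["action"], "plc": pkt["dst"],
            "source": "%s:%d" % (pkt["src"], pkt["sport"]),
            "communication_data": pkt["payload"].hex(), "attack": rule["msg"],
            "sid": rule["sid"], "rev": rule["rev"]}


def scan(rule_text: str, packets) -> list:
    rule = parse_rule(rule_text)
    return [rec for rec in (match_rule(rule, p) for p in packets) if rec]


# Constructed decoded packets: the access-right query payload from the description sent to the
# guarded PLC, the same payload sent to another host, and the benign setup-communication message
# (also from the description) sent to the guarded PLC.
QUERY_PAYLOAD = bytes.fromhex("0300001f02f080320100000004000e00000401120a100200020000030005d0")
SETUP_PAYLOAD = bytes.fromhex("0300001902f08032010000662100080000f0000001000101e0")
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "sport": 40001, "dst": GUARDED_PLC_IP, "dport": 102, "payload": QUERY_PAYLOAD},
    {"src": "203.0.113.7", "sport": 40002, "dst": "192.168.2.9", "dport": 102, "payload": QUERY_PAYLOAD},
    {"src": "192.168.2.8", "sport": 57638, "dst": GUARDED_PLC_IP, "dport": 102, "payload": SETUP_PAYLOAD},
]

if __name__ == "__main__":
    for rec in scan(RULE, SAMPLE_PACKETS):
        print(rec)
```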
In the following, a safety protection device provided by an embodiment of the present application is described, and a safety protection device described below and a safety protection method described above may be referred to each other.
Referring to fig. 6, an embodiment of the present application discloses a safety protection device applied to safety protection equipment, including:
the query module 601 is used for querying the access authority of each PLC in the industrial network;
an obtaining module 602, configured to obtain, in real time, communication data received by any PLC controller if an access right of the PLC controller is lower than a preset condition;
the detecting module 603 is configured to detect whether attack data exists in the communication data by using a preset security protection rule;
and a protection module 604, configured to make the PLC controller not respond to the communication data if attack data exists, and to record the identification information of the PLC controller, the communication data and the attack behavior.
In one embodiment, the query module is specifically configured to:
and inquiring the access authority of each PLC in the industrial network by using a preset script.
In one embodiment, the query module is specifically configured to:
sending a query message to each PLC controller through the s7comm protocol by using a preset script;
and receiving response messages fed back by each PLC by using a preset script, and analyzing the response messages to obtain the access authority of each PLC.
In a specific embodiment, the device further comprises:
a display module for visually displaying the access right of each PLC controller.
In one embodiment, the access rights are full rights, read rights, minimum rights, or no upload allowed.
In a specific embodiment, the device further comprises:
a prompting module for prompting the user to modify the access right of a PLC controller if its access right is lower than the preset condition.
In a specific embodiment, the detection module is specifically configured to:
extracting operation behavior data from the communication data; if the operation behavior data is matched with the attack characteristics preset in the safety protection rule, determining that attack data exists in the communication data; otherwise, determining that the attack data does not exist in the communication data.
For more specific working processes of each module and unit in this embodiment, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not described here again.
Therefore, the embodiment provides a safety protection device, which can detect abnormal flow in time, intercept and record related abnormal information, and ensure the safety of equipment and an industrial network.
In the following, safety protection equipment provided in an embodiment of the present application is introduced; the safety protection equipment described below and the safety protection method and device described above may be referred to each other.
Referring to FIG. 7, an embodiment of the present application discloses safety protection equipment, including:
a memory 701 for storing a computer program;
a processor 702 for executing the computer program to implement the method disclosed in any of the embodiments above.
A readable storage medium provided by the embodiments of the present application is described below, and a readable storage medium described below and a security protection method, apparatus, and device described above may be referred to each other.
A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security protection method disclosed in the foregoing embodiments. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
References in this application to "first," "second," "third," "fourth," etc., if any, are intended to distinguish between similar elements and not necessarily to describe a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, or apparatus.
It should be noted that the descriptions in this application referring to "first", "second", etc. are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with each other, but only insofar as a person skilled in the art can realize the combination; where the technical solutions contradict each other or cannot be realized together, such a combination is deemed not to exist and falls outside the protection scope of the present application.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A safety protection method is characterized by being applied to safety protection equipment and comprising the following steps:
inquiring the access authority of each PLC in the industrial network;
if the access right of any PLC is lower than a preset condition, communication data received by the PLC are acquired in real time;
detecting whether attack data exist in the communication data by using a preset safety protection rule;
and if so, enabling the PLC controller not to respond to the communication data, and recording the identification information of the PLC controller, the communication data and the attack behavior.
2. The method of claim 1, wherein querying access rights of each PLC controller in the industrial network comprises:
and inquiring the access authority of each PLC in the industrial network by using a preset script.
3. The method of claim 2, wherein the querying access rights of each PLC controller in the industrial network using the preset script comprises:
sending a query message to each PLC controller through the s7_comm protocol by using a preset script;
and receiving response messages fed back by each PLC by using a preset script, and analyzing the response messages to obtain the access authority of each PLC.
4. The method of claim 1, wherein after querying access rights of each PLC controller in the industrial network, the method further comprises:
and visually displaying the access authority of each PLC.
5. The method of claim 4, wherein the access rights are full rights, read rights, minimum rights, or no upload allowed.
6. The method of any one of claims 1-5, further comprising:
and if the access right of any PLC is lower than the preset condition, prompting a user to modify the access right of the PLC.
7. The method according to any one of claims 1 to 5, wherein the detecting whether attack data exists in the communication data by using a preset security protection rule comprises:
extracting operational behavior data from the communication data;
if the operation behavior data is matched with attack characteristics preset in the safety protection rule, determining that the attack data exists in the communication data; otherwise, determining that the attack data does not exist in the communication data.
8. A safety protection device, characterized in that it is applied to safety protection equipment and comprises:
the query module is used for querying the access authority of each PLC in the industrial network;
the acquisition module is used for acquiring communication data received by any PLC in real time if the access authority of the PLC is lower than a preset condition;
the detection module is used for detecting whether attack data exist in the communication data by using a preset safety protection rule;
and the protection module is used for, if attack data exist in the communication data, enabling the PLC not to respond to the communication data, and recording the identification information of the PLC, the communication data and the attack behavior.
9. A safety protection device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the method of any one of claims 1 to 7.
10. A readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the method of any one of claims 1 to 7.
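The following is an added worked example, not code from the patent or from the applicant, that models the procedure of claims 1 to 7 end to end: rank each PLC's access right against a preset condition, acquire only the traffic of PLCs that fall below it, extract the operation behaviour from each message, match it against preset attack characteristics, and when a match is found make the PLC not respond while recording its identification information, the communication data and the attack behaviour. The ranking of the four access rights from claim 5, the preset condition, the attack-characteristic labels and the message format are all assumptions made for the example; a real deployment would obtain the access rights from the s7_comm query of claim 3 and decode the actual frames.

```python
"""Added example: PLC safety protection flow modelled on claims 1-7.

Names, message formats, the access-right ranking and the thresholds are
assumptions for illustration, not the patent's own implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access rights from claim 5, ranked from weakest to strongest protection.
# The ranking and the preset condition are assumptions for this example.
ACCESS_RANK = {
    "full rights": 0,
    "read rights": 1,
    "minimum rights": 2,
    "no upload allowed": 3,
}
PRESET_CONDITION = "minimum rights"  # PLCs ranked below this are monitored

# Preset safety protection rule: operation behaviours regarded as attack
# characteristics. Constructed labels, not real protocol function codes.
ATTACK_CHARACTERISTICS = {"stop_cpu", "download_block", "delete_block"}


@dataclass
class AttackRecord:
    """What is recorded when attack data is found (claim 1)."""
    plc_id: str
    communication_data: dict
    attack_behavior: str


@dataclass
class SafetyProtector:
    # plc_id -> access right, as obtained by the query step (claims 2-3)
    access_rights: Dict[str, str]
    records: List[AttackRecord] = field(default_factory=list)

    def needs_monitoring(self, plc_id: str) -> bool:
        """True if the PLC's access right is lower than the preset condition."""
        right = self.access_rights.get(plc_id)
        if right is None:
            return False  # unknown PLC: nothing to compare against
        return ACCESS_RANK[right] < ACCESS_RANK[PRESET_CONDITION]

    def monitored_plcs(self) -> List[str]:
        """PLCs whose traffic is acquired in real time; this is also the
        list a user would be prompted to fix (claim 6)."""
        return sorted(p for p in self.access_rights if self.needs_monitoring(p))

    @staticmethod
    def extract_operation(message: dict) -> Optional[str]:
        """Extract the operation behaviour data from a message (claim 7).
        Messages are constructed dicts; a real parser would decode the frame."""
        return message.get("operation")

    def attack_behavior(self, message: dict) -> Optional[str]:
        """Match the operation against the preset attack characteristics."""
        op = self.extract_operation(message)
        if op is not None and op in ATTACK_CHARACTERISTICS:
            return op
        return None

    def handle(self, message: dict) -> str:
        """Decide what happens to one message addressed to a PLC.

        Returns "not_inspected" (PLC not monitored), "forward" (no attack
        data) or "drop" (attack data found: the PLC does not respond and a
        record of PLC id, message and behaviour is kept).
        """
        plc_id = message.get("dst", "")
        if not self.needs_monitoring(plc_id):
            return "not_inspected"
        behavior = self.attack_behavior(message)
        if behavior is None:
            return "forward"
        self.records.append(AttackRecord(plc_id, dict(message), behavior))
        return "drop"


# Constructed inventory and traffic for a stand-alone run.
SAMPLE_RIGHTS = {
    "plc-01": "full rights",
    "plc-02": "read rights",
    "plc-03": "no upload allowed",
}
SAMPLE_MESSAGES = [
    {"src": "10.0.0.5", "dst": "plc-01", "operation": "read_var", "address": "DB1.DBW0"},
    {"src": "10.0.0.9", "dst": "plc-01", "operation": "stop_cpu"},
    {"src": "10.0.0.9", "dst": "plc-03", "operation": "download_block", "block": "OB1"},
    {"src": "10.0.0.7", "dst": "plc-02", "operation": "download_block", "block": "OB1"},
]


def run_sample() -> List[str]:
    """Apply the protector to the sample traffic; one verdict per message."""
    protector = SafetyProtector(dict(SAMPLE_RIGHTS))
    return [protector.handle(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    p = SafetyProtector(dict(SAMPLE_RIGHTS))
    print("monitored PLCs:", p.monitored_plcs())
    for m in SAMPLE_MESSAGES:
        print(p.handle(m), m)
    for r in p.records:
        print("recorded:", r.plc_id, r.attack_behavior, r.communication_data)
```

Note that the third message is not inspected at all: its target PLC already meets the preset condition, so under claim 1 its traffic is never acquired. That is the trade-off the claims make, and it is why claim 6's prompt to raise the access right of weakly protected PLCs matters as much as the signature match.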

Priority Applications (1)

Application Number: CN202111554963.2A (CN114282236A)
Priority Date: 2021-12-17
Filing Date: 2021-12-17
Title: Safety protection method, device, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number: CN202111554963.2A (CN114282236A)
Priority Date: 2021-12-17
Filing Date: 2021-12-17
Title: Safety protection method, device, equipment and readable storage medium

Publications (1)

Publication Number: CN114282236A
Publication Date: 2022-04-05

Family

Family ID: 80872964

Family Applications (1)

Application Number: CN202111554963.2A (CN114282236A)
Title: Safety protection method, device, equipment and readable storage medium
Priority Date: 2021-12-17
Filing Date: 2021-12-17
Status: Pending

Country Status (1)

Country: CN
Link: CN114282236A (en)

Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination