CN114598413B - Security distributed control system supporting time-sensitive network function - Google Patents

Security distributed control system supporting time-sensitive network function Download PDF

Info

Publication number
CN114598413B
CN114598413B CN202210087624.6A CN202210087624A CN114598413B CN 114598413 B CN114598413 B CN 114598413B CN 202210087624 A CN202210087624 A CN 202210087624A CN 114598413 B CN114598413 B CN 114598413B
Authority
CN
China
Prior art keywords
time
control module
module
sensitive
control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210087624.6A
Other languages
Chinese (zh)
Other versions
CN114598413A (en
Inventor
巴静
王文海
李新玲
徐斌
马聪威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Original Assignee
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Uwntek Automation System Co ltd, Zhejiang University ZJU filed Critical Hangzhou Uwntek Automation System Co ltd
Priority to CN202210087624.6A priority Critical patent/CN114598413B/en
Publication of CN114598413A publication Critical patent/CN114598413A/en
Application granted granted Critical
Publication of CN114598413B publication Critical patent/CN114598413B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04JMULTIPLEX COMMUNICATION
    • H04J3/00Time-division multiplex systems
    • H04J3/02Details
    • H04J3/06Synchronising arrangements
    • H04J3/0635Clock or time synchronisation in a network
    • H04J3/0638Clock or time synchronisation among nodes; Internode synchronisation
    • H04J3/0658Clock or time synchronisation among packet nodes
    • H04J3/0661Clock or time synchronisation among packet nodes using timestamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a secure distributed control system supporting time-sensitive network functions, which comprises: the distributed control module is positioned at the bottom layer of the safety distributed control system and is used for collecting industrial field state data and receiving field control data; the centralized control module is positioned at the top layer of the safety distributed control system and is used for receiving the industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation; the time sensitive network exchange control module group is connected with the distributed control module and the centralized control module and is used for synchronizing the time information of all modules, so that the distributed control module and the centralized control module work under a unified time reference, and each network port gate control table is set and executed according to a flow scheduling algorithm, so that the field control message sent by the centralized control module reaches each bottom control module at the same moment after passing through each stage of time sensitive exchange control module.

Description

Security distributed control system supporting time-sensitive network function
Technical Field
The present application relates to the field of industrial control network communications technologies, and in particular, to a secure distributed control system supporting a time-sensitive network function.
Background
A distributed control system is a specially designed control system for controlling complex, large and geographically distributed applications in an industrial process. The current distribution is that the communication mode of the control system is mainly divided into a field bus, a traditional industrial Ethernet and a standard Ethernet. The field bus has high arrangement cost and low bandwidth, and the large-scale application is limited. The traditional industrial Ethernet protocols are of various types, most of which require special hardware support and special integrated circuits, are mutually incompatible, and cannot support the development of future industrial networks. Standard ethernet is a best effort based transmission mechanism, and in a complex network environment, transmission delay and jitter are not controllable, and cannot be applied to a distributed control scenario with high cooperative and deterministic transmission requirements.
The distributed control system is also a complex physical information system, and faces information security and functional security threats, so that an attacker can invade the physical space by attacking the information space. At present, the industrial control field usually adopts technologies such as a firewall and a security gateway, the former technologies are usually realized on a fixed protocol system, so that the loopholes existing in the protocol system cannot be solved, the protection has boundary property, the expansion of the boundary means larger performance consumption, in addition, the abnormality cannot be distinguished from the traffic, and the traffic attack is easy to occur. The latter technology represented by industrial security gateway can only support the security isolation of specific industrial protocol, has no generality, and is difficult to realize IOT fusion.
Disclosure of Invention
The embodiment of the application aims to provide a safe distributed control system supporting a time-sensitive network function, which can greatly improve the dynamic cooperative control precision between distributed controllers and the safety reliability of data transmission, and simultaneously solve the problem that the current non-time-sensitive network controller cannot be accessed, and improve the expandability of the system.
According to a first aspect of embodiments of the present application, there is provided a secure distributed control system supporting time-sensitive network functions, comprising:
the distributed control module is positioned at the bottom layer of the safety distributed control system and is used for collecting industrial field state data and receiving field control data;
the centralized control module is positioned at the top layer of the safety distributed control system and is used for receiving the industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation;
the time sensitive network exchange control module group is connected with the distributed control module and the centralized control module and is used for synchronizing the time information of all modules, so that the distributed control module and the centralized control module work under a unified time reference, and each network port gate control table is set and executed according to a flow scheduling algorithm, so that the field control data sent by the centralized control module reaches each bottom control module at the same moment after passing through each level of time sensitive exchange control module.
Further, the distributed control module is a trusted control module or an untrusted control module, and the trusted control module or the untrusted control module is equally divided into a time-sensitive network control module and a non-time-sensitive network control module;
the time-sensitive network control module directly performs time synchronization with the time-sensitive network exchange control module;
the non-time-sensitive network control module needs to be time-synchronized with the time-sensitive network exchange control module through the time-synchronizing conversion module, and the time-synchronizing conversion module of the non-time-sensitive network control module is connected with the time-synchronizing module in the time-sensitive network exchange control module.
Further, the time synchronization conversion module comprises a time request module, an error calculation comparison module, a system time maintenance module and a time correction module; the time request module periodically sends a time request message to the time synchronization module, the time synchronization module sends a time response message containing synchronous time information to the error calculation comparison module after receiving the request message, the error calculation comparison module carries out error calculation and jitter filtering on the received synchronous time information and the system time in the system time maintenance module, the error calculation comparison module sends the error calculation and jitter filtering to the time correction module, the time correction module calculates a time correction value and sends the time correction value to the system time maintenance module, and the system time maintenance module completes system time updating according to the time correction value so as to ensure that the distributed control module and the time sensitive network exchange control module work under the same time reference, thereby realizing end-to-end deterministic communication and control.
Further, the time-sensitive exchange control module group is further configured to:
monitoring and filtering the flow of the non-trusted control module at the data link layer, and only receiving the flow of which the specific field of the message is matched and the frame length, the arrival time, the rate and the burst byte number meet preset requirements;
and changing the priority in the Vlan-Tag field in the data message for mapping to a flow scheduling gating table in the system.
Further, the time-sensitive exchange control module group comprises a plurality of time-sensitive exchange control modules, and the time-sensitive exchange control modules are in topological connection.
Further, the time-sensitive switching control module includes:
the centralized control module network interface or the uplink cascade network interface is used for exchanging data with a directly connected centralized control module or other time-sensitive exchange control modules with smaller stages, wherein the stages are the sum of the numbers of the time-sensitive exchange control modules contained on the paths of the current time-sensitive exchange module and the centralized control module;
the trusted control module network interface or the downlink cascade network interface is used for exchanging data with a directly connected trusted control module or other time-sensitive exchange control modules with smaller stages from the trusted control module, wherein the stages are the sum of the numbers of the time-sensitive exchange control modules contained on the paths of the current time-sensitive exchange module and the trusted control module;
the network interface of the non-trusted control module is used for exchanging data with the directly connected non-trusted control module;
the data exchange module is used for data exchange among all network interfaces of the time sensitive exchange control module;
the time synchronization module is used for performing time synchronization on all modules in the time sensitive exchange control module group by adopting a synchronization mechanism based on a hardware time stamp, and simultaneously sending nanosecond time information to a non-time sensitive network control module of the access system by a sending request mechanism;
the safety monitoring and filtering module is used for carrying out real-time data flow identity filtering, data frame size filtering, expected schedule filtering, data flow priority conversion, flow speed and data frame burst size monitoring and filtering on the flow, and then entering the data exchange module; if the flow comes from the non-trusted control module, the flow firstly passes through the safety monitoring and filtering module and then enters the data exchange module, otherwise, the flow directly enters the data exchange module;
and the dynamic cooperative control module is used for setting and executing each network port gate control table according to the flow scheduling algorithm.
Further, the network port gating table is based on a 3bit priority code in an 802.1Q Vlan tag, and has a numerical range of 0-7, and represents 8 priority queues respectively.
The technical scheme provided by the embodiment of the application can comprise the following beneficial effects:
according to the embodiment, the time-sensitive network with real-time performance and certainty is adopted, so that the problems that the field bus technology is high in arrangement cost, low in bandwidth, limited in large-scale application, not compatible with the traditional industrial Ethernet protocol, uncontrollable in standard Ethernet delay and jitter and the like are solved, and therefore large-scale networking data transmission with high bandwidth, low jitter and protocol universality can be achieved.
The invention adopts the flow scheduling algorithm of dynamic cooperative control, can eliminate the uncertain delay caused by best effort data flow to the key flows such as field state data, field control data and the like in the distributed control system, so that the centralized controller can acquire the field control message in real time in a preset period and find the field information data message dynamically at a preset moment, thereby realizing the accurate cooperative control among the distributed control modules.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a block diagram illustrating a secure distributed control system supporting time-sensitive network functions, according to an exemplary embodiment.
Fig. 2 is a functional block diagram of a time-sensitive network switching control module, according to an exemplary embodiment.
FIG. 3 is a block diagram illustrating a distributed control system networking based on a time sensitive network, according to an exemplary embodiment.
FIG. 4 is a flowchart illustrating a security monitoring module operation according to an exemplary embodiment.
Fig. 5 is a functional block diagram of a time synchronization interface sub-module of a non-time sensitive network control module, according to an example embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
Referring to fig. 1, an embodiment of the present invention provides a secure distributed control system supporting a time-sensitive network function, including: the system comprises a distributed control module, a centralized control module and a time-sensitive network switching control module group.
The distributed control module is positioned at the bottom layer of the safety distributed control system and is used for collecting industrial field state data and receiving field control data.
Specifically, the distributed control module is a trusted control module or an untrusted control module, and for example, the untrusted control module may be a control module of a third party. The trusted control module or the untrusted control module is equally divided into a time sensitive network control module and a non-time sensitive network control module; the time-sensitive network control module directly performs time synchronization with the time-sensitive network exchange control module; the non-time-sensitive network control module needs to be time-synchronized with the time-sensitive network exchange control module through the time-synchronizing conversion module, and the time-synchronizing conversion module of the non-time-sensitive network control module is connected with the time-synchronizing module in the time-sensitive network exchange control module.
In the embodiment of the invention, the non-time-sensitive network control module can also be accessed into the system through the time synchronization interface submodule to realize high-precision time synchronization with all devices in the system, thereby achieving end-to-end deterministic communication, and enabling the distributed control modules to cooperatively complete microsecond-level time precision control tasks under a uniform time reference. Therefore, the secure distributed control system supporting the time-sensitive network function can be compatible with TSN (time-sensitive network) terminal equipment and non-TSN terminal equipment at the same time, and has expandability.
Further, as shown in fig. 5, the time synchronization conversion module includes a time request module, an error calculation comparison module, a system time maintenance module and a time correction module; the time request module periodically sends a time request message to the time synchronization module, the time synchronization module sends a time response message containing synchronous time information to the error calculation comparison module after receiving the request message, the error calculation comparison module carries out error calculation and jitter filtering on the received synchronous time information and the system time in the system time maintenance module, the error calculation comparison module sends the error calculation and jitter filtering to the time correction module, the time correction module calculates a time correction value and sends the time correction value to the system time maintenance module, and the system time maintenance module completes system time updating according to the time correction value so as to ensure that the distributed control module and the time sensitive network exchange control module work under the same time reference, thereby realizing end-to-end deterministic communication and control.
The centralized control module is positioned at the top layer of the safety distributed control system and is used for receiving the industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation; for example, industrial field status data is received during odd cycles and field control data is sent during even cycles.
The time-sensitive network switching control module group is connected with the distributed control modules and the centralized control module and is used for synchronizing the time information of all modules so that the modules work under a unified time reference, and setting and executing each network port gate control table according to a flow scheduling algorithm to ensure that the field control data sent by the centralized control module reaches each bottom control module at the same moment after passing through each stage of time-sensitive switching control modules.
Further, in order to access the untrusted control modules to the secure distributed control system without reducing the security of the system, the time sensitive switching control module group is further configured to:
monitoring and filtering the flow of the non-trusted control module at the data link layer, and only receiving the flow of which the specific field of the message is matched and the frame length, the arrival time, the rate and the burst byte number meet preset requirements; the priority in the Vlan-Tag field in the data message is changed for mapping to the traffic scheduling gating table inside the system to implement more accurate traffic scheduling.
Specifically, the time-sensitive exchange control module group includes a plurality of time-sensitive exchange control modules, and each time-sensitive exchange control module can be connected in any topology.
Specifically, the time-sensitive switching control module includes: the functional block diagram of the centralized control module network interface or the uplink cascade network interface, the trusted control module network interface or the downlink cascade network interface, the untrusted control module network interface, the data exchange module, the time synchronization module, the safety monitoring and filtering module and the dynamic cooperative control module is shown in the following figure 2.
The centralized control module network interface or the uplink cascade network interface is used for exchanging data with a directly connected centralized control module or other time-sensitive exchange control modules with smaller series of distance centralized control modules, wherein the series is the sum of the numbers of the time-sensitive exchange control modules contained on the paths of the current time-sensitive exchange module and the centralized control module; the centralized controller module sends a field control message to the trusted and untrusted control modules through the interface.
The trusted control module network interface or the downlink cascade network interface is used for exchanging data with a directly connected trusted control module or other time-sensitive exchange control modules with smaller series of the trusted control module, wherein the series is the sum of the numbers of the time-sensitive exchange control modules contained on the paths of the current time-sensitive exchange module and the trusted control module; the trusted control module sends a field state message to the centralized control module through the interface.
The network interface of the non-trusted control module is used for exchanging data with the directly connected non-trusted control module; the untrusted control module sends a field state message to the centralized control module through the interface.
The data exchange module is used for data exchange among all network interfaces of the time sensitive exchange control module; and receiving the field control message and the field state message according to a network switching protocol, and forwarding the field control message and the field state message to a designated network interface.
The time synchronization module is used for performing time synchronization on all modules in the time sensitive exchange control module group by adopting a synchronization mechanism based on a hardware time stamp, and simultaneously sending nanosecond time information to a non-time sensitive network control module of an access system by a sending request mechanism, and the time synchronization module maintains system time information of the time sensitive exchange module and simultaneously provides a time reference for the dynamic cooperative control module and all network ports; all equipment nodes in the distributed control system can realize high-precision time synchronization, work cooperatively under a unified time reference, and meanwhile, a common non-time-sensitive controller can be rapidly integrated into a large-scale networked time-sensitive network control system, so that the system has time-sensitive characteristics, and the applicability and compatibility of the system are improved.
The safety monitoring and filtering module is used for carrying out real-time data flow identity filtering, data frame size filtering, expected schedule filtering, data flow priority conversion, flow speed and data frame burst size monitoring and filtering on the flow, and then entering the data exchange module; if the flow comes from the non-trusted control module, the flow firstly passes through the safety monitoring and filtering module and then enters the data exchange module, otherwise, the flow directly enters the data exchange module; the module monitors and filters external traffic from multiple dimensions such as data identity, arrival time, sending rate, burst size, single frame size and the like, intercepts traffic which does not accord with the expected setting of the system at the data link layer, and greatly improves the safety and reliability of data transmission in the system.
The workflow of the safety monitoring filter module is shown in fig. 4 below. The data flow identity filtering is to classify and filter the message according to the key field in the message, so that the traffic category meeting the system requirement only enters the system, and the key field of the traffic identification includes but is not limited to destination MAC, source MAC, VLAN ID, source IP, destination IP, DSCP port number, source port number, destination port number and the like. Data frame size filtering is to filter data frames by setting a maximum data frame size that is allowed to pass through the control system. Expected schedule filtering further filters data outside of the expectation from the time dimension by configuring the gating queue to receive the data at the expected data transmission period and phase. The priority conversion sets internal priority for the data after access gating by rewriting the priority in the Vlan-Tag field in the data message, and is used for mapping to the flow scheduling gating table in the system to implement accurate flow scheduling. The flow rate and the burst size of the data frame are monitored and filtered, the token bucket algorithm is used for limiting the flow and the burst size of the data packet, and the system paralysis caused by external flow attack can be effectively prevented.
The dynamic cooperative control module is used for setting and executing each network port gate control table according to the flow scheduling algorithm. Under the unified time reference provided by the time synchronization module, the dynamic cooperative control module configures gating tables of all network ports in the time sensitive network switching control module group through a flow scheduling algorithm, and all nodes in the system transmit specific data in a determined time based on a unified scheduling strategy, so that uncertain jitter caused by non-time sensitive flow and time sensitive flow in a best effort transmission mode is effectively avoided, field state messages collected by all bottom layer control modules can be sent to the centralized control module in real time in a state data reporting period for unified control operation, and meanwhile, the field control messages dynamically sent by the centralized control module can accurately reach all bottom layer control modules at the same time in a control data issuing period, and high-precision distributed cooperative control is realized.
The network port gating table is based on a 3bit priority code in an 802.1Q Vlan tag, and the numerical range is 0-7, and respectively represents 8 priority queues. Mapping non-time sensitive traffic to a queue 0, namely assigning 0 to a Vlan tag priority field of a message, mapping the field state message and the field control message to queues A and B respectively, wherein 0< A, B < = 7, and opening gating switches of different queues at different time periods by a network port according to a gating table distributed by a traffic scheduling algorithm to ensure accurate arrival time of the traffic.
The data transmission period of the safety distributed control system supporting the time sensitive network function can be divided into a state reporting period and a control issuing period. The distributed control module starts to transmit the field state message at the starting time of the state reporting period, and the centralized control module transmits the field control message at the starting time of the control issuing period.
The field state message is industrial field state data collected by each distributed control module. The on-site state message and other non-time sensitive traffic sent to the centralized control module enter the time sensitive network switching control module from the trusted or untrusted control module network interface or the downlink cascade network interface, if the traffic comes from the untrusted control module, the traffic firstly passes through the safety monitoring filter module and then enters the data switching module, otherwise, the traffic directly enters the data switching module. The data exchange module transmits the flow to a designated network port, and the network port outputs the flow from the centralized control module network interface or transmits the flow to the centralized control module network interface through an uplink cascade network interface and outputs the flow in a state reporting period according to a gating table distributed by a flow scheduling algorithm, so as to uniformly control operation.
The field control message is field control data which is sent to each distributed control module after operation processing according to the collected field state information and other related information by the centralized control module. The field control message and other flow to the distributed controller enter the data exchange module from the centralized control module network interface or the uplink cascade network interface. The data exchange module transmits the flow to a designated network port, and the network port outputs the flow from the distributed control module network interface or transmits the flow to the distributed control module network interface through a downlink cascade network interface and outputs the flow in a fixed time unit for controlling the issuing period according to a gating table distributed by the flow scheduling algorithm. The on-site control message issued by the centralized control module can accurately reach each bottom control module at the same time, and high-precision distributed cooperative control is realized.
The flow scheduling algorithm calculates the total scheduling period, the scheduling time and the scheduling duration of the time sensitive flow and the non-time sensitive flow according to the network topology characteristics, the time sensitive network switching control module characteristics and the flow characteristics, and comprises the following steps:
1) Calculating the number n of time units for transmitting time sensitive data streams (i.e. industrial field state data) in the state reporting time period in the total scheduling period through the network topology characteristics state-st The network topology features are the series array h [ N ] of each distributed control module distance centralized control module]Wherein the time unit is the minimum time unit t of the time sensitive network switching control module for carrying out flow scheduling u . Configuring the number of time units for transmitting the field state message as n state-st ,n state-st The calculation steps of (1) are as follows
1-1, calculating the maximum number of stages of the distributed control module from the centralized control module, wherein N is the number of the distributed control modules, and the number of stages of any distributed control module i from the centralized control module is expressed as h i I is E N, according to h i The distributed control modules are ordered into an array h [ N ] by the numerical value of the distributed control modules]={h 1 …h N },h i ∈h[N]And optionally h i >=h i-1 The maximum number of system stages is h N
1-2, performing the j-th calculation, first calculating j=1, n state-st =h 1 After the following 1-2-1-2-3 are sequentially executed, judging whether j is equal to N, if not, executing 1-2-3 again, and if equal, N state-st The final value of (2) is the current calculated value, and jump to step 2);
1-2-1、n state-st =n state-st +1;
1-2-2、n state-st =Max(n state-st ,h j+1 +1), wherein Max is the larger value of the comma on both sides in brackets;
1-2-3、j=j+1。
2) Calculating the time unit t according to the characteristics of the time sensitive network switching control module and the flow characteristics u ,t u =t maxsdu =t send +t propagate +t process ,t maxsdu The time required to transmit a maximum packet is the value ofThe sum of processing delay, data propagation delay and data transmission delay of the time-sensitive network switching control module is calculated by the system hardware processing time length, the network line length, the maximum data packet size and the bandwidth respectively;
3) The number n of time units for transmitting the time-sensitive data stream in the status report period according to step 1) state-st Step 2) the time unit t u Calculating the state report period T by the flow proportion characteristics of time sensitive flow and non-time sensitive flow A ,T A =n state-st *(1+m A )*t u Wherein m is A Reporting period T for configuration state A The actual bandwidth ratio of non-time sensitive traffic to time sensitive traffic over a period of time;
4) Configuring gating tables of uplink network ports of all time-sensitive network switch control modules in the time-sensitive network switch control module group in fig. 1, at T A Within a period Q A /Q 0 :(0~n state-st *t u :10)/(n state-st *t- u ~T A 01), wherein Q A /Q 0 Represents the above-mentioned queue A and queue 0, (0 to n) state-st *t u 10) represents 0 to n state-st *t- u Opening the switch of the queue A at moment, closing the switch of the queue 0, (n) state-st *t u ~T A 01) represents n state-st *t u To T A At moment, closing the switch of the queue A and opening the switch of the queue 0;
5) The number of time units used for transmitting time sensitive data streams (field control data) in a control issuing time period in a total scheduling period is configured to be 1;
6) According to the number of time units used for transmitting time sensitive data stream in the control issuing time period in the step 5), the time unit t in the step 2) u Calculating the control issuing period T by the flow proportion characteristic of time sensitive flow and non-time sensitive flow B ,T B =(1+m B )*t u Wherein m is B To control the issuing period T B Actual bandwidth ratio of non-time sensitive traffic to time sensitive traffic over a period of time to h N The larger of (2);
7) The total scheduling period T is the sum of the status reporting period and the control issuing period, i.e., t=t A +T B
8) Configuring gating tables of network ports directly connected with N distributed control modules, namely trusted control module network interfaces and untrusted control module interfaces in FIG. 2, at T B Within a period Q B /Q 0 :(0~h N *t u :01)/(h N *t u ~T B :10 Where Q is B /Q 0 Represents the above-mentioned queue B and queue 0, (0-h) N *t u 01) represents 0 to h N *t u Closing a queue B switch at moment, opening a queue 0 switch, and h N *t u ~T B Represents h N *t u To T B At moment, a queue B switch is turned on, and a queue 0 switch is turned off;
9) Configuring a network port gate control table indirectly connected with N distributed control modules, namely a downlink cascade interface in fig. 2, calculating the number p of time-sensitive network exchange control modules spaced between the network port gate control table and the centralized control module, and calculating the number p of time-sensitive network exchange control modules spaced between the network port gate control table and the centralized control module at T B Within a period Q B /Q 0 :[(p+1)*t u ~(p+2)*t u :10]&[0~(p+1)*t u :01]&[(p+2)*t u ~T B :01]Wherein Q is B /Q 0 Represents the above-mentioned queue B and queue 0, [ (p+1) ×t u ~(p+2)*t u :10]Represents (p+1) t u To (p+2) t u The switch of the queue B is turned on at the moment, the switch of the queue 0 is turned off, [0 ] to (p+1) & ltt ] u :01]&[(p+2)*t u ~T B :01]Represents 0 to (p+1) t u Time of day and (p+2) t u To T B And closing the switch of the queue B at the moment, and opening the switch of the queue 0.
Table 1:
table 1 is a traffic scheduling period and a gating table of an example network topology, and the traffic scheduling period, the scheduling time of each uplink and downlink network port, and a timely long table, i.e. the gating table, are obtained according to the traffic scheduling algorithm. Wherein the mapping of the field state message to the A queue to the B queue, 1<A,B<=7, the non-time sensitive flow maps to a 0 queue, the gating queue identifier in the field state message reporting period TA is denoted as QA/Q0, and the gating queue identifier in the field control message issuing period TB is denoted as QB/Q0. According to the above-mentioned flow scheduling algorithm, sorting distributed control modules according to the hop count of distance centralized control module into h 4]= {2,3,4,5}, where the maximum hop count is h 4 The number of time unit values for transmitting the field state message is configured to be c=6, the bandwidth ratio of the non-time sensitive flow to the time sensitive flow is 1/3, and the state reporting period T is configured A In table 1, port numbers (1 to 9) -0 are the corresponding gating table configurations. The number of time units for transmitting the field control message is configured to be 1, d B =h 4 The configuration control issuing period TB is 6u, i.e. the network interfaces of the distributed control modules 4,5, 8, and 9 in table 1 are the corresponding gating table configurations, the port numbers (4-7) -1 in table 1 are the corresponding gating table configurations, the network interfaces not directly connected to the 4 distributed control modules are the downlink network interfaces of the time sensitive switching control modules 1, 2,3, 8, and 9 in fig. 3, and the port numbers 1- (1-2), 2- (1-3), and 3-9) -1 in table 1 are the corresponding gating table configurations.
According to the embodiment, the time-sensitive network with real-time performance and certainty is adopted, so that the problems that the field bus technology is high in arrangement cost, low in bandwidth, limited in large-scale application, not compatible with the traditional industrial Ethernet protocol, uncontrollable in standard Ethernet delay and jitter and the like are solved, and therefore large-scale networking data transmission with high bandwidth, low jitter and protocol universality can be achieved.
The invention adopts the flow scheduling algorithm of dynamic cooperative control, can eliminate the uncertain delay caused by best effort data flow to the key flows such as field state data, field control data and the like in the distributed control system, so that the centralized controller can acquire the field control message in real time in a preset period and find the field information data message dynamically at a preset moment, thereby realizing the accurate cooperative control among the distributed control modules.
The invention adopts the safety monitoring and filtering module, can monitor and filter all data streams conforming to IEEE802.1 standard at the data link layer, the protection strategy is not based on a specific upper layer protocol, the problem that the security of the strategy is influenced by the loopholes of the protocol itself, the CPU and the memory consumption are increased along with the increase of the interception range, the interception method can only be applied to a specific industrial protocol and the like is overcome, the invention has the advantages of safety and performance compared with the firewall and other technologies, has wider applicability compared with the industrial security gateway, is especially suitable for intercepting flow attack,
the invention adopts the time synchronization conversion module, solves the problem that the non-TSN control module can not access the TSN network, and the function enables the existing common industrial controller to be rapidly integrated into a large-scale networked TSN control system, thereby realizing high-precision time synchronization and cooperatively working under the time reference. And (3) accessing the mass-produced non-time-sensitive controller product into the system, wherein the synchronization precision of the measured non-time-sensitive controller product is within 1 us.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (5)

1. A secure distributed control system supporting time-sensitive network functions, comprising:
the distributed control module is positioned at the bottom layer of the safety distributed control system and is used for collecting industrial field state data and receiving field control data;
the centralized control module is positioned at the top layer of the safety distributed control system and is used for receiving the industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation;
the time sensitive network exchange control module group is connected with the distributed control modules and the centralized control module and is used for synchronizing the time information of all modules so that the modules work under a unified time reference, and setting and executing each network port gate control table according to a flow scheduling algorithm to ensure that the field control data sent by the centralized control module reaches each bottom control module at the same moment after passing through each level of time sensitive exchange control module;
the distributed control module is a trusted control module or an untrusted control module, and the trusted control module or the untrusted control module is equally divided into a time-sensitive network control module and a non-time-sensitive network control module;
the time-sensitive network control module directly performs time synchronization with the time-sensitive network exchange control module;
the non-time-sensitive network control module is required to be time-synchronized with the time-sensitive network exchange control module through a time-synchronizing conversion module, and the time-synchronizing conversion module of the non-time-sensitive network control module is connected with the time-synchronizing module in the time-sensitive network exchange control module;
the time synchronous conversion module comprises a time request module, an error calculation comparison module, a system time maintenance module and a time correction module; the time request module periodically sends a time request message to the time synchronization module, the time synchronization module sends a time response message containing synchronous time information to the error calculation comparison module after receiving the request message, the error calculation comparison module carries out error calculation and jitter filtering on the received synchronous time information and the system time in the system time maintenance module, the error calculation comparison module sends the error calculation and jitter filtering to the time correction module, the time correction module calculates a time correction value and sends the time correction value to the system time maintenance module, and the system time maintenance module completes system time updating according to the time correction value so as to ensure that the distributed control module and the time sensitive network exchange control module work under the same time reference, thereby realizing end-to-end deterministic communication and control.
2. The secure distributed control system according to claim 1, wherein said set of time sensitive switching control modules is further configured to:
monitoring and filtering the flow of the non-trusted control module at the data link layer, and only receiving the flow of which the specific field of the message is matched and the frame length, the arrival time, the rate and the burst byte number meet preset requirements;
and changing the priority in the Vlan-Tag field in the data message for mapping to a flow scheduling gating table in the system.
3. The secure distributed control system according to claim 1, wherein said set of time sensitive switch control modules comprises a plurality of time sensitive switch control modules, each time sensitive switch control module being topologically connected.
4. The secure distributed control system according to claim 1, wherein said time sensitive switching control module comprises:
the centralized control module network interface or the uplink cascade network interface is used for exchanging data with a directly connected centralized control module or other time-sensitive exchange control modules with smaller stages, wherein the stages are the sum of the numbers of the time-sensitive exchange control modules contained on the paths of the current time-sensitive exchange module and the centralized control module;
the trusted control module network interface or the downlink cascade network interface is used for exchanging data with a directly connected trusted control module or other time-sensitive exchange control modules with smaller stages from the trusted control module, wherein the stages are the sum of the numbers of the time-sensitive exchange control modules contained on the paths of the current time-sensitive exchange module and the trusted control module;
the network interface of the non-trusted control module is used for exchanging data with the directly connected non-trusted control module;
the data exchange module is used for data exchange among all network interfaces of the time sensitive exchange control module;
the time synchronization module is used for performing time synchronization on all modules in the time sensitive exchange control module group by adopting a synchronization mechanism based on a hardware time stamp, and simultaneously sending nanosecond time information to a non-time sensitive network control module of the access system by a sending request mechanism;
the safety monitoring and filtering module is used for carrying out real-time data flow identity filtering, data frame size filtering, expected schedule filtering, data flow priority conversion, flow speed and data frame burst size monitoring and filtering on the flow, and then entering the data exchange module; if the flow comes from the non-trusted control module, the flow firstly passes through the safety monitoring and filtering module and then enters the data exchange module, otherwise, the flow directly enters the data exchange module;
and the dynamic cooperative control module is used for setting and executing each network port gate control table according to the flow scheduling algorithm.
5. The secure distributed control system according to claim 1, wherein said network port gating table is based on a 3bit priority code in an 802.1Q Vlan tag, ranging in value from 0 to 7, representing 8 priority queues, respectively.
CN202210087624.6A 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function Active CN114598413B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210087624.6A CN114598413B (en) 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210087624.6A CN114598413B (en) 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function

Publications (2)

Publication Number Publication Date
CN114598413A CN114598413A (en) 2022-06-07
CN114598413B true CN114598413B (en) 2024-04-02

Family

ID=81804292

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210087624.6A Active CN114598413B (en) 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function

Country Status (1)

Country Link
CN (1) CN114598413B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115333860B (en) * 2022-10-12 2023-02-03 北京合众方达科技有限公司 TSN network control method based on zero trust
CN116319261B (en) * 2023-05-24 2023-08-18 北京智芯微电子科技有限公司 TSN network scheduling strategy optimization method and device, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101261518A (en) * 2008-03-28 2008-09-10 华中科技大学 Distributed process control system based on wireless personal area network and industrial ethernet network
CN106855709A (en) * 2015-12-09 2017-06-16 重庆川仪自动化股份有限公司 A kind of industrial management control system and method
CN111147176A (en) * 2019-12-04 2020-05-12 中国航空工业集团公司洛阳电光设备研究所 High-precision time synchronization system based on IEEE1588 protocol
CN111314228A (en) * 2020-05-11 2020-06-19 之江实验室 PLC control system supporting time-sensitive network function
WO2020136487A2 (en) * 2018-12-26 2020-07-02 Abb Schweiz Ag A tsn enabled controller
CN111600754A (en) * 2020-05-11 2020-08-28 重庆邮电大学 Industrial heterogeneous network scheduling method for interconnection of TSN (transmission time network) and non-TSN (non-Transmission time network)
CN112511462A (en) * 2020-12-17 2021-03-16 上海交通大学 Software-defined industrial heterogeneous time-sensitive network system and resource scheduling method
KR20210044683A (en) * 2019-10-15 2021-04-23 한양대학교 에리카산학협력단 Central network cofigurator, and time-sensitive networking control system including the same
CN112769514A (en) * 2020-12-22 2021-05-07 国家电网有限公司 Time-sensitive based communication device

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101261518A (en) * 2008-03-28 2008-09-10 华中科技大学 Distributed process control system based on wireless personal area network and industrial ethernet network
CN106855709A (en) * 2015-12-09 2017-06-16 重庆川仪自动化股份有限公司 A kind of industrial management control system and method
WO2020136487A2 (en) * 2018-12-26 2020-07-02 Abb Schweiz Ag A tsn enabled controller
KR20210044683A (en) * 2019-10-15 2021-04-23 한양대학교 에리카산학협력단 Central network cofigurator, and time-sensitive networking control system including the same
CN111147176A (en) * 2019-12-04 2020-05-12 中国航空工业集团公司洛阳电光设备研究所 High-precision time synchronization system based on IEEE1588 protocol
CN111314228A (en) * 2020-05-11 2020-06-19 之江实验室 PLC control system supporting time-sensitive network function
CN111600754A (en) * 2020-05-11 2020-08-28 重庆邮电大学 Industrial heterogeneous network scheduling method for interconnection of TSN (transmission time network) and non-TSN (non-Transmission time network)
CN112511462A (en) * 2020-12-17 2021-03-16 上海交通大学 Software-defined industrial heterogeneous time-sensitive network system and resource scheduling method
CN112769514A (en) * 2020-12-22 2021-05-07 国家电网有限公司 Time-sensitive based communication device

Also Published As

Publication number Publication date
CN114598413A (en) 2022-06-07

Similar Documents

Publication Publication Date Title
Nasrallah et al. Ultra-low latency (ULL) networks: The IEEE TSN and IETF DetNet standards and related 5G ULL research
CN112105080B (en) Time-sensitive network data transmission system and transmission method
CN114598413B (en) Security distributed control system supporting time-sensitive network function
Molina et al. Software-defined networking in cyber-physical systems: A survey
EP1491006B1 (en) Method and apparatus for ethernet prioritized device clock synchronization
Pahlevan et al. Evaluation of time-triggered traffic in time-sensitive networks using the opnet simulation framework
EP3903454B1 (en) A tsn enabled controller
EP1650908A2 (en) Internal load balancing in a data switch using distributed network process
US11316654B2 (en) Communication device and method for operating a communication system for transmitting time critical data
CN111294291B (en) Protocol message processing method and device
TW201018136A (en) Network connection apparatus, and communication network and method applying the same
CN105100142A (en) Transmission control method and device of software defined network (SDN) protocol message
CN105471907A (en) Openflow based virtual firewall transmission control method and system
US20160294628A1 (en) Virtual Bandwidth Management Deployment Architectures
Nasrallah et al. Ultra-low latency (ULL) networks: A comprehensive survey covering the IEEE TSN standard and related ULL research
CN106341296A (en) Method of avoiding data message collision in communication network within transformer substation
US20230090803A1 (en) Network Infrastructure Device, Communication Terminal and Method for Synchronizing Control Applications via a Communication Network for Transferring Time-Critical Data
Jasperneite et al. How to guarantee realtime behavior using Ethernet
Wang et al. Time-sensitive networking for industrial automation: Challenges, opportunities, and directions
CN101355585A (en) System and method for protecting information of distributed architecture data communication equipment
Fischer et al. Security considerations for ieee 802.1 time-sensitive networking in converged industrial networks
CN112039746A (en) Industrial control network system
CN114884811B (en) Method for realizing centralized user configuration of time sensitive network
US11522762B2 (en) Coordination device and method for providing control applications via a communication network for transmitting time-critical data
Nsaibi Timing Performance Analysis of the Deterministic Ethernet Enhancements Time-Sensitive Networking (TSN) for Use in the Industrial Communication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant