CN115150143A - Industrial control equipment network access authentication method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115150143A
Authority
CN
China
Legal status
Granted
Application number
CN202210730676.0A
Other languages
Chinese (zh)
Other versions
CN115150143B (en)
Inventor
祁国成
孙铁良
闫峰
孙艳国
吕峰
刘芸
姜念琛
毛炳强
陈泓君
王雪斌
Current Assignee
China Oil and Gas Pipeline Network Corp
Original Assignee
China Oil and Gas Pipeline Network Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The invention discloses a method, a system, a device and a storage medium for network access authentication of industrial control equipment. The method comprises authenticating and registering each legitimate industrial control device that is allowed to access the network: the value of the self-defined object ID-0x80 is taken as an identity key credential for authentication and registration; registration information is generated by constructing the correspondence between each legitimate industrial control device and its identity key credential, and the registration information is stored in a preset storage device. Authenticating an industrial control device that is to access the network comprises: obtaining the Modbus protocol response of the industrial control device to be networked; and taking the value of the self-defined object ID-0x80 in the response as an identity key credential, and generating an authentication result for the device to be networked through a preset rule according to the correspondence in the preset storage device. The invention can realize secure network access authentication of PLCs, RTUs and other equipment without installing an authentication program, thereby improving the convenience and security of authentication when dumb terminal equipment accesses a SCADA system.

Description

Industrial control equipment network access authentication method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of industrial control system security, in particular to a method, a device, equipment and a storage medium for network access authentication of industrial control equipment.
Background
With the development of long-distance oil and gas pipelines, the automation and informatization levels of oil and gas pipeline regulation have improved markedly, and pipelines are developing further toward intelligent operation. The core role of the oil and gas pipeline SCADA (supervisory control and data acquisition) system as the foundation of the pipeline regulation system is increasingly prominent, and its information security requirements are pressing.
The inventors find that the SCADA field demands high real-time performance, while at the same time the various types of dumb terminal equipment, such as PLCs and RTUs, come from a large number of different manufacturers; because dumb terminal equipment has no human-computer interaction interface, access security control cannot be achieved with the general technical approaches commonly adopted in current engineering, which are based on accounts, passwords, secret keys, certificates, 802.1X and the like.
The information disclosed in this background section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
Disclosure of Invention
The invention aims to achieve convenient and secure authentication when a dumb terminal accesses a SCADA system.
The invention provides a network access authentication method for industrial control equipment, which comprises the following steps:
authenticating and registering each legitimate industrial control device that is allowed to access the network, comprising:
determining at least one specific device characteristic of the legitimate industrial control device, and generating a device fingerprint corresponding to the legitimate industrial control device according to the value of the specific device characteristic; the value of the specific device characteristic comprises one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legitimate industrial control equipment comprises dumb terminals that can be configured with the Modbus protocol 0x2B function code;
based on the Modbus protocol 0x2B function code, taking the value of the user-defined object ID-0x80 as an identity key credential for authentication and registration; the identity key credential is generated according to the device fingerprint of the legitimate industrial control device;
generating registration information by constructing a correspondence between each legitimate industrial control device and its identity key credential, and storing the registration information in a preset storage device;
and authenticating the industrial control device to be networked, comprising:
acquiring the Modbus protocol response of the industrial control device to be networked;
and taking the value of the user-defined object ID-0x80 in the response as an identity key credential, and generating an authentication result for the industrial control device to be networked through a preset rule according to the correspondence in the preset storage device.
Preferably, in the present invention, authenticating the industrial control device to be networked further includes:
after receiving the network access request of the industrial control device to be networked, sending a Modbus protocol read device identification code (0x2B) request.
Preferably, in the present invention, the length of the value of the custom object ID-0x80 equals the character length of the identity key credential.
Preferably, in the present invention, the dumb terminal includes:
a PLC device or an RTU.
Preferably, in the present invention, generating the device fingerprint corresponding to the dumb terminal according to the value of the specific device characteristic includes:
applying a preset algorithm to the values of the specific device characteristics, and taking the calculation result as the device fingerprint.
Preferably, in the present invention, the preset algorithm includes:
hash calculation.
In another aspect of the embodiments of the present invention, an industrial control device network access authentication apparatus is further provided, including:
a registration unit, comprising an acquisition module, a key generation module and an association module, for authenticating and registering each legitimate industrial control device that is allowed to access the network, wherein:
the acquisition module is used to determine at least one specific device characteristic of the legitimate industrial control device and to generate a device fingerprint corresponding to the legitimate industrial control device according to the value of the specific device characteristic; the value of the specific device characteristic comprises one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legitimate industrial control equipment comprises dumb terminals that can be configured with the Modbus protocol 0x2B function code;
the key generation module is used to take the value of the user-defined object ID-0x80 as an identity key credential for authentication and registration based on the Modbus protocol 0x2B function code; the identity key credential is generated according to the device fingerprint of the legitimate industrial control device;
the association module is used to generate registration information by constructing a correspondence between each legitimate industrial control device and its identity key credential, and to store the registration information in a preset storage device;
an authentication unit, comprising an instruction module and a matching module, for authenticating the industrial control device to be networked, wherein:
the response acquisition module is used to acquire the Modbus protocol response of the industrial control device to be networked;
and the matching module is used to take the value of the user-defined object ID-0x80 in the response as an identity key credential and to generate an authentication result for the industrial control device to be networked through a preset rule according to the correspondence in the preset storage device.
Preferably, in the present invention, the authentication unit further includes:
a request feedback module, used to send a Modbus protocol read device identification code (0x2B) request after receiving the network access request of the industrial control device to be networked.
In another aspect of the embodiments of the present invention, an industrial control device networking authentication device is further provided, including:
a memory for storing a computer program;
and a processor for calling and executing the computer program to implement the steps of the industrial control equipment network access authentication method described above.
In another aspect of the embodiments of the present invention, a storage medium is further provided, on which a computer program is stored; when the computer program is executed by a processor, the steps of the network access authentication method for industrial control equipment described in any one of the above aspects are implemented.
The industrial control equipment network access authentication device comprises a computer program stored on a medium; the computer program comprises program instructions which, when executed by a computer, cause the computer to execute the method of the above aspects and achieve the same technical effects.
Compared with the prior art, the invention has the following beneficial effects:
a device fingerprint is generated according to the values of the specific device characteristics of a legitimate industrial control device, and the device fingerprint is taken as the identity key credential for authentication and registration; then the value of the user-defined object ID-0x80 is set to the value of the identity key credential through the Modbus protocol 0x2B function code; then the correspondence between each legitimate industrial control device and its identity key credential is established so as to authenticate and register each legitimate device, and the corresponding registration information (which comprises the correspondence) is stored; therefore, when an industrial control device connects to the SCADA system through network access, it can be authenticated by acquiring the value of the user-defined object ID-0x80 (namely the identity key credential) from the Modbus protocol response of the industrial control device to be networked.
Therefore, the method can satisfy the network access authentication of various dumb terminal equipment such as PLCs and RTUs; according to the invention, secure network access authentication of PLCs, RTUs and other equipment can be realized without installing an authentication program, so that the convenience and security of authentication when dumb terminal equipment accesses a SCADA system are improved.
The foregoing description is only an overview of the technical solutions of the present invention. In order that the technical means of the present invention may be more clearly understood and implemented in accordance with the content of the description, and that the above and other objects, technical features and advantages of the present invention may be more comprehensible, one or more preferred embodiments are listed and described in detail below with reference to the accompanying drawings.
Drawings
In order to illustrate the technical solution of the present invention more clearly, the drawings required for the embodiments are briefly introduced below. It is evident that the drawings described below show only some embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a diagram of the steps of the network access authentication method for industrial control equipment according to the present invention;
FIG. 2 is a schematic structural diagram of the network access authentication apparatus for industrial control equipment according to the present invention;
FIG. 3 is a schematic structural diagram of the network access authentication device for industrial control equipment according to the present invention.
Detailed Description
The following detailed description of the present invention is provided in conjunction with the accompanying drawings, but it should be understood that the scope of the present invention is not limited to the specific embodiments.
Throughout the specification and claims, unless explicitly stated otherwise, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element or component but not the exclusion of any other element or component.
In this document, the terms "first", "second", etc. are used to distinguish two different elements or portions, and are not used to define a particular position or relative relationship. In other words, the terms "first," "second," etc. may also be interchanged with one another in some embodiments.
Example one
In order to achieve convenient and secure authentication when a dumb terminal accesses a SCADA system, as shown in FIG. 1, an embodiment of the present invention provides a network access authentication method for industrial control equipment, including:
The network access authentication method for industrial control equipment in the embodiment of the invention is divided into two stages overall, an authentication registration stage and a network access authentication stage. The authentication registration of each legitimate industrial control device that is allowed to access the network comprises the following steps:
S11, determining at least one specific device characteristic of the legitimate industrial control device, and generating a device fingerprint corresponding to the legitimate industrial control device according to the value of the specific device characteristic; the value of the specific device characteristic comprises one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legitimate industrial control equipment comprises dumb terminals that can be configured with the Modbus protocol 0x2B function code;
In the network access authentication method for industrial control equipment in the embodiment of the invention, the executing entity may be an authentication agent that is communicatively connected to both the SCADA system and each industrial control device (such as a dumb terminal device).
In the authentication registration stage, each industrial control device that needs to access the network and connect to the SCADA system is authenticated and registered. The industrial control equipment in the embodiment of the invention mainly refers to dumb terminal equipment that has no human-computer interaction interface and cannot have an authentication program installed, such as PLC devices or RTUs (remote terminal units); in practical applications, the method also applies to terminal devices that do have a human-computer interaction interface and can have an authentication program installed, as long as the industrial control device communicates based on the Modbus protocol and the Modbus protocol 0x2B function code can be configured.
In the embodiment of the present invention, certain specific device characteristic attributes of these industrial control devices are used as parameters for generating device fingerprints; for example, the device characteristic attributes may be the device name, device model, device number, manufacturer, protocol port number, MAC address, IP address, IMEI number and the like. In practical applications, device information such as the manufacturer name (VendorName), product code (ProductCode), software version number, product name and model name can be used as specific device characteristics; communication identifiers such as the MAC address, IP address and IMEI number can further be combined with them as specific device characteristics, and the device fingerprint is generated from them by a fingerprint algorithm.
Specifically, the device fingerprint may be produced by arranging the values of the device characteristic attributes in a set order to generate a result value; further, in order to improve the security of the authentication, when the device fingerprint is generated in the embodiment of the present invention, the value of each specific device characteristic may be used as input to a specific preset algorithm, and the calculation result taken as the device fingerprint. In practical applications, the preset algorithm may include a hash calculation, the result of which is used as the concrete value of the device fingerprint.
S12, based on the Modbus protocol 0x2B function code, taking the value of the user-defined object ID-0x80 as an identity key credential for authentication and registration; the identity key credential is generated according to the device fingerprint of the legitimate industrial control device;
In the embodiment of the invention, the identity key credential for authentication and registration is generated according to the device fingerprint of the industrial control device; in practical applications, the identity key credential needs to be stored as the value of the custom object ID-0x80.
S13, generating registration information by constructing a correspondence between each legitimate industrial control device and its identity key credential, and storing the registration information in a preset storage device;
After the identity key credential of the legitimate industrial control device has been generated, the registration information of the device can be generated by establishing the correspondence between the identity key credential and the legitimate industrial control device. In practice, the registration information may be stored in a storage device accessible to the authentication agent (i.e., the preset storage device).
After the authentication registration of the legitimate industrial control devices has been completed, when an industrial control device connects to the SCADA system through network access, security authentication must be performed on that device (i.e., the network access authentication stage is entered) to determine whether it is a legitimate industrial control device, which specifically includes:
S14, obtaining the Modbus protocol response of the industrial control device to be networked;
In the embodiment of the invention, the authentication can be realized in an active detection mode: when performing security authentication on the industrial control device to be networked, the authentication agent may first send an authentication message to the device; the authentication message is used to obtain the Modbus protocol response of the industrial control device to be networked, and the value of the user-defined object ID-0x80 in the response is the identity key credential.
S15, taking the value of the user-defined object ID-0x80 in the response as an identity key credential, and generating an authentication result for the industrial control device to be networked through a preset rule according to the correspondence in the preset storage device.
In the embodiment of the invention, the value of the self-defined object ID-0x80 included in the response message is the identity key credential; therefore, the authentication agent can generate an authentication result by matching and other preset rules, according to the identity key credential and the registration information in the preset storage device, so as to determine whether the industrial control device is legitimate.
In practical applications, the specific authentication process may be:
based on the network communication messages, discovering that an industrial control device has accessed the network, and judging from the communication port and message characteristics that it is Modbus communication; encapsulating a Modbus protocol message with function code 0x2B, sending it to the industrial control device accessing the network, and receiving the corresponding feedback message (response message); then parsing the identity key credential from the feedback message and, when performing device identity authentication, retrieving from the storage device by a related algorithm based on the identity key credential: if the retrieval succeeds, device authentication succeeds, and if the retrieval fails, device authentication fails.
Further, in the embodiment of the present invention, before authenticating the dumb terminal, a step of identifying the terminal may additionally be included to determine whether the type of the terminal to be authenticated belongs to the dumb terminal class, after which the authentication method in the embodiment of the present invention is applied to terminal devices that are dumb terminals.
In summary, in the embodiments of the present invention, a device fingerprint is generated according to the values of the specific device characteristics of a legitimate industrial control device, and the device fingerprint is used as the identity key credential for authentication registration; then the value of the user-defined object ID-0x80 is set to the value of the identity key credential through the Modbus protocol 0x2B function code; then the correspondence between each legitimate industrial control device and its identity key credential is established so as to authenticate and register each legitimate device, and the corresponding registration information (which comprises the correspondence) is stored; in this way, when an industrial control device connects to the SCADA system through network access, it can be authenticated by acquiring the value of the custom object ID-0x80 (namely the identity key credential) from the Modbus protocol response of the industrial control device to be networked.
Therefore, the embodiment of the invention can satisfy the network access authentication of various dumb terminal equipment such as PLCs and RTUs; according to the embodiment of the invention, secure network access authentication of PLCs, RTUs and other equipment can be realized without installing an authentication program, so that the convenience and security of authentication when dumb terminal equipment accesses a SCADA system are improved.
Example two
Corresponding to the method embodiment, on the other side of the embodiment of the present invention, an industrial control device network access authentication apparatus is further provided, and fig. 2 shows a schematic structural diagram of the industrial control device network access authentication apparatus provided in the embodiment of the present invention, where the industrial control device network access authentication apparatus is an apparatus corresponding to the industrial control device network access authentication method in the embodiment corresponding to fig. 1, that is, the industrial control device network access authentication method in the embodiment corresponding to fig. 1 is implemented by using a virtual apparatus, and each virtual module constituting the industrial control device network access authentication apparatus may be executed by an electronic device, such as a network device, a terminal device, or a server. Specifically, the network access authentication device of the industrial control equipment in the embodiment of the present invention serves as an authentication agent, and specifically includes:
the registration unit 01, which includes an acquisition module 11, a key generation module 12 and an association module 13, and is configured to perform authentication registration for each legal industrial control device that is allowed to access the network, where:
the acquisition module 11 is configured to determine at least one specific device feature of the legal industrial control device and to generate a device fingerprint corresponding to the legal industrial control device from the value of that specific device feature; the value of the specific device feature includes one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device includes a dumb terminal that can be configured with the Modbus protocol 02B function code;
the key generation module 12 is configured to use the value of the custom object ID 0x80, based on the Modbus protocol 02B function code, as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
the association module 13 is configured to generate registration information by establishing a correspondence between each legal industrial control device and its identity key credential, and to store the registration information in a preset storage device;
the authentication unit 02, which includes an instruction module 21 and a matching module 22, and is configured to authenticate the to-be-networked industrial control device, where:
the response obtaining module 21 is configured to obtain the Modbus protocol response of the to-be-networked industrial control device;
and the matching module 22 is configured to use the value of the custom object ID 0x80 in the response as the identity key credential, and to generate the authentication result of the to-be-networked industrial control device according to the correspondence in the preset storage device and a preset rule.
Preferably, in this embodiment of the present invention, the authentication unit 02 further includes:
a request feedback module (not shown in the figure), configured to send a Modbus protocol read device identification code (0x2B) request after receiving the network access request of the to-be-networked industrial control device.
It should be noted that, for the specific implementation and technical effects of the network access authentication apparatus for industrial control equipment in the embodiment of the present invention, reference may be made to the network access authentication method for industrial control equipment corresponding to fig. 1, which is not repeated here.
Example III
Corresponding to the method embodiment, the embodiment of the invention also provides an industrial control equipment network access authentication device, such as a terminal or a server. The server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, cloud database, cloud computing, cloud functions, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN, and big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer or a desktop computer.
An exemplary hardware block diagram of the industrial control device network access authentication device provided in the embodiment of the present application is shown in fig. 3, and may include:
a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
wherein the processor 1, the communication interface 2 and the memory 3 communicate with each other through the communication bus 4;
optionally, the communication interface 2 may be an interface of a communication module, such as an interface of a GSM module;
the processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application;
the memory 3 may include high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The processor 1 is specifically configured to execute the computer program stored in the memory 3 so as to perform the following steps:
performing authentication registration for each legal industrial control device that is allowed to access the network, which includes:
determining at least one specific device feature of the legal industrial control device, and generating a device fingerprint corresponding to the legal industrial control device from the value of that specific device feature; the value of the specific device feature includes one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device includes a dumb terminal that can be configured with the Modbus protocol 02B function code;
based on the Modbus protocol 02B function code, using the value of the custom object ID 0x80 as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
generating registration information by constructing a correspondence between each legal industrial control device and its identity key credential, and storing the registration information in a preset storage device;
and authenticating the to-be-networked industrial control device, which includes:
obtaining the Modbus protocol response of the to-be-networked industrial control device;
and taking the value of the custom object ID 0x80 in the response as the identity key credential, and generating the authentication result of the to-be-networked industrial control device through a preset rule according to the correspondence in the preset storage device.
Preferably, in the embodiment of the present invention, authenticating the to-be-networked industrial control device further includes:
after receiving the network access request of the to-be-networked industrial control device, sending a Modbus protocol read device identification code (0x2B) request.
The product can execute the method provided in the embodiment of the invention and has the corresponding functional modules and beneficial effects. For technical details not described in this embodiment, reference may be made to the industrial control device network access authentication method provided in the embodiment of the present invention.
Example IV
In an embodiment of the present invention, a storage medium is also provided, storing a program adapted to be executed by a processor, the program being configured to perform the following steps:
performing authentication registration for each legal industrial control device that is allowed to access the network, which includes:
determining at least one specific device feature of the legal industrial control device, and generating a device fingerprint corresponding to the legal industrial control device from the value of that specific device feature; the value of the specific device feature includes one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device includes a dumb terminal that can be configured with the Modbus protocol 02B function code;
based on the Modbus protocol 02B function code, using the value of the custom object ID 0x80 as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
generating registration information by constructing a correspondence between each legal industrial control device and its identity key credential, and storing the registration information in a preset storage device;
and authenticating the to-be-networked industrial control device, which includes:
obtaining the Modbus protocol response of the to-be-networked industrial control device;
and taking the value of the custom object ID 0x80 in the response as the identity key credential, and generating the authentication result of the to-be-networked industrial control device through a preset rule according to the correspondence in the preset storage device.
Preferably, in the embodiment of the present invention, authenticating the to-be-networked industrial control device further includes:
after receiving the network access request of the to-be-networked industrial control device, sending a Modbus protocol read device identification code (0x2B) request.
Optionally, the detailed and extended functions of the program may be as described above.
The product can execute the method provided in the embodiment of the invention and has the corresponding functional modules and beneficial effects. For technical details not described in this embodiment, reference may be made to the methods provided in the other embodiments of the present invention.
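The registration and authentication flow of Examples II to IV, as an added worked example in Python (this is not code from the patent or its assignee): the agent hashes the device feature values into a fingerprint, derives the identity key credential from it, stores the device-to-credential correspondence, then reads custom object 0x80 with a Modbus Read Device Identification (0x2B) request and matches the returned value against the registry. Assumptions not in the page: SHA-256 as the "hash calculation", HMAC with an agent-held secret as the derivation of the credential from the fingerprint, constant-time equality as the "preset rule", and constructed Modbus/TCP frames and feature values.

```python
import hashlib
import hmac
import struct

# Modbus constants used by the embodiments: function 0x2B (Read Device Identification)
# with MEI type 0x0E; object 0x80 is the custom object that carries the credential.
FC_READ_DEVICE_ID = 0x2B
MEI_TYPE = 0x0E
READ_SPECIFIC_OBJECT = 0x04
CREDENTIAL_OBJECT_ID = 0x80

def device_fingerprint(features: dict) -> bytes:
    """Registration step 1: hash the specific device feature values (name, model,
    number, manufacturer, port, MAC, IP, IMEI). SHA-256 over a canonical key=value
    encoding is this example's assumption; the page only says 'hash calculation'."""
    canonical = "\x1f".join(f"{k}={features[k]}" for k in sorted(features))
    return hashlib.sha256(canonical.encode()).digest()

def identity_credential(fingerprint: bytes, agent_secret: bytes) -> bytes:
    """Registration step 2: derive the identity key credential from the fingerprint.
    Assumption: HMAC with an agent-held secret, so knowing the (largely public)
    feature values alone does not let anyone compute a valid credential.
    The 32-byte digest fits the one-byte object length field of function 0x2B."""
    return hmac.new(agent_secret, fingerprint, hashlib.sha256).digest()

def register(registry: dict, name: str, features: dict, agent_secret: bytes) -> bytes:
    """Registration step 3: record the device <-> credential correspondence."""
    cred = identity_credential(device_fingerprint(features), agent_secret)
    registry[cred] = name
    return cred

def build_read_device_id_request(tid: int, unit: int) -> bytes:
    """Request the agent sends after a network-access request: read object 0x80."""
    pdu = bytes([FC_READ_DEVICE_ID, MEI_TYPE, READ_SPECIFIC_OBJECT, CREDENTIAL_OBJECT_ID])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu  # MBAP header + PDU

def build_read_device_id_response(tid: int, unit: int, objects: dict) -> bytes:
    """Response of a dumb terminal (PLC/RTU) carrying the given identification objects."""
    # conformity level 0x83, more-follows 0, next object id 0, then the object count
    body = bytearray([FC_READ_DEVICE_ID, MEI_TYPE, READ_SPECIFIC_OBJECT, 0x83, 0, 0, len(objects)])
    for oid, value in objects.items():
        body += bytes([oid, len(value)]) + value
    return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + bytes(body)

def parse_device_id_objects(frame: bytes) -> dict:
    """Parse a Modbus/TCP Read Device Identification response into {object id: value}.
    Rejects exception responses (function 0xAB), other MEI types and truncated objects."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("bad MBAP header")
    if pdu[0] != FC_READ_DEVICE_ID or pdu[1] != MEI_TYPE:
        raise ValueError("not a Read Device Identification response")
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, ln = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated object value")
        objects[oid] = bytes(value)
        pos += 2 + ln
    return objects

def authenticate(frame: bytes, registry: dict) -> tuple:
    """Authentication: treat object 0x80 in the response as the presented credential
    and match it against the registration information. The 'preset rule' here is
    exact, constant-time equality; anything else is refused."""
    try:
        objects = parse_device_id_objects(frame)
    except ValueError as exc:
        return False, f"malformed response: {exc}"
    presented = objects.get(CREDENTIAL_OBJECT_ID)
    if presented is None:
        return False, "object 0x80 absent: device not registered"
    for cred, name in registry.items():
        if hmac.compare_digest(cred, presented):
            return True, name
    return False, "credential not in registry"
```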
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
It should be understood that the technical problems can be solved by combining the features of the embodiments recited in the claims.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An industrial control equipment network access authentication method, characterized by comprising the following steps:
performing authentication registration for each legal industrial control device that is allowed to access the network, which includes:
determining at least one specific device feature of the legal industrial control device, and generating a device fingerprint corresponding to the legal industrial control device from the value of that specific device feature; the value of the specific device feature includes one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device includes a dumb terminal that can be configured with the Modbus protocol 02B function code;
based on the Modbus protocol 02B function code, using the value of the custom object ID 0x80 as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
generating registration information by constructing a correspondence between each legal industrial control device and its identity key credential, and storing the registration information in a preset storage device;
and authenticating the to-be-networked industrial control device, which includes:
obtaining the Modbus protocol response of the to-be-networked industrial control device;
and taking the value of the custom object ID 0x80 in the response as the identity key credential, and generating the authentication result of the to-be-networked industrial control device through a preset rule according to the correspondence in the preset storage device.
2. The industrial control equipment network access authentication method according to claim 1, wherein authenticating the to-be-networked industrial control device further comprises:
after receiving the network access request of the to-be-networked industrial control device, sending a Modbus protocol read device identification code (0x2B) request.
3. The industrial control equipment network access authentication method according to claim 1 or 2, wherein the length of the value of the custom object ID 0x80 is the character length of the identity key credential information.
4. The industrial control equipment network access authentication method according to claim 1 or 2, wherein the dumb terminal comprises:
a PLC device or an RTU.
5. The industrial control equipment network access authentication method according to claim 1 or 2, wherein generating the device fingerprint corresponding to the dumb terminal from the value of the specific device feature comprises:
applying a preset algorithm to the values of the specific device features and taking the calculation result as the device fingerprint.
6. The industrial control equipment network access authentication method according to claim 5, wherein the preset algorithm comprises:
hash calculation.
7. An industrial control equipment network access authentication apparatus, characterized by comprising:
a registration unit, which comprises an acquisition module, a key generation module and an association module, and is configured to perform authentication registration for each legal industrial control device that is allowed to access the network, wherein:
the acquisition module is configured to determine at least one specific device feature of the legal industrial control device and to generate a device fingerprint corresponding to the legal industrial control device from the value of that specific device feature; the value of the specific device feature includes one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device includes a dumb terminal that can be configured with the Modbus protocol 02B function code;
the key generation module is configured to use the value of the custom object ID 0x80, based on the Modbus protocol 02B function code, as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
the association module is configured to generate registration information by constructing a correspondence between each legal industrial control device and its identity key credential, and to store the registration information in a preset storage device;
an authentication unit, which comprises an instruction module and a matching module and is configured to authenticate the to-be-networked industrial control device, wherein:
the response acquisition module is configured to obtain the Modbus protocol response of the to-be-networked industrial control device;
and the matching module is configured to generate the authentication result of the to-be-networked industrial control device through a preset rule according to the correspondence in the preset storage device, taking the value of the custom object ID 0x80 in the response as the identity key credential.
8. The industrial control equipment network access authentication apparatus according to claim 7, wherein the authentication unit further comprises:
a request feedback module, configured to send a Modbus protocol read device identification code (0x2B) request after receiving the network access request of the to-be-networked industrial control device.
9. An industrial control equipment network access authentication device, characterized by comprising:
a memory for storing a computer program;
a processor, configured to invoke and execute the computer program to implement the steps of the industrial control equipment network access authentication method according to any one of claims 1 to 6.
10. A storage medium, characterized by comprising a software program, wherein the software program is adapted to be executed by a processor to perform the steps of the industrial control equipment network access authentication method according to any one of claims 1 to 6.
CN202210730676.0A 2022-06-24 2022-06-24 Network access authentication method, device, equipment and storage medium for industrial control equipment Active CN115150143B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210730676.0A CN115150143B (en) 2022-06-24 2022-06-24 Network access authentication method, device, equipment and storage medium for industrial control equipment

Publications (2)

Publication Number Publication Date
CN115150143A true CN115150143A (en) 2022-10-04
CN115150143B CN115150143B (en) 2024-03-12

Family

ID=83407998

Country Status (1)

Country Link
CN (1) CN115150143B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115755847A (en) * 2022-11-18 2023-03-07 北京卓识网安技术股份有限公司 Industrial control system grade protection evaluation method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant