CN115150143B - Network access authentication method, device, equipment and storage medium for industrial control equipment - Google Patents


Info

Publication number: CN115150143B
Application number: CN202210730676.0A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115150143A
Prior art keywords: industrial control, equipment, authentication, control equipment, network access
Inventors: 祁国成, 孙铁良, 闫峰, 孙艳国, 吕峰, 刘芸, 姜念琛, 毛炳强, 陈泓君, 王雪斌
Current assignee: China Oil and Gas Pipeline Network Corp
Original assignee: China Oil and Gas Pipeline Network Corp
Application filed by: China Oil and Gas Pipeline Network Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The invention discloses a network access authentication method, system, device and storage medium for industrial control equipment. The method comprises: performing authentication registration for each legitimate industrial control device permitted to access the network, which includes taking the value of the custom object ID 0x80 as the identity key credential for registration, constructing the correspondence between each legitimate device and its identity key credential to form registration information, and storing that registration information in a preset storage device; and authenticating an industrial control device that is about to access the network, which includes acquiring the device's Modbus protocol response, taking the value of custom object ID 0x80 in that response as the identity key credential, and generating an authentication result for the device by applying a preset rule to the correspondence held in the preset storage device. The invention achieves secure network access authentication of devices such as PLCs and RTUs without installing an authentication program on them, improving both the convenience and the security of authentication when dumb terminal devices are connected to a SCADA system.

Description

Network access authentication method, device, equipment and storage medium for industrial control equipment
Technical Field
The invention relates to the technical field of industrial control system security, in particular to a network access authentication method, a network access authentication device, network access authentication equipment and a network access authentication storage medium for industrial control equipment.
Background
With the development of long-distance oil and gas pipelines, the automation and informatization of pipeline regulation have improved markedly and continue to move toward intelligent operation. The SCADA (supervisory control and data acquisition) system plays an increasingly central role in the pipeline regulation system, and its information security requirements are correspondingly urgent.
The inventors find that SCADA systems have high real-time requirements and, at the same time, contain many types of dumb terminal equipment, such as PLCs and RTUs, from a large number of different manufacturers; because such dumb terminals have no human-machine interface, access security cannot be controlled with the general techniques used in current engineering practice, which are based on accounts, passwords, keys, certificates, 802.1X and the like.
The information disclosed in this background section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person of ordinary skill in the art.
Disclosure of Invention
The invention aims to achieve convenient and secure authentication when a dumb terminal accesses a SCADA system.
The invention provides a network access authentication method for industrial control equipment, comprising the following steps:
performing authentication registration for each legitimate industrial control device permitted to access the network, which includes:
determining at least one specific device characteristic of the legitimate industrial control device and generating a device fingerprint for it from the values of those characteristics; the specific device characteristics comprise one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legitimate industrial control equipment includes dumb terminals on which the Modbus protocol function code 0x2B can be configured;
based on the Modbus function code 0x2B, taking the value of the custom object ID 0x80 as the identity key credential for authentication registration, where the identity key credential is generated from the device fingerprint of the legitimate device;
generating registration information by constructing the correspondence between each legitimate device and its identity key credential, and storing the registration information in a preset storage device;
authenticating an industrial control device that is about to access the network, which includes:
acquiring a Modbus protocol response from the device to be authenticated;
taking the value of custom object ID 0x80 in that response as the identity key credential, and generating an authentication result for the device by applying a preset rule to the correspondence held in the preset storage device.
Preferably, in the present invention, authenticating the industrial control device to be accessed further includes:
after receiving the network access request from that device, sending a Modbus protocol request to read the device identification (function code 0x2B).
Preferably, in the present invention, the length of the value of custom object ID 0x80 equals the character length of the identity key credential.
Preferably, in the present invention, the dumb terminal includes:
PLC devices or RTUs.
Preferably, in the present invention, generating the device fingerprint for the dumb terminal from the values of the specific device characteristics includes:
computing over the values of the specific device characteristics with a preset algorithm and taking the result of that computation as the device fingerprint.
Preferably, in the present invention, the preset algorithm includes:
a hash computation.
In another aspect of the embodiment of the present invention, there is also provided an apparatus for network access authentication of industrial control equipment, comprising:
a registration unit, comprising an acquisition module, a key generation module and an association module, for performing authentication registration on each legitimate industrial control device permitted to access the network, wherein:
the acquisition module determines at least one specific device characteristic of the legitimate industrial control device and generates a device fingerprint for it from the values of those characteristics; the specific device characteristics comprise one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legitimate industrial control equipment includes dumb terminals on which the Modbus protocol function code 0x2B can be configured;
the key generation module, based on the Modbus function code 0x2B, takes the value of the custom object ID 0x80 as the identity key credential for authentication registration, where the identity key credential is generated from the device fingerprint of the legitimate device;
the association module generates registration information by constructing the correspondence between each legitimate device and its identity key credential, and stores the registration information in a preset storage device;
an authentication unit, comprising an instruction module and a matching module, for authenticating the industrial control device that is about to access the network, wherein:
the instruction module acquires a Modbus protocol response from the device to be authenticated;
the matching module takes the value of custom object ID 0x80 in that response as the identity key credential and generates an authentication result for the device by applying a preset rule to the correspondence held in the preset storage device.
Preferably, in the present invention, the authentication unit further includes:
a request feedback module, which sends a Modbus protocol request to read the device identification (function code 0x2B) after receiving the network access request from the device to be authenticated.
In another aspect of the embodiment of the present invention, there is also provided an industrial control device network access authentication device, including:
a memory for storing a computer program;
and the processor is used for calling and executing the computer program to realize the steps of the network access authentication method of the industrial control equipment.
In another aspect of the embodiments of the present invention, there is further provided a storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the network access authentication method of an industrial control device as set forth in any one of the above.
The industrial control equipment network access authentication equipment comprises a computer program stored on a medium, wherein the computer program comprises program instructions which, when executed by a computer, cause the computer to execute the method described in the above aspects and achieve the same technical effects.
Compared with the prior art, the invention has the following beneficial effects:
the invention generates a device fingerprint from the values of specific device characteristics of a legitimate industrial control device and uses it as the identity key credential for authentication registration; it then sets the value of the custom object ID 0x80, under Modbus function code 0x2B, to that identity key credential; it then registers each legitimate device by establishing the correspondence between that device and its identity key credential and storing the corresponding registration information (which contains the correspondence); as a result, when an industrial control device connects to the SCADA system over the network, it can be authenticated by reading the value of custom object ID 0x80 (that is, the identity key credential) from its Modbus protocol response.
The invention therefore supports network access authentication for many types of PLC, RTU and other dumb terminal equipment; it achieves secure network access authentication of such devices without installing an authentication program on them, improving both the convenience and the security of authentication when dumb terminal devices are connected to a SCADA system.
The foregoing description is only an overview of the present invention, and it is to be understood that it is intended to provide a more clear understanding of the technical means of the present invention and to enable the technical means to be carried out in accordance with the contents of the specification, while at the same time providing a more complete understanding of the above and other objects, features and advantages of the present invention, and one or more preferred embodiments thereof are set forth below, together with the detailed description given below, along with the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are needed for the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a step diagram of the industrial control equipment network access authentication method of the invention;
FIG. 2 is a schematic structural diagram of the industrial control equipment network access authentication apparatus of the invention;
FIG. 3 is a schematic structural diagram of the industrial control equipment network access authentication device of the invention.
Detailed Description
The following detailed description of embodiments of the invention is, therefore, to be taken in conjunction with the accompanying drawings, and it is to be understood that the scope of the invention is not limited to the specific embodiments.
Throughout the specification and claims, unless explicitly stated otherwise, the term "comprise" or variations thereof such as "comprises" or "comprising", etc. will be understood to include the stated element or component without excluding other elements or other components.
The terms "first," "second," and the like herein are used for distinguishing between two different elements or regions and are not intended to limit a particular position or relative relationship. In other words, in some embodiments, the terms "first," "second," etc. may also be interchanged with one another.
Example 1
To achieve convenient and secure authentication when a dumb terminal accesses a SCADA system, as shown in FIG. 1, an embodiment of the present invention provides an industrial control equipment network access authentication method comprising the following steps.
In this embodiment the method is divided into two stages, an authentication registration stage and a network access authentication stage. Authentication registration is performed for each legitimate industrial control device permitted to access the network and comprises the following steps:
S11, determining at least one specific device characteristic of the legitimate industrial control device and generating a device fingerprint for it from the values of those characteristics; the specific device characteristics comprise one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legitimate industrial control equipment includes dumb terminals on which the Modbus protocol function code 0x2B can be configured;
The executing entity of the method may be an authentication agent, which is communicatively connected both to the SCADA system and to each industrial control device (such as a dumb terminal).
In the authentication registration stage, every industrial control device that will later connect to the SCADA system is registered. The industrial control equipment in this embodiment mainly refers to dumb terminals that have no human-machine interface and cannot install an authentication program, such as PLC (programmable logic controller) devices or RTUs (remote terminal units). In practice, even a terminal that does have a human-machine interface and could install an authentication program may be configured with Modbus function code 0x2B, so long as it communicates over the Modbus protocol.
In this embodiment, certain characteristic attributes of the industrial control device serve as parameters for generating the device fingerprint; for example, device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number may be used. In practice, device information such as vendor name (VendorName), product code (ProductCode), software version number, product name and model name can be used as specific device characteristics, and communication identifiers such as the MAC address, IP address and IMEI number can be combined with them as further characteristics from which the fingerprint algorithm derives the device fingerprint.
Specifically, the device fingerprint may be formed by arranging the values of the device's characteristic attributes in a set order to produce a result value. To further improve the security of authentication, the values of the specific device characteristics may instead be used as the input to a specific preset algorithm and the result of that computation taken as the device fingerprint. In practice, the preset algorithm may include a hash computation, whose output is used as the value of the device fingerprint.
S12, based on Modbus function code 0x2B, taking the value of custom object ID 0x80 as the identity key credential for authentication registration, where the identity key credential is generated from the device fingerprint of the legitimate device;
In this embodiment the identity key credential for authentication registration is generated from the device fingerprint of the industrial control device; in practice, the credential must be stored on the device as the value of custom object ID 0x80.
S13, generating registration information by constructing the correspondence between each legitimate device and its identity key credential, and storing the registration information in a preset storage device;
Once the identity key credential of a legitimate device has been generated, its registration information is produced by establishing the correspondence between the credential and the device. In practice, the registration information may be stored in a storage device (the preset storage device) that is accessible to the authentication agent.
After the legitimate devices have been registered, whenever an industrial control device connects to the SCADA system over the network, security authentication (the network access authentication stage) is performed on that device to confirm whether it is a registered legitimate device. This stage comprises the following steps:
S14, acquiring a Modbus protocol response from the industrial control device to be authenticated;
In this embodiment authentication may be performed by active probing: when a device to be authenticated is checked, the authentication agent first sends it an authentication message. This message elicits the device's Modbus protocol response, in which the value of custom object ID 0x80 is the identity key credential.
S15, taking the value of custom object ID 0x80 in the response as the identity key credential, and generating an authentication result for the device by applying a preset rule to the correspondence held in the preset storage device.
The value of custom object ID 0x80 contained in the response message is the identity key credential; the authentication agent therefore matches the credential against the registration information in the preset storage device according to the preset rule to produce the authentication result, determining whether the device is legitimate.
In practice, the specific authentication process may be:
the agent detects from network traffic that an industrial control device has joined the network and identifies Modbus communication from the communication port and message characteristics; it encapsulates a Modbus protocol message with function code 0x2B, sends it to the newly connected device and receives the corresponding feedback (response) message; it then parses the identity key credential out of the feedback message and, to authenticate the device's identity, looks the credential up in the storage device using the related algorithm. If the lookup succeeds, device authentication succeeds; if it fails, device authentication fails.
Further, before authenticating a dumb terminal, a terminal identification step may be included to determine whether the terminal being authenticated is of the dumb terminal type; the authentication method of this embodiment is then applied to terminal devices identified as dumb terminals.
In summary, the embodiment generates a device fingerprint from the values of specific device characteristics of a legitimate industrial control device and uses it as the identity key credential for authentication registration; it then sets the value of the custom object ID 0x80, under Modbus function code 0x2B, to that identity key credential; it then registers each legitimate device by establishing the correspondence between that device and its identity key credential and storing the corresponding registration information (which contains the correspondence); as a result, when an industrial control device connects to the SCADA system over the network, it can be authenticated by reading the value of custom object ID 0x80 (that is, the identity key credential) from its Modbus protocol response.
The embodiment therefore supports network access authentication for many types of PLC, RTU and other dumb terminal equipment; it achieves secure network access authentication of such devices without installing an authentication program on them, improving both the convenience and the security of authentication when dumb terminal devices are connected to a SCADA system.
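The S11 to S15 procedure above, written out as an added Python example that is not part of the patent. The fingerprint is SHA-256 over the characteristic values in a fixed key order (the hash and the canonical joining are this example's assumptions; the patent leaves the preset algorithm open), the credential is carried in the Modbus Read Device Identification private object 0x80 (function code 0x2B, MEI type 0x0E), and the agent parses the response and looks the credential up in the registration store. Only the Modbus PDU is built, without the MBAP TCP header; the device names and the dict-based store are assumptions.

```python
import hashlib

# Modbus constants used by the scheme described in the patent.
FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 0x2B
MEI_READ_DEVICE_ID = 0x0E          # MEI type: Read Device Identification
READ_DEVID_SPECIFIC_OBJECT = 0x04  # request exactly one object
CREDENTIAL_OBJECT_ID = 0x80        # first private (vendor-defined) object ID


def device_fingerprint(characteristics: dict) -> bytes:
    """S11: hash the selected device characteristics in a fixed key order.

    The patent says the fingerprint is a preset hash over the characteristic
    values arranged in a set sequence; SHA-256 and the 'key=value' joining
    below are this example's own choices (assumptions).
    """
    canonical = "|".join(f"{k}={characteristics[k]}" for k in sorted(characteristics))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def identity_credential(characteristics: dict) -> bytes:
    """S12: derive the identity key credential stored in object 0x80.

    The credential here is the first 32 hex characters of the fingerprint
    (assumption); 32 bytes fits the one-byte object-length field of a Read
    Device Identification response.
    """
    return device_fingerprint(characteristics).hex()[:32].encode("ascii")


def register(store: dict, device_name: str, characteristics: dict) -> bytes:
    """S13: record the credential -> device correspondence in the preset store."""
    cred = identity_credential(characteristics)
    store[cred] = device_name
    return cred


def build_read_credential_request() -> bytes:
    """S14 request PDU: 0x2B / 0x0E / specific object / object ID 0x80."""
    return bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                  READ_DEVID_SPECIFIC_OBJECT, CREDENTIAL_OBJECT_ID])


def build_device_response(credential: bytes) -> bytes:
    """Response PDU a registered dumb terminal would return for the request.

    Layout: fc, MEI type, ReadDevId code, conformity level (0x83: extended
    identification, stream and individual access), more-follows, next
    object id, object count, then one object: id, length, value.
    """
    return (bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                   READ_DEVID_SPECIFIC_OBJECT, 0x83, 0x00, 0x00, 1,
                   CREDENTIAL_OBJECT_ID, len(credential)]) + credential)


def parse_credential(response: bytes):
    """Extract the value of object 0x80 from a 0x2B/0x0E response, or None.

    Any structural defect (short frame, wrong function code or MEI type,
    object length overrunning the frame, object 0x80 absent) yields None so
    that the caller rejects the device instead of guessing.
    """
    if (len(response) < 7 or response[0] != FC_ENCAPSULATED_INTERFACE
            or response[1] != MEI_READ_DEVICE_ID):
        return None
    count = response[6]
    pos = 7
    for _ in range(count):
        if pos + 2 > len(response):
            return None
        obj_id, length = response[pos], response[pos + 1]
        value = response[pos + 2:pos + 2 + length]
        if len(value) != length:
            return None
        if obj_id == CREDENTIAL_OBJECT_ID:
            return value
        pos += 2 + length
    return None


def authenticate(store: dict, response: bytes):
    """S15: look the presented credential up in the registration store.

    Returns (accepted, device_name); device_name is None on rejection.
    """
    cred = parse_credential(response)
    if cred is None or cred not in store:
        return False, None
    return True, store[cred]
```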
Example two
Corresponding to the method embodiment, another aspect of the embodiment of the present invention further provides an industrial control equipment network access authentication apparatus. FIG. 2 is a schematic structural diagram of that apparatus, which corresponds to the industrial control equipment network access authentication method of the embodiment of FIG. 1; that is, the method of FIG. 1 is implemented by means of a virtual apparatus whose virtual modules may be executed by an electronic device such as a network device, a terminal device or a server. Specifically, the network access authentication apparatus of this embodiment acts as the authentication agent and comprises:
a registration unit 01, comprising an acquisition module 11, a key generation module 12 and an association module 13, for performing authentication registration on each legitimate industrial control device permitted to access the network, wherein:
the acquisition module 11 is configured to determine at least one specific device characteristic of the legitimate industrial control device and generate a device fingerprint for it from the values of those characteristics; the specific device characteristics comprise one or more of device name, device model, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legitimate industrial control equipment includes dumb terminals on which the Modbus protocol function code 0x2B can be configured;
the key generation module 12 is configured to take, based on the Modbus function code 0x2B, the value of the custom object ID 0x80 as the identity key credential for authentication registration, where the identity key credential is generated from the device fingerprint of the legitimate device;
the association module 13 is configured to generate registration information by constructing the correspondence between each legitimate device and its identity key credential, and to store the registration information in a preset storage device;
an authentication unit 02, comprising an instruction module 21 and a matching module 22, for authenticating the industrial control device that is about to access the network, wherein:
the instruction module 21 is configured to acquire a Modbus protocol response from the device to be authenticated;
the matching module 22 is configured to take the value of custom object ID 0x80 in that response as the identity key credential and to generate an authentication result for the device by applying a preset rule to the correspondence held in the preset storage device.
Preferably, in an embodiment of the present invention, the authentication unit 02 further includes:
a request feedback module (not shown in the figure), configured to send a Modbus protocol request to read the device identification (function code 0x2B) after receiving the network access request from the device to be authenticated.
It should be noted that the specific implementation and technical effect of the network access authentication apparatus of this embodiment follow those of the network access authentication method corresponding to FIG. 1 and are not repeated here.
Example III
Corresponding to the method embodiment, the embodiment of the invention also provides network access authentication equipment for the industrial control equipment, such as a terminal or a server. The server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer or a desktop computer.
A hardware block diagram of the industrial control device network access authentication equipment provided in an embodiment of the present application is shown in fig. 3, and may include:
a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
wherein the processor 1, the communication interface 2 and the memory 3 communicate with one another through the communication bus 4;
optionally, the communication interface 2 may be the interface of a communication module, such as the interface of a GSM module;
the processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The memory 3 may comprise high-speed RAM and may further comprise non-volatile memory, such as at least one disk memory.
The processor 1 is specifically configured to execute a computer program stored in the memory 3 to perform the following steps:
performing authentication registration of each legal industrial control device allowed to access the network, which comprises:
determining at least one specific device feature of the legal industrial control device, and generating the device fingerprint corresponding to that device from the value of the specific device feature; the value of the specific device feature comprises one or more of device name, device model number, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device comprises a dumb terminal on which the Modbus protocol function code 0x2B can be configured;
taking the value of the custom object ID 0x80, carried by the Modbus protocol function code 0x2B, as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
generating registration information by constructing the correspondence between each legal industrial control device and its identity key credential, and storing the registration information in a preset storage device;
authenticating the industrial control device to be admitted to the network, which comprises:
acquiring the Modbus protocol response of the industrial control device to be admitted;
taking the value of the custom object ID 0x80 in that response as the identity key credential, and generating the authentication result for the industrial control device to be admitted by a preset rule according to the correspondence held in the preset storage device.
Preferably, in the embodiment of the present invention, authenticating the industrial control device to be admitted further includes:
after receiving the network access request of the industrial control device to be admitted, sending a Modbus protocol request to read the device identification code (function code 0x2B).
This product can execute the method provided by the embodiment of the invention and has the functional modules and beneficial effects corresponding to that method. Technical details not described in this embodiment can be found in the network access authentication method for industrial control devices provided in the embodiment of the present invention.
Example IV
In an embodiment of the present invention, there is also provided a storage medium storing a program adapted to be executed by a processor, the program being configured to perform the following steps:
performing authentication registration of each legal industrial control device allowed to access the network, which comprises:
determining at least one specific device feature of the legal industrial control device, and generating the device fingerprint corresponding to that device from the value of the specific device feature; the value of the specific device feature comprises one or more of device name, device model number, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device comprises a dumb terminal on which the Modbus protocol function code 0x2B can be configured;
taking the value of the custom object ID 0x80, carried by the Modbus protocol function code 0x2B, as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
generating registration information by constructing the correspondence between each legal industrial control device and its identity key credential, and storing the registration information in a preset storage device;
authenticating the industrial control device to be admitted to the network, which comprises:
acquiring the Modbus protocol response of the industrial control device to be admitted;
taking the value of the custom object ID 0x80 in that response as the identity key credential, and generating the authentication result for the industrial control device to be admitted by a preset rule according to the correspondence held in the preset storage device.
Preferably, in the embodiment of the present invention, authenticating the industrial control device to be admitted further includes:
after receiving the network access request of the industrial control device to be admitted, sending a Modbus protocol request to read the device identification code (function code 0x2B).
Optionally, the refinements and extensions of the program are as described above.
This product can execute the method provided by the embodiment of the invention and has the functional modules and beneficial effects corresponding to that method. Technical details not described in this embodiment can be found in the methods provided in the other embodiments of the present invention.
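As an added illustration (not code from the patent or its applicant), the following Python sketch carries the registration and authentication steps of Examples II to IV end to end: the fingerprint hash over the device features, the function code 0x2B / MEI type 0x0E request for private object 0x80, a parser for the identification response, and the agent's match against the registered credentials. The frame layout follows the Modbus Read Device Identification encoding; the SHA-256 derivation, the choice of the hex fingerprint as the object 0x80 value, the admit rule and all device values are assumptions made here, since the patent fixes neither the hash nor the exact encoding.

```python
import hashlib
import hmac

FC_READ_DEVICE_ID = 0x2B     # Modbus function code 0x2B: Read Device Identification
MEI_TYPE_DEVICE_ID = 0x0E    # MEI transport type carried inside function code 0x2B
READ_SPECIFIC_OBJECT = 0x04  # Read Device ID code: request one specific object
OBJ_ID_CREDENTIAL = 0x80     # private object ID (0x80-0xFF) holding the credential


def device_fingerprint(features: dict) -> str:
    """Registration step 1 (claims 4 and 5): hash the chosen feature values.
    Keys are sorted so the fingerprint does not depend on field order."""
    material = "\n".join(f"{k}={v}" for k, v in sorted(features.items()))
    return hashlib.sha256(material.encode()).hexdigest()


def build_read_request() -> bytes:
    """Request PDU the agent sends after a network access request:
    FC 0x2B, MEI type 0x0E, read one specific object, object ID 0x80."""
    return bytes([FC_READ_DEVICE_ID, MEI_TYPE_DEVICE_ID,
                  READ_SPECIFIC_OBJECT, OBJ_ID_CREDENTIAL])


def build_read_response(objects: dict) -> bytes:
    """Response PDU of a dumb terminal configured for function code 0x2B:
    a 7-byte header followed by (object id, length, value) triples."""
    pdu = bytearray([FC_READ_DEVICE_ID, MEI_TYPE_DEVICE_ID, READ_SPECIFIC_OBJECT,
                     0x83, 0x00, 0x00, len(objects)])  # conformity, more, next id, count
    for obj_id, value in objects.items():
        if len(value) > 255:
            raise ValueError("object value does not fit the one-byte length field")
        pdu += bytes([obj_id, len(value)]) + value
    return bytes(pdu)


def parse_read_response(pdu: bytes) -> dict:
    """Agent-side parser for the 0x2B/0x0E response; returns {object id: value}
    and raises ValueError for an exception response or a truncated frame."""
    if len(pdu) >= 2 and pdu[0] == FC_READ_DEVICE_ID | 0x80:
        raise ValueError(f"modbus exception code 0x{pdu[1]:02x}")
    if len(pdu) < 7 or pdu[0] != FC_READ_DEVICE_ID or pdu[1] != MEI_TYPE_DEVICE_ID:
        raise ValueError("not a complete Read Device Identification response")
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, length = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated object value")
        objects[obj_id] = value
        pos += 2 + length
    return objects


class AuthenticationAgent:
    """Registration unit and authentication unit of the patent in one class;
    the 'preset storage device' is an in-memory dict here."""

    def __init__(self):
        self.registry = {}  # identity key credential -> device name

    def register(self, name: str, features: dict) -> bytes:
        """Registration steps 2 and 3. The patent leaves the credential derivation
        open; assumption: the 64-char hex fingerprint is the object 0x80 value."""
        cred = device_fingerprint(features).encode("ascii")
        self.registry[cred] = name
        return cred

    def authenticate(self, response_pdu: bytes) -> tuple:
        """Preset rule (assumption): admit only if object 0x80 equals a registered
        credential; compare_digest keeps timing independent of the bytes compared."""
        try:
            objects = parse_read_response(response_pdu)
        except ValueError as err:
            return False, f"malformed response: {err}"
        presented = objects.get(OBJ_ID_CREDENTIAL)
        if presented is None:
            return False, "no identity credential object (0x80) in response"
        for cred, name in self.registry.items():
            if hmac.compare_digest(presented, cred):
                return True, name
        return False, "credential not registered"
```

A malformed or exception response, a response without object 0x80, and an unregistered credential all yield a deny result with a reason string, so the agent can log why a device was refused.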
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other manners. For example, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection via some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
It should be understood that in the embodiments of the present application, the claims, the various embodiments, and the features may be combined with each other, so as to solve the foregoing technical problems.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A network access authentication method for industrial control equipment, characterized by comprising the following steps:
performing authentication registration of each legal industrial control device allowed to access the network, which comprises:
determining at least one specific device feature of the legal industrial control device, and generating the device fingerprint corresponding to that device from the value of the specific device feature; the value of the specific device feature comprises one or more of device name, device model number, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device comprises a dumb terminal on which the Modbus protocol function code 0x2B can be configured;
taking the value of the custom object ID 0x80, carried by the Modbus protocol function code 0x2B, as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
generating registration information by constructing the correspondence between each legal industrial control device and its identity key credential, and storing the registration information in a preset storage device;
authenticating the industrial control device to be admitted to the network, which comprises:
acquiring the Modbus protocol response of the industrial control device to be admitted;
taking the value of the custom object ID 0x80 in that response as the identity key credential, and generating the authentication result for the industrial control device to be admitted by a preset rule according to the correspondence held in the preset storage device;
wherein authenticating the industrial control device to be admitted further comprises:
after receiving the network access request of the industrial control device to be admitted, sending a Modbus protocol request to read the device identification code (function code 0x2B).
2. The network access authentication method for industrial control equipment according to claim 1, wherein the value of the custom object ID 0x80 is the information character length of the identity key credential.
3. The network access authentication method for industrial control equipment according to claim 1, wherein the dumb terminal comprises:
a PLC device or an RTU.
4. The network access authentication method for industrial control equipment according to claim 1, wherein generating the device fingerprint corresponding to the dumb terminal from the value of the specific device feature comprises:
computing the values of the specific device features with a preset algorithm, and taking the result of the computation as the device fingerprint.
5. The network access authentication method for industrial control equipment according to claim 4, wherein the preset algorithm comprises:
hash calculation.
6. An industrial control equipment network access authentication device, characterized by comprising:
a registration unit, which comprises an acquisition module, a key generation module and an association module, and performs authentication registration of each legal industrial control device allowed to access the network, wherein:
the acquisition module is configured to determine at least one specific device feature of the legal industrial control device and to generate the device fingerprint corresponding to that device from the value of the specific device feature; the value of the specific device feature comprises one or more of device name, device model number, device number, manufacturer, protocol port number, MAC address, IP address and IMEI number; the legal industrial control device comprises a dumb terminal on which the Modbus protocol function code 0x2B can be configured;
the key generation module is configured to take the value of the custom object ID 0x80, carried by the Modbus protocol function code 0x2B, as the identity key credential for authentication registration; the identity key credential is generated from the device fingerprint of the legal industrial control device;
the association module is configured to generate registration information by constructing the correspondence between each legal industrial control device and its identity key credential, and to store the registration information in a preset storage device;
an authentication unit, which comprises an instruction module and a matching module, and authenticates the industrial control device to be admitted to the network, wherein:
the instruction module is configured to acquire the Modbus protocol response of the industrial control device to be admitted;
the matching module is configured to take the value of the custom object ID 0x80 in that response as the identity key credential, and to generate the authentication result for the industrial control device to be admitted by a preset rule according to the correspondence held in the preset storage device;
and the authentication unit further comprises:
a request feedback module, which sends a Modbus protocol request to read the device identification code (function code 0x2B) after receiving the network access request of the industrial control device to be admitted.
7. Industrial control device network access authentication equipment, comprising:
a memory for storing a computer program;
a processor for invoking and executing said computer program to implement the steps of the industrial control device network access authentication method according to any one of claims 1 to 5.
8. A storage medium comprising a software program adapted to be executed by a processor to carry out the steps of the network access authentication method for industrial control devices according to any one of claims 1 to 5.
CN202210730676.0A 2022-06-24 2022-06-24 Network access authentication method, device, equipment and storage medium for industrial control equipment Active CN115150143B (en)

Publications (2)

Publication Number Publication Date
CN115150143A CN115150143A (en) 2022-10-04
CN115150143B true CN115150143B (en) 2024-03-12
