CN115344000A - PLC control logic safety protection method based on information coding technology

Info

Publication number
CN115344000A
Authority
CN
China
Prior art keywords
control logic
user
plc
signature
calculation
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110525125.6A
Other languages
Chinese (zh)
Inventor
赵德政
郭肖旺
郭佳
赵悦琪
张兴波
康晋菊
封成玉
加舒娟
李家鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cec Intelligent Technology Co ltd
6th Research Institute of China Electronics Corp
Original Assignee
Cec Intelligent Technology Co ltd
6th Research Institute of China Electronics Corp
Application filed by Cec Intelligent Technology Co ltd, 6th Research Institute of China Electronics Corp filed Critical Cec Intelligent Technology Co ltd

Classifications

    • G - PHYSICS
    • G05 - CONTROLLING; REGULATING
    • G05B - CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 - Programme-control systems
    • G05B19/02 - Programme-control systems electric
    • G05B19/04 - Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/05 - Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
    • G05B19/054 - Input/output
    • G - PHYSICS
    • G05 - CONTROLLING; REGULATING
    • G05B - CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 - Program-control systems
    • G05B2219/10 - Plc systems
    • G05B2219/12 - Plc mp multi processor system
    • G05B2219/1203 - Expand logical expression over multiple controllers

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Programmable Controllers (AREA)

Abstract

The invention discloses a PLC control logic safety protection method based on information coding technology. The method applies to the stage in which a user logs in to the system and to the stages of editing, compiling, storing, downloading, loading and running PLC control logic. In the editing stage, access control is applied to the user and the source code produced by editing is given integrity and confidentiality protection. In the compiling stage, access control is applied to the user and the object code produced by compiling is given integrity and confidentiality protection. In the storage process, encryption and signature calculations are performed on the source code and the object code to protect them. In the downloading stage, access control is applied to the user, the object code is signed, and bidirectional identity authentication is performed during the download. In the loading stage, executable tasks are generated after signature verification. In the running stage, the process control logic is executed and the running value is checked to ensure safety in the task stage. The method improves the safety of the PLC control logic in every respect, improves the safety of the whole control system, and thereby ensures the safe operation of the controlled equipment.

Description

PLC control logic safety protection method based on information coding technology
Technical Field
The invention relates to the field of industrial control, in particular to a PLC control logic safety protection method based on an information coding technology.
Background
With the development of information technology, industrial automation is steadily accelerating. The PLC, as the core control unit of an industrial control system, is widely used in industrial automation and plays an important role in industrial production; its reliability and safety bear directly on the safety and stability of the whole control system.
The safety of the PLC control logic determines whether the whole system runs safely and stably. It spans the stages of editing, compiling, storing, downloading, loading and running, and information leakage or damage at any one of them can affect the normal operation of the control system and the controlled equipment, causing immeasurable loss. To improve the safety of PLC control logic, some studies have proposed solutions that strengthen safety assurance and active defense. However, existing active defense methods for PLC control logic have the following weaknesses: 1) they do not cover all PLC task stages (editing, compiling, storing, downloading, loading and running), so protection is not comprehensive; 2) they lack an integrity measurement for the control logic, so it cannot be verified whether the control logic has been illegally tampered with; 3) they lack user access control, so any user can operate the system, which increases access risk. The safety assurance capability of PLC systems therefore remains weak.
To meet the safety requirements that industrial automation places on control systems and to improve the safety assurance capability of PLC systems, the invention addresses the shortcomings of the prior art with a PLC control logic safety protection scheme based on information coding technology. The scheme covers the editing, compiling, storing, downloading, loading and running stages of PLC control logic and protects the confidentiality and integrity of the control logic. Combined with role-based access control, it provides identity authentication and authority control for accessing users, and ensures that access to the PLC control logic source code and object code is legitimate, that storage and transmission are confidential and integrity-protected, and that loading and running are trustworthy, thereby improving the safety of the PLC system.
Disclosure of Invention
To achieve this purpose, the invention adopts the following technical scheme: a PLC control logic safety protection method based on information coding technology. The method applies to the stage in which a user logs in to the system and to the stages of editing, compiling, storing, downloading, loading and running PLC control logic. In the editing stage, access control is applied to the user and the source code produced by editing is given integrity and confidentiality protection. In the compiling stage, access control is applied to the user and the object code produced by compiling is given integrity and confidentiality protection. In the storage process, encryption and signature calculations are performed on the source code and the object code to protect them. In the downloading stage, access control is applied to the user, the object code is signed, and bidirectional identity authentication is performed during the download. In the loading stage, executable tasks are generated after signature verification. In the running stage, the process control logic is executed and the running value is checked to ensure safety in the task stage. The method improves the safety of the PLC control logic in every respect, improves the safety of the whole control system, and thereby ensures the safe operation of the controlled equipment.
A PLC control logic safety protection method based on information coding technology, characterized in that: the objects of role-based access control are the users who need to access the system; the objects of the encryption calculation and the signature calculation are the source code of the PLC control logic edited by the user and the object code generated by compiling that source code.
A PLC control logic safety protection method based on information coding technology, characterized in that: the method applies to the stage in which a user logs in to the system and to the stages of editing, compiling, storing, downloading, loading and running the PLC control logic, and takes safety protection measures in each stage:
step 1, user role authority control: a system administrator assigns a user role to each accessing user according to actual requirements and binds the corresponding authority;
step 2, user login: the authorized user authenticates by entering a user name and password and by providing biometric information; if verification passes, the system allows the user to log in and to perform the operations on the PLC that the role authority permits;
step 3, editing and storing: an authorized user writes the source code of the control logic in the logic configuration software; once the code is written, encryption and digital signature calculations are performed on the source code to realize security and confidentiality protection;
step 4, compiling and storing: an authorized user compiles the source code produced in the editing stage in the logic configuration software; compilation produces the object code, on which encryption and digital signature calculations are performed to realize security and confidentiality protection;
step 5, downloading: an authorized user reads the object code through the logic configuration software and sends the control logic, together with its signature information, to the PLC over a secure channel; after the PLC controller has verified the signature, it signs the object code again with its own digital certificate and adds the control logic task to a task whitelist;
step 6, loading: on receiving a control instruction, the PLC confirms that the task to be loaded is in the task whitelist, verifies the signature of the object code to be loaded, and, once verification passes, loads the object code and generates the corresponding control logic task;
step 7, running: on receiving a control instruction, the PLC executes the control logic task, runs the corresponding process control logic, and checks the running value after the execution is finished.
Step 1 is mainly characterized in that it provides a PLC control logic access control method based on information coding technology. The method uses role-based access control: users of the system are divided into user groups according to their job responsibilities, and each user group is bound to the corresponding operation actions; the system defines roles within the user groups and grants each role permissions according to the operation actions and operation objects that the user group may execute. The permissions a particular user holds are determined by the role the user is in.
Step 2 is mainly characterized in that user identity authentication combines user name/password verification with biometric identification. Identity authentication is judged successful only after both checks pass, after which the user can carry out subsequent operations.
Steps 3 and 4 are mainly characterized in that they provide an integrity and confidentiality protection method for PLC control logic based on information coding technology. The method uses a symmetric cryptographic algorithm to encrypt the source code and object code of the PLC control logic for confidentiality protection, and an asymmetric cryptographic algorithm to sign the source code or object code of the PLC control logic for integrity protection, as follows:
the confidentiality protection method uses a symmetric cryptographic algorithm. The edited source code is encrypted with a random key generated by an encryption chip internal or external to the system, and the resulting ciphertext and the required information are stored in a secure area of the target file or disk; when an authorized user or the PLC controller needs to operate on the control logic, the original source code is first restored by decryption and the operation is then carried out. The object code produced by compiling is given confidentiality protection by the same encryption and decryption method;
the integrity protection method uses an asymmetric cryptographic algorithm. The hash value of the source code is signed with the private key of the user's digital certificate, and the resulting signature value is stored in a secure area of the target file or disk. When an authorized user or the PLC controller needs to operate on the control logic, the legality and validity of the signing certificate are verified first, and the digital signature is then verified with the public key carried in that certificate; if verification passes, the source code is judged to be unmodified and the operation can proceed. The object code produced by compiling is given integrity protection by the same signing and signature verification method.
Step 5 is mainly characterized in that the PLC control logic is downloaded to the PLC controller over a secure channel. The secure channel authenticates the identities of the upper computer and the PLC controller in both directions using digital certificate signatures, encrypts the data to be transmitted with a randomly generated session key, and verifies the integrity of the data.
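The signature chain of steps 3 to 6 (sign at the workstation, verify and re-sign on the PLC at download, whitelist check and verification again at load), as an added Go example that is not code from the patent. The patent names no algorithms, so Ed25519 over a SHA-256 hash, a pinned station key standing in for certificate validation, and all identifiers are assumptions; the symmetric encryption layer and the secure channel are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrBadSignature   = errors.New("signature check failed")
	ErrNotWhitelisted = errors.New("task not in whitelist")
)

// Package is object code plus a signature over its SHA-256 hash.
type Package struct {
	Task            string
	Code, Signature []byte
}

// NewSigner stands in for a digital certificate's key pair (assumption: Ed25519).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign signs the hash of the code with the holder's private key (steps 3 and 4).
func Sign(task string, code []byte, priv ed25519.PrivateKey) *Package {
	digest := sha256.Sum256(code)
	// Copy the code so later changes to the caller's slice cannot alter the package.
	return &Package{task, append([]byte(nil), code...), ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the hash and checks the signature against pub.
func Verify(p *Package, pub ed25519.PublicKey) error {
	digest := sha256.Sum256(p.Code)
	if !ed25519.Verify(pub, digest[:], p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// PLC models the controller: its own private key, the workstation key it trusts
// (certificate validation is reduced to this pinned key), and the task whitelist.
type PLC struct {
	priv      ed25519.PrivateKey
	trusted   ed25519.PublicKey
	whitelist map[string]*Package
}

func NewPLC(trusted ed25519.PublicKey) *PLC {
	_, priv := NewSigner()
	return &PLC{priv, trusted, map[string]*Package{}}
}

// Download verifies the workstation's signature, re-signs the code with the
// PLC's own key and adds the task to the whitelist (step 5).
func (c *PLC) Download(p *Package) error {
	if err := Verify(p, c.trusted); err != nil {
		return err
	}
	c.whitelist[p.Task] = Sign(p.Task, p.Code, c.priv)
	return nil
}

// Load checks the whitelist, then the PLC's own signature, before handing the
// code to the runtime (step 6).
func (c *PLC) Load(task string) ([]byte, error) {
	p, ok := c.whitelist[task]
	if !ok {
		return nil, ErrNotWhitelisted
	}
	if err := Verify(p, c.priv.Public().(ed25519.PublicKey)); err != nil {
		return nil, err
	}
	return p.Code, nil
}

func main() {
	pub, priv := NewSigner()
	plc := NewPLC(pub)
	pkg := Sign("pump_ctrl", []byte("LD X0\nOUT Y0"), priv) // constructed sample logic
	fmt.Println("download:", plc.Download(pkg))
	plc.whitelist["pump_ctrl"].Code[0] ^= 0xFF // simulate tampering in PLC storage
	_, err := plc.Load("pump_ctrl")
	fmt.Println("load after tampering:", err)
	_, err = plc.Load("unknown_task")
	fmt.Println("load unlisted task:", err)
}
```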
The beneficial effects of the invention are as follows:
first, the objects of the encryption calculation and the signature calculation are the source code of the PLC control logic edited by the user and the object code generated by compiling that source code; the objects of role-based access control are the users who need to access the system. The stages on which the scheme acts are: editing, compiling, storing, downloading, loading and running the PLC control logic. The protection target is therefore clear, the full life cycle of the protected object is covered, the safety of the control logic is protected in every respect, and no gap is left in the protection;
second, the method uses a symmetric cryptographic algorithm to encrypt the source code and object code of the control logic and stores them as ciphertext, which ensures the confidentiality of the PLC control logic, protects key information of the control system from being illegally stolen, and avoids major safety accidents;
third, the method uses an asymmetric cryptographic algorithm to sign the source code and object code of the PLC control logic. The user or the PLC controller can carry out subsequent operations only after the control logic passes signature verification; if the system finds that the control logic has been illegally tampered with, it refuses to carry out subsequent operations, which ensures the integrity of the PLC control logic and prevents accidents;
finally, through role-based authority control the method ensures that only authorized users can perform operations within their authority, and that unauthorized or illegal users cannot. Role-based authority control effectively prevents unauthorized or illegal users from editing, compiling, storing, downloading, loading and running the control logic, and so prevents the control logic from being maliciously damaged.
Drawings
The invention is further illustrated with reference to the following figures and examples:
FIG. 1 is a typical PLC control logic generation and user execution process;
FIG. 2 is a schematic diagram of user organization and role authorization;
FIG. 3 is a process of encrypted signature verification and decryption.

Claims (9)

1. A PLC control logic safety protection method based on information coding technology, characterized in that: the method applies to the stage in which a user logs in to the system and to the stages of editing, compiling, storing, downloading, loading and running PLC control logic, wherein in the editing stage access control is applied to the user and the source code produced by editing is given integrity and confidentiality protection; in the compiling stage, access control is applied to the user and the object code produced by compiling is given integrity and confidentiality protection; in the storage process, encryption and signature calculations are performed on the source code and the object code to protect them; in the downloading stage, access control is applied to the user, the object code is signed, and bidirectional identity authentication is performed during the download; in the loading stage, executable tasks are generated after signature verification; in the running stage, the process control logic is executed and the running value is checked to ensure safety in the task stage; the method improves the safety of the PLC control logic in every respect, improves the safety of the whole control system, and thereby ensures the safe operation of the controlled equipment.
2. The PLC control logic safety protection method based on information coding technology as claimed in claim 1, wherein: the objects of role-based access control are the users who need to access the system; the objects of the encryption calculation and the signature calculation are the source code of the PLC control logic edited by the user and the object code generated by compiling that source code.
3. The PLC control logic safety protection method based on information coding technology as claimed in claim 1, wherein: the method applies to the stage in which a user logs in to the system and to the stages of editing, compiling, storing, downloading, loading and running PLC control logic, and safety protection measures are taken in each stage:
step 1, user role authority control: a system administrator assigns a user role to each accessing user according to actual requirements and binds the corresponding authority;
step 2, user login: the authorized user authenticates by entering a user name and password and by providing biometric information; if verification passes, the system allows the user to log in and to perform the operations on the PLC that the role authority permits;
step 3, editing and storing: an authorized user writes the source code of the control logic in the logic configuration software; once the code is written, encryption and digital signature calculations are performed on the source code to realize security and confidentiality protection;
step 4, compiling and storing: an authorized user compiles the source code produced in the editing stage in the logic configuration software; compilation produces the object code, on which encryption and digital signature calculations are performed to realize security and confidentiality protection;
step 5, downloading: an authorized user reads the object code through the logic configuration software and sends the control logic, together with its signature information, to the PLC over the secure channel; after the PLC controller has verified the signature, it signs the object code again with its own digital certificate and adds the control logic task to a task whitelist;
step 6, loading: on receiving a control instruction, the PLC confirms that the task to be loaded is in the task whitelist, verifies the signature of the object code to be loaded, and, once verification passes, loads the object code and generates the corresponding control logic task;
step 7, running: on receiving a control instruction, the PLC executes the control logic task, runs the corresponding process control logic, and checks the running value after each execution is finished.
4. The PLC control logic safety protection method based on information coding technology as claimed in claim 3, wherein: step 1 is mainly characterized in that it provides a PLC control logic access control method based on information coding technology;
the method uses role-based access control: users of the system are divided into user groups according to their job responsibilities, and each user group is bound to the corresponding operation actions; the system defines roles within the user groups and grants each role permissions according to the operation actions and operation objects that the user group may execute; the permissions a particular user holds are determined by the role the user is in.
5. The PLC control logic safety protection method based on information coding technology as claimed in claim 3, wherein: step 2 is mainly characterized in that user identity authentication combines user name/password verification with biometric identification; identity authentication is judged successful only after both checks pass, after which the user can carry out subsequent operations.
6. The PLC control logic safety protection method based on information coding technology as claimed in claim 3, wherein: steps 3 and 4 are mainly characterized in that they provide an integrity and confidentiality protection method for PLC control logic based on information coding technology; the method uses a symmetric cryptographic algorithm to encrypt the source code and object code of the PLC control logic for confidentiality protection, and an asymmetric cryptographic algorithm to sign the source code or object code of the PLC control logic for integrity protection.
7. The PLC control logic confidentiality protection method according to claim 6, wherein: the confidentiality protection method uses a symmetric cryptographic algorithm; the edited source code is encrypted with a random key generated by an encryption chip internal or external to the system, and the resulting ciphertext and the required information are stored in a secure area of the target file or disk; when an authorized user or the PLC controller needs to operate on the control logic, the original source code can be restored by decryption; the object code produced by compiling is given confidentiality protection by the same encryption and decryption methods.
8. The PLC control logic integrity protection method of claim 6, wherein: the integrity protection method uses an asymmetric cryptographic algorithm; the hash value of the source code is signed with the private key of the signer's own digital certificate, and the resulting signature value is stored in a secure area of the target file or disk; when an authorized user or the PLC controller needs to operate on the control logic, the legality and validity of the signing certificate are verified first, and the digital signature is then verified with the public key carried in that certificate; if verification passes, the source code is judged to be unmodified and the operation can proceed; the object code produced by compiling is given integrity protection by the same signing and signature verification method.
9. The PLC control logic safety protection method based on information coding technology as claimed in claim 3, wherein: step 5 is mainly characterized in that the PLC control logic is downloaded to the PLC controller over a secure channel; the secure channel authenticates the identities of the upper computer and the PLC controller in both directions using digital certificate signatures, encrypts the data to be transmitted with a randomly generated session key, and verifies the integrity of the data.
CN202110525125.6A 2021-05-14 2021-05-14 PLC control logic safety protection method based on information coding technology Pending CN115344000A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110525125.6A CN115344000A (en) 2021-05-14 2021-05-14 PLC control logic safety protection method based on information coding technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110525125.6A CN115344000A (en) 2021-05-14 2021-05-14 PLC control logic safety protection method based on information coding technology

Publications (1)

Publication Number Publication Date
CN115344000A (en) 2022-11-15

Family

ID=83947005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110525125.6A Pending CN115344000A (en) 2021-05-14 2021-05-14 PLC control logic safety protection method based on information coding technology

Country Status (1)

Country Link
CN (1) CN115344000A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580491A (en) * 2022-12-07 2023-01-06 信联科技(南京)有限公司 Industrial control programming platform based on state cryptographic algorithm, construction method and operation method
CN116663075A (en) * 2023-07-24 2023-08-29 信联科技(南京)有限公司 Industrial control programming platform safety communication method and system based on cryptographic algorithm
CN116663075B (en) * 2023-07-24 2023-12-15 信联科技(南京)有限公司 Industrial control programming platform safety communication method and system based on cryptographic algorithm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination