CN115766095A - Industrial equipment identity authentication method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN115766095A
CN115766095A (application number CN202211293004.4A)
Authority
CN
China
Prior art keywords
identity
industrial equipment
authentication
equipment
identity information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211293004.4A
Other languages
Chinese (zh)
Inventor
李达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Likong Huacon Technology Co ltd
Original Assignee
Beijing Likong Huacon Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Likong Huacon Technology Co ltd
Priority to CN202211293004.4A
Publication of CN115766095A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides an industrial equipment identity authentication method, an industrial equipment identity authentication device, computer equipment and a storage medium. The method comprises the following steps: sending an identity information query instruction of a preset type to the industrial equipment to be authenticated, where the type of identity information is determined by the configuration requirements of the access control policy; acquiring the identity information fed back by the industrial equipment; verifying the identity of the industrial equipment; and, when the verification result meets the identity verification requirement, sending the preset type of identity information to the security device, so that the security device configures a corresponding access control policy for the industrial equipment based on that identity information. The invention addresses the technical problem that industrial equipment in an industrial control system faces serious network security risks because it lacks effective information security defenses.

Description

Industrial equipment identity authentication method and device, computer equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication security, in particular to an industrial equipment identity authentication method and device, computer equipment and a storage medium.
Background
With the improvement of network security capabilities, access control policies in security devices such as firewalls are increasingly configured on the basis of the client's identity information rather than a simple source IP, so that an attacker cannot forge an IP address or send attack traffic through a legitimate host. During service access, a PC can authenticate to the security device through a Lightweight Directory Access Protocol (LDAP) server, an Active Directory (AD) domain server, or a certificate, and the access control policy is applied once authentication passes; that is, the policy is configured from identity information.
However, industrial control systems also contain industrial devices such as Programmable Logic Controllers (PLCs) and smart meters. Because these devices generally do not run a complete operating system, an identity authentication program cannot be deployed on them, and because devices in an industrial control system typically run for a long time, they are inconvenient to upgrade or replace. At the same time, the computing power of industrial equipment is limited and complex encryption and decryption algorithms cannot be implemented, so the device cannot authenticate itself and an identity-based access control policy cannot be configured for it. It therefore lacks effective information security defenses and faces a serious network security risk.
Disclosure of Invention
The application provides an industrial equipment identity authentication method and device, computer equipment and a storage medium, which are used to solve the technical problem that industrial equipment in an industrial control system lacks effective information security defenses and therefore faces serious network security risks.
The first aspect of the present invention provides a method for authenticating the identity of an industrial device, which is applied to an authentication proxy node, where the authentication proxy node is in communication connection with the industrial device and with a security device respectively. The method comprises: sending an identity information query instruction of a preset type to the industrial equipment to be authenticated, where the type of identity information is determined by the configuration requirements of the access control policy; acquiring the identity information fed back by the industrial equipment; verifying the identity of the industrial equipment; and, when the verification result meets the identity verification requirement, sending the preset type of identity information to the security device, so that the security device configures a corresponding access control policy for the industrial equipment based on that identity information.
The industrial equipment identity authentication method provided by the embodiment of the invention can authenticate the identity of the equipment under the condition of not replacing the equipment, and can defend huge network security risks by configuring effective information security protection measures for the equipment based on the real identity of the equipment.
Optionally, before sending the preset type of identity information query instruction to the industrial device to be authenticated, the method further includes: sending an identity authentication request to the security device; and, when the identity authentication result fed back by the security device is "passed", responding to the identity information query operation of the industrial equipment.
Optionally, verifying the identity of the industrial device comprises: when the industrial equipment feeds back multiple items of identity information, comparing each item in turn with the corresponding preset identity information; and, when the comparison results of all the identity information are consistent, judging that the verification result meets the identity verification requirement.
Optionally, the industrial device to be authenticated comprises a PLC type industrial device, and verifying the identity of the industrial device comprises: writing an initial value into the firmware program of the programmable logic controller in the PLC type industrial equipment; acquiring the result value produced by the firmware program from that initial value; comparing the result value with a preset result value; and, if the comparison result is consistent, judging that the verification result meets the identity verification requirement.
Optionally, after the step of verifying the identity of the industrial device to be authenticated, the method further includes: when the verification result does not meet the identity verification requirement, sending verification failure prompt information to the security device.
The second aspect of the present invention provides a method for authenticating the identity of industrial equipment, which is applied to a security device, where the security device is in communication connection with an authentication agent node. The method comprises the following steps: receiving the identity information of the industrial equipment to be authenticated sent by the authentication agent node; and executing the operation of configuring an access control policy for the industrial equipment based on the identity information of the industrial equipment to be authenticated.
Optionally, before receiving the identity information of the industrial device to be authenticated sent by the authentication proxy node, the method further includes: receiving an identity authentication request sent by the authentication agent node; sending the identity authentication result to the authentication agent node; and responding to the identity information receiving operation only for an authentication proxy node that has passed identity authentication.
Optionally, the method further comprises: when receiving prompt information that the identity verification of the industrial equipment to be authenticated has failed, starting emergency handling.
Optionally, after the step of configuring the access control policy for the industrial device based on the identity information of the industrial device to be authenticated, the method further includes: binding the life cycle of the identity characteristic information of the industrial equipment to be authenticated to the life cycle of the authentication agent node.
The third aspect of the present invention provides an identity authentication apparatus for industrial equipment, which is applied to an authentication proxy node, where the authentication proxy node is in communication connection with the industrial equipment and with a security device respectively. The apparatus includes: a first sending module, used to send an identity information query instruction of a preset type to the industrial equipment to be authenticated, where the type of identity information is determined by the configuration requirements of the access control policy; a first acquisition module, used to acquire the identity information fed back by the industrial equipment; a first verification module, used to verify the identity of the industrial equipment; and a second sending module, used to send the preset type of identity information to the security device when the verification result meets the identity verification requirement, so that the security device configures a corresponding access control policy for the industrial equipment based on that identity information.
The functions executed by each component in the industrial equipment identity authentication device provided by the present invention are all applied in any method embodiment of the first aspect, and therefore, the details are not described herein.
The fourth aspect of the present invention provides an identity authentication apparatus for industrial equipment, which is applied to security equipment, the security equipment is in communication connection with an authentication proxy node, and the authentication proxy node is in communication connection with the industrial equipment, and the apparatus includes: the first receiving module is used for receiving the identity information of the industrial equipment to be authenticated, which is sent by the authentication agent node; the first configuration module is used for executing the operation of configuring the access control strategy for the industrial equipment based on the identity information of the industrial equipment to be authenticated.
The fifth aspect of the present invention provides a computer device, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus; a memory for storing a computer program; and the processor is used for realizing the steps of the industrial equipment identity authentication method of the first aspect or the second aspect when executing the program stored in the memory.
A sixth aspect of the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to execute the industrial equipment identity authentication method according to the first aspect or the second aspect of the present invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flow chart of an identity authentication method for industrial equipment according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of an identity authentication method for industrial equipment according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of an identity authentication method for industrial equipment according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an identity authentication apparatus for industrial equipment according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an identity authentication apparatus for industrial equipment according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a computer device of an industrial device identity authentication method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings of the embodiments of the present disclosure. It is to be understood that the described embodiments are only a few embodiments of the present disclosure, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the disclosure without inventive step, are within the scope of protection of the disclosure.
Unless otherwise defined, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The use of the terms "a," "an," or "the" and similar referents in this disclosure also do not denote a limitation of quantity, but rather denote the presence of at least one. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
For the technical problems mentioned in the background art, the embodiment of the present invention provides an identity authentication method for industrial equipment, which is applied to an authentication proxy node, where the authentication proxy node is in communication connection with the industrial equipment and with a security device respectively. The authentication proxy node may be a PC; the industrial equipment may include, but is not limited to, a PLC, a Remote Terminal Unit (RTU), an intelligent instrument, an access control (entrance guard) terminal, a camera, an automation PC, and the like; and the security device may be a firewall. As shown in fig. 1 and 2, the method includes the following steps:
step S110, sending an identity information query instruction of a preset type to the industrial equipment to be authenticated, wherein the type of the identity information is determined according to the configuration requirement of the access control strategy.
For example, the preset type of identity information of the industrial device may include, but is not limited to, any one or more of a device IP, a device MAC, a device model, a device version, a device name, device administrator information, and a verification expiration time. In the embodiment of the present application, the preset type of identity information is preferably a device IP.
And step S120, acquiring the identity information fed back by the industrial equipment. Illustratively, based on the query request of the authentication agent node, the industrial equipment feeds back the corresponding type of identity information of the industrial equipment.
And S130, verifying the identity of the industrial equipment.
Illustratively, authentication includes static authentication and dynamic authentication. Identity information that needs to be verified varies from industrial device to industrial device. Some industrial equipment only needs to verify static identity information, such as IP, MAC, open port list and other information; some industrial devices require dynamic identity information, such as firmware programs, to be run to verify the authenticity or validity of the device, such as PLC-type industrial devices.
Step S140, when the verification result meets the identity verification requirement, sending the preset type of identity information to the security device, so that the security device configures a corresponding access control policy for the industrial equipment based on that identity information.
For example, the authentication agent node may periodically verify the authenticity or validity of the industrial device through steps S110 to S130, and update the identity information to the security device through step S140. In this embodiment, the identity information update period may be adaptively set according to actual needs, which is not limited herein.
The industrial equipment identity authentication method provided by the embodiment of the invention can authenticate the identity of the equipment under the condition of not replacing the equipment, and can defend huge network security risks by configuring effective information security protection measures for the equipment based on the real identity of the equipment.
As an optional embodiment of the present invention, before step S110, the method further includes:
step S210, sending an identity authentication request to the security device.
Illustratively, the security device confirms the validity of the authentication agent node, and only a valid authentication agent node has the authority to authenticate the identity information of the industrial device. Therefore, before verifying the identity of the industrial equipment, the authentication agent node must first initiate identity authentication with the security device and prove its own identity validity. The security device can authenticate the authentication agent node through methods such as LDAP authentication, AD domain authentication, certificate authentication, UKey authentication, username/password authentication, biometric authentication, and the like.
And step S220, when the identity authentication result fed back by the security device is "passed", responding to the identity information query operation of the industrial equipment.
Illustratively, when the identity of the authentication agent node is authenticated to be legal by the security device, the authentication agent node starts to verify the identity of the industrial device, i.e. responds to the identity information query operation on the industrial device.
The industrial equipment identity authentication method provided by the embodiment of the invention can avoid the attack or control of an illegal authentication agent node on the industrial equipment.
As an optional implementation manner of the present invention, step S130 includes:
step S310, when the identity information fed back by the industrial device includes a plurality of identity information, sequentially comparing each of the identity information with the corresponding preset identity information.
Illustratively, the identity information includes the device IP, and the device IP has the highest verification priority. The priority of the other items is set according to the specific practice and is not limited here. A set of verification identity information, corresponding to the identity information of the industrial equipment to be authenticated (that is, the preset type of identity information), is preset in the authentication agent node, and the authenticity or validity of the industrial equipment is confirmed by verifying the fed-back identity information against it. When the identity information comprises multiple items, one optional verification mode verifies all items at the same time, in which case priority is not considered. In another optional verification mode, the items are compared and verified one by one according to their priority. Specifically, for example: verify whether the IP of the industrial equipment matches the preset value; verify whether the MAC of the industrial equipment matches the preset value; and verify whether the list of ports opened by the industrial equipment matches the preset value.
Step S320, when the comparison results of all the identity information are consistent, determining that the verification result meets the identity verification requirement.
Illustratively, when the comparison results of all identity information are consistent, the verification is passed, and the true existence or the legal existence of the verified industrial equipment is indicated.
The industrial equipment identity authentication method provided by the embodiment of the invention adopts a scientific verification mode and an evaluation standard, and improves the accuracy and reliability of the industrial equipment identity information verification. The security device is facilitated to configure a complete and reliable access control policy.
As an optional implementation manner of the present invention, step S130 includes:
step S410, writing an initial value into a firmware program of a programmable logic controller in the PLC type industrial device.
Illustratively, the industrial device realizes corresponding functions through corresponding firmware programs, different industrial devices realize different functions, and the corresponding firmware programs are different, so that the authenticity or the validity of the industrial device can be verified in a mode of writing initial values to run the firmware programs.
In step S420, a result value of the initial value processed by the firmware program is obtained.
Illustratively, the initial value outputs a corresponding result value through operation of the firmware program.
In step S430, the result value is compared with a preset result value.
Illustratively, the result value is compared with a result value preset in the authentication agent node, and based on the comparison result, whether the identity of the verified industrial device meets the requirement is determined.
Step S440, if the comparison result is consistent, the verification result is judged to meet the identity verification requirement.
For example, for an industrial device of PLC type, the authentication proxy node may write a value V1 to a certain point Tag1 of the firmware program of the industrial device; the industrial device computes V2 = L(V1) and writes it to another point Tag2; the authentication proxy node then reads the value of point Tag2 and determines whether it is the same as L'(V1). Here L is the preset ladder-diagram logic in the industrial equipment, and L' is logic in the authentication agent node that is equivalent to L.
For example, for a PLC type industrial device, the authentication proxy node may also obtain a value of Tag3 at a certain point of the industrial device, and determine whether the value is a preset value.
The industrial equipment identity authentication method provided by the embodiment of the invention adopts a verification mode of dynamic identity information, namely, by operating a firmware program in the industrial equipment, the misjudgment caused by the forged static identity information is avoided.
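The Tag1/Tag2/Tag3 exchange of steps S410 to S440 can be simulated end to end. The following is an added example and not code from the patent or its assignee: the ladder logic L is a constructed stand-in (a 16-bit rotate-and-XOR rung), the proxy holds an independently written equivalent L', and the PLC is modelled as a tag table with a scan cycle. The example also assumes that the proxy chooses a fresh V1 on every verification round, which the patent does not require but which is what lets the check tell a real firmware program apart from a device that merely replays a previously observed Tag2 value.

```python
"""Dynamic identity verification of a PLC via a firmware challenge (steps S410-S440).

Added example, not part of the patent. The ladder logic, tag names and all values
are constructed for illustration.
"""
import secrets
from typing import Callable, Dict, Optional


def ladder_L(v1: int) -> int:
    """Constructed stand-in for the PLC's ladder logic L: rotate left 3 bits in a
    16-bit word, then XOR with a constant."""
    v = v1 & 0xFFFF
    v = ((v << 3) | (v >> 13)) & 0xFFFF
    return v ^ 0x5A3C


def ladder_L_prime(v1: int) -> int:
    """Proxy-side logic L', written independently of L but equivalent to it:
    three single-bit rotations instead of one three-bit rotation."""
    v = v1 & 0xFFFF
    for _ in range(3):
        v = ((v << 1) & 0xFFFF) | (v >> 15)
    return v ^ 0x5A3C


class SimulatedPLC:
    """Constructed PLC model: a tag table plus a scan that runs L each cycle."""

    def __init__(self, program: Callable[[int], int], tag3_value: int) -> None:
        self.tags: Dict[str, int] = {"Tag1": 0, "Tag2": 0, "Tag3": tag3_value & 0xFFFF}
        self._program = program

    def write(self, tag: str, value: int) -> None:
        self.tags[tag] = value & 0xFFFF

    def read(self, tag: str) -> int:
        return self.tags[tag]

    def scan(self) -> None:
        """One PLC scan cycle: Tag2 := L(Tag1)."""
        self.tags["Tag2"] = self._program(self.tags["Tag1"])


class ReplayingDevice(SimulatedPLC):
    """Constructed device that presents the right static tags but does not run L;
    it only replays a Tag2 value observed in an earlier exchange."""

    def __init__(self, recorded_tag2: int, tag3_value: int) -> None:
        super().__init__(program=lambda _v: recorded_tag2, tag3_value=tag3_value)


def verify_dynamic(device: SimulatedPLC, expected_tag3: int, challenge: Optional[int] = None) -> bool:
    """Proxy-side check. Returns True only when the device's firmware result matches L'(V1)
    and the preset point Tag3 holds its expected value."""
    # Fresh challenge per round (assumption added here); a fixed challenge is replayable.
    v1 = secrets.randbelow(0x10000) if challenge is None else challenge & 0xFFFF
    device.write("Tag1", v1)            # S410: write the initial value into the firmware program
    device.scan()                       # firmware processes the value
    v2 = device.read("Tag2")            # S420: acquire the result value
    dynamic_ok = v2 == ladder_L_prime(v1)       # S430/S440: compare with the preset result
    tag3_ok = device.read("Tag3") == expected_tag3   # preset-point check described for Tag3
    return dynamic_ok and tag3_ok


# Constructed sample: a genuine PLC and a replaying device with the same Tag3.
GENUINE = SimulatedPLC(ladder_L, tag3_value=0x0042)
REPLAYER = ReplayingDevice(recorded_tag2=ladder_L(0x1234), tag3_value=0x0042)

if __name__ == "__main__":
    print("genuine, random V1:", verify_dynamic(GENUINE, 0x0042))
    print("replayer, same V1 as recorded:", verify_dynamic(REPLAYER, 0x0042, challenge=0x1234))
    print("replayer, new V1:", verify_dynamic(REPLAYER, 0x0042, challenge=0x1235))
```

The replaying device passes only if the proxy reuses exactly the V1 it had seen before; with any other V1 the recorded Tag2 no longer equals L'(V1) and the device is rejected, while the genuine PLC passes for every challenge.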
As an optional embodiment of the present invention, after step S130, the method further includes:
and step S510, when the verification result does not meet the identity verification requirement, sending verification failure prompt information to the safety equipment.
Illustratively, when at least one of the comparison results of the verified identity information is inconsistent, it is indicated that the identity of the verified industrial equipment is not true or illegal, the identity verification fails, and a verification failure prompt message is sent to the security equipment. It should be noted that, in consideration of the authentication mode of the authentication priority of the identity information, when the identity information is compared and authenticated one by one according to the priority, the authentication operation can be skipped when the first inconsistent identity information is authenticated, and the authentication failure prompt information is sent to the security device; as an optional manner, after all the identity information to be verified is verified, if at least one of the verification results is inconsistent, a verification failure prompt message may be sent to the security device.
The industrial equipment identity authentication method provided by the embodiment of the invention adopts a scientific verification mode and an evaluation standard, and improves the accuracy and reliability of the industrial equipment identity information verification. The security device is facilitated to configure a complete and reliable access control policy.
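The priority-ordered static comparison of steps S310 and S320, together with the two failure-reporting options of step S510 (stop at the first inconsistent item, or compare everything and then report), can be written out as one verification routine. This is an added example, not code from the patent or its assignee; the priority table, the preset identity of the sample PLC and the two feedback responses are constructed, and the canonicalisation of MAC and port-list formatting is an assumption added so that representation differences alone do not cause a misjudgment.

```python
"""Static identity verification at the authentication proxy node (steps S310, S320, S510).

Added example, not part of the patent. All identity values are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Comparison priority: lower number = compared earlier. Device IP has the highest priority
# as the patent states; the rest of the order is an assumption for this example.
PRIORITY = {"ip": 0, "mac": 1, "open_ports": 2, "model": 3, "version": 4}


@dataclass
class VerificationResult:
    passed: bool
    mismatches: List[str]   # identity types that did not match the preset value
    checked: List[str]      # identity types that were actually compared


def _normalize(kind: str, value: Any) -> Any:
    """Canonicalise a value before comparison (assumed step, not in the patent)."""
    if kind == "mac":
        return str(value).lower().replace("-", ":")
    if kind == "open_ports":
        return tuple(sorted(int(p) for p in value))
    return value


def verify_static(preset: Dict[str, Any], feedback: Dict[str, Any], fail_fast: bool) -> VerificationResult:
    """Compare each fed-back identity item with its preset value in priority order.

    fail_fast=True  : skip the remaining items after the first inconsistent one (S510, first option)
    fail_fast=False : compare every item, then report all inconsistent ones (S510, second option)
    In both modes the device passes only when every preset item matches (S320).
    """
    mismatches: List[str] = []
    checked: List[str] = []
    for kind in sorted(preset, key=lambda k: PRIORITY.get(k, len(PRIORITY))):
        checked.append(kind)
        if kind not in feedback or _normalize(kind, feedback[kind]) != _normalize(kind, preset[kind]):
            mismatches.append(kind)
            if fail_fast:
                break
    return VerificationResult(passed=not mismatches, mismatches=mismatches, checked=checked)


def failure_prompt(device_id: str, result: VerificationResult) -> Dict[str, Any]:
    """Verification-failure prompt the proxy sends to the security device (S510)."""
    return {"event": "verification_failed", "device": device_id, "mismatched": list(result.mismatches)}


# Constructed sample data: the preset identity of one PLC and two feedback responses.
PRESET_PLC1 = {"ip": "192.0.2.10", "mac": "00:11:22:33:44:55", "open_ports": [102, 502]}
GENUINE_FEEDBACK = {"ip": "192.0.2.10", "mac": "00-11-22-33-44-55", "open_ports": [502, 102]}
MISMATCHED_FEEDBACK = {"ip": "192.0.2.10", "mac": "00:11:22:33:44:66", "open_ports": [22, 102, 502]}

if __name__ == "__main__":
    print(verify_static(PRESET_PLC1, GENUINE_FEEDBACK, fail_fast=True))
    print(verify_static(PRESET_PLC1, MISMATCHED_FEEDBACK, fail_fast=True))
    r = verify_static(PRESET_PLC1, MISMATCHED_FEEDBACK, fail_fast=False)
    print(failure_prompt("plc1", r))
```

With fail-fast the mismatched response is rejected at the MAC comparison and the port list is never examined, which is the cheaper option for a proxy that polls many devices; the compare-everything mode costs one extra comparison but gives the security device a complete list of the inconsistent items for its emergency handling.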
The embodiment of the invention provides an industrial equipment identity authentication method, which is applied to safety equipment, wherein the safety equipment is in communication connection with an authentication agent node, and the authentication agent node is in communication connection with the industrial equipment; as shown in fig. 3, the method comprises the steps of:
step S610, receiving the identity information of the industrial device to be authenticated, which is sent by the authentication proxy node.
Illustratively, the security device may be, but is not limited to, a firewall, a gatekeeper (network isolation appliance), a security gateway, and the like.
And step S620, based on the identity information of the industrial equipment to be authenticated, executing the operation of configuring the access control strategy for the industrial equipment.
Illustratively, the authenticated identity of the industrial device is used for the security device to specifically formulate an access policy for the industrial device. The identity of the authenticated industrial device may also be used for, but is not limited to, security device flow statistics, address translation, log queries, and the like.
The industrial equipment identity authentication method provided by the embodiment of the invention is configured with a targeted effective information security protection measure based on the real identity of the equipment, and can defend against huge network security risks.
As an optional embodiment of the present invention, before step S610, the method further includes:
step S710, receiving an identity authentication request sent by the authentication proxy node.
In this embodiment, step S710 is similar to step S210 in the above embodiments, and is not described herein again.
Step S720, sending the identity authentication result to the authentication agent node.
Illustratively, the identity authentication result includes authentication pass and authentication failure.
Step S730, responding to the identity information receiving operation sent by the authentication proxy node that passes the identity authentication.
Illustratively, after the authentication proxy node has passed identity authentication, the security device accepts the identity information of the industrial equipment sent by that proxy node; that is, it responds to the identity information receiving operation.
The industrial equipment identity authentication method provided by the embodiment of the invention can avoid the attack or control of an illegal authentication agent node on an industrial control system.
As an optional embodiment of the present invention, after step S610, the method further includes:
step S810, when receiving prompt information that the identity verification of the industrial equipment to be authenticated has failed, starting emergency handling.
For example, emergency handling may include, but is not limited to, logging, sending alerts, adding security policies, coordinating with other security devices, and the like. These emergency handling measures are relatively mature and are not described further here.
The industrial equipment identity authentication method provided by the embodiment of the invention carries out emergency treatment on illegal industrial equipment in an industrial control system, and avoids network security risk caused by illegal attack of the illegal industrial equipment on the industrial control system.
As an optional implementation manner of the present invention, after step S620, the method further includes:
step S910, the life cycle of the industrial equipment identity characteristic information to be authenticated is bound with the life cycle of the authentication agent node.
Illustratively, the lifetime of the industrial device identity is bound to the lifetime of the authentication proxy node identity. Namely, if the identity of the authentication agent node fails, the identity of the industrial equipment which is verified by the authentication agent node also fails at the same time.
The industrial equipment identity authentication method provided by the embodiment of the invention binds the life cycle of the industrial equipment identity to the life cycle of the authentication agent node identity. This avoids the network security risk in which industrial equipment identity information is not updated in time, the access policy made by the security device becomes stale, and the industrial equipment is exposed to attack.
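The security-device side of the scheme (steps S610, S620, S710 to S730, S810 and S910) can be modelled as a small policy store whose entries are tied to the proxy session that produced them. The following is an added example, not code from the patent or its assignee. Proxy authentication is represented by a constructed pre-shared token check standing in for the LDAP, AD, certificate or UKey methods the patent lists; proxy identifiers, tokens, device addresses, the policy format and the session time-to-live are all constructed. The part worth studying is the lifecycle binding of step S910: when a proxy's identity expires, every access policy derived from that proxy's reports is revoked with it.

```python
"""Security-device side: proxy authentication, policy configuration, emergency handling
and lifecycle binding (steps S610-S730, S810, S910).

Added example, not part of the patent. Tokens, addresses and policies are constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProxySession:
    proxy_id: str
    expires_at: float           # identity of the proxy node is valid until this time


@dataclass
class Policy:
    device_ip: str
    action: str                 # "allow" or "deny"
    source_proxy: str           # proxy session this policy was derived from (S910 binding)


class SecurityDevice:
    """Constructed firewall model holding proxy sessions and per-device access policies."""

    def __init__(self, proxy_tokens: Dict[str, str], session_ttl: float) -> None:
        self._tokens = proxy_tokens          # pre-shared tokens stand in for LDAP/AD/certificate auth
        self._ttl = session_ttl
        self.sessions: Dict[str, ProxySession] = {}
        self.policies: Dict[str, Policy] = {}   # keyed by device IP
        self.events: List[str] = []             # log of alerts and rejections

    def authenticate_proxy(self, proxy_id: str, token: str, now: float) -> bool:
        """S710/S720: authenticate the proxy node and return the result."""
        expected = self._tokens.get(proxy_id)
        if expected is None or not hmac.compare_digest(expected, token):
            self.events.append(f"proxy_auth_failed {proxy_id}")
            return False
        self.sessions[proxy_id] = ProxySession(proxy_id, now + self._ttl)
        return True

    def _session_valid(self, proxy_id: str, now: float) -> bool:
        session: Optional[ProxySession] = self.sessions.get(proxy_id)
        return session is not None and now < session.expires_at

    def receive_identity(self, proxy_id: str, identity: Dict[str, str], now: float) -> bool:
        """S730/S610/S620: accept identity information only from an authenticated proxy and
        configure an allow policy for the reported device."""
        if not self._session_valid(proxy_id, now):
            self.events.append(f"identity_rejected unauthenticated_proxy {proxy_id}")
            return False
        ip = identity["ip"]
        self.policies[ip] = Policy(device_ip=ip, action="allow", source_proxy=proxy_id)
        return True

    def receive_failure_prompt(self, proxy_id: str, device_ip: str, now: float) -> bool:
        """S810: on a verification-failure prompt, log an alert and add a deny policy."""
        if not self._session_valid(proxy_id, now):
            return False
        self.events.append(f"alert verification_failed {device_ip}")
        self.policies[device_ip] = Policy(device_ip=device_ip, action="deny", source_proxy=proxy_id)
        return True

    def expire(self, now: float) -> List[str]:
        """S910: drop expired proxy sessions and every policy bound to them.
        Returns the device IPs whose policies were revoked."""
        revoked: List[str] = []
        for proxy_id, session in list(self.sessions.items()):
            if now >= session.expires_at:
                del self.sessions[proxy_id]
                for ip, policy in list(self.policies.items()):
                    if policy.source_proxy == proxy_id:
                        del self.policies[ip]
                        revoked.append(ip)
        return revoked

    def is_allowed(self, device_ip: str, now: float) -> bool:
        """Policy lookup as the firewall would do it for traffic from device_ip."""
        self.expire(now)
        policy = self.policies.get(device_ip)
        return policy is not None and policy.action == "allow"


if __name__ == "__main__":
    fw = SecurityDevice({"proxy-A": "constructed-token-A"}, session_ttl=60.0)
    fw.authenticate_proxy("proxy-A", "constructed-token-A", now=0.0)
    fw.receive_identity("proxy-A", {"ip": "192.0.2.10"}, now=1.0)
    print("allowed at t=30:", fw.is_allowed("192.0.2.10", now=30.0))
    print("allowed at t=61:", fw.is_allowed("192.0.2.10", now=61.0))
    print(fw.events)
```

Without the binding in expire(), an allow policy would outlive the proxy that vouched for the device; with it, a device whose identity has not been re-verified within the proxy's session lifetime simply loses its policy, which is the staleness risk the lifecycle binding is meant to remove.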
Fig. 4 is a schematic diagram of an industrial device identity authentication apparatus according to an embodiment of the present invention. The apparatus is applied to an authentication proxy node that is in communication connection with an industrial device and with a security device, and the industrial device identity authentication apparatus in this embodiment includes:
The first sending module 1010 is configured to send an identity information query instruction of a preset type to the industrial device to be authenticated, where the type of the identity information is determined according to the configuration requirement of the access control policy. For details, refer to the description of step S110 in the above embodiment, which is not repeated here.
The first obtaining module 1020 is configured to obtain the identity information fed back by the industrial device. For details, refer to the description of step S120 in the above embodiment, which is not repeated here.
The first verification module 1030 is configured to verify the identity of the industrial device. For details, refer to the description of step S130 in the above embodiment, which is not repeated here.
The second sending module 1040 is configured to, when the verification result meets the identity verification requirement, send the identity information of the preset type to the security device, so that the security device configures a corresponding access control policy for the industrial device based on the identity information. For details, refer to the description of step S140 in the above embodiment, which is not repeated here.
As an optional implementation of the apparatus of the present invention, the apparatus further includes:
a third sending module, configured to send an identity authentication request to the security device. For details, refer to the description of step S210 in the above embodiment, which is not repeated here;
a first response module, configured to respond to the identity information query operation on the industrial device when the identity authentication result fed back by the security device is a pass. For details, refer to the description of step S220 in the above embodiment, which is not repeated here.
As an optional implementation of the apparatus of the present invention, the first verification module 1030 includes:
a first comparison submodule, configured to, when the identity information fed back by the industrial device comprises a plurality of pieces of identity information, compare each piece of identity information in turn with the corresponding preset identity information. For details, refer to the description of step S310 in the above embodiment, which is not repeated here;
a first judgment submodule, configured to judge that the verification result meets the identity verification requirement when the comparison results of all the pieces of identity information are consistent. For details, refer to the description of step S320 in the above embodiment, which is not repeated here.
As an optional implementation of the apparatus of the present invention, the first verification module 1030 includes:
a first input submodule, configured to write an initial value into the firmware program of the programmable logic controller in the PLC type industrial device. For details, refer to the description of step S410 in the above embodiment, which is not repeated here;
a first acquisition submodule, configured to acquire the result value obtained after the firmware program has processed the initial value. For details, refer to the description of step S420 in the above embodiment, which is not repeated here;
a first comparison submodule, configured to compare the result value with a preset result value. For details, refer to the description of step S430 in the above embodiment, which is not repeated here;
a first judgment submodule, configured to judge that the verification result meets the identity verification requirement if the comparison result is consistent. For details, refer to the description of step S440 in the above embodiment, which is not repeated here.
As an optional implementation of the apparatus of the present invention, the apparatus further includes:
a fourth sending module, configured to send verification failure prompt information to the security device when the verification result does not meet the identity verification requirement. For details, refer to the description of step S440 in the above embodiment, which is not repeated here.
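The decision logic of the first verification module 1030 and its submodules, as an added example in Python that is not code from the patent or its applicant: the field-by-field comparison of steps S310 and S320, the PLC firmware challenge of steps S410 to S440, and the failure prompt handed to the fourth sending module. The sample identity record, the shared key, and the firmware transform (an HMAC over the initial value with a key provisioned into the PLC) are assumptions made for illustration; the patent does not specify how the firmware program derives the result value from the initial value.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: the preset identity information the authentication agent node
# holds for one device. Which fields are queried is driven by the access control
# policy's configuration requirement (step S110).
PRESET_IDENTITY: Dict[str, str] = {
    "vendor": "ExampleCo",
    "model": "PLC-1000",
    "serial": "SN-0001",
    "mac": "00:11:22:33:44:55",
}

# Assumption: the PLC firmware program transforms the initial value with a key that
# was provisioned into it; the patent does not specify the transform.
FIRMWARE_KEY = b"demo-firmware-key"


def firmware_transform(initial_value: bytes, key: bytes = FIRMWARE_KEY) -> bytes:
    """Stand-in for the firmware program's processing of the initial value."""
    return hmac.new(key, initial_value, hashlib.sha256).digest()


# Preset (initial value -> expected result value) pairs computed at provisioning time.
PRESET_CHALLENGES: Dict[bytes, bytes] = {
    b"init-0001": firmware_transform(b"init-0001"),
    b"init-0002": firmware_transform(b"init-0002"),
}


def verify_identity_fields(reported: Dict[str, str],
                           preset: Dict[str, str] = PRESET_IDENTITY) -> bool:
    """Steps S310/S320: compare each reported piece of identity information in turn
    with its preset value; the verification requirement is met only if all match."""
    for name, expected in preset.items():
        if reported.get(name) != expected:
            return False
    return True


def verify_plc_firmware(run_firmware: Callable[[bytes], bytes],
                        presets: Dict[bytes, bytes] = PRESET_CHALLENGES) -> bool:
    """Steps S410-S440: write an initial value into the firmware program, read back
    the result value, and compare it with the preset result value. A pair is picked
    at random so one observed exchange does not reveal the whole preset set."""
    initial_value = secrets.choice(list(presets))
    result = run_firmware(initial_value)                          # S410 + S420
    if not isinstance(result, bytes):
        return False
    return hmac.compare_digest(result, presets[initial_value])    # S430 + S440


def authenticate_device(reported: Dict[str, str],
                        run_firmware: Optional[Callable[[bytes], bytes]] = None,
                        ) -> Tuple[str, Dict[str, str]]:
    """Agent-node decision after S130. Returns ("pass", identity info to forward to
    the security device, S140) or ("fail", failure prompt for the security device)."""
    ok = verify_identity_fields(reported)
    if ok and run_firmware is not None:       # PLC type device: also run S410-S440
        ok = verify_plc_firmware(run_firmware)
    if ok:
        return "pass", {name: reported[name] for name in PRESET_IDENTITY}
    return "fail", {"prompt": "verification failure",
                    "device": reported.get("serial", "?")}


if __name__ == "__main__":
    print(authenticate_device(PRESET_IDENTITY, firmware_transform))
    print(authenticate_device({**PRESET_IDENTITY, "serial": "SN-9999"}))
```

The field comparison returns on the first mismatch, which is sufficient for the accept/reject decision; the result comparison uses a constant-time compare so that the agent node's timing does not depend on how many bytes of a wrong result value happened to match.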
Fig. 5 is a schematic diagram of an industrial device identity authentication apparatus according to an embodiment of the present invention. The apparatus is applied to a security device that is in communication connection with an authentication proxy node, where the authentication proxy node is in communication connection with an industrial device, and the industrial device identity authentication apparatus in this embodiment includes:
The first receiving module 1110 is configured to receive the identity information of the industrial device to be authenticated, which is sent by the authentication proxy node. For details, refer to the description of step S610 in the above embodiment, which is not repeated here.
The first configuration module 1120 is configured to perform the operation of configuring an access control policy for the industrial device based on the identity information of the industrial device to be authenticated. For details, refer to the description of step S620 in the above embodiment, which is not repeated here.
As an optional implementation of the apparatus of the present invention, the apparatus further includes:
a second receiving module, configured to receive the identity authentication request sent by the authentication agent node. For details, refer to the description of step S710 in the above embodiment, which is not repeated here;
a fifth sending module, configured to send the identity authentication result to the authentication agent node. For details, refer to the description of step S720 in the above embodiment, which is not repeated here;
a first response module, configured to respond to the operation of receiving the identity information sent by an authentication proxy node that has passed identity authentication. For details, refer to the description of step S730 in the above embodiment, which is not repeated here.
As an optional implementation of the apparatus of the present invention, the apparatus further includes:
a first starting module, configured to start emergency handling when the prompt message that the industrial device to be authenticated has failed verification is received. For details, refer to the description of step S810 in the above embodiment, which is not repeated here.
As an optional implementation of the apparatus of the present invention, the apparatus further includes:
a first binding module, configured to bind the life cycle of the identity characteristic information of the industrial device to be authenticated to the life cycle of the authentication agent node. For details, refer to the description of step S910 in the above embodiment, which is not repeated here.
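The security-device side of the scheme, as an added Python example that is not code from the patent or its applicant. It covers the apparatus of Fig. 5 together with the life-cycle binding of step S910 described earlier: authenticating the agent node (S710, S720), accepting identity information only from an authenticated agent (S730, S610), deriving an access control policy from that information (S620), emergency handling on a failure prompt (S810), and treating a device policy as active only while the identity of the agent that verified the device is still valid (S910). The model-to-protocol mapping, the policy rule format, the agent identity record with an expiry time, and the event list standing in for logging and alerting are all assumptions; the patent does not specify them.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AgentIdentity:
    """Identity the security device holds for one authentication agent node (assumed form)."""
    agent_id: str
    expires_at: float            # validity end of the agent identity, epoch seconds
    revoked: bool = False

    def is_valid(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return not self.revoked and now < self.expires_at


@dataclass
class DevicePolicy:
    """Access control policy configured for one industrial device (step S620)."""
    device_id: str
    agent_id: str                # S910: the agent whose identity life cycle this policy follows
    rules: List[Dict[str, str]]


# Constructed mapping from a device model to the protocols its policy should allow.
# The patent only says the policy is derived from the identity information.
MODEL_PROTOCOLS = {"PLC-1000": ["modbus-tcp"], "HMI-200": ["opc-ua"]}


class SecurityDevice:
    def __init__(self, trusted_agents: Dict[str, AgentIdentity]):
        self.trusted_agents = trusted_agents
        self.policies: Dict[str, DevicePolicy] = {}
        self.events: List[str] = []   # stand-in for the logging/alerting of S810

    def authenticate_agent(self, agent_id: str, now: Optional[float] = None) -> bool:
        """Steps S710/S720: answer the agent node's identity authentication request."""
        agent = self.trusted_agents.get(agent_id)
        return agent is not None and agent.is_valid(now)

    def receive_identity(self, agent_id: str, identity: Dict[str, str],
                         now: Optional[float] = None) -> Optional[DevicePolicy]:
        """Steps S730, S610, S620: accept identity information only from an
        authenticated agent and configure the device's access control policy from it."""
        if not self.authenticate_agent(agent_id, now):
            return None
        device_id = identity["serial"]
        rules = [{"src_mac": identity["mac"], "protocol": proto}
                 for proto in MODEL_PROTOCOLS.get(identity.get("model", ""), [])]
        policy = DevicePolicy(device_id, agent_id, rules)
        self.policies[device_id] = policy
        return policy

    def on_failure_prompt(self, agent_id: str, device_id: str) -> List[str]:
        """Step S810: emergency handling when the agent reports a failed verification."""
        self.events.append(f"alert: device {device_id} failed verification via {agent_id}")
        self.policies.pop(device_id, None)        # drop any policy left from before
        self.events.append(f"policy: block {device_id}")
        return self.events

    def policy_active(self, device_id: str, now: Optional[float] = None) -> bool:
        """Step S910: a device policy is active only while the identity of the agent
        node that verified the device is itself still valid."""
        policy = self.policies.get(device_id)
        if policy is None:
            return False
        return self.authenticate_agent(policy.agent_id, now)

    def revoke_agent(self, agent_id: str) -> List[str]:
        """Invalidate an agent identity; returns the device policies that lapse with it."""
        agent = self.trusted_agents.get(agent_id)
        if agent is not None:
            agent.revoked = True
        return [dev for dev, pol in self.policies.items() if pol.agent_id == agent_id]
```

Because every policy carries the identifier of the agent that produced it, the binding of step S910 needs no separate bookkeeping: expiring or revoking the agent identity makes `policy_active` return false for all of that agent's devices, and the devices have to be re-verified through a valid agent before traffic is allowed again.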
An embodiment of the present invention provides a computer apparatus. As shown in Fig. 6, the apparatus includes one or more processors 1210 and a storage 1220, where the storage 1220 includes persistent memory, volatile memory, and a hard disk; one processor 1210 is taken as an example in Fig. 6. The apparatus may further include an input device 1230 and an output device 1240.
The processor 1210, memory 1220, input device 1230, and output device 1240 may be connected by a bus or by other means; Fig. 6 takes a bus connection as an example.
Processor 1210 may be a Central Processing Unit (CPU). Processor 1210 may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The memory 1220 may include a program storage area and a data storage area, where the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created through use of the industrial equipment identity authentication device, and the like. Further, the memory 1220 may include high-speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 1220 may optionally include memory located remotely from the processor 1210, and such remote memory may be connected to the industrial equipment identity authentication device via a network. The input device 1230 may receive a calculation request (or other numerical or character information) input by a user and generate key signal input related to the industrial equipment identity authentication device. The output device 1240 may include a display device, such as a display screen, for outputting the calculation result.
Embodiments of the present invention provide a computer-readable storage medium that stores computer-executable instructions, where the computer-executable instructions can execute the industrial device identity authentication method of any of the above method embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a flash memory, a Hard Disk Drive (HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
The logic and/or steps represented in the flowcharts or otherwise described herein, such as an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable storage medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, a processor-containing system, or another system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable storage medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable storage medium include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM or flash memory), an optical fiber device, and a portable Compact Disc Read-Only Memory (CD-ROM). Additionally, the computer-readable storage medium may even be paper or another suitable medium upon which the program is printed, since the program can be electronically captured, for instance via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following technologies, which are well known in the art, may be used: discrete logic circuits having logic gate circuits for implementing logic functions on data signals, application specific integrated circuits having appropriate combinational logic gate circuits, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
In the description herein, reference to the terms "this embodiment," "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present disclosure. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the various embodiments or examples and the features of different embodiments or examples described in this specification can be combined by one skilled in the art as long as they do not contradict one another. In the description of the present disclosure, "plurality" means at least two, e.g., two, three, etc., unless explicitly defined otherwise.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. This description need not be, and should not be, exhaustive of all embodiments, and obvious variations or modifications of the invention may be made without departing from its spirit or scope.

Claims (13)

1. An industrial equipment identity authentication method is applied to an authentication agent node and is characterized in that the authentication agent node is respectively in communication connection with industrial equipment and safety equipment; the method comprises the following steps:
sending an identity information query instruction of a preset type to industrial equipment to be authenticated, wherein the type of the identity information is determined according to the configuration requirement of an access control strategy;
acquiring identity information fed back by the industrial equipment;
verifying the identity of the industrial equipment;
and when the verification result meets the identity verification requirement, sending the preset type of identity information to the safety equipment, so that the safety equipment configures a corresponding access control strategy for the industrial equipment based on the identity information.
2. The industrial equipment identity authentication method according to claim 1, wherein before sending the preset type of identity information inquiry command to the industrial equipment to be authenticated, the method further comprises:
sending an identity authentication request to the security device;
and when the identity authentication result fed back by the safety equipment is passed, responding to identity information query operation of the industrial equipment.
3. The industrial equipment identity authentication method as claimed in claim 1, wherein the verifying the identity of the industrial equipment comprises:
when the industrial equipment feeds back a plurality of pieces of identity information, sequentially comparing each piece of identity information with the corresponding preset identity information;
and when the comparison results of all the identity information are consistent, judging that the verification result meets the identity verification requirement.
4. The industrial equipment identity authentication method according to claim 1, wherein the industrial equipment to be authenticated comprises PLC type industrial equipment; the verifying the identity of the industrial device comprises:
writing an initial value into a firmware program of a programmable logic controller in the PLC type industrial equipment;
acquiring a result value of the initial value after being processed by the firmware program;
comparing the result value with a preset result value;
and if the comparison result is consistent, judging that the verification result meets the identity verification requirement.
5. The method for authenticating the identity of the industrial equipment according to claim 1, wherein after the step of verifying the identity of the industrial equipment to be authenticated, the method further comprises the following steps:
and when the verification result does not meet the identity verification requirement, sending verification failure prompt information to the safety equipment.
6. An industrial equipment identity authentication method is applied to safety equipment and is characterized in that the safety equipment is in communication connection with an authentication agent node, and the authentication agent node is in communication connection with the industrial equipment; the method comprises the following steps:
receiving identity information of the industrial equipment to be authenticated, which is sent by an authentication agent node;
and executing the operation of configuring the access control strategy for the industrial equipment based on the identity information of the industrial equipment to be authenticated.
7. The industrial equipment identity authentication method according to claim 6, wherein before receiving the identity information of the industrial equipment to be authenticated, which is sent by the authentication proxy node, the method further comprises:
receiving an identity authentication request sent by the authentication agent node;
sending an identity authentication result to the authentication agent node;
and responding to the identity information receiving operation sent by the authentication proxy node passing the identity authentication.
8. The industrial equipment identity authentication method of claim 6, further comprising:
and when receiving the prompt information of the authentication failure of the industrial equipment to be authenticated, starting emergency treatment.
9. The industrial equipment identity authentication method according to claim 6, wherein after the step of configuring the access control policy for the industrial equipment is performed based on the industrial equipment identity information to be authenticated, the method further comprises:
and binding the life cycle of the industrial equipment identity characteristic information to be authenticated with the life cycle of the authentication agent node.
10. An industrial equipment identity authentication device is applied to an authentication proxy node and is characterized in that the authentication proxy node is respectively in communication connection with industrial equipment and safety equipment; the device comprises:
the first sending module is used for sending an identity information query instruction of a preset type to the industrial equipment to be authenticated, wherein the type of the identity information is determined according to the configuration requirement of the access control strategy;
the first acquisition module is used for acquiring the identity information fed back by the industrial equipment;
the first verification module is used for verifying the identity of the industrial equipment;
and the second sending module is used for sending the preset type of identity information to the safety equipment when a verification result meets the identity verification requirement, so that the safety equipment configures a corresponding access control strategy for the industrial equipment based on the identity information.
11. An industrial equipment identity authentication device is applied to safety equipment and is characterized in that the safety equipment is in communication connection with an authentication agent node, and the authentication agent node is in communication connection with the industrial equipment; the device comprises:
the first receiving module is used for receiving the identity information of the industrial equipment to be authenticated, which is sent by the authentication agent node;
and the first configuration module is used for executing the operation of configuring the access control strategy for the industrial equipment based on the identity information of the industrial equipment to be authenticated.
12. Computer equipment, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for implementing the steps of the industrial equipment identity authentication method according to any one of claims 1 to 5 or implementing the steps of the industrial equipment identity authentication method according to any one of claims 6 to 9 when executing the program stored in the memory.
13. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the industrial device identity authentication method according to any one of claims 1 to 5, or carries out the steps of the industrial device identity authentication method according to any one of claims 6 to 9.
CN202211293004.4A 2022-10-21 2022-10-21 Industrial equipment identity authentication method and device, computer equipment and storage medium Pending CN115766095A (en)


Publications (1)

Publication Number Publication Date
CN115766095A true CN115766095A (en) 2023-03-07

Family

ID=85352538



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination