CN116094745A - Industrial control network safety protection method and device, terminal equipment and storage medium - Google Patents


Info

Publication number
CN116094745A
Authority
CN
China
Prior art keywords
message
access control
component
communication
network
Legal status
Pending
Application number
CN202211354744.4A
Other languages
Chinese (zh)
Inventor
张静
张小东
刘攀
杨光
刘建辉
程建
潘瑜
陈飞
陈少鹏
郭涛
Current Assignee
Gongxin Junyang Beijing Technology Co ltd
Shenzhen Deep Combustion Gas Technology Research Institute
Shenzhen Gas Corp Ltd
Original Assignee
Gongxin Junyang Beijing Technology Co ltd
Shenzhen Deep Combustion Gas Technology Research Institute
Shenzhen Gas Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an industrial control network security protection method, a device, a terminal device and a storage medium. The method comprises the following steps: a flow acquisition component acquires the first network card flow; an access control component performs message identification on the first network card flow and verifies the access control rule to obtain an access control rule verification result; when the verification result is that the access control rule is met, a communication instruction is received, the message is marked with its message type based on the communication instruction and forwarded to a secure communication component; and the secure communication component encrypts the message and transmits the encrypted message to a master station side device through a second network card. The invention applies differentiated security protection to communication messages, improving communication efficiency while ensuring data security, and maintains normal communication over the link through a real-time monitoring and self-healing mechanism, thereby improving the reliability of the system.

Description

Industrial control network safety protection method and device, terminal equipment and storage medium
Technical Field
The present invention relates to the field of communications security technologies, and in particular, to an industrial control network security protection method, an industrial control network security protection device, a terminal device, and a storage medium.
Background
The industrial control SCADA system network is generally composed of a master station local area network, substation local area networks and a wide area network connecting the master station and the substations. Because substation local area networks (such as a voltage regulating station, a valve chamber, a door station or an LNG station in the gas industry, or a transformer substation or new energy power station in the electric industry) are physically scattered and mostly unattended, and the wide area network generally uses an operator's wireless private network, security protection mechanisms such as encryption and authentication are weak: master station resources face illegal access, and industrial control data, especially control instructions, face risks of eavesdropping and tampering during transmission.
Aiming at the security risk faced by the industrial control network, the prior solution mainly adopts the steps of respectively serially connecting and deploying industrial control firewalls at the network boundaries of the main station and the sub-stations, and protecting the industrial control network through security measures such as network access control, network attack detection, industrial control virus protection, VPN all-link encryption communication, flow control and the like based on industrial control protocol analysis.
The prior art solves the safety protection problem of the industrial control network to a certain extent, but the following defects still exist:
(1) The reliability guarantee mechanism is insufficient. Although industrial control firewalls basically have a hard-bypass capability for power failure or hardware failure, the software-layer security mechanisms such as industrial control virus detection and network attack detection are generally complex, so unpredictable anomalies easily occur and cause functional failure; the existing mechanisms have no capability to automatically conduct the network and automatically repair themselves, which causes industrial control network interruption and affects the normal operation of the industrial control system.
(2) VPN full-link encryption greatly affects the real-time performance of the industrial control system. Unlike a conventional IT network, which focuses on confidentiality protection, industrial control network security protection focuses on protecting the integrity of important data, so as to prevent the industrial control system from becoming unavailable because important data has been tampered with or destroyed, which would lead to safety accidents.
Accordingly, there is a need for improvement and advancement in the art.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an industrial control network safety protection method, device, terminal equipment and storage medium aiming at the defects in the prior art, and aims to solve the problems that a reliability guarantee mechanism is insufficient and the real-time influence of VPN full-link encryption on an industrial control system is large in the prior art.
In a first aspect, the present invention provides an industrial control network security protection method, where the method includes:
the flow acquisition component acquires the first network card flow, performs message identification based on the access control component according to the first network card flow, verifies the access control rule and obtains an access control rule verification result;
when the access control verification result is that the access control rule is met, receiving a communication instruction, marking the message type of the message based on the communication instruction, and forwarding the message to a safety communication component;
and encrypting the message based on the secure communication component, and transmitting the encrypted message to a master station side device based on a second network card.
In one implementation, the method further comprises:
starting a depth safety protection component based on the self-healing component, and isolating the depth safety protection component;
determining, based on the safety guard component, whether a runtime exceeds a safety runtime threshold;
and if the running time exceeds the safe running time threshold, the deep safety protection component is restored to normal running, and the real-time monitoring component is notified to restore monitoring based on the self-healing component.
In one implementation, the verifying the access control rule, to obtain an access control rule verification result, includes:
the first network card flow is sent to a flow access control component;
based on the flow access control component, carrying out preliminary analysis on the message, and identifying a source IP/MAC/port, a destination IP/MAC/port, a transmission layer protocol type and a data packet capturing time;
and performing white list matching on the message to obtain the verification result of the access control rule.
In one implementation manner, the verifying the access control rule, to obtain an access control rule verification result, further includes:
if the message is not matched with the white list, determining that the access control rule verification result is that the access control rule is not satisfied, and discarding the message.
In one implementation manner, when the access control verification result is that the access control rule is satisfied, receiving a communication instruction, and marking a message based on the communication instruction by a message type includes:
judging whether a communication instruction is received or not, wherein the communication instruction is a bypass instruction;
if the communication instruction is not received, forwarding the message to a deep safety protection component, then carrying out message deep analysis according to the deep safety protection component, and identifying abnormal behavior, an abnormal instruction and a message type;
if no abnormality exists, the message type of the message is marked.
In one implementation manner, the encrypting the message based on the secure communication component and sending the encrypted message to the master station side device based on the second network card includes:
determining whether encryption processing is needed for the message based on the secure communication component;
if it is determined that the message needs to be encrypted, performing bidirectional identity authentication and communication key negotiation, and if the negotiation is successful, encrypting the HASH and plaintext of the message with the communication key and transmitting the message to a master station side device through a second network card;
if it is determined that the message does not need to be encrypted, signing the message and sending it to the master station side device through the second network card.
In one implementation, the method further comprises:
and after receiving the message, the security communication component of the master station side device verifies the signature by adopting the public key of the substation side device, and forwards the signature to the master station after the signature verification is passed.
In a second aspect, the present invention provides an industrial control network safety protection device, where the device includes:
the access control verification module is used for acquiring the first network card flow by the flow acquisition component, carrying out message identification according to the first network card flow based on the access control component, verifying the access control rule and obtaining an access control rule verification result;
the message type marking module is used for receiving a communication instruction when the access control verification result is that the access control rule is met, marking the message type based on the communication instruction, and forwarding the message to the safety communication assembly;
and the message encryption processing module is used for encrypting the message based on the secure communication assembly and transmitting the encrypted message to the master station side device based on the second network card.
In one implementation, the apparatus further includes:
the assembly isolation operation module is used for starting the depth safety protection assembly based on the self-healing assembly and isolating and operating the depth safety protection assembly;
a runtime determination module to determine, based on the safety guard component, whether a runtime exceeds a safety runtime threshold;
and the operation monitoring and recovering module is used for recovering the deep safety protection assembly to normal operation if the operation time exceeds the safety operation time threshold value, and notifying the real-time monitoring assembly to recover monitoring based on the self-healing assembly.
In one implementation, the access control verification module includes:
the first flow sending unit is used for sending the first network card flow to the flow access control assembly;
the message analysis and identification unit is used for carrying out preliminary analysis on the message based on the flow access control component and identifying a source IP/MAC/port, a destination IP/MAC/port, a transmission layer protocol type and a data packet capturing time;
and the matching verification result unit is used for carrying out white list matching on the message to obtain the access control rule verification result.
In one implementation, the access control verification module further includes:
and the message discarding unit is used for determining that the access control rule verification result does not meet the access control rule if the message is not matched with the white list, and discarding the message.
In one implementation, the message type marking module includes:
the instruction receiving judging unit is used for judging whether a communication instruction is received or not, wherein the communication instruction is a bypass instruction;
the message type identification unit is used for forwarding the message to the deep security protection assembly if the communication instruction is not received, then carrying out message deep analysis according to the deep security protection assembly, and carrying out the identification of abnormal behavior, abnormal instruction and message type;
and the message type marking unit is used for marking the message type of the message if no abnormality exists.
In one implementation manner, the message encryption processing module includes:
an encryption processing judging unit for determining whether encryption processing is required for the message based on the secure communication component;
the encryption processing unit is used for carrying out bidirectional identity authentication and communication key negotiation if the fact that the message needs to be encrypted is determined, carrying out encryption processing on HASH and plaintext of the message by using a communication key if the negotiation is successful, and sending the message to the master station side device on the basis of the second network card;
and the unencrypted processing unit is used for signing the message if the fact that the message does not need to be encrypted is determined, and transmitting the message to the master station side device based on the second network card.
In one implementation, the apparatus further includes:
and the verification forwarding module is used for verifying the signature by adopting the public key of the substation side device after the secure communication component of the master station side device receives the message, and forwarding the signature to the master station after the signature verification is passed.
In a third aspect, an embodiment of the present invention further provides a terminal device, where the terminal device is a business display terminal or a screen-casting terminal, and the terminal device includes a memory, a processor, and an industrial control network security protection program stored in the memory and capable of running on the processor; when the processor executes the industrial control network security protection program, it implements the steps of the industrial control network security protection method in any one of the foregoing solutions.
In a fourth aspect, an embodiment of the present invention further provides a computer readable storage medium, where the computer readable storage medium stores an industrial network security protection program, where the industrial network security protection program, when executed by a processor, implements the steps of the industrial network security protection method according to any one of the foregoing aspects.
The beneficial effects are that: compared with the prior art, the invention provides an industrial control network security protection method in which first network card flow is first collected by a flow collection component, an access control component performs message identification on the first network card flow and verifies the access control rule to obtain an access control rule verification result; then, when the access control verification result is that the access control rule is met, a communication instruction is received, the message is marked based on the communication instruction and forwarded to a secure communication component; and finally the secure communication component encrypts the message and transmits it to a master station side device through a second network card. The invention designs a self-defined, high-efficiency secure communication protocol based on a national cryptographic algorithm to perform two-way identity authentication between the two communicating parties, and adopts a differentiated security protection strategy for communication messages with different functions: acquisition, monitoring and query messages receive signature protection only, which ensures the credibility of the message source, while control messages and parameters receive encryption and integrity protection, which ensures the confidentiality and integrity of important commands. The differentiated protection strategy improves communication efficiency on the premise of ensuring the security of important data, further ensures the real-time performance of the industrial control network, and realizes high-efficiency secure communication between different networks or network partitions. Meanwhile, a software function real-time monitoring and autonomous healing mechanism is designed: the running state of key components is monitored in real time, and when functions such as virus protection and attack protection fail due to an abnormality, a link-maintaining mechanism is started first so that the communication link can still maintain normal communication and continuous, stable running of the industrial control network is ensured; secondly, an autonomous healing mechanism is started, the crashed component is repaired and, after running stably for a period of time, automatically switched back to the normal protection mode. The reliability of the system is thus improved through the real-time monitoring mechanism and the component autonomous healing mechanism.
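The monitoring and self-healing sequence described above (bypass first, restart in isolation, restore after a stable run), as an added example that is not code from the patent; the threshold value and the always-successful restart are constructed assumptions.

```python
"""Added example, not code from the patent: a state machine for the real-time
monitoring and autonomous healing behaviour the text describes. On failure of
the deep protection component the link-maintaining (bypass) mechanism is
started first, the component is then restarted in isolation, and normal
protection resumes only after it has run stably past a threshold."""
from typing import List, Optional, Tuple

SAFE_RUNTIME_THRESHOLD = 60.0  # seconds; constructed value, the patent gives none


class DeepProtectionComponent:
    """Stand-in for the virus/attack protection component; `healthy` is what
    the real-time monitoring component observes on each poll."""
    def __init__(self):
        self.healthy = True
        self.restarts = 0

    def restart(self):
        # Constructed: a restart always succeeds here.
        self.healthy = True
        self.restarts += 1


class SelfHealingController:
    """Real-time monitoring component + self-healing component (Fig. 6 / Fig. 7)."""
    def __init__(self, component: DeepProtectionComponent):
        self.component = component
        self.mode = "normal"            # "normal" or "isolated"
        self.bypass_active = False      # the bypass instruction consulted in Fig. 4
        self.monitoring = True          # real-time monitoring of the component
        self.isolated_since: Optional[float] = None
        self.events: List[Tuple[float, str]] = []

    def tick(self, now: float) -> str:
        """One poll of the monitoring loop; returns the resulting mode."""
        if self.mode == "normal" and not self.component.healthy:
            # 1) link-maintaining mechanism first: traffic bypasses deep analysis
            self.bypass_active = True
            self.monitoring = False
            self.events.append((now, "component failed; bypass instruction issued"))
            # 2) autonomous healing: restart the component and run it isolated
            self.component.restart()
            self.mode, self.isolated_since = "isolated", now
            self.events.append((now, "component restarted in isolation"))
        elif self.mode == "isolated":
            if not self.component.healthy:
                # Crashed again while isolated: restart and reset the stability clock.
                self.component.restart()
                self.isolated_since = now
                self.events.append((now, "isolated component crashed; restarted"))
            elif now - self.isolated_since > SAFE_RUNTIME_THRESHOLD:
                # Stable past the safe runtime threshold: back to normal protection,
                # withdraw the bypass instruction and resume monitoring.
                self.mode, self.bypass_active, self.monitoring = "normal", False, True
                self.isolated_since = None
                self.events.append((now, "stable; normal protection and monitoring restored"))
        return self.mode
```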
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will briefly explain the drawings used in the embodiments or the descriptions in the prior art, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings can be obtained according to the drawings without inventive effort for those skilled in the art.
Fig. 1 is a schematic flow chart of a specific implementation of an industrial control safety protection method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a safety boundary protection system of an industrial control safety device according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating the logical relationships between components of an industrial control safety device according to an embodiment of the present invention.
Fig. 4 is a flowchart of a normal operation of the industrial control safety device according to the embodiment of the present invention.
Fig. 5 is a diagram illustrating a process of encrypting safety communication by a deep safety protection component of the industrial control safety protection device according to the embodiment of the present invention.
Fig. 6 is a diagram of an autonomous healing process of a deep safety protection component of the industrial control safety device according to an embodiment of the present invention.
Fig. 7 is a device operation state diagram of the industrial control safety device according to the embodiment of the present invention in a component failure state.
Fig. 8 is a schematic block diagram of an industrial control safety protection device according to an embodiment of the present invention.
Fig. 9 is a schematic diagram of a safety boundary protection system deployment of an industrial control safety protection device according to an embodiment of the present invention.
Fig. 10 is a schematic block diagram of an internal structure of a terminal device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and effects of the present invention clearer and more specific, the present invention will be described in further detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The embodiment provides an industrial control network security protection method by which high-efficiency secure communication between different networks or network partitions can be realized, while the reliability of the system is improved through a real-time monitoring mechanism and a component self-healing mechanism. When the method is implemented, a flow acquisition component first acquires the flow of a first network card, and an access control component performs message identification on that flow and verifies the access control rule to obtain a verification result; then, when the verification result is that the access control rule is met, a communication instruction is received, the message type is marked based on the communication instruction, and the message is forwarded to a secure communication component; finally, the secure communication component encrypts the message and sends it to the master station side device through the second network card. By adopting differentiated security protection strategies for communication messages with different functions, the invention improves communication efficiency on the premise of guaranteeing secure communication of important data, further guarantees the real-time performance of the industrial control network, and realizes efficient secure communication between different networks or network partitions.
For example, fig. 4 is a flowchart illustrating the normal operation of the industrial control safety device according to the embodiment of the present invention. First, the flow of network card 1 is collected by the flow collection component and forwarded to the flow access control component; the flow access control component performs message identification, matches the message against the white list access control rule and verifies whether the access control rule is met; if it is not met, an alarm is raised and the packet is dropped. If the access control rule is met, it is judged whether a bypass instruction has been received; if no bypass instruction has been received, the message is forwarded to the deep security protection component, which performs deep analysis of the message and judges whether an abnormality exists; if there is no abnormality, the message type is marked and the message is forwarded to the secure communication component. Finally, the secure communication component determines whether the message needs to be encrypted. If it does, bidirectional identity authentication and communication key negotiation are performed; if the negotiation succeeds, the HASH and plaintext of the message are encrypted with the communication key and the encrypted message is sent to the master station side device through network card 2, where it is decrypted, and the flow ends. If it is determined that the message does not need to be encrypted, the message is signed using the public key of the device at the master station side and sent to the master station through network card 2; the device at the master station side verifies the signature using the private key preset by the device at the substation side, and the flow ends after verification passes.
According to the embodiment, the differentiated safety protection strategy is adopted for the communication messages with different functions, so that the communication efficiency is improved on the premise of guaranteeing the safety of important data, the instantaneity of an industrial control network is further guaranteed, and the efficient and safe communication between different networks or network partitions is realized.
Fig. 2 is a schematic diagram of a safety boundary protection system of an industrial control safety device according to an embodiment of the present invention. The core components of the hardware layer are a domestic CPU, a commercial cryptographic card and a bypass network card; the software layer mainly comprises a domestic secure operating system and an intelligent security protection engine. In the hardware layer, the national cryptographic card provides SM1/SM2/SM3/SM4-based data encryption and decryption, integrity protection and signature protection to the secure communication module, and the bypass network card provides the hard bypass function. The security protection engine of the software layer consists of a flow acquisition component, a flow access control component, a deep security protection component, an autonomous healing component, a secure communication component and a real-time monitoring component, and provides functions such as flow analysis, network access control, virus protection, network attack protection, secure communication and fault self-healing. FIG. 3 is a diagram illustrating the operational logic relationship between components of an industrial control safety device according to an embodiment of the present invention.
Exemplary method
The embodiment provides an industrial control network safety protection method which can be applied to various terminal devices. As shown in fig. 1, the method comprises the following steps:
and step S100, the flow acquisition component acquires the first network card flow, performs message identification according to the first network card flow based on the access control component, verifies the access control rule and obtains an access control rule verification result.
In this embodiment, firstly, a flow acquisition component acquires a first network card flow, and forwards the first network card flow to a flow access control component; then the flow access control component carries out preliminary analysis on the message and identifies the source IP/MAC/port, the destination IP/MAC/port, the type of a transmission layer protocol and the capturing time of the data packet; and finally, carrying out white list matching on the message to obtain the verification result of the access control rule. The flow access control component performs preliminary analysis and white list matching on the message, preliminarily screens out the message conforming to the rule, and only transmits the message conforming to the access control rule to the next-stage component for further processing, thus preliminarily ensuring the safety of the communication message. The flow acquisition component is used for acquiring network flow sent to the master station by the substation local area network in real time; the flow access control component is used for carrying out protocol identification, format check and state check on the collected network flow and carrying out access control based on five-tuple, sending the data packet conforming to the white list rule to the deep protection component for further check, and directly discarding the data packet which does not conform to the white list rule.
In another embodiment, if the message does not match the white list, the access control rule verification result is determined to be that the access control rule is not satisfied, and the message is discarded. Messages that do not conform to the access control rule are discarded promptly, so that harmful messages are prevented from passing, the safety of data transmission is ensured, and transmission efficiency is improved at the same time.
Step S200: when the access control verification result is that the access control rule is met, receiving a communication instruction, marking the message type of the message based on the communication instruction, and forwarding the message to a safety communication component.
In this embodiment, a message that satisfies the access control rule is marked with its message type and forwarded to the secure communication component for further processing. As shown in fig. 4, it is first determined whether a communication instruction has been received, the communication instruction being a bypass instruction. If no bypass instruction has been received, the message is forwarded to the deep safety protection component, which performs deep analysis on the message and identifies abnormal behaviour, abnormal instructions and the message type; if no abnormality is identified, the message type is marked and the message is forwarded to the safety communication component. If a bypass instruction has been received, the message type is marked directly and the message is forwarded to the secure communication component. The deep safety protection component performs deep analysis and deep monitoring of the received message, including protocol identification, format check, state check, protocol consistency and integrity check, abnormal behaviour and abnormal instruction identification, and message type identification; if no abnormality exists, it marks the message type (whether or not the message is a control message) and forwards the message to the safety communication component. It also identifies industrial control viruses and network attacks in time, and if a network attack or virus is found, it drops the packet directly and generates an alarm. Because the message to be transmitted is deeply analysed by the deep safety protection component, dangerous attacks are found and alarmed promptly, so the message handed to the safety communication component is safer and more reliable, and the safety of data transmission is further ensured.
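The following Go program is an added illustration of steps S100 and S200 together, not code from the patent: a five-tuple white list check, then deep inspection that does the format check, abnormal instruction identification and control/query marking, with the bypass instruction short-circuiting inspection. The packet fields, the substation LAN 10.10.1.0/24, and the three function codes of the inspected protocol are all constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Packet is the flow access control component's preliminary analysis of one
// captured data packet: IP/MAC/port of both ends, protocol type, capture time.
type Packet struct {
	SrcIP, DstIP, SrcMAC, DstMAC string
	SrcPort, DstPort             uint16
	Proto                        string // transport-layer protocol: "tcp" or "udp"
	Captured                     time.Time
	Payload                      []byte
}

// WhitelistRule is one five-tuple access control rule; the source port is
// left unmatched because substation clients use ephemeral ports.
type WhitelistRule struct {
	SrcNet  *net.IPNet
	DstIP   string
	DstPort uint16
	Proto   string
}

// Marked is what reaches the secure communication component: the packet plus
// the message type mark (control message or monitoring/query message).
type Marked struct {
	Pkt       Packet
	IsControl bool
}

// matchWhitelist is the five-tuple access control of step S100.
func matchWhitelist(p Packet, rules []WhitelistRule) bool {
	src := net.ParseIP(p.SrcIP)
	if src == nil {
		return false
	}
	for _, r := range rules {
		if r.SrcNet.Contains(src) && r.DstIP == p.DstIP &&
			r.DstPort == p.DstPort && r.Proto == p.Proto {
			return true
		}
	}
	return false
}

// deepInspect stands in for the deep safety protection component of step S200
// on a constructed, hypothetical ICS protocol used only here: byte 0 is a
// function code, bytes 1-2 a register address, any further bytes write data.
func deepInspect(payload []byte) (isControl bool, err error) {
	if len(payload) < 3 {
		return false, fmt.Errorf("format check failed: %d-byte payload", len(payload))
	}
	switch payload[0] {
	case 0x01, 0x02: // read function codes: monitoring/query messages
		return false, nil
	case 0x10: // write function code: control message, must carry data
		if len(payload) < 4 {
			return false, fmt.Errorf("abnormal instruction: write without data")
		}
		return true, nil
	}
	return false, fmt.Errorf("abnormal instruction: unknown function code 0x%02x", payload[0])
}

// Process runs one packet through steps S100 and S200. A non-nil error means
// the packet is dropped (after deep inspection, an alarm would also be raised).
// bypass is the communication instruction issued when the deep safety protection
// component has crashed: inspection is skipped and the type is marked from the
// function code alone so the link is kept.
func Process(p Packet, rules []WhitelistRule, bypass bool) (Marked, error) {
	if !matchWhitelist(p, rules) {
		return Marked{}, fmt.Errorf("access control: %s:%d -> %s:%d/%s not in white list",
			p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, p.Proto)
	}
	isControl := len(p.Payload) > 0 && p.Payload[0] == 0x10
	if !bypass {
		var err error
		if isControl, err = deepInspect(p.Payload); err != nil {
			return Marked{}, err
		}
	}
	return Marked{Pkt: p, IsControl: isControl}, nil
}

func main() {
	_, lan, _ := net.ParseCIDR("10.10.1.0/24") // constructed substation LAN
	rules := []WhitelistRule{{SrcNet: lan, DstIP: "10.10.2.5", DstPort: 502, Proto: "tcp"}}
	for _, payload := range [][]byte{{0x02, 0, 1}, {0x10, 0, 1, 0xff}, {0x7f, 0, 1}} {
		p := Packet{SrcIP: "10.10.1.20", DstIP: "10.10.2.5", SrcPort: 40001, DstPort: 502,
			Proto: "tcp", Captured: time.Now(), Payload: payload}
		m, err := Process(p, rules, false)
		fmt.Printf("control=%v err=%v\n", m.IsControl, err)
	}
}
```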
Step S300: encrypting the message based on the secure communication component, and transmitting the encrypted message to a master station side device based on a second network card.
In this embodiment, the secure communication component encrypts the received message and sends the encrypted message to the master station device. Fig. 5 illustrates the secure communication encryption process of the deep safety protection component of the industrial control safety protection device according to the embodiment of the present invention. First, the safety communication component receives a message and determines whether the received message requires encryption processing. If the message is determined to need encryption, two-way identity authentication and communication key negotiation are performed; if the key negotiation succeeds, the HASH and the plaintext of the message are encrypted with the negotiated communication key and then sent to the master station side device through the second network card. If the message does not need encryption, the public key of the master station side device is used to sign the message directly, and the message is then sent to the master station side device through the second network card. The safety communication component obtains the self-defined safety communication protocol and establishes a communication connection with the safety protection device on the master station side; it does not encrypt monitoring and query messages but applies signature protection only, and applies encryption and integrity protection to control messages and their parameters, so that the confidentiality and integrity of important commands are ensured.
This embodiment designs a self-defined, high-efficiency safety communication protocol based on the national cryptographic algorithms to perform two-way identity authentication between the two communicating parties, and adopts a differentiated safety protection strategy for communication messages with different functions: acquisition monitoring and query messages receive signature protection only, which ensures the credibility of the message source, while control messages and their parameters receive encryption and integrity protection, which ensures the confidentiality and integrity of important commands. The differentiated protection strategy improves communication efficiency on the premise of ensuring the safety of important data, thereby ensuring the real-time performance of the industrial control network and realizing high-efficiency safe communication between different networks or network partitions.
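An added Go illustration of the differentiated protection of step S300 and the master-side check of the next embodiments, not the patent's own protocol: query messages are signed only, control messages are encrypted as HASH||plaintext with the negotiated key, and the master station verifies with the substation's public key or decrypts and checks integrity before forwarding. The wire format is constructed, the two-way authentication and key negotiation are assumed already done, and the national algorithms are replaced by standard-library stand-ins (ECDSA P-256 for SM2, SHA-256 for SM3, AES-128-GCM for SM4).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is a constructed wire format for the self-defined protocol: a query
// message is plaintext plus signature, a control message an AEAD ciphertext.
type Envelope struct {
	IsControl bool
	Body      []byte // plaintext (query) or ciphertext of HASH||plaintext (control)
	Nonce     []byte // control messages only
	Sig       []byte // query messages only
}

// Substation and Master share the communication key that this example assumes
// was negotiated during two-way identity authentication. Stand-ins for the
// national algorithms: ECDSA P-256 for SM2, SHA-256 for SM3, AES-128-GCM for SM4.
type Substation struct {
	SignKey *ecdsa.PrivateKey
	CommKey []byte // 16 bytes
}
type Master struct {
	SubPub  *ecdsa.PublicKey // substation public key used to verify signatures
	CommKey []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect applies the differentiated policy of step S300: signature only for
// monitoring/query messages, encryption plus integrity for control messages.
func (s *Substation) Protect(plaintext []byte, isControl bool) (Envelope, error) {
	digest := sha256.Sum256(plaintext)
	if !isControl {
		sig, err := ecdsa.SignASN1(rand.Reader, s.SignKey, digest[:])
		return Envelope{Body: plaintext, Sig: sig}, err
	}
	aead, err := newAEAD(s.CommKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// As on the page, HASH and plaintext are encrypted together; the master
	// recomputes the hash after decryption as its integrity check.
	ct := aead.Seal(nil, nonce, append(digest[:], plaintext...), nil)
	return Envelope{IsControl: true, Body: ct, Nonce: nonce}, nil
}

// Open is the master station side check before forwarding: verify the
// signature with the substation's public key, or decrypt and check integrity.
func (m *Master) Open(e Envelope) ([]byte, error) {
	if !e.IsControl {
		digest := sha256.Sum256(e.Body)
		if !ecdsa.VerifyASN1(m.SubPub, digest[:], e.Sig) {
			return nil, fmt.Errorf("signature verification failed; not forwarded")
		}
		return e.Body, nil
	}
	aead, err := newAEAD(m.CommKey)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Body, nil)
	if err != nil || len(pt) < sha256.Size {
		return nil, fmt.Errorf("control message rejected (%v); not forwarded", err)
	}
	want, body := pt[:sha256.Size], pt[sha256.Size:]
	if got := sha256.Sum256(body); !bytes.Equal(want, got[:]) {
		return nil, fmt.Errorf("integrity check failed; not forwarded")
	}
	return body, nil
}

// NewPair builds a substation/master pair with a fresh signing key and the
// given (assumed already negotiated) 16-byte communication key.
func NewPair(commKey []byte) (*Substation, *Master, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Substation{SignKey: priv, CommKey: commKey}, &Master{SubPub: &priv.PublicKey, CommKey: commKey}, nil
}

func main() {
	sub, mst, _ := NewPair([]byte("0123456789abcdef")) // constructed negotiated key
	env, _ := sub.Protect([]byte("write register 1 = 0xff"), true)
	out, err := mst.Open(env)
	fmt.Printf("forwarded=%q err=%v\n", out, err)
}
```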
in another embodiment, the method further comprises the steps of:
Step S201: starting the deep safety protection component based on the autonomous healing component, and running the deep safety protection component in isolation;
Step S202: determining, based on the safety protection component, whether the running time exceeds a safe running time threshold;
Step S203: if the running time exceeds the safe running time threshold, restoring the deep safety protection component to normal running, and notifying the real-time monitoring component, based on the self-healing component, to restore monitoring.
In this embodiment, the deep safety protection component is monitored in real time by a real-time monitoring mechanism and an autonomous healing mechanism, so that the communication link stays connected and operates stably. In a specific implementation, fig. 6 is a schematic diagram of the autonomous healing process of the deep safety protection component of the industrial control safety protection device according to the embodiment of the present invention. When the real-time monitoring component detects that the deep safety protection component has crashed abnormally, it immediately sends a bypass instruction to the flow access control component, which then stops forwarding messages to the deep safety protection component and forwards them directly to the safety communication component; at the same time, it sends a repair instruction to the autonomous healing component, which starts repairing the deep safety protection component.
First, the self-healing component tries to restart the deep safety protection component; if the start is unsuccessful, an alarm is issued, and if it is successful, the self-healing component runs the deep safety protection component in isolation. It then determines whether the running time of the deep safety protection component exceeds the safe running time threshold, which is a preset time threshold. If the running time exceeds the threshold, the deep safety protection component is deemed able to continue running safely: it is restored to normal operation, the autonomous healing component notifies the real-time monitoring component to resume monitoring it, and a restore instruction is sent to the flow access control component so that it forwards network flow to the deep safety protection component again; that is, the deep safety protection component is reconnected to the safety protection engine after its operation has been stable for a period of time. The real-time monitoring component collects the running state information of the deep safety protection component in real time, judges whether its function has failed by comparison against a static threshold and by checking availability, and notifies the self-healing component to carry out the repair operation. The operational state of the device in the event of a failure of the deep safety protection component is shown in fig. 7.
In this embodiment, a real-time monitoring and autonomous healing mechanism for software functions is designed to monitor the running state of key components in real time. When functions such as virus protection and attack protection fail because of a system abnormality, a link-keeping mechanism is started first so that the communication link still communicates normally and the industrial control network keeps running continuously and stably; then the autonomous healing mechanism is started, the crashed component is repaired and, after a period of stable operation, switched back to the normal protection mode automatically. The real-time monitoring mechanism and the component autonomous healing mechanism together improve the reliability of the system.
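An added Go model of the link-keeping and autonomous healing procedure of steps S201 to S203 (not the patent's implementation): a supervisor that switches the flow access control component to bypass on a crash, retries the restart and alarms on failure, runs the restarted component in isolation, and only restores normal mode once the isolated run has lasted the safe running time threshold. The DeepGuard interface, the fakeGuard stand-in, the injected clock and the 60-second threshold are all constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Mode is the instruction in force at the flow access control component:
// Normal forwards to deep inspection, Bypass straight to secure communication.
type Mode int

const (
	Normal Mode = iota
	Bypass
)

// State of the deep safety protection component as tracked by the supervisor.
type State int

const (
	Running  State = iota // normal protection mode
	Failed                // crashed, restart unsuccessful, alarm raised
	Isolated              // restarted, running in isolation until the threshold elapses
)

// DeepGuard abstracts the deep safety protection component: the monitoring
// side polls Alive, the self-healing side calls Restart.
type DeepGuard interface {
	Alive() bool
	Restart() error
}

// Supervisor combines the real-time monitoring and autonomous healing
// mechanisms; Now is injected so the safe running time can be simulated.
type Supervisor struct {
	Guard      DeepGuard
	Threshold  time.Duration // preset safe running time threshold
	Now        func() time.Time
	Mode       Mode
	State      State
	Alarms     []string
	isolatedAt time.Time
}

// repair is the healing step: restart, alarm on failure, else begin the
// isolated run and its timer.
func (s *Supervisor) repair() {
	if err := s.Guard.Restart(); err != nil {
		s.State = Failed
		s.Alarms = append(s.Alarms, "deep safety protection component restart failed: "+err.Error())
		return
	}
	s.State, s.isolatedAt = Isolated, s.Now()
}

// Tick is one monitoring round; it returns the instruction currently in force.
func (s *Supervisor) Tick() Mode {
	switch s.State {
	case Running:
		if !s.Guard.Alive() {
			s.Mode = Bypass // link keeping first: bypass instruction to flow access control
			s.repair()      // then the repair instruction to the self-healing component
		}
	case Failed:
		s.repair() // keep retrying while the link is held in bypass
	case Isolated:
		switch {
		case !s.Guard.Alive(): // crashed again during the isolated run
			s.repair()
		case s.Now().Sub(s.isolatedAt) >= s.Threshold:
			// stable for the safe running time: restore instruction, monitoring resumes
			s.State, s.Mode = Running, Normal
		}
	}
	return s.Mode
}

// fakeGuard is a constructed stand-in for the real component.
type fakeGuard struct {
	alive        bool
	failRestarts int // restarts that will fail before one succeeds
}

func (g *fakeGuard) Alive() bool { return g.alive }
func (g *fakeGuard) Restart() error {
	if g.failRestarts > 0 {
		g.failRestarts--
		return fmt.Errorf("process exited immediately")
	}
	g.alive = true
	return nil
}

func main() {
	clock := time.Unix(0, 0)
	g := &fakeGuard{alive: false, failRestarts: 1} // constructed crash, first restart fails
	sup := &Supervisor{Guard: g, Threshold: 60 * time.Second, Now: func() time.Time { return clock }}
	for i := 0; i < 4; i++ {
		fmt.Printf("t=%3ds mode=%d state=%d alarms=%d\n", clock.Unix(), sup.Tick(), sup.State, len(sup.Alarms))
		clock = clock.Add(30 * time.Second)
	}
}
```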
In another embodiment, the method further comprises:
After receiving the message, the secure communication component of the master station side device verifies the signature using the public key of the substation side device, and forwards it to the master station after the signature verification passes. The security of the transmitted message is ensured through signature verification.
Exemplary apparatus
Based on the above embodiment, the present invention also provides a device for industrial control network security protection, as shown in fig. 8; the device in this embodiment includes an access control verification module 10, a message type marking module 20 and a message encryption processing module 30. The access control verification module 10 is configured to have the flow acquisition component acquire the first network card flow, perform message identification according to the first network card flow based on the access control component, verify the access control rule and obtain an access control rule verification result. The message type marking module 20 is configured to receive a communication instruction when the access control verification result is that the access control rule is satisfied, mark the message type based on the communication instruction, and forward the message to the secure communication component. The message encryption processing module 30 is configured to encrypt the message based on the secure communication component and send the encrypted message to the master station device based on the second network card.
In one implementation, the apparatus further includes:
a component isolation running module, used for starting the deep safety protection component based on the self-healing component and running the deep safety protection component in isolation;
a running time determination module, used for determining, based on the safety protection component, whether the running time exceeds a safe running time threshold;
and a running monitoring and recovery module, used for restoring the deep safety protection component to normal running if the running time exceeds the safe running time threshold, and notifying the real-time monitoring component, based on the self-healing component, to restore monitoring.
In one implementation, the apparatus includes an access control verification module, the access control verification module including:
the first flow sending unit is used for sending the first network card flow to the flow access control assembly;
the message analysis and identification unit is used for carrying out preliminary analysis on the message based on the flow access control component and identifying a source IP/MAC/port, a destination IP/MAC/port, a transmission layer protocol type and a data packet capturing time;
and the matching verification result unit is used for carrying out white list matching on the message to obtain the access control rule verification result.
In one implementation, the apparatus includes an access control verification module, the access control verification module further comprising:
and the message discarding unit is used for determining that the access control rule verification result does not meet the access control rule if the message is not matched with the white list, and discarding the message.
In one implementation, the apparatus includes a message type marking module, where the message type marking module includes:
the instruction receiving judging unit is used for judging whether a communication instruction is received or not, wherein the communication instruction is a bypass instruction;
the message type identification unit is used for forwarding the message to the deep security protection assembly if the communication instruction is not received, then carrying out message deep analysis according to the deep security protection assembly, and carrying out the identification of abnormal behavior, abnormal instruction and message type;
and the message type marking unit is used for marking the message type of the message if no abnormality exists.
In one implementation, the apparatus includes a message encryption processing module, where the message encryption processing module includes:
an encryption processing judging unit for determining whether encryption processing is required for the message based on the secure communication component;
the encryption processing unit is used for carrying out bidirectional identity authentication and communication key negotiation if the fact that the message needs to be encrypted is determined, carrying out encryption processing on HASH and plaintext of the message by using a communication key if the negotiation is successful, and sending the message to the master station side device on the basis of the second network card;
and the unencrypted processing unit is used for signing the message if the fact that the message does not need to be encrypted is determined, and transmitting the message to the master station side device based on the second network card.
In one implementation, the apparatus further includes:
and the verification forwarding module is used for verifying the signature by adopting the public key of the substation side device after the secure communication component of the master station side device receives the message, and forwarding the signature to the master station after the signature verification is passed.
The working principle of each module in the industrial control network safety protection system of this embodiment is the same as that of the corresponding step in the method embodiment and is not repeated here.
Fig. 9 is a schematic diagram of the deployment of the safety boundary protection system of the industrial control safety protection device according to an embodiment of the present invention. In practical application, one set is deployed centrally at the network boundary of the master station and one set at the network boundary of each remote station, realizing distributed deployment with centralized management.
Based on the above embodiment, the present invention further provides a terminal device, whose schematic block diagram may be as shown in fig. 10; the terminal device is the upper computer, such as a computer device, in the above embodiment. The terminal device may include one or more processors 100 (only one is shown in fig. 10), a memory 101, and a computer program 102 stored in the memory 101 and executable on the one or more processors 100, such as a program for industrial control network security protection. When executing the computer program 102, the one or more processors 100 may implement the steps of the method embodiment for industrial control network security protection. Alternatively, the functions of the modules/units in the embodiments of the apparatus for industrial control network security protection may be implemented by the one or more processors 100 when executing the computer program 102, which is not limited herein.
In one embodiment, the processor 100 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In one embodiment, the memory 101 may be an internal storage unit of the electronic device, such as a hard disk or a memory of the electronic device. The memory 101 may also be an external storage device of the electronic device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card (flash card) or the like, which are provided on the electronic device. Further, the memory 101 may also include both an internal storage unit and an external storage device of the electronic device. The memory 101 is used to store computer programs and other programs and data required by the terminal device. The memory 101 may also be used for temporarily storing data that has been output or is to be output.
It will be appreciated by those skilled in the art that the functional block diagram shown in fig. 10 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the terminal device to which the present inventive arrangements are applied, and that a particular terminal device may include more or less components than those shown, or may combine some of the components, or may have a different arrangement of components.
Those skilled in the art will appreciate that implementing all or part of the methods of the above embodiments may be accomplished by a computer program stored on a non-transitory computer readable storage medium, which, when executed, may include the steps of the method embodiments described above. Any reference to memory, storage, an operational database or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM), among others.
In summary, the invention discloses an industrial control network security protection method, a device, a terminal device and a storage medium, wherein the method comprises the following steps: the flow acquisition component acquires the first network card flow, performs message identification based on the access control component according to the first network card flow, verifies the access control rule and obtains an access control rule verification result; when the access control verification result is that the access control rule is met, receiving a communication instruction, marking the message type of the message based on the communication instruction, and forwarding the message to a safety communication component; and encrypting the message based on the secure communication component, and transmitting the encrypted message to a master station side device based on a second network card. The invention adopts differential safety protection to the communication message, improves the communication efficiency while ensuring the data safety, and simultaneously maintains the normal communication of the communication link through a real-time monitoring and self-healing mechanism, thereby improving the reliability of the system.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An industrial control network safety protection method, which is characterized by comprising the following steps:
the flow acquisition component acquires the first network card flow, performs message identification based on the access control component according to the first network card flow, verifies the access control rule and obtains an access control rule verification result;
when the access control verification result is that the access control rule is met, receiving a communication instruction, marking the message type of the message based on the communication instruction, and forwarding the message to a safety communication component;
and encrypting the message based on the secure communication component, and transmitting the encrypted message to a master station side device based on a second network card.
2. The industrial control network safety protection method according to claim 1, further comprising:
starting a depth safety protection component based on the self-healing component, and isolating the depth safety protection component;
determining whether a runtime exceeds a safe runtime threshold based on the deep security component;
and if the running time exceeds the safe running time threshold, the deep safety protection component is restored to normal running, and the real-time monitoring component is notified to restore monitoring based on the self-healing component.
3. The industrial control network security protection method according to claim 1, wherein the verifying the access control rule, to obtain an access control rule verification result, includes:
the first network card flow is sent to a flow access control component;
based on the flow access control component, carrying out preliminary analysis on the message, and identifying a source IP/MAC/port, a destination IP/MAC/port, a transmission layer protocol type and a data packet capturing time;
and performing white list matching on the message to obtain the verification result of the access control rule.
4. The industrial control network security protection method according to claim 3, wherein the step of verifying the access control rule to obtain an access control rule verification result further comprises:
if the message is not matched with the white list, determining that the access control rule verification result is that the access control rule is not satisfied, and discarding the message.
5. The industrial network security protection method according to claim 1, wherein when the access control verification result is that an access control rule is satisfied, receiving a communication instruction, and marking a message based on the communication instruction by a message type, includes:
judging whether a communication instruction is received or not, wherein the communication instruction is a bypass instruction;
if the communication instruction is not received, forwarding the message to a deep safety protection component, then carrying out message deep analysis according to the deep safety protection component, and identifying abnormal behavior, an abnormal instruction and a message type;
if no abnormality exists, the message type of the message is marked.
6. The industrial control network security protection method according to claim 1, wherein the encrypting the message based on the secure communication component and transmitting the encrypted message to the master station device based on the second network card comprises:
determining whether encryption processing is needed for the message based on the secure communication component;
if the message is determined to need to be encrypted, performing bidirectional identity authentication and communication key negotiation, if the negotiation is successful, encrypting HASH and plaintext of the message by using a communication key, and transmitting the message to a master station side device based on a second network card;
if the fact that the message does not need to be encrypted is determined, the message is signed, and the message is sent to the master station side device based on the second network card.
7. The industrial control network safety protection method according to claim 1, further comprising:
and after receiving the message, the security communication component of the master station side device verifies the signature by adopting the public key of the substation side device, and forwards the signature to the master station after the signature verification is passed.
8. An industrial control network safety protection device, characterized in that the device comprises:
the access control verification module is used for acquiring the first network card flow by the flow acquisition component, carrying out message identification according to the first network card flow based on the access control component, verifying the access control rule and obtaining an access control rule verification result;
the message type marking module is used for receiving a communication instruction when the access control verification result is that the access control rule is met, marking the message type based on the communication instruction, and forwarding the message to the safety communication assembly;
and the message encryption processing module is used for encrypting the message based on the secure communication assembly and transmitting the encrypted message to the master station side device based on the second network card.
9. A terminal device, characterized in that the terminal device comprises a memory, a processor and an industrial network security protection program stored in the memory and operable on the processor, the processor implementing the steps of the industrial network security protection method according to any one of claims 1-7 when executing the industrial network security protection program.
10. A computer readable storage medium, wherein an industrial network security protection program is stored on the computer readable storage medium, and when the industrial network security protection program is executed by a processor, the steps of the industrial network security protection method according to any one of claims 1-7 are implemented.
CN202211354744.4A 2022-11-01 2022-11-01 Industrial control network safety protection method and device, terminal equipment and storage medium Pending CN116094745A (en)


Publications (1)

Publication Number Publication Date
CN116094745A true CN116094745A (en) 2023-05-09

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117354057A (en) * 2023-12-01 2024-01-05 杭州海康威视数字技术股份有限公司 Malicious traffic detection method, device and equipment
CN117354057B (en) * 2023-12-01 2024-03-05 杭州海康威视数字技术股份有限公司 Malicious traffic detection method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination