CN116155527A - Industrial control system operation and maintenance system and method - Google Patents
- Publication number
- CN116155527A (application CN202211442118.0A)
- Authority
- CN
- China
- Prior art keywords
- maintenance
- gateway
- request data
- access request
- industrial control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2592—Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to the field of control system operation and maintenance, and provides an industrial control system operation and maintenance system and method. Operation and maintenance personnel send request data through a portable terminal; while the request data is in transit it is encrypted twice, by the virtual private network tunnel and by the security gateway, and authenticated twice, by the security gateway and by the operation and maintenance gateway, so that the network security risk is reduced and remote operation and maintenance is carried out more safely. In addition, operation and maintenance personnel access the operation and maintenance gateway through the portable terminal, the operation and maintenance gateway accesses the springboard machine server through the security gateway, and a plurality of production line servers are maintained by way of the springboard machine server, which facilitates the work of the operation and maintenance personnel.
Description
Technical Field
The invention relates to the field of operation and maintenance of industrial control systems, in particular to an operation and maintenance system and method of an industrial control system.
Background
Industrial control systems have traditionally been physically isolated from the IT network, and this isolation keeps most viruses or attacks from directly entering the industrial control system. As a result, industrial control manufacturers did not give much consideration to security when designing products: many controller devices can be logged into directly without authentication, data transmitted between them is in clear text, and field devices are dispersed across sites, so that when a fault occurs, operation and maintenance personnel must travel to the site for maintenance.
With the rapid development of intelligent manufacturing, centralized and remote office work are becoming the trend, more and more terminal devices in industrial control systems need operation and maintenance, and secure operation and maintenance is very important for the industrial control system. Secure operation and maintenance is a key problem faced in the operation of industrial control systems, and this work directly affects the operating condition of the enterprise's business.
The current mature operation and maintenance mode relies mainly on third-party software. However, if that third-party software is directly connected to the Internet, a vulnerable software component, for example, can bring a large network security risk to the industrial control system. In addition, the terminal equipment of an industrial control system is spread across locations, the networks are independent, and unified management is difficult. Developing an industrial control system operation and maintenance system and method that reduces the network security risk, makes operation and maintenance safer, and lets operation and maintenance staff work more conveniently is therefore a problem that urgently needs to be solved.
Disclosure of Invention
Aiming at the network security risks of the existing operation and maintenance mode, the invention provides an operation and maintenance system and method for an industrial control system, which reduce the network security risk, make remote operation and maintenance work safer, and facilitate the work of operation and maintenance personnel.
In one aspect, the invention provides an industrial control system operation and maintenance system, which comprises the Internet and an industrial control network, and further comprises a virtual private gateway and a portable terminal connected to the Internet; the portable terminal is used by a user to send access request data; a virtual private network tunnel with an encryption function is constructed between the Internet and the virtual private gateway; the Internet is connected to the virtual private gateway through the virtual private network tunnel; the virtual private network tunnel is used for encrypting the access request data and sending the encrypted access request data to the virtual private gateway; the virtual private gateway is connected to an operation and maintenance gateway; the virtual private gateway is used for decrypting the encrypted access request data, performing a first authentication on the decrypted access request data, re-encrypting the decrypted access request data after the authentication succeeds, and sending the re-encrypted access request data to the operation and maintenance gateway; the operation and maintenance gateway is connected to the industrial control network; the operation and maintenance gateway is used for decrypting the re-encrypted access request data, performing a second authentication on the decrypted access request data, and sending the decrypted access request data to the industrial control network after the second authentication passes; the industrial control network is connected to a security gateway; the industrial control network is used for forwarding the access request data sent by the operation and maintenance gateway to the security gateway; the security gateway is connected to a group of springboard machine servers, and each springboard machine server is connected to a group of production line servers; the security gateway is used for accessing the corresponding springboard machine server based on the access request data forwarded by the industrial control network, and access to the production line servers connected to that springboard machine server is realized through the accessed springboard machine server.
Further, the access request data includes an operation and maintenance account number and an IP address of the springboard server to be accessed.
Further, a first access control strategy is preset in the virtual private gateway, and the first access control strategy is used for providing access rights corresponding to the operation and maintenance account numbers; a first preset module is configured in the virtual private gateway, and the first preset module is used for resetting the first access control strategy.
Further, a second access control strategy is preset in the operation and maintenance gateway, and the second access control strategy is used for providing fine-grained permission control according to a minimization principle; a second preset module is configured in the operation and maintenance gateway, and the second preset module is used for resetting the second access control strategy.
Further, each springboard machine server is configured with different IP addresses; IP addresses corresponding to the springboard machine servers are prestored in the security gateway.
In another aspect, the present invention provides an industrial control system operation and maintenance method based on the operation and maintenance system described in the above aspects, including:
S1, access request data is sent to the Internet through a portable terminal, encrypted by the virtual private network tunnel, and the encrypted access request data is sent to a virtual private gateway;
S2, the virtual private gateway decrypts the received access request data, performs a first authentication on the decrypted access request data, and if the authentication succeeds, re-encrypts the decrypted access request data and sends it to the operation and maintenance gateway;
S3, the operation and maintenance gateway decrypts the received encrypted access request data, performs a second authentication on the decrypted access request data, and if the authentication succeeds, forwards the decrypted access request data to the security gateway through the industrial control network;
S4, the security gateway accesses the corresponding springboard machine server based on the access request data forwarded by the industrial control network, and accesses the production line servers connected to that springboard machine server through the accessed springboard machine server.
Further, the method further comprises: at least one operation and maintenance account number is set, and different operation and maintenance account numbers correspond to different access rights.
Further, in step S1, transmitting the access request data to the internet through the portable terminal includes: the portable terminal inputs an operation and maintenance account number to log on an operation and maintenance webpage, and after logging on, access request data are sent to the Internet through the operation and maintenance webpage; the access request data comprises an operation and maintenance account number and an IP address of the springboard server to be accessed.
Further, the operation and maintenance method further comprises: after the portable terminal sends a connection request to the virtual private gateway through the Internet, a local loopback connection is established between the portable terminal and the virtual private gateway; if the virtual private gateway returns connection-request-success information through the local loopback connection, the portable terminal and the virtual private gateway can communicate normally; if the virtual private gateway does not return the connection-request-success information, the portable terminal cannot communicate normally with the virtual private gateway.
Further, performing the first authentication on the decrypted access request data in step S2 comprises: based on the first access control policy, authenticating whether the operation and maintenance account number included in the decrypted access request has the authority to access the IP address of the springboard machine server to be accessed;
the second authentication of the decrypted access request data in step S3 comprises: based on the second access control policy, authenticating the operation and maintenance account number included in the decrypted access request data with fine-grained permission control according to a minimization principle;
in step S4, the security gateway accessing the corresponding springboard machine server based on the access request data forwarded by the industrial control network comprises: the security gateway matches the IP address of the springboard machine server to be accessed, carried in the access request data forwarded by the industrial control network, against the pre-stored springboard machine server IP addresses; if the match succeeds, the matched springboard machine server is accessed, and access to the production line servers connected to it is realized through the accessed springboard machine server; if the match fails, access is denied.
The invention has the beneficial effects that:
According to the invention, the access request data is sent through the portable terminal; while the request data is in transit it is encrypted twice, by the virtual private network tunnel and by the security gateway, and authenticated twice, by the security gateway and by the operation and maintenance gateway, so that the network security risk is reduced and remote operation and maintenance is carried out more safely. In addition, operation and maintenance personnel access the operation and maintenance gateway through the portable terminal, the operation and maintenance gateway accesses the springboard machine server through the security gateway, and a plurality of production line servers are maintained by way of the springboard machine server, which facilitates the work of the operation and maintenance personnel.
In addition, the invention has reliable design principle, simple structure and very wide application prospect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an embodiment of an industrial control system operation and maintenance system according to the present invention.
FIG. 2 is a flow chart of an operation and maintenance method of the industrial control system according to the present invention.
Detailed Description
In order to make the technical solution of the present invention better understood by those skilled in the art, the technical solution of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
As shown in fig. 1, the present invention provides an embodiment of an industrial control system operation and maintenance system including the internet 2 and an industrial control network 6, the industrial control system operation and maintenance system further including a virtual private gateway 4 and a portable terminal 1 accessing the internet 2. The portable terminal 1 is used by a user to send access request data; a virtual private network tunnel 3 having an encryption function is constructed between the internet 2 and the virtual private gateway 4. The Internet 2 is connected to the virtual private gateway 4 through the virtual private network tunnel 3; the virtual private network tunnel 3 is used for encrypting the access request data and for transmitting the encrypted access request data to the virtual private gateway 4. The virtual private gateway 4 is connected to an operation and maintenance gateway 5. The virtual private gateway 4 is configured to decrypt the encrypted access request data, perform a first authentication on the decrypted access request data, re-encrypt the decrypted access request data after the authentication succeeds, and send the re-encrypted access request data to the operation and maintenance gateway 5. The operation and maintenance gateway 5 is connected to the industrial control network 6; the operation and maintenance gateway 5 is configured to decrypt the re-encrypted access request data, perform a second authentication on the decrypted access request data, and send the decrypted access request data to the industrial control network 6 after the second authentication passes. The industrial control network 6 is connected to a security gateway 7. The industrial control network 6 is configured to forward the access request data sent by the operation and maintenance gateway 5 to the security gateway 7.
The security gateway 7 is connected to a set of springboard machine servers, each of which is connected to a set of production line servers. The security gateway 7 is used for accessing the corresponding springboard machine server based on the access request data forwarded by the industrial control network 6, and access to the production line servers connected to that springboard machine server is realized through the accessed springboard machine server.
At least one operation and maintenance account can be set up as required; each operation and maintenance person can have at least one operation and maintenance account, and can select among different operation and maintenance accounts according to actual need.
As required, a plurality of springboard machine servers A1, A2, A3, ..., An (n a positive integer) can be configured, and each springboard machine server can be connected to at least one production line server. As shown in fig. 1, springboard machine server A1 is connected to three production line servers, springboard machine server An is connected to three production line servers, and each production line server is provided with a first-level network card and a second-level network card. It should be noted that, to simplify the figure, the numbers of production line servers and springboard machine servers shown in the drawings are exemplary; in practice, springboard servers and production line servers can be connected in whatever numbers the actual situation requires.
The operation and maintenance gateway 5 may be an operation and maintenance gateway with a video recording function, where the operation and maintenance gateway with a video recording function is used for recording and storing all operation and maintenance works for viewing by operation and maintenance personnel.
The operation and maintenance personnel send access request data (comprising the operation and maintenance account number selected by the operation and maintenance personnel) through the portable terminal; while the request data is in transit it is encrypted twice, by the virtual private network tunnel and by the security gateway, and authenticated twice, by the security gateway and by the operation and maintenance gateway, so that the network security risk is reduced and remote operation and maintenance can be carried out more safely. In addition, operation and maintenance personnel access the operation and maintenance gateway through the portable terminal, the operation and maintenance gateway accesses the springboard machine server through the security gateway, and a plurality of production line servers are maintained by way of the springboard machine server, which facilitates the work of the operation and maintenance personnel.
The invention provides another embodiment of the industrial control system operation and maintenance system, in which a first access control strategy is preset in the virtual private gateway, and the first access control strategy is used for providing access rights corresponding to the operation and maintenance accounts. A first preset module is configured in the virtual private gateway, and the first preset module is used for resetting the first access control strategy. A second access control strategy is preset in the operation and maintenance gateway, and the second access control strategy is used for providing fine-grained permission control according to a minimization principle. A second preset module is configured in the operation and maintenance gateway, and the second preset module is used for resetting the second access control strategy. A different IP address is configured for each springboard machine server, and the IP address corresponding to each springboard machine server is prestored in the security gateway.
In implementation, a virtual private network tunnel 3 with an encryption function is established between the internet 2 and the virtual private gateway 4. The operation and maintenance personnel send a connection request from the portable terminal 1 to the virtual private gateway 4 through the Internet 2; after the connection request has been sent, a local loopback connection is established between the portable terminal 1 and the virtual private gateway 4. If the virtual private gateway 4 returns connection-request-success information through the local loopback connection, the portable terminal 1 and the virtual private gateway 4 can communicate normally; if it does not, the portable terminal 1 cannot communicate normally with the virtual private gateway 4. For example, the portable terminal 1 can send a ping command to the virtual private gateway 4: if the ping gets through, the portable terminal 1 and the virtual private gateway 4 can communicate normally, and if the ping does not get through, they cannot.
The operation and maintenance personnel can, according to actual need, enter operation and maintenance account numbers with different authorities through the portable terminal 1 to log on to the operation and maintenance webpage, and access request data is sent to the Internet 2 through the operation and maintenance webpage, where the access request data comprises the operation and maintenance account number and the IP address of the springboard machine server to be accessed. The internet 2 is connected to the virtual private gateway 4 through the virtual private network tunnel 3, and the virtual private network tunnel 3 is used for encrypting the access request data and transmitting the encrypted access request data to the virtual private gateway 4.
The virtual private gateway 4 authenticates, based on the first access control policy, whether the operation and maintenance account included in the decrypted access request has the authority to access the IP address of the springboard server to be accessed, and if the authentication succeeds, re-encrypts the decrypted access request data and sends the re-encrypted access request data to the operation and maintenance gateway 5. The operation and maintenance gateway 5 authenticates the operation and maintenance account number included in the decrypted access request data with fine-grained permission control according to a minimization principle based on the second access control policy, and if the authentication succeeds, sends the decrypted access request data to the industrial control network 6. The industrial control network 6 forwards the access request data sent by the operation and maintenance gateway 5 to the security gateway 7. The security gateway 7 matches the IP address of the springboard machine server to be accessed, carried in the access request data forwarded by the industrial control network 6, against the pre-stored springboard machine server IP addresses; if the match succeeds, the matched springboard machine server is accessed, and access to the production line servers connected to it is realized through the accessed springboard machine server; if the match fails, access is denied.
According to the method and the device, a plurality of operation and maintenance accounts are applied to support operation and maintenance of different places of different users; by setting different operation and maintenance accounts to correspond to different authorities, illegal unauthorized access is strictly prevented; information leakage is prevented by encrypting twice in the transmission process of the access request; meanwhile, authentication safety is improved through authentication of different degrees for two times, so that remote operation and maintenance of a plurality of production line servers by a user through the portable terminal are realized, potential network safety hazards are reduced to a great extent, and the remote operation and maintenance are safer.
As shown in fig. 2, the present invention provides an embodiment of an operation and maintenance method of an industrial control system based on the above-described embodiment, the operation and maintenance method of the industrial control system including:
S1, access request data is sent to the Internet through a portable terminal, encrypted by the virtual private network tunnel, and the encrypted access request data is sent to a virtual private gateway;
S2, the virtual private gateway decrypts the received access request data, performs a first authentication on the decrypted access request data, and if the authentication succeeds, re-encrypts the decrypted access request data and sends it to the operation and maintenance gateway;
S3, the operation and maintenance gateway decrypts the received encrypted access request data, performs a second authentication on the decrypted access request data, and if the authentication succeeds, forwards the decrypted access request data to the security gateway through the industrial control network;
S4, the security gateway accesses the corresponding springboard machine server based on the access request data forwarded by the industrial control network, and accesses the production line servers connected to that springboard machine server through the accessed springboard machine server.
In this embodiment, the method further includes: at least one operation and maintenance account number is set, and different operation and maintenance account numbers correspond to different access rights.
In this embodiment, in step S1, transmitting access request data to the internet through the portable terminal includes: the portable terminal inputs an operation and maintenance account number to log on an operation and maintenance webpage, and after logging on, access request data are sent to the Internet through the operation and maintenance webpage; the access request data comprises an operation and maintenance account number and an IP address of the springboard server to be accessed.
In this embodiment, the operation and maintenance method further includes: after the portable terminal sends a connection request to the virtual private gateway through the Internet, a local loopback connection is established between the portable terminal and the virtual private gateway; if the virtual private gateway returns connection-request-success information through the local loopback connection, the portable terminal and the virtual private gateway can communicate normally; if the virtual private gateway does not return the connection-request-success information, the portable terminal cannot communicate normally with the virtual private gateway.
In this embodiment, the first authentication of the decrypted access request data in step S2 includes: based on the first access control policy, authenticating whether the operation and maintenance account number included in the decrypted access request has the authority to access the IP address of the springboard machine server to be accessed;
the second authentication of the decrypted access request data in step S3 includes: based on the second access control policy, authenticating the operation and maintenance account number included in the decrypted access request data with fine-grained permission control according to a minimization principle;
in step S4, the security gateway accessing the corresponding springboard machine server based on the access request data forwarded by the industrial control network includes: the security gateway matches the IP address of the springboard machine server to be accessed, carried in the access request data forwarded by the industrial control network, against the pre-stored springboard machine server IP addresses; if the match succeeds, the matched springboard machine server is accessed, and access to the production line servers connected to it is realized through the accessed springboard machine server; if the match fails, access is denied.
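The three decisions of steps S2 to S4 (first authentication at the virtual private gateway, second fine-grained authentication at the operation and maintenance gateway, IP matching at the security gateway), modelled as an added example that is not code from the patent. The per-hop encryption is not modelled; the account names, IP addresses, operation names and policy tables are constructed sample data, and treating the second policy as a per-account operation allow-list is an assumption of this example.

```python
# Added example, not code from the patent: the decision pipeline of S2-S4.
# Every account, IP address, operation name and policy entry below is
# constructed sample data.
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class AccessRequest:
    account: str        # operation and maintenance account number (field from the patent)
    jump_host_ip: str   # IP address of the springboard server to be accessed (from the patent)
    operation: str      # assumed field: the action requested on that springboard server


@dataclass
class AuditTrail:
    """Stands in for the operation and maintenance gateway's recording function:
    every stage's decision is kept, denials included."""
    entries: list = field(default_factory=list)

    def record(self, stage, req, allowed, reason):
        self.entries.append((stage, req.account, req.jump_host_ip, allowed, reason))


# First access control policy (virtual private gateway): which springboard
# server IPs each account may reach at all.
FIRST_POLICY = {
    "ops-line-a": {"10.10.1.11"},
    "ops-all": {"10.10.1.11", "10.10.1.12", "10.10.1.13"},
}

# Second access control policy (operation and maintenance gateway). The patent
# only says "fine-grained control according to a minimization principle";
# an operation allow-list per (account, springboard) is this example's assumption.
SECOND_POLICY = {
    ("ops-line-a", "10.10.1.11"): {"view_logs", "restart_service"},
    ("ops-all", "10.10.1.11"): {"view_logs"},
    ("ops-all", "10.10.1.12"): {"view_logs", "deploy_config"},
    ("ops-all", "10.10.1.13"): {"view_logs"},   # deliberately absent from JUMP_HOSTS
}

# Security gateway: pre-stored springboard server IPs and the production line
# servers behind each one.
JUMP_HOSTS = {
    "10.10.1.11": ["line-a-srv-1", "line-a-srv-2", "line-a-srv-3"],
    "10.10.1.12": ["line-b-srv-1", "line-b-srv-2"],
}


def first_authentication(req, audit):
    """S2: may this account reach the requested springboard server at all?"""
    allowed = req.jump_host_ip in FIRST_POLICY.get(req.account, set())
    audit.record("vpn-gateway", req, allowed,
                 "account may reach springboard" if allowed
                 else "not in first access control policy")
    return allowed


def second_authentication(req, audit):
    """S3: is the specific operation within the account's minimal rights there?"""
    allowed = req.operation in SECOND_POLICY.get((req.account, req.jump_host_ip), set())
    audit.record("om-gateway", req, allowed,
                 "operation within minimal rights" if allowed
                 else "operation not in second access control policy")
    return allowed


def security_gateway_match(req, audit):
    """S4: match the requested IP against the pre-stored list; no match, no access."""
    servers = JUMP_HOSTS.get(req.jump_host_ip)
    audit.record("security-gateway", req, servers is not None,
                 "springboard IP matched" if servers else "springboard IP not pre-stored")
    return list(servers) if servers else None


def handle_request(req, audit):
    """Runs the stages in the patent's order; a denial at any stage stops the
    request, so a later stage never sees a request an earlier one rejected.
    Returns the production line servers reachable via the springboard, or None."""
    try:
        ip_address(req.jump_host_ip)   # reject malformed addresses before any lookup
    except ValueError:
        audit.record("input", req, False, "malformed springboard IP")
        return None
    if not first_authentication(req, audit):
        return None
    if not second_authentication(req, audit):
        return None
    return security_gateway_match(req, audit)


if __name__ == "__main__":
    trail = AuditTrail()
    print(handle_request(AccessRequest("ops-line-a", "10.10.1.11", "view_logs"), trail))
    print(handle_request(AccessRequest("ops-all", "10.10.1.13", "view_logs"), trail))
    for entry in trail.entries:
        print(entry)
```

The last sample request passes both authentications yet is denied at the security gateway, which is the case the patent's "if the match is unsuccessful, access is denied" clause covers: the pre-stored IP list is an independent check, not derived from the gateway policies.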
Although the present invention has been described in detail by way of preferred embodiments with reference to the accompanying drawings, the present invention is not limited thereto. Those skilled in the art may make various equivalent modifications and substitutions to the embodiments of the present invention without departing from its spirit and scope, and all such modifications and substitutions are intended to fall within the scope of the present invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.
Claims (10)
1. An operation and maintenance system for an industrial control system, comprising the Internet and an industrial control network, characterized in that it further comprises a virtual private gateway and a portable terminal connected to the Internet;
the portable terminal is used by a user to send access request data;
a virtual private network tunnel with an encryption function is constructed between the Internet and the virtual private gateway;
the Internet is connected to the virtual private gateway through the virtual private network tunnel;
the virtual private network tunnel is used for encrypting the access request data and sending the encrypted access request data to the virtual private gateway;
the virtual private gateway is connected to an operation and maintenance gateway;
the virtual private gateway is used for decrypting the encrypted access request data, performing a first authentication on the decrypted access request data, re-encrypting the decrypted access request data after the authentication succeeds, and sending the re-encrypted access request data to the operation and maintenance gateway;
the operation and maintenance gateway is connected to the industrial control network;
the operation and maintenance gateway is used for decrypting the re-encrypted access request data, performing a second authentication on the decrypted access request data, and sending the decrypted access request data to the industrial control network after the second authentication passes;
the industrial control network is connected to a security gateway;
the industrial control network is used for forwarding the access request data sent by the operation and maintenance gateway to the security gateway;
the security gateway is connected to a group of springboard machine servers, and each springboard machine server is connected to a group of production line servers;
the security gateway is used for accessing the corresponding springboard machine server based on the access request data forwarded by the industrial control network, and the production line servers connected to that springboard machine server are accessed through the accessed springboard machine server.
2. The industrial control system operation and maintenance system of claim 1, wherein the access request data includes an operation and maintenance account and the IP address of the springboard machine server to be accessed.
3. The industrial control system operation and maintenance system of claim 2, wherein a first access control policy is preset in the virtual private gateway, and the first access control policy provides the access rights corresponding to each operation and maintenance account;
a first preset module is configured in the virtual private gateway, and the first preset module is used for resetting the first access control policy.
4. The industrial control system operation and maintenance system of claim 2, wherein a second access control policy is preset in the operation and maintenance gateway, and the second access control policy provides fine-grained permission control according to the principle of least privilege;
a second preset module is configured in the operation and maintenance gateway, and the second preset module is used for resetting the second access control policy.
5. The industrial control system operation and maintenance system according to claim 1, wherein each springboard machine server is configured with a different IP address; IP addresses corresponding to the springboard machine servers are prestored in the security gateway.
6. An industrial control system operation and maintenance method based on the operation and maintenance system according to any one of claims 1 to 5, comprising:
S1, sending access request data to the Internet through a portable terminal, the Internet encrypting the access request data through a virtual private network tunnel and sending the encrypted access request data to a virtual private gateway;
S2, the virtual private gateway decrypts the received access request data, performs a first authentication on the decrypted access request data, re-encrypts the decrypted access request data if the authentication succeeds, and then sends the re-encrypted access request data to the operation and maintenance gateway;
S3, the operation and maintenance gateway decrypts the received encrypted access request data, performs a second authentication on the decrypted access request data, and forwards the decrypted access request data to the security gateway through the industrial control network if the authentication succeeds;
S4, the security gateway accesses the corresponding springboard machine server based on the access request data forwarded by the industrial control network, and accesses the production line servers connected to that springboard machine server through the accessed springboard machine server.
7. The industrial control system operation and maintenance method of claim 6, wherein the method further comprises: at least one operation and maintenance account is set, and different operation and maintenance accounts correspond to different access rights.
8. The industrial control system operation and maintenance method of claim 6, wherein in step S1, sending access request data to the Internet through the portable terminal comprises: an operation and maintenance account is entered on the portable terminal to log in to an operation and maintenance web page, and after login the access request data is sent to the Internet through the operation and maintenance web page; the access request data comprises the operation and maintenance account and the IP address of the springboard machine server to be accessed.
9. The industrial control system operation and maintenance method of claim 6, wherein the operation and maintenance method further comprises: after the portable terminal sends a connection request to the virtual private gateway over the Internet, a local loopback connection is established between the portable terminal and the virtual private gateway; if the virtual private gateway returns connection-success information over the local loopback connection, the portable terminal and the virtual private gateway can communicate normally; if the virtual private gateway does not return connection-success information, the portable terminal cannot communicate normally with the virtual private gateway.
10. The industrial control system operation and maintenance method of claim 8, wherein the first authentication of the decrypted access request data in step S2 comprises: based on a first access control policy, checking whether the operation and maintenance account contained in the decrypted access request data has the right to access the IP address of the springboard machine server to be accessed;
the second authentication of the decrypted access request data in step S3 comprises: based on a second access control policy, checking the operation and maintenance account contained in the decrypted access request data under fine-grained permission control according to the principle of least privilege;
in step S4, the security gateway accessing the corresponding springboard machine server based on the access request data forwarded by the industrial control network comprises: the security gateway matches the IP address of the springboard machine server to be accessed, taken from the access request data forwarded by the industrial control network, against the pre-stored IP addresses of the springboard machine servers; if a match is found, the matched springboard machine server is accessed, and the production line servers connected to it are reached through that springboard machine server; if no match is found, access is denied.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211442118.0A CN116155527A (en) | 2022-11-17 | 2022-11-17 | Industrial control system operation and maintenance system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211442118.0A CN116155527A (en) | 2022-11-17 | 2022-11-17 | Industrial control system operation and maintenance system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116155527A true CN116155527A (en) | 2023-05-23 |
Family
ID=86349672
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211442118.0A Pending CN116155527A (en) | 2022-11-17 | 2022-11-17 | Industrial control system operation and maintenance system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116155527A (en) |
2022
- 2022-11-17 CN CN202211442118.0A patent/CN116155527A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||