CN116964991A - Diagnostic device and diagnostic method - Google Patents


Info

Publication number: CN116964991A
Authority: CN (China)
Prior art keywords: configuration information, authentication, communication control, read, diagnostic
Legal status: Pending
Application number: CN202280006885.9A
Other languages: Chinese (zh)
Inventor: 森本贤一
Current assignee: Industrial Safety Construction Of Corp
Original assignee: Industrial Safety Construction Of Corp
Priority claimed from: JP2022147446A (JP7266925B1)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/08 Configuration management of networks or network elements
            • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
            • H04L63/08 ... for authentication of entities
                • H04L63/083 ... using passwords
            • H04L63/14 ... for detecting or protecting against malicious traffic
                • H04L63/1408 ... by monitoring network traffic
                    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention provides a diagnostic device and a diagnostic method capable of detecting, at an early stage, unexpected changes in the information used to operate a network system. The diagnostic device (12) periodically reads the configuration information (53) set in the communication control device (27) from the communication control device (27); reads original configuration information (52, 54) from storage destinations (42, 50) in the network system, where past configuration information has been stored in advance as the original configuration information (52, 54); periodically compares the configuration information (53) read from the communication control device (27) with the original configuration information (52, 54) read from the storage destinations (42, 50); and, when the current configuration information (53) read from the communication control device (27) and the original configuration information (52, 54) are inconsistent, notifies the manager of the communication control device (27) of the inconsistency.

Description

Diagnostic device and diagnostic method
Technical Field
The present invention relates to a diagnostic apparatus and a diagnostic method.
Background
In general, to ensure security in a network, a communication control device such as a firewall is placed as a barrier at the point of connection with an external network. With the progress of information and communication technology in recent years, various methods of ensuring high security with firewalls are being studied.
For example, patent document 1 discloses the following technique: in a case where an access request for a server name is determined from an information communication terminal located outside the network, an address of the server is dynamically given to a server device located inside the network, and an access control list recording addresses of the server device and the information communication terminal is dynamically generated, thereby improving security performance.
Prior art literature
Patent literature
Patent document 1: Japanese patent laid-open No. 2009-272659.
Disclosure of Invention
Problems to be solved by the invention
In recent years, in factories, infrastructure, production workshops, and the like, the control network provided for each piece of equipment is commonly interconnected with the others to form a wider network, so that the operating states of hardware such as equipment can be aggregated for efficient operation and maintenance. Such a network is sometimes called an OT (Operational Technology) network to distinguish it from the network used for the direct monitoring, operation, and control of devices.
The OT network is segmented by placing barriers (firewalls) throughout the network, and security is designed separately according to the importance of each device or function, so that the OT network neither interferes with the control network nor causes malfunctions of the control computers. This way of implementing security is called defense in depth.
The setting information inside the communication control devices, such as the barriers placed at various points of the network (hereinafter referred to as configuration information), is important for ensuring security in each network. Therefore, the communication control devices themselves notify the manager when the configuration information is changed, or keep a history of changes in nonvolatile memory or the like so that unexpected changes can be detected, and the manager generally confirms during regular checks that there has been no unwanted tampering.
Thus the communication control device must keep its records and operate in a state in which high security is ensured. However, a malicious operator, or an improper program such as a virus, that can tamper with the communication control device can easily stop such a notification function, alter the history record, or delete the record itself. Therefore, a network system needs a way to detect unexpected changes in a device's information by means that are independent of the functions and soundness of the device itself.
The present invention has been made to solve the above problems, and its object is to provide a diagnostic apparatus and a diagnostic method capable of early detection of unexpected changes in the information used to operate a network system.
Means for solving the problems
The diagnostic device according to one aspect of the present invention is provided in a network system including a network configured by connecting a plurality of sub-networks and a communication control device that operates according to configuration information set by a manager to control communication in a communication path, and diagnoses configuration information set in the communication control device. The diagnostic device periodically reads configuration information set in the communication control device from the communication control device, reads original configuration information from a storage destination in a network system in which past configuration information is stored as the original configuration information in advance, periodically compares the configuration information periodically read from the communication control device with the original configuration information read from the storage destination, and notifies a manager of the inconsistency if the current configuration information read from the communication control device does not coincide with the original configuration information.
The diagnostic device according to one aspect of the present invention is provided in a network system having a network configured by connecting a plurality of sub-networks and an authentication device that authenticates a login of a manager to a device provided in the network based on authentication information set by the manager, and diagnoses authentication information set in the authentication device. The diagnostic device periodically reads authentication information set in the authentication device from the authentication device, reads original authentication information from a storage destination in a network system in which past authentication information is stored as the original authentication information in advance, periodically compares the authentication information periodically read from the authentication device with the original authentication information read from the storage destination, and notifies a manager of the inconsistency if the current authentication information read from the authentication device does not coincide with the original authentication information.
In one embodiment of the present invention, a diagnostic method is performed by a diagnostic device that is provided in a network system having a network configured by connecting a plurality of sub-networks and a communication control device that operates according to configuration information set by a manager to control communication in a communication path, and that diagnoses the configuration information set in the communication control device. In the diagnostic method, the diagnostic device performs the following steps: the configuration information set in the communication control device is periodically read from the communication control device; original configuration information is read from a storage destination in the network system, in which past configuration information has been stored in advance as the original configuration information; the configuration information periodically read from the communication control device and the original configuration information read from the storage destination are periodically compared; and when the current configuration information read from the communication control device and the original configuration information are inconsistent, the manager is notified of the inconsistency.
In one embodiment of the present invention, a diagnostic method is performed by a diagnostic apparatus that is provided in a network system having a network configured by connecting a plurality of sub-networks and an authentication device that authenticates a manager's login to a device provided in the network based on authentication information set by the manager, and that diagnoses the authentication information set in the authentication device. In the diagnostic method, the diagnostic device performs the following steps: the authentication information set in the authentication device is periodically read from the authentication device; original authentication information is read from a storage destination in the network system, in which past authentication information has been stored in advance as the original authentication information; the authentication information periodically read from the authentication device and the original authentication information read from the storage destination are periodically compared; and when the current authentication information read from the authentication device and the original authentication information do not coincide, the manager is notified of the inconsistency.
Effects of the invention
According to the diagnostic apparatus and diagnostic method of one aspect of the present invention, the current configuration information set in the communication control device and the original configuration information at the storage destination are read and compared, and if the two are inconsistent, the manager of the communication control device is notified of the inconsistency. Therefore, even if the configuration information has undergone an unexpected change such as tampering, that change can be detected early, irrespective of the functions and soundness of the communication control apparatus itself.
According to the diagnostic device and the diagnostic method of one embodiment of the present invention, the current authentication information set in the authentication device and the original authentication information at the storage destination are read and compared, and if the two are inconsistent, the manager is notified of the inconsistency. Therefore, even if the authentication information has undergone an unexpected change such as tampering, that change can be detected early, without depending on the functions and soundness of the authentication device itself.
Drawings
Fig. 1 is a schematic configuration diagram of a network system according to a first embodiment.
Fig. 2 is an explanatory diagram of the operation related to the diagnostic device.
Fig. 3 is a flowchart of the operation of the diagnostic device and firewall.
Fig. 4 is a schematic diagram of the structure of a network system according to the second embodiment.
Fig. 5 is a schematic diagram of the configuration of a network system in a modification.
Fig. 6 is a schematic diagram of the structure of a network system according to a third embodiment.
Detailed Description
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.
(first embodiment)
Fig. 1 is a schematic diagram of a network system in a first embodiment of the present invention.
The network system 1 includes a plurality of networks, namely an OT (Operational Technology) network 2, a management network 3, and a private line network 4, connected through a communication device group 11. The devices included in the OT network 2, the management network 3, and the private line network 4 are configured to communicate with devices outside their own network through the communication device group 11.
The communication device group 11 may consist of one or more communication devices. The diagnostic device 12 is connected to the communication device group 11 through a LAN (Local Area Network) or a console, and can communicate via the communication device group 11 with the firewalls in the OT network 2, the management network 3, and the private line network 4. The diagnostic device 12 executes a program provided in itself and diagnoses the configuration information of the firewall 27 at a predetermined cycle. The diagnosis process of the diagnostic device 12 is described in detail with reference to figs. 2 and 3.
The OT network 2 has any number of mechanical devices; in this embodiment it includes three mechanical devices 21 to 23. The mechanical devices 21 to 23 are, for example, production lines of a factory, and each includes a plurality of devices (not shown). The mechanical devices 21 to 23 further include device control devices 24 to 26 for controlling those devices. The devices of the mechanical devices 21 to 23 and the device control devices 24 to 26 are arranged as sub-networks, namely LAN1 to LAN3.
LAN1 to LAN3 connect the mechanical devices 21 to 23 to the communication device group 11 via the firewalls 27 to 29, respectively. The number of devices in each of the mechanical devices 21 to 23 is arbitrary. The three mechanical devices 21 to 23 may be installed in the same factory or may be located remotely from one another. The firewalls 27 to 29 are examples of communication control devices.
In the example of the figure the OT network 2 includes three mechanical devices 21 to 23, but it may include any number of mechanical devices, such as one, two, or four or more. Each of the mechanical devices 21 to 23 forms any number of networks consisting of the devices included in it and the device control devices 24 to 26, and may be connected to the communication device group 11 via a firewall.
The management network 3 comprises a central operation room 31 and a computer room 32. The central operation room 31 is provided with a monitoring terminal 33 used by the manager to monitor the entire network system 1. The computer room 32 is provided with an accumulation processing device 34 capable of storing the operation logs of the entire network system 1. LAN4 is a network configured so that the monitoring terminal 33 in the central operation room 31 can connect to the outside, and LAN5 is a network configured so that the accumulation processing device 34 in the computer room 32 can connect to the outside. Devices other than the monitoring terminal 33 and the accumulation processing device 34 may also be provided and connected to LAN4 and LAN5, respectively.
More specifically, in the central operation room 31 the manager operates the monitoring terminal 33 to control the device control devices 24 to 26 in the OT network 2 via the communication device group 11, and thereby controls and monitors the devices of the mechanical devices 21 to 23. In the computer room 32, the accumulation processing device 34 receives the control logs of the device control devices 24 to 26, the operation logs of the devices of the mechanical devices 21 to 23, and the like from the OT network 2 via the communication device group 11, and records them. The devices in the management network 3 may be configured arbitrarily according to their purpose.
The private line network 4 is configured so that it can connect to a general cloud service 41 or the like via a wide area network such as a WAN. The private line network 4 also has a master database 42 that records the configuration information of the various devices in the network system 1. For convenience, the private line network 4 is shown as LAN6 and is connected to the communication device group 11 through a firewall 43. The firewall 43 operates according to its configuration information to control communication within the network system 1 over the communication path.
Here, the firewalls 27 to 29, 35, 36, and 43 are provided between LAN1 to LAN6 and the communication device group 11, respectively. The firewalls 27 to 29, 35, 36, and 43 define, as configuration information, pass-through rules for the data they forward. For example, according to its pass-through rules, the firewall 27 may pass data not only by restricting the destination to the mechanical device 21 but also by restricting the sources allowed to send data to the mechanical device 21 to, for example, the monitoring terminal 33. The firewall 27 may also define, for each destination and source, the ports through which data may pass, so that only the data of a particular application is allowed through. Furthermore, the configuration information set in the firewalls 27 to 29, 35, 36, and 43 holds not only these pass-through rules but also the services to be executed at the firewall's own startup, the ID and password of the manager for access, the class map settings, and the communication settings related to the communication capability of the connected mechanical device 21. This configuration information is stored in the master database 42 in advance by the manager's input or the like, and is acquired from the master database 42 at the time of the initial setting or a setting change of the firewalls 27 to 29, 35, 36, and 43.
Fig. 2 is an explanatory diagram of the operation related to the diagnostic device 12. As shown in fig. 2, the network system 1 is provided with the diagnostic device 12, the firewall 27, and the master database 42. Since the firewalls 28, 29, 35, 36, and 43 operate in the same way as the firewall 27, their description is omitted here for simplicity, and the following explanation focuses on the firewall 27.
The firewall 27 is a device having a computing unit and a storage area for storing programs and the like, and executes a predetermined program. The storage area includes a nonvolatile memory 50, whose contents are not erased by a power interruption, and a working memory 51 (e.g., RAM) used as a temporary storage area during program execution. As described later, the master configuration information 54 is recorded in the master database 42 by the manager before the firewall 27 is started for the first time. The nonvolatile memory 50 stores the master configuration information 54 acquired at the initial startup of the firewall 27 as the initial configuration information 52 (startup config).
More specifically, before the firewall 27 is first started, the manager records the configuration information of the firewall 27 in the master database 42 as the master configuration information 54. That is, the master database 42 holds the master configuration information 54 as the original configuration information over a long period. The master database 42 may be encrypted.
At the initial startup of the firewall 27, the master configuration information 54 of the firewall 27 stored in the master database 42 is acquired through the manager's initial setting and recorded in the nonvolatile memory 50 as the initial configuration information 52.
At each startup, the firewall 27 reads the initial configuration information 52 from the nonvolatile memory 50 and records it in the working memory 51 as the running configuration information 53 (running config). The running configuration information 53 is referenced by the programs executing within the firewall 27.
The master configuration information 54 can be updated at any time by an operation of the manager. Similarly, by the manager's operation, the firewall 27 can acquire the master configuration information 54 from the master database 42 at any time and overwrite the initial configuration information 52 in the nonvolatile memory 50 with it. The firewall 27 can likewise, by the manager's operation, read the initial configuration information 52 from the nonvolatile memory 50 at any time and record it as the running configuration information 53 in the working memory 51. Furthermore, by an operation of the manager, the initial configuration information 52 in the nonvolatile memory 50 and the running configuration information 53 in the working memory 51 can be partially changed while the firewall 27 is operating.
The diagnostic device 12 includes a nonvolatile memory 55 and a working memory 56. The diagnostic device 12 acquires in advance the master configuration information 54 stored in the master database 42, via LAN6, the communication device group 11, or the like, and temporarily stores it in the nonvolatile memory 55 as the master configuration information 57. Then, the diagnostic device 12 periodically acquires from the firewall 27, via LAN1 or the communication device group 11, the initial configuration information 52 stored in the nonvolatile memory 50 (the storage destination) and the current running configuration information 53 deployed in the working memory 51, and records them in the working memory 56 as the initial configuration information 58 and the running configuration information 59, respectively.
The diagnostic device 12 compares the initial configuration information 58 and the running configuration information 59 recorded in the working memory 56 with each other, and also compares them with the master configuration information 57 recorded in the nonvolatile memory 55, to determine whether the three match. When they do not match, the diagnostic device 12 notifies the manager through the monitoring terminal 33 of the central operation room 31, by email, push delivery, or the like, and through a display or the like indicating the mismatch. The acquisition and comparison of the configuration information are repeated at predetermined intervals. In addition, the diagnostic device 12 may compare the initial configuration information 58 and the running configuration information 59 with the values acquired in the past, and notify the manager of any inconsistency in the same manner.
Fig. 3 is a flowchart showing the actions of the diagnostic device 12 and the firewall 27. The diagnostic device 12 and the firewall 27 operate in association with each other, and steps S61 to S72 as processing of the diagnostic device 12 are shown on the left side of the figure, and steps S73 to S76 as processing of the firewall 27 are shown on the right side of the figure. As shown in the figure, the processing of steps S62 to S64 of the diagnostic device 12 and the processing of steps S73 to S75 of the firewall 27 are related to each other.
The diagnostic device 12 executes the processing shown in fig. 3 at a predetermined cycle, and starts the illustrated processing without accepting an input from the user. After the diagnostic device 12 starts operating, in step S61, the master database 42 is first accessed to acquire master configuration information 54, and the master configuration information 57 is temporarily stored in the nonvolatile memory 55. The master database 42 stores the master configuration information 54 in a relatively high-robustness state using an encryption key or the like, for example, and the diagnostic device 12 obtains the master configuration information 54 by performing decryption processing or the like from the master database 42.
In step S62, the diagnostic device 12 registers the firewall 27 by software processing inside the diagnostic device 12. In the case of password authentication, the ID and the password are registered in advance in the diagnostic apparatus 12 as login information of the firewall 27, and the diagnostic apparatus 12 transmits a login request including these login information and an information acquisition request of the running configuration information 53 and the initial configuration information 52 to the firewall 27.
In step S73, the diagnostic device 12 logs in to the firewall 27. When receiving a login request and an information acquisition request including login information from the diagnostic apparatus 12, the firewall 27 first compares the received login information with authentication information stored in advance, and allows login when the ID and the password match. The firewall 27 is able to accept such a login process during normal actions and allow login when a login request is received during execution of the normal actions.
In step S74, the firewall 27 transmits the running configuration information 53 recorded in the work memory 51 to the diagnostic device 12 in response to the login request from the diagnostic device 12. In the firewall 27, a command for outputting the running configuration information 53 is generally prepared, and by executing the command, the outputted running configuration information 53 is transmitted to the diagnostic device 12.
In step S75, the firewall 27 transmits the initial-configuration information 52 stored in the nonvolatile memory 50 to the diagnostic apparatus 12. In the firewall, a command for reading the initial-configuration information 52 stored in the nonvolatile memory 50 and outputting it is prepared, and by executing the command, the output initial-configuration information 52 is transmitted to the diagnostic apparatus 12.
In step S76, when the transmission of the initial configuration information 52 and the running configuration information 53 is completed, the firewall 27 performs the logout process and continues the normal action.
The description will be given again with respect to the process of returning to the diagnostic device 12. The diagnostic device 12 acquires the in-operation configuration information 53 transmitted from the firewall 27 in step S74 in step S63, and acquires the initial configuration information 52 transmitted from the firewall 27 in step S75 in step S64. The diagnostic device 12 stores the acquired initial configuration information 52 and the running configuration information 53 in the work memory 56 together with the time stamp as initial configuration information 58 and running configuration information 59, respectively.
In step S65, the diagnostic device 12 compares the current running configuration information 59 acquired and stored in the work memory 56 with the initial configuration information 58.
In step S66, when the diagnostic device 12 determines that the current running configuration information 59 matches the initial configuration information 58 (S66: yes), it proceeds to step S67; when it does not match (S66: no), it proceeds to step S72.
When step S66 determines that the running configuration information 59 does not match the initial configuration information 58 (S66: no), the diagnostic device 12 in step S72 transmits the acquired current running configuration information 53 and the initial configuration information 52 it does not match to the monitor terminal 33 of the central operation room 31, and notifies the manager of the mismatch, for example by displaying on the display unit of the monitor terminal 33 that the current running configuration information does not match.
On the other hand, when step S66 determines that the running configuration information 59 and the initial configuration information 58 agree (S66: yes), in step S67 the diagnostic device 12 records a comparison result indicating that both agree, for example in the nonvolatile memory 55. The acquisition time (time stamp) of the compared initial configuration information 52 and running configuration information 53 is recorded together with this result.
After step S67, in step S68, the diagnostic device 12 compares the acquired current running configuration information 53 with the main configuration information 54 stored in the nonvolatile memory 55.
In step S69, the diagnostic device 12 determines whether the current running configuration information 59 acquired and stored in the work memory 56 matches the main configuration information 57 acquired and stored in the nonvolatile memory 55 in step S61. If the two are identical (S69: yes), the diagnostic device 12 proceeds to step S70; if they are not identical (S69: no), it proceeds to step S72.
When step S69 determines that the two are inconsistent (S69: no), in step S72 the diagnostic device 12 transmits the acquired current running configuration information 59 and the main configuration information 57 stored in the nonvolatile memory 55 to the monitor terminal 33 of the central operation room 31, and notifies the manager of the inconsistency, for example by displaying it on the display unit of the monitor terminal 33.
On the other hand, when step S69 determines that the two coincide (S69: yes), in step S70 the diagnostic device 12 records a comparison result indicating that both coincide, for example in the nonvolatile memory 55.
After step S70, in step S71, the diagnostic device 12 waits until the next diagnosis time. When the next diagnosis time arrives, the diagnostic device 12 executes the process from step S62 again. The standby time until the next diagnosis time is the diagnosis interval; it is preferably 1 to several hours, but any time may be set. In this way, the diagnostic device 12 periodically determines whether the current running configuration information 53 matches the initial configuration information 52, and whether the current running configuration information 53 matches the main configuration information 54.
In the present embodiment, the running configuration information 53 is compared with the initial configuration information 52 and with the main configuration information 54, but the present invention is not limited to this. The three pieces of information, the running configuration information 53, the initial configuration information 52, and the main configuration information 54, may be compared at the same time. In addition, at least one of the initial configuration information 52, the running configuration information 53, and the master configuration information 54 may also be compared with its past values in the time-stamped records.
In addition, the validity of the running configuration information 53, the initial configuration information 52, and the master configuration information 54 may be confirmed (verified). By including such processing, unexpected changes in the configuration information can be detected more reliably.
According to the diagnostic device 12 of the first embodiment, the running configuration information 53 in the firewall 27 and the initial configuration information 52, which is the original configuration information, are read and recorded, and when the read initial configuration information 52 and running configuration information 53 are not identical, the administrator of the firewall 27 is notified of the inconsistency.
Because the firewall 27 is a computer that operates through software, it may have a functional deficiency (also known as a vulnerability) that is unexpected by the manufacturer. A malicious third party may rewrite the configuration information by exploiting such a vulnerability. Although the firewall 27 has functions for detecting unexpected changes and for logging, these presuppose normal operation of the device itself; for example, if logging is temporarily stopped, it takes time to detect a change.
In the present embodiment, the running configuration information 53 and the initial configuration information 52, which is the original configuration information, are periodically compared. The possibility that both the initial configuration information 52 and the running configuration information 53 undergo unexpected changes within a short time is low. Therefore, even if a malicious third party makes an unexpected change such as tampering with the running configuration information 53, the diagnostic device 12 can detect the change by comparing the initial configuration information 52 with the running configuration information 53. Further, since the diagnostic device 12 of the present embodiment performs this comparison periodically, such a change can be detected early.
In addition, the diagnostic device 12 can diagnose early changes in the initial configuration information 52 and the running configuration information 53 of the firewalls 27, 28, 29, 35, 36, 43, which are a plurality of communication control devices, and the number of firewalls that are diagnostic targets can therefore easily be changed.
Further, according to the diagnostic device 12 of the first embodiment, the initial configuration information 52 and the running configuration information 53 in the firewall 27 are periodically read and recorded with a time stamp attached. The diagnostic device 12 then compares the read initial configuration information 52 and running configuration information 53 with the past initial configuration information 52 and running configuration information 53, and when either of them is inconsistent, notifies the manager of the inconsistency. Thus, even when both the initial configuration information 52 and the running configuration information 53 have been changed unexpectedly, the change can be detected.
In the network system 1 according to the first embodiment, the main configuration information 54 is stored in an external storage medium such as the main database 42, and when the firewall 27 is initially set up, for example, the main configuration information 54 is acquired from the main database 42 and set as the initial configuration information 52. The diagnostic device 12 compares the initial configuration information 58 and the running configuration information 59, read from the firewall 27 and recorded in the work memory 56, with the main configuration information 57 temporarily stored in the nonvolatile memory 55, and notifies the manager of the inconsistency if they do not coincide. By further performing this comparison, unexpected alteration of the configuration information can be detected more reliably.
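The comparison cycle of steps S61 to S72 above, as an added example that is not part of the patent (the patent specifies no implementation): a hypothetical Python `DiagnosticDevice` that normalizes the three configurations, performs the four comparisons (running against initial, running against master, and each against the previous time-stamped record) and builds the mismatch notifications with a line diff. The sample rule set and the tampered variant are constructed; the same comparator applies unchanged to the initial, running and master authentication information of the third embodiment.

```python
from __future__ import annotations

import difflib
from dataclasses import dataclass
from datetime import datetime, timezone


def normalize(config: str) -> tuple[str, ...]:
    """Canonical form of a config dump: trailing whitespace and blank lines
    dropped, line order kept (rule order is part of a firewall policy)."""
    return tuple(line.rstrip() for line in config.splitlines() if line.strip())


@dataclass(frozen=True)
class Record:  # time-stamped record of one read (steps S67/S70 of the patent)
    timestamp: datetime
    initial: tuple[str, ...]
    running: tuple[str, ...]


@dataclass
class Diagnosis:  # result of one cycle; 'notifications' is what step S72 would send
    timestamp: datetime
    running_matches_initial: bool  # S65/S66
    running_matches_master: bool   # S68/S69
    initial_matches_past: bool     # against the previous time-stamped record
    running_matches_past: bool
    notifications: list[str]

    @property
    def consistent(self) -> bool:
        return not self.notifications


def unified_diff(expected: tuple[str, ...], actual: tuple[str, ...],
                 names: tuple[str, str]) -> str:
    """Line diff for the manager's display (hypothetical helper, not from the patent)."""
    return "\n".join(difflib.unified_diff(list(expected), list(actual), *names, lineterm=""))


class DiagnosticDevice:
    """Hypothetical implementation of the comparison logic of diagnostic device 12."""

    def __init__(self, master_config: str):
        # S61: master config read once from the master database into the
        # diagnostic device's own store (nonvolatile memory 55 in the patent).
        self.master = normalize(master_config)
        self.history: list[Record] = []  # would be persisted in a real device

    def diagnose(self, initial_config: str, running_config: str,
                 now: datetime | None = None) -> Diagnosis:
        """One diagnostic cycle (S62 to S72) over configs just read from the device."""
        now = now or datetime.now(timezone.utc)
        initial, running = normalize(initial_config), normalize(running_config)
        notes: list[str] = []

        run_vs_init = running == initial
        if not run_vs_init:
            notes.append("running config differs from initial config:\n"
                         + unified_diff(initial, running, ("initial", "running")))
        run_vs_master = running == self.master
        if not run_vs_master:
            notes.append("running config differs from master config:\n"
                         + unified_diff(self.master, running, ("master", "running")))

        # The comparison with the previous record catches the case where initial
        # and running config were both rewritten consistently (they then match).
        previous = self.history[-1] if self.history else None
        init_vs_past = previous is None or previous.initial == initial
        run_vs_past = previous is None or previous.running == running
        if not init_vs_past:
            notes.append(f"initial config changed since {previous.timestamp.isoformat()}")
        if not run_vs_past:
            notes.append(f"running config changed since {previous.timestamp.isoformat()}")

        self.history.append(Record(now, initial, running))
        return Diagnosis(now, run_vs_init, run_vs_master, init_vs_past, run_vs_past, notes)


# Constructed sample rule set (not from the patent): one permitted Modbus/TCP flow
# from the OT subnet to a management host, everything else denied.
MASTER_CONFIG = """\
interface vlan1
 ip address 10.0.1.1 255.255.255.0
access-list 101 permit tcp 10.0.1.0 0.0.0.255 host 10.0.4.10 eq 502
access-list 101 deny ip any any
"""
# Constructed: the same rule set with a permit-all rule inserted ahead of the final deny.
TAMPERED_CONFIG = MASTER_CONFIG.replace(
    "access-list 101 deny ip any any",
    "access-list 101 permit ip any any\naccess-list 101 deny ip any any")


def demo() -> list[Diagnosis]:
    """Three cycles: clean, running config rewritten, then initial config rewritten too."""
    dev = DiagnosticDevice(MASTER_CONFIG)
    t0 = datetime(2022, 9, 15, 8, 0, tzinfo=timezone.utc)
    return [dev.diagnose(MASTER_CONFIG, MASTER_CONFIG, t0),
            dev.diagnose(MASTER_CONFIG, TAMPERED_CONFIG, t0.replace(hour=9)),
            dev.diagnose(TAMPERED_CONFIG, TAMPERED_CONFIG, t0.replace(hour=10))]


if __name__ == "__main__":
    for d in demo():
        print(d.timestamp.isoformat(), "OK" if d.consistent else "MISMATCH", *d.notifications, sep="\n")
```

The third cycle shows why the time-stamped history matters: once initial and running config have both been rewritten they agree with each other, and only the master comparison and the comparison with the previous record still flag the change.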
(second embodiment)
In the first embodiment, the firewalls 27 to 29, 35, 36, 43 serving as communication control devices are provided in the network system 1 in correspondence with the LANs 1 to 6 respectively, and these LANs 1 to 6 are connected via the communication device group 11, but the present invention is not limited to this. In the second embodiment, another way of configuring the communication control devices is described.
Fig. 4 is a schematic diagram of the configuration of the network system 1A in the second embodiment. In the network system 1A shown in fig. 4, compared with the network system 1 of the first embodiment shown in fig. 1, the firewalls 27 to 29, 35, 36, 43 are not provided; instead, a communication device 81 that is an L3 switch and a firewall 82 connected to the communication device 81 are provided.
In the OT network 2, the LANs 1 to 3 that connect the device control devices 24 to 26 of the three mechanical devices 21 to 23 to the communication device 81 may also function as VLANs (Virtual Local Area Networks) providing virtual segments. Similarly, in the management network 3, the LANs 4 to 5, which connect the monitor terminal 33 of the central operation room 31 and the accumulation processing device 34 of the computer room 32 to the communication device 81, may also function as VLANs. The LAN6 of the private network 4 may also be used as a VLAN. Note that the LANs 1 to 6 need not function as VLANs; LANs 1 to 6 that are not VLANs may be connected via the communication device 81, the L3 switch.
The communication device 81, as an L3 switch, connects these VLANs to each other, and the configuration information of the firewall 82 records data transfer rules relating to the VLANs. As with the firewalls 27 to 29, 35, 36, and 43 of the first embodiment, a data transfer rule indicates which data is allowed to pass. In addition to the data transfer rules, the configuration information may include various other setting information, such as the services executed at startup.
The diagnostic device 12 is configured to be able to access the firewall 82 via the communication device 81. By the same processing as in the first embodiment shown in fig. 3, the diagnostic device 12 reads the initial configuration information 52 stored in the nonvolatile memory 50 of the firewall 82, the running configuration information 53 stored in the work memory 51, and the master configuration information 54 stored in the master database 42, and compares them. Then, as in the first embodiment, the diagnostic device 12 periodically compares the current running configuration information 53 with the initial configuration information 52 and determines whether the two match, and compares the current running configuration information 53 with the main configuration information 54 and determines whether the two match. When a comparison result is inconsistent, the manager is notified.
According to the diagnostic device 12 of the second embodiment, even in the network system 1A in which the LANs 1 to 6 are connected via the communication device 81, the L3 switch, the configuration of the diagnostic device 12 is not significantly changed, and unexpected changes such as falsification of the initial configuration information 52 and the running configuration information 53 can be detected early, as in the first embodiment.
(modification)
In the second embodiment, the communication device 81 serving as the L3 switch is provided separately from the firewall 82, but the invention is not limited to this. As shown in fig. 5, a configuration information storage unit 83 that stores configuration information may be provided in the network system 1B as the storage destination, and a firewall 82B may be provided in which the communication device 81, the configuration information storage unit 83, and the diagnostic device 12 are integrated. In this way, replacement of an existing communication device group or firewall can easily be performed.
(third embodiment)
In the first and second embodiments, the diagnosis performed by the diagnostic device 12 to confirm the validity of the configuration information set in the firewall 82 is described as the diagnosis that confirms the validity of information used in the network system, but the present invention is not limited to this. In the third embodiment, a technique for diagnosing the validity of other information used in the network system is described.
Fig. 6 is a schematic diagram showing the configuration of a network system 1C according to the third embodiment. As shown in fig. 6, in the network system 1C of the third embodiment an authentication device 84 is further connected to the communication device 81, compared with the network system 1B of the second embodiment shown in fig. 4.
Not only in the case of including the OT network 2, as in the network system 1C, a network sometimes includes an authentication device 84 that identifies a connected device or the person using it and grants permission for network connection. As an example, by installing an electronic certificate in a device such as a personal computer, network connection authentication based on the electronic certificate can be performed; specifically, a RADIUS (Remote Authentication Dial In User Service) server or the like can be used. To identify the connecting person, an authentication device 84 such as an AD (Active Directory) server that performs password or two-factor authentication may be used. Without being limited to these specific examples, the authentication device 84 holds the identifiers of devices or persons that have been granted connection permission, or that have not, together with the corresponding authentication information.
For example, the authentication device 84 is connected to the communication device 81 and the diagnostic device 12. The authentication device 84 performs the authentication processing of the manager, as user, when the manager logs in to the communication device 81 via the monitor terminal 33 of the central operation room 31. The authentication information entered by the manager at the monitor terminal 33 is transmitted to the authentication device 84 via the LAN4 and the communication device 81. When the received authentication information matches the authentication information stored in advance, the authentication device 84 stores the authentication information set from the monitor terminal 33 as correct information, and grants the monitor terminal 33 access to the communication device 81.
The authentication information thus set in the authentication device 84 is stored in the authentication device 84 and in the master database 42. That is, before the authentication device 84 is first started, the master authentication information is recorded in the master database 42 according to the manager's settings. Then, at the first startup, the authentication device 84 records the authentication information acquired via the LAN4 and the communication device 81 as initial authentication information in a nonvolatile memory provided in the authentication device 84. At each startup, the authentication device 84 reads the initial authentication information from the nonvolatile memory and records it as running authentication information in a work memory included in the authentication device 84.
Then, the same processing as shown in fig. 3 is performed between the diagnostic device 12 and the connected authentication device 84. That is, the diagnostic device 12 acquires the master authentication information from the master database 42 and records it in the nonvolatile memory 55. Further, when the initial authentication information and the running authentication information are acquired from the authentication device 84, the diagnostic device 12 records them in the work memory 56. Then the running authentication information in the work memory 56 is compared with the initial authentication information, and the running authentication information in the work memory 56 is compared with the master authentication information in the nonvolatile memory 55; when the comparison results are inconsistent, the manager is notified of the inconsistency.
As described above, the diagnostic device 12 according to the third embodiment periodically reads the authentication information set in the authentication device 84 from the authentication device 84, and reads the original authentication information from the storage destination in the network system 1C, namely the nonvolatile memory of the authentication device 84 or the master database 42, which stores the past authentication information in advance as the original authentication information (initial authentication information and master authentication information). The diagnostic device 12 then periodically compares the authentication information read from the authentication device 84 with the original authentication information read from the storage destination, and if the current authentication information read from the authentication device 84 does not coincide with the original authentication information, notifies the manager of the authentication device 84 of the inconsistency.
According to the diagnostic device 12 of the third embodiment, unexpected changes in the authentication information used in the authentication processing of the authentication device 84 can be detected at an early stage without greatly changing the configuration of the diagnostic device 12 shown in the first and second embodiments. Further, by having the diagnostic device 12 also execute the processing described in the first or second embodiment, this diagnosis can be combined with the diagnosis of the validity of the configuration information of the firewall 27, so that the configuration information of the firewall 27 and the authentication information of the authentication device 84 can be diagnosed comprehensively.
(modification)
In the third embodiment, the network system 1C in which the authentication device 84 is provided alongside the communication device 81 is described, but the present invention is not limited to this. For example, in another network system, an authentication device 84 may be provided separately in each of the device control devices 24 to 26 of the OT network 2, the monitor terminal 33 and the accumulation processing device 34 of the management network 3, and the master database 42 of the private network 4. Further, an authentication device 84 may also be provided in each of the mechanical devices 21 to 23 included in the OT network 2. In this way, even when authentication devices 84 are provided as appropriate for the respective devices constituting the network system, the validity of the authentication information set in each authentication device 84 can be diagnosed using the diagnostic device 12 of the third embodiment. The diagnostic device 12 may be provided for each authentication device 84, per sub-network, per OT network 2 or management network 3, and so on.
In the OT network 2 of a production site, infrastructure, or the like, if the authentication processing of a terminal device or equipment depends on remote equipment such as a cloud, operation and maintenance in the OT network 2 become difficult, and response performance may deteriorate. In contrast, in the present modification, authentication processing in the OT network 2, the management network 3, and the private network 4 is performed locally, and the authentication information of these other authentication devices can be verified periodically, so unexpected changes in the authentication information of the other authentication devices can be detected early regardless of the communication state.
The present invention is susceptible to various embodiments and modifications without departing from the broad spirit and scope of the invention. The above embodiments are for illustrating the present invention, and do not limit the scope of the present invention. That is, the scope of the invention is indicated by the claims rather than by the embodiments. Therefore, various modifications performed within the scope of the claims and the meaning of the equivalent invention are considered to be included in the scope of the present invention.
Description of symbols
1, 1A, 1B, 1C: network system;
2: OT network (network);
11: communication device group;
12: diagnostic device;
27-29, 35, 36, 43, 82B: firewall (communication control device);
42: master database (storage destination);
50, 55: nonvolatile memory (storage destination);
52, 58: initial configuration information (original configuration information);
53, 59: running configuration information;
54, 57: master configuration information (original configuration information);
81: communication device;
84: authentication device;
LAN1 to LAN6: sub-network.

Claims (10)

1. A diagnostic apparatus provided in a network system having a network formed by connecting a plurality of sub-networks and a communication control device that operates according to configuration information set by a manager to control communication in a communication path, the diagnostic apparatus diagnosing the configuration information set in the communication control device,
periodically reading the configuration information set in the communication control apparatus from the communication control apparatus, reading the original configuration information from a storage destination in the network system that stores the past configuration information as the original configuration information in advance,
periodically comparing the configuration information periodically read from the communication control apparatus with the original configuration information read from the storage destination,
when the current configuration information read from the communication control device does not match the original configuration information, the manager is notified of the mismatch.
2. The diagnostic device of claim 1, wherein,
the storage destination is a nonvolatile memory of the communication control apparatus, initial configuration information stored in the nonvolatile memory as the original configuration information is read,
the initial configuration information is read as running configuration information into a work memory of the communication control apparatus at the time of startup of the communication control apparatus, the running configuration information is periodically read from the communication control apparatus operating in accordance with the running configuration information,
periodically comparing the initial configuration information read from the communication control device with the current running configuration information,
and when the current running configuration information is inconsistent with the initial configuration information, notifying the manager of the inconsistency.
3. The diagnostic device according to claim 2, wherein,
recording the initial configuration information and the running configuration information read from the communication control apparatus,
periodically comparing the initial configuration information and the running configuration information read from the communication control apparatus with the recorded past initial configuration information and running configuration information respectively,
when the initial configuration information and the running configuration information read from the communication control apparatus do not match at least one of the recorded past initial configuration information and the running configuration information, notifying the manager of the discrepancy.
4. The diagnostic device of claim 1, wherein,
the storage destination is an external storage medium provided in the network system, main configuration information stored in the external storage medium as the original configuration information is read from the external storage medium, the current configuration information is read from the communication control apparatus,
periodically comparing the configuration information read from the communication control device with the master configuration information read from the external storage medium,
in the case where the current configuration information read from the communication control apparatus is inconsistent with the master configuration information, notifying the manager of the inconsistency.
5. The diagnostic apparatus according to claim 1, wherein the configuration information includes an identifier for indicating any one of a transmission source of data by the communication control device, a transmission destination of the data, and a service of the data.
6. The diagnostic apparatus according to claim 1, wherein the communication control device is a firewall respectively provided on communication paths of the sub-networks.
7. The diagnostic apparatus according to claim 1, wherein the communication control device is an L3 switch connected to the sub-network.
8. A diagnostic apparatus provided in a network system having a network formed by connecting a plurality of sub-networks and authentication equipment for authenticating the login of a manager to equipment provided in the network based on authentication information set by the manager, the diagnostic apparatus diagnosing the authentication information set in the authentication equipment,
periodically reading the authentication information set in the authentication device from the authentication device, reading the original authentication information from a storage destination in the network system that stores the past authentication information as the original authentication information in advance,
periodically comparing the authentication information periodically read from the authentication device with the original authentication information read from the storage destination,
when the current authentication information read from the authentication device does not match the original authentication information, the manager is notified of the discrepancy.
9. A diagnostic method for diagnosing configuration information set in a communication control device by a diagnostic means provided in a network system having a network constituted by connecting a plurality of sub-networks and a communication control device that operates to control communication in a communication path according to the configuration information set by a manager,
by means of the diagnostic device, the following steps are performed:
periodically reading the configuration information set in the communication control apparatus from the communication control apparatus, reading the original configuration information from a storage destination in the network system that stores the past configuration information as the original configuration information in advance,
periodically comparing the configuration information periodically read from the communication control apparatus with the original configuration information read from the storage destination,
when the current configuration information read from the communication control device does not match the original configuration information, the manager is notified of the mismatch.
10. A diagnostic method for diagnosing authentication information set in an authentication device by a diagnostic means provided in a network system having a network formed by connecting a plurality of sub-networks and an authentication device for authenticating a login of a manager to a device provided in the network based on authentication information set by the manager,
the following steps are performed by the diagnostic device:
periodically reading the authentication information set in the authentication device from the authentication device, reading the original authentication information from a storage destination in the network system that stores the past authentication information as the original authentication information in advance,
periodically comparing the authentication information periodically read from the authentication device with the original authentication information read from the storage destination,
when the current authentication information read from the authentication device does not match the original authentication information, the manager is notified of the discrepancy.
CN202280006885.9A 2022-09-15 2022-11-29 Diagnostic device and diagnostic method Pending CN116964991A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2022147446A JP7266925B1 (en) 2022-09-15 2022-09-15 Diagnostic device and diagnostic method
JP2022-147446 2022-09-15
PCT/JP2022/044056 WO2024057557A1 (en) 2022-09-15 2022-11-29 Diagnostic device and diagnosis method

Publications (1)

Publication Number Publication Date
CN116964991A true CN116964991A (en) 2023-10-27


Also Published As

Publication number Publication date
EP4362413A1 (en) 2024-05-01
