CN117195240B - Trusted DCS host computer data configuration verification and release method and system

Publication number: CN117195240B (other version: CN117195240A)
Application number: CN202311448083.6A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active (as listed by Google Patents)
Inventors: 柳曦, 张津, 杨渊, 杨柳, 贾泽冰, 孙浩沩, 焦龙, 王晓凯, 钟庆尧, 张军, 翟亮晶, 高少华
Assignee: Xian Thermal Power Research Institute Co Ltd
Prior art keywords: verification, data, trusted, release, configuration
Classification: Y02P90/02 (total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS])
Landscape: Storage Device Security

Abstract

The invention belongs to the field of industrial automation and discloses a trusted DCS host computer data configuration verification and release method and system. The data configuration is held in a logical cache and is released to the physical library, from which the host computer reads its data, only after trusted verification. The method comprises the following steps: identify the current user; if identification fails, end the release. If identification succeeds, compute a SHA digest of the ID of the current user's data configuration release event to obtain the trusted measurement value, look up the trusted measurement hash table using that event ID as the key, and compare the reference measurement value stored there with the computed value; if they differ, the current release event is judged invalid and the release ends. If they match, verify the validity of the data configuration; if verification fails, the release ends. If verification succeeds, release the data configuration from the logical cache to the physical library, and the release ends.

Description

Trusted DCS host computer data configuration verification and release method and system

Technical Field

The present invention relates to the field of industrial automation, and in particular to a method and system for verifying and releasing the data configuration of a trusted DCS host computer.

Background

The host computer database of a distributed control system (DCS) is the foundation of system operation and exchanges data frequently with the host computer's other data interfaces, so guaranteeing its integrity and validity is especially important. In an ordinary DCS the data configuration is loaded directly into the host computer database, which can leave the data insufficiently validated and its integrity unprotected. At the same time, as the informatization of power systems advances, malicious threats against them keep emerging, and how to effectively strengthen the system's security protection is a problem that urgently needs solving.

Summary of the Invention

The purpose of the present invention is to provide a trusted DCS host computer data configuration verification and release method and system that overcomes the defects of the prior art: it guarantees the integrity and validity of the host computer's physical library data and effectively improves the system's security protection.

To achieve this, the present invention adopts the following technical scheme:

A trusted DCS host computer data configuration verification and release method stores the data configuration in a logical cache and, after trusted verification, releases it to a physical library from which the host computer accesses data;

Releasing the data to the physical library after trusted verification specifically comprises the following steps:

S1: Identify the current user. If identification fails, end the release; if it succeeds, execute S2;

S2: Compute a SHA digest of the ID of the current user's data configuration release event to obtain the trusted measurement value; look up the trusted measurement hash table using that event ID as the key, and compare the reference measurement value in the table with the computed trusted measurement value. If they differ, judge the current release event invalid and end the release; if they match, execute S3;

S3: Verify the validity of the data configuration. If verification fails, end the release; if it succeeds, execute S4;

S4: Release the data configuration in the logical cache to the physical library; the release is complete.

Further, the data configuration comprises: plant configuration, device information, measurement point group information and measurement point information.

Further, S3 specifically comprises the following steps:

S31: Traverse the plant configuration list in the logical cache and verify each plant configuration in turn, as follows:

(a) Traverse the device information list of the current plant configuration and record each device's IP address. For the current device, verify its measurement point group information and the corresponding measurement point information; the checks cover the validity of measurement point names, the reasonableness of remote-control measurement point open/close rules, and the reasonableness of measurement point thresholds. Any item that fails a check is written to the data verification report;

(b) After the device information list has been fully traversed, any duplicated device IP address is treated as a failed check item and written to the data verification report;

S32: If the data verification report contains any failed check items, the release fails; otherwise, execute S4.

Further, S4 specifically comprises the following steps:

S41: Perform trusted verification and integrity measurement on the physical library and the logical cache. If either is found to have been tampered with or corrupted, send a trusted verification failure report and end the release; otherwise, execute S42;

S42: Compare the physical library file with the logical cache file. If the comparison of the data partitions in the two files shows differences, perform a loading operation for the changed or newly added partitions only, loading the logical cache data of those partitions into the physical library. If all partitions compare equal, the two stores hold the same data and there is nothing to update, so no loading is performed.

A trusted DCS host computer data configuration verification and release system stores the data configuration in a logical cache and, after trusted verification, releases it to a physical library from which the host computer accesses data;

It specifically comprises an identity recognition module, a comparison module, a verification module and a release module, where:

Identity recognition module: identifies the current user. If identification fails, the release ends; if it succeeds, control passes to the comparison module;

Comparison module: computes a SHA digest of the ID of the current user's data configuration release event to obtain the trusted measurement value; looks up the trusted measurement hash table using that event ID as the key, and compares the reference measurement value in the table with the computed trusted measurement value. If they differ, the current release event is judged invalid and the release ends; if they match, control passes to the verification module;

Verification module: verifies the validity of the data configuration. If verification fails, the release ends; if it succeeds, control passes to the release module;

Release module: releases the data configuration in the logical cache to the physical library; the release is complete.

Further, the data configuration comprises: plant configuration, device information, measurement point group information and measurement point information.

Further, the verification module specifically performs the following steps:

S31: Traverse the plant configuration list in the logical cache and verify each plant configuration in turn, as follows:

(a) Traverse the device information list of the current plant configuration and record each device's IP address. For the current device, verify its measurement point group information and the corresponding measurement point information; the checks cover the validity of measurement point names, the reasonableness of remote-control measurement point open/close rules, and the reasonableness of measurement point thresholds. Any item that fails a check is written to the data verification report;

(b) After the device information list has been fully traversed, any duplicated device IP address is treated as a failed check item and written to the data verification report;

S32: If the data verification report contains any failed check items, the release fails; otherwise, control passes to the release module.

Further, the release module specifically performs the following steps:

S41: Perform trusted verification and integrity measurement on the physical library and the logical cache. If either is found to have been tampered with or corrupted, send a trusted verification failure report and end the release; otherwise, execute S42;

S42: Compare the physical library file with the logical cache file. If the comparison of the data partitions in the two files shows differences, perform a loading operation for the changed or newly added partitions only, loading the logical cache data of those partitions into the physical library. If all partitions compare equal, the two stores hold the same data and there is nothing to update, so no loading is performed.

Compared with the prior art, the present invention has the following beneficial technical effects:

The present invention stores the user's data configuration in logical cache partitions and loads it into the physical library only after data verification and trusted verification, guaranteeing the integrity and validity of the host computer's physical library data. At the same time, system behaviours such as data configuration release and database loading are themselves subjected to trusted verification, guaranteeing that the behaviour of subjects and objects is trustworthy and that system data has not been maliciously tampered with or corrupted. In addition, when data is loaded from the logical cache into the physical library, a partitioned loading approach is used: only changed or newly added partitions are loaded, which keeps loading efficient.

Brief Description of the Drawings

The drawings in the specification provide a further understanding of the present invention and form a part of it; the exemplary embodiments of the present invention and their descriptions serve to explain the present invention and do not improperly limit it.

FIG. 1 is a flow chart of the trusted DCS host computer data configuration verification and release method of Embodiment 1 of the present invention;

FIG. 2 is a structural diagram of the trusted DCS host computer data configuration verification and release system of Embodiment 2 of the present invention.

Detailed Description

The present invention is described in further detail below with reference to the drawings and specific embodiments.

To enable those skilled in the art to better understand the scheme of the present invention, the technical schemes in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present invention are used to distinguish similar objects and not necessarily to describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the present invention described here can be implemented in orders other than those illustrated or described here. Furthermore, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such processes, methods, products or devices.

Embodiment 1

Referring to FIG. 1, the present invention provides a trusted DCS host computer data configuration verification and release method. The data configuration is first stored in a logical cache and, after trusted verification, is released to the physical library from which the host computer accesses data, which guarantees the integrity and validity of the data configuration. The data configuration comprises: plant configuration, device information, measurement point group information and measurement point information.

Releasing the data to the physical library after trusted verification specifically comprises the following steps:

S1: Identify the current user. If identification fails, end the release; if it succeeds, execute S2;

S2: Compute a SHA (Secure Hash Algorithm) digest of the ID (identifier) of the current user's data configuration release event to obtain the trusted measurement value; look up the trusted measurement hash table using that event ID as the key, and compare the reference measurement value in the table with the computed trusted measurement value. If they differ, judge the current release event invalid and end the release; if they match, execute S3;

S3: Verify the validity of the data configuration. If verification fails, end the release; if it succeeds, execute S4;

This specifically comprises the following steps:

S31: Traverse the plant configuration list in the logical cache and verify each plant configuration in turn, as follows:

(a) Traverse the device information list of the current plant configuration and record each device's IP (Internet Protocol) address. For the current device, verify its measurement point group information and the corresponding measurement point information; the checks cover the validity of measurement point names, the reasonableness of remote-control measurement point open/close rules, and the reasonableness of measurement point thresholds. Any item that fails a check is written to the data verification report;

(b) After the device information list has been fully traversed, any duplicated device IP address is treated as a failed check item and written to the data verification report;

S32: If the data verification report contains any failed check items, the release fails; otherwise, execute S4.

S4: Release the data configuration in the logical cache to the physical library; the release is complete;

This specifically comprises the following steps:

S41: Perform trusted verification and integrity measurement on the physical library and the logical cache. If either is found to have been tampered with or corrupted, send a trusted verification failure report and end the release; otherwise, execute S42;

S42: Compare the physical library file with the logical cache file. If the comparison of the data partitions in the two files shows differences, perform a loading operation for the changed or newly added partitions only, loading the logical cache data of those partitions into the physical library. If all partitions compare equal, the two stores hold the same data and there is nothing to update, so no loading is performed.

Embodiment 2

Referring to FIG. 2, the present invention also provides a trusted DCS host computer data configuration verification and release system, which stores the data configuration in a logical cache and, after trusted verification, releases it to a physical library from which the host computer accesses data. The data configuration comprises: plant configuration, device information, measurement point group information and measurement point information.

It specifically comprises an identity recognition module, a comparison module, a verification module and a release module, where:

Identity recognition module: identifies the current user. If identification fails, the release ends; if it succeeds, control passes to the comparison module;

Comparison module: computes a SHA digest of the ID of the current user's data configuration release event to obtain the trusted measurement value; looks up the trusted measurement hash table using that event ID as the key, and compares the reference measurement value in the table with the computed trusted measurement value. If they differ, the current release event is judged invalid and the release ends; if they match, control passes to the verification module;

Verification module: verifies the validity of the data configuration. If verification fails, the release ends; if it succeeds, control passes to the release module;

This specifically comprises the following steps:

S31: Traverse the plant configuration list in the logical cache and verify each plant configuration in turn, as follows:

(a) Traverse the device information list of the current plant configuration and record each device's IP address. For the current device, verify its measurement point group information and the corresponding measurement point information; the checks cover the validity of measurement point names, the reasonableness of remote-control measurement point open/close rules, and the reasonableness of measurement point thresholds. Any item that fails a check is written to the data verification report;

(b) After the device information list has been fully traversed, any duplicated device IP address is treated as a failed check item and written to the data verification report;

S32: If the data verification report contains any failed check items, the release fails; otherwise, control passes to the release module.
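The S3 validity verification (steps S31 and S32) as described in the summary, in Embodiment 1 and in the verification module above, written out as an added example that is not part of the patent. The four data layers come from the patent; the field names, the point-name pattern, the "open and close codes must exist and differ" rule and the "low threshold below high threshold" rule are assumptions made for this example, and the sample cache is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data model for the logical cache: plant -> device -> point group -> point.
# The four layers come from the patent; the field names, the naming pattern and
# the concrete open/close and threshold rules below are assumptions for this example.

POINT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")  # assumed naming rule


@dataclass
class Point:
    name: str
    kind: str = "measure"            # "measure" or "remote_control"
    low: Optional[float] = None      # assumed alarm thresholds
    high: Optional[float] = None
    open_cmd: Optional[int] = None   # assumed remote-control open/close command codes
    close_cmd: Optional[int] = None


@dataclass
class Device:
    name: str
    ip: str
    groups: Dict[str, List[Point]] = field(default_factory=dict)


@dataclass
class Plant:
    name: str
    devices: List[Device] = field(default_factory=list)


def _check_point(plant: str, dev: str, grp: str, p: Point, report: List[str]) -> None:
    """S31(a) per-point checks: name validity, open/close rule, threshold order."""
    loc = f"{plant}/{dev}/{grp}/{p.name or '<unnamed>'}"
    if not POINT_NAME_RE.match(p.name or ""):
        report.append(f"{loc}: invalid point name")
    if p.kind == "remote_control":
        # An open command and a close command must both exist and must differ,
        # otherwise one code would be ambiguous between the two actions.
        if p.open_cmd is None or p.close_cmd is None or p.open_cmd == p.close_cmd:
            report.append(f"{loc}: unreasonable open/close rule")
    if p.low is not None and p.high is not None and p.low >= p.high:
        report.append(f"{loc}: low threshold {p.low} is not below high threshold {p.high}")


def verify_plant(plant: Plant, report: List[str]) -> None:
    """S31: walk the plant's devices, record each device IP, check every point (a),
    and only after the whole device list is traversed flag duplicate IPs (b)."""
    seen: Dict[str, List[str]] = {}
    for dev in plant.devices:
        try:
            ip = str(ipaddress.ip_address(dev.ip))   # normalises the textual form
        except ValueError:
            report.append(f"{plant.name}/{dev.name}: malformed device IP {dev.ip!r}")
        else:
            seen.setdefault(ip, []).append(dev.name)
        for grp, points in dev.groups.items():
            for p in points:
                _check_point(plant.name, dev.name, grp, p, report)
    for ip, names in seen.items():
        if len(names) > 1:
            report.append(f"{plant.name}: duplicate device IP {ip} on {', '.join(names)}")


def validate_configuration(plants: List[Plant]) -> List[str]:
    """S3: run S31 over every plant configuration in the logical cache.
    S32 is the caller's decision: release only when the returned report is empty."""
    report: List[str] = []
    for plant in plants:
        verify_plant(plant, report)
    return report


def sample_cache() -> List[Plant]:
    """Constructed sample: one plant, two devices sharing an IP, three bad points."""
    rtu_a = Device("RTU-A", "10.0.0.5", {
        "feedwater": [
            Point("FEED_WATER_P", low=0.0, high=10.0),          # valid
            Point("BAD NAME", low=0.0, high=1.0),               # name fails the pattern
            Point("CV101", kind="remote_control", open_cmd=1, close_cmd=1),  # same code
            Point("TEMP_1", low=100.0, high=50.0),              # thresholds inverted
        ],
    })
    rtu_b = Device("RTU-B", "10.0.0.5", {"aux": [Point("AUX_FLOW", low=0.0, high=5.0)]})
    return [Plant("Unit1", [rtu_a, rtu_b])]


if __name__ == "__main__":
    for line in validate_configuration(sample_cache()):
        print(line)
```

Note that the duplicate-IP check runs only after the device loop completes, as S31(b) requires, so the report lists per-point findings first and the IP collision last.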

Release module: releases the data configuration in the logical cache to the physical library; the release is complete;

This specifically comprises the following steps:

S41: Perform trusted verification and integrity measurement on the physical library and the logical cache. If either is found to have been tampered with or corrupted, send a trusted verification failure report and end the release; otherwise, execute S42;

S42: Compare the physical library file with the logical cache file. If the comparison of the data partitions in the two files shows differences, perform a loading operation for the changed or newly added partitions only, loading the logical cache data of those partitions into the physical library. If all partitions compare equal, the two stores hold the same data and there is nothing to update, so no loading is performed.
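The trusted-measurement side of the flow, S2 (comparison module) together with S41 and S42 (release module), as it appears in the summary, in Embodiment 1 and in Embodiment 2 above, written out as an added example that is not the patent's own code. Assumptions made here: SHA-256 stands in for the unspecified "SHA"; each store is modelled as a mapping of partition name to bytes with a baseline of recorded digests; S1 and S3 are taken to have passed before this code runs; the release event, stores and baselines are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# A store (the physical library or the logical cache) is modelled as a mapping
# partition name -> partition bytes; a baseline is partition name -> hex digest.
Store = Dict[str, bytes]
Baseline = Dict[str, str]


def measure(data: bytes) -> str:
    """Trusted measurement of a byte string. The patent says only 'SHA';
    SHA-256 is this example's assumption."""
    return hashlib.sha256(data).hexdigest()


def record_baseline(store: Store) -> Baseline:
    """Measure every partition; the result is what S41 later checks against."""
    return {name: measure(data) for name, data in store.items()}


def check_release_event(event_id: str, trusted_table: Dict[str, str]) -> bool:
    """S2: SHA the release-event ID, look the ID up in the trusted measurement
    hash table, and compare the stored reference value with the computed one.
    An ID that was never enrolled has no reference and is rejected."""
    computed = measure(event_id.encode("utf-8"))
    reference = trusted_table.get(event_id)
    if reference is None:
        return False
    return hmac.compare_digest(reference, computed)   # constant-time comparison


def integrity_ok(store: Store, baseline: Baseline) -> bool:
    """S41: the store passes only if it has exactly the baseline's partitions and
    every partition still measures to its recorded value."""
    if set(store) != set(baseline):
        return False
    return all(hmac.compare_digest(baseline[n], measure(d)) for n, d in store.items())


def changed_partitions(physical: Store, cache: Store) -> List[str]:
    """S42 comparison: partitions that are new in the cache or differ from the library."""
    return sorted(n for n, d in cache.items()
                  if n not in physical or measure(physical[n]) != measure(d))


def release(event_id: str, trusted_table: Dict[str, str],
            cache: Store, cache_baseline: Baseline,
            physical: Store, physical_baseline: Baseline) -> Tuple[str, List[str]]:
    """S2 followed by S4 (S41, S42). S1 (user identification) and S3 (validity
    checks) are assumed to have passed before this is called.
    Returns (outcome, partitions loaded)."""
    if not check_release_event(event_id, trusted_table):
        return "invalid_event", []
    if not (integrity_ok(physical, physical_baseline) and integrity_ok(cache, cache_baseline)):
        return "trust_verification_failed", []       # S41: send failure report, stop
    todo = changed_partitions(physical, cache)
    for name in todo:                                # S42: load only what changed
        physical[name] = cache[name]
    # Re-measure the library after loading so the next release measures the new state.
    physical_baseline.clear()
    physical_baseline.update(record_baseline(physical))
    return ("released" if todo else "no_update"), todo


def sample_scenario():
    """Constructed sample: one enrolled release event, a cache with one changed
    and one new partition relative to the physical library."""
    trusted_table = {"EVT-0001": measure(b"EVT-0001")}   # enrolled at registration time
    cache: Store = {"plants": b"Unit1", "devices": b"RTU-A;RTU-B", "points": b"FEED_WATER_P"}
    physical: Store = {"plants": b"Unit1", "devices": b"RTU-A"}
    return trusted_table, cache, record_baseline(cache), physical, record_baseline(physical)


if __name__ == "__main__":
    t, c, cb, p, pb = sample_scenario()
    print(release("EVT-0001", t, c, cb, p, pb))   # first run loads devices and points
    print(release("EVT-0001", t, c, cb, p, pb))   # second run finds nothing to update
```

A partition that appears in either store without a matching baseline entry fails S41 rather than being silently loaded, which is the behaviour a defender wants from the integrity measurement.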

Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Finally, it should be noted that the above embodiments serve only to illustrate the technical scheme of the present invention and not to limit its scope of protection. Although the present invention has been described in detail with reference to the above embodiments, persons of ordinary skill in the art should understand that, having read the present invention, they may still make various changes, modifications or equivalent substitutions to its specific implementations, and that all such changes, modifications or equivalent substitutions fall within the scope of protection of the pending claims of the invention.

Claims (2)

1. A method for verifying and releasing the data configuration of a trusted DCS upper computer, characterized in that the data configuration is stored in a logic cache and comprises plant station configuration, device information, measuring point group information and measuring point information, which are released to a physical library for the upper computer to access after passing trusted verification;
the trusted verification and release to the physical library specifically comprise the following steps:
S1: identifying the identity of the current user; if identification fails, ending the release; if identification succeeds, executing S2;
S2: performing a SHA1 operation on the ID of the current user's data configuration release event to obtain a trusted measurement value; looking up the trusted measurement hash table using the ID of the release event as the key, and comparing the reference measurement value in the table with the computed trusted measurement value; if they are inconsistent, judging the current release event invalid and ending the release; if they are consistent, executing S3;
S3: verifying the validity of the station configuration; if verification fails, ending the release; if verification succeeds, executing S4; S3 comprises:
S31: traversing the station configuration list in the logic cache and verifying the station configurations one by one, as follows:
(a) traversing the device information list corresponding to the current station configuration, recording each device IP, and verifying the measuring point group information and the corresponding measuring point information under the current device, the verified content comprising the validity of the measuring point name, the rationality of the open/close rule of remote-control measuring points and the rationality of the measuring point thresholds; any unreasonable item found is stored in the data verification report;
(b) after the device information list has been traversed, if any device IP is repeated, treating the repeated IP as an unreasonable item and storing it in the data verification report;
S32: if the data verification report contains any unreasonable item, the release fails; otherwise, executing S4;
S4: releasing the data configuration in the logic cache to the physical library and ending the release; S4 comprises:
S41: performing trusted verification and integrity measurement on the physical library and the logic cache; if either has been tampered with or destroyed, issuing a trusted verification failure report and ending the release; otherwise, executing S42;
S42: comparing the physical library file with the logic cache file partition by partition; if a data partition differs, performing a library loading operation on the changed or added partition and loading the logic cache data of that partition into the physical library; if all data partition comparisons are consistent, the two libraries hold the same data, there is no update, and no library loading operation is performed.
2. A trusted DCS upper computer data configuration verification and release system, characterized in that the data configuration is stored in a logic cache and comprises plant station configuration, device information, measuring point group information and measuring point information, which are formally released to a physical library for the upper computer to access after passing trusted verification;
the system specifically comprises an identity recognition module, a comparison module, a verification module and a release module, wherein:
the identity recognition module is used for identifying the identity of the current user; if identification fails, the release is ended; if identification succeeds, the comparison module is entered;
the comparison module performs a SHA1 operation on the ID of the current user's data configuration release event to obtain a trusted measurement value; looks up the trusted measurement hash table using the ID of the release event as the key, and compares the reference measurement value in the table with the computed trusted measurement value; if they are inconsistent, the current release event is judged invalid and the release is ended; if they are consistent, the verification module is entered;
the verification module is used for verifying the validity of the station configuration; if verification fails, the release is ended; if verification succeeds, the release module is entered; the verification comprises:
S31: traversing the station configuration list in the logic cache and verifying the station configurations one by one, as follows:
(a) traversing the device information list corresponding to the current station configuration, recording each device IP, and verifying the measuring point group information and the corresponding measuring point information under the current device, the verified content comprising the validity of the measuring point name, the rationality of the open/close rule of remote-control measuring points and the rationality of the measuring point thresholds; any unreasonable item found is stored in the data verification report;
(b) after the device information list has been traversed, if any device IP is repeated, treating the repeated IP as an unreasonable item and storing it in the data verification report;
S32: if the data verification report contains any unreasonable item, the release fails; otherwise, the release module is entered;
the release module is used for releasing the data configuration in the logic cache to the physical library and ending the release; the release comprises:
S41: performing trusted verification and integrity measurement on the physical library and the logic cache; if either has been tampered with or destroyed, issuing a trusted verification failure report and ending the release; otherwise, executing S42;
S42: comparing the physical library file with the logic cache file partition by partition; if a data partition differs, performing a library loading operation on the changed or added partition and loading the logic cache data of that partition into the physical library; if all data partition comparisons are consistent, the two libraries hold the same data, there is no update, and no library loading operation is performed.
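The release pipeline of claims 1 and 2 (identity check, SHA1 event measurement against a reference table, station configuration checks, integrity measurement of both libraries, and partition-wise loading) as an added Python model; this is illustrative code, not the patent's implementation, and the function names, the dictionary layout of stations/devices/points and the SHA-1 partition digest used for the S41 integrity measurement are assumptions.

```python
import hashlib

def measure(event_id: str) -> str:
    return hashlib.sha1(event_id.encode()).hexdigest()  # S2 trusted measurement value

def digest(library: dict) -> str:
    """S41 integrity measurement: hash the library partition by partition in sorted order."""
    h = hashlib.sha1()
    for part in sorted(library):
        h.update(f"{part}={library[part]!r};".encode())
    return h.hexdigest()

def verify_config(stations: list) -> list:
    """S31: walk station -> device -> point group -> point; return the data verification report."""
    report = []
    for st in stations:
        seen_ips = set()
        for dev in st["devices"]:
            ip = dev["ip"]
            if ip in seen_ips:                                  # S31(b): repeated device IP
                report.append(f"{st['name']}: duplicate device IP {ip}")
            seen_ips.add(ip)
            for grp in dev["groups"]:                            # S31(a): point-level checks
                for pt in grp["points"]:
                    name = pt["name"]
                    if not name or not name.replace("_", "").isalnum():
                        report.append(f"{ip}/{grp['name']}: invalid point name {name!r}")
                    if pt["low"] >= pt["high"]:
                        report.append(f"{ip}/{name}: threshold low >= high")
                    if pt.get("remote") and pt["open_cmd"] == pt["close_cmd"]:
                        report.append(f"{ip}/{name}: open and close commands identical")
    return report

def release(user_ok, event_id, ref_table, stations, physical, logic, ref_digests):
    """Claim 1 end to end: returns ('fail', reason) or ('ok', list of partitions loaded)."""
    if not user_ok:                                         # S1
        return "fail", "identity recognition failed"
    if ref_table.get(event_id) != measure(event_id):        # S2
        return "fail", "release event invalid"
    report = verify_config(stations)                        # S3
    if report:                                              # S32
        return "fail", report
    for lib_name, lib in (("physical", physical), ("logic", logic)):  # S41
        if digest(lib) != ref_digests[lib_name]:
            return "fail", f"{lib_name} library tampered or destroyed"
    changed = [p for p in logic if physical.get(p) != logic[p]]        # S42
    for p in changed:
        physical[p] = logic[p]
    return "ok", changed
```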

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311448083.6A CN117195240B (en) 2023-11-02 2023-11-02 Trusted DCS host computer data configuration verification and release method and system

Publications (2)

Publication Number Publication Date
CN117195240A CN117195240A (en) 2023-12-08
CN117195240B true CN117195240B (en) 2024-05-28

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant