JP2001273210A - Method and device for preventing invasion from external network - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve a problem that it is possible to perform illegal access by breaking through a firewall when a process controller for collecting the control data of a control station is captured by the illegal access from the outside and the control station is accessed by a regular procedure. SOLUTION: When the presence of the illegal access to the firewall for plant between an information system LAN and the control station is reported, after all interfaces inside the firewall for plant are shut down, the operation of the device itself is stopped as well. Since all routes from the external network to the control station are shut down, illegal access is not performed to the control station.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and an apparatus for preventing unauthorized intrusion from an external network, and more particularly to a method and an apparatus for preventing intrusion from an external network suitable for use in a plant control device. .

[0002]

2. Description of the Related Art At present, networking is progressing, and even a control station for controlling a plant has been connected to an external network such as the Internet. Since a control system including such a control station may be intruded from outside, security measures are an important issue. FIG. 4 shows an example of a control system including a control station connected to an external network. In FIG. 4, reference numeral 1 denotes an information system firewall, which is connected to a public network such as the Internet and an information system LA.
N (local area network) 2.
The information firewall 1 eliminates unauthorized access to the information LAN 2 from an external network such as a public line network.

The information LAN 2 includes an information firewall 1, a host computer 3, and an intrusion detection system 4.
And the computer 5 are connected. The intrusion detection system 4 monitors traffic on the information LAN 2 and detects an intrusion into a device on the information LAN 2 from outside. When an intrusion is detected, an intrusion history log is left inside, or an administrator is notified of the intrusion through the network.

[0004] Reference numeral 6 denotes a plant firewall placed between the computer 5 and the control system information LAN 7. The plant firewall 6 is configured as an application gateway type firewall, that is, a proxy firewall, and controls access between the process controller 5 and the gateway 10 based on an access control rule according to a preset security policy. That is, the plant firewall 6
Controls access of the process controller 5 and the gateway 10 based on an application level protocol. The control system information LAN 7 is connected to an enclosure 8, an operation controller 9, and a gateway 10 in addition to the plant firewall 6.

[0005] Encon 8, operation control 9, gateway 1
0 and the control station 12 are interconnected by a control LAN 11. Gateway 10 is control station 1
2, which operates as a gateway between the computer 5 and the control station 12 using communication means unique to the control station 12.

In such a system, the control station 12 can be accessed from an external network such as a public line network. However, in order to prevent unauthorized access, the information system firewall 1 and the plant firewall 6 are duplicated. Defense is in place.

[0007]

However, a control system connected to such an external network includes:
There were the following issues.

If an unauthorized access from the outside breaks through the information firewall 1 and the computer 5 is hijacked and the computer 5 is accessed by a regular means,
It could not detect that it was a communication from an intruder. In other words, in such a case, the plant firewall 6 could not detect an unauthorized intrusion.

[0009] The plant firewall 6 is the last blockage of the control station 12 and poses a serious threat to the plant, for example, if the access control routine that has been set is tampered with when it is invaded. If the access control routine is falsified, the plant firewall 6 recognizes an unauthorized access from an intruder as a legitimate access, and relays the access to the gateway 10. That is, it is impossible to prevent unauthorized access to the control station 12, and there is a problem that control information may be stolen or tampered with, leading to a serious accident.

Therefore, the problem to be solved by the present invention is:
It is an object of the present invention to provide a method and an apparatus for preventing intrusion from an external network in which a plant firewall is prevented from being taken over by an unauthorized intruder and an intruder cannot access a control station.

[0011]

Means for Solving the Problems In order to solve such problems, the invention according to claim 1 of the present invention is connected when it is notified that an unauthorized access from an external network has been detected. The operation of all the interface cards is stopped, and then the operation of the interface card itself is stopped to prevent unauthorized access. Since all routes are blocked, unauthorized access does not enter.

According to a second aspect of the present invention, in the first aspect of the present invention, a dedicated communication path is used as a communication path for notifying unauthorized access. Intrusion of unauthorized access can be more reliably prevented.

According to a third aspect of the present invention, there is provided an intrusion detection device for detecting an unauthorized access from an external network, and a relay device which is located on an internal network and receives an unauthorized access notification from the intrusion detection device. However, when the relay device receives the notification of the unauthorized access, it stops the operation of all the interface cards therein, and then stops its own operation so that the unauthorized access does not enter the relay device and beyond. It was made.

According to a fourth aspect of the present invention, in the third aspect of the invention, a dedicated communication path is provided as a communication path through which the intrusion detection device transmits a notification of unauthorized intrusion to the relay device.

According to a fifth aspect of the present invention, there is provided an intrusion detecting device for detecting an unauthorized access from an external network, a control station, a process controller accessing the control station, and a process control device disposed between the process control device and the control station. When the firewall is notified of the unauthorized access from the intrusion detection device, the firewall stops the operation of the interface card connecting the computer and the intrusion detection device and the control station. The operation of the firewall itself is stopped so that unauthorized access does not enter the control station. Unauthorized access to the control station can be reliably prevented.

According to a sixth aspect of the present invention, in the fifth aspect of the invention, a dedicated communication path is used as a communication path between the intrusion detection device and the firewall. Unauthorized access can be more reliably prevented.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The present invention will be described below in detail with reference to the drawings. FIG. 1 is a diagram showing the configuration of a system for implementing a method for preventing intrusion from an external network according to the present invention. The same elements as those in FIG. 4 are denoted by the same reference numerals, and description thereof will be omitted. The feature of this configuration is that the intrusion detection system 4
On the communication path 20 from the plant firewall 6 to the plant firewall 6. This communication path 20 is installed independently of the information LAN 2. The plant firewall 6 operates as a relay device.

FIG. 2 is a flowchart showing a method of preventing intrusion from an external network operating on the system of FIG. 1 and an operation example of the apparatus. This flowchart shows the operation of the plant firewall 6, and the flowchart surrounded by a dotted line on the right side is an operation unique to this embodiment.

The operation of this embodiment will be described below with reference to this flowchart. Intrusion detection system 4 is an information system L
When the unauthorized intrusion into the AN 2 is detected, the plant firewall 6 is notified of the detection. This notification is performed via the communication path 20. Upon receiving this notification, the plant firewall 6 performs an emergency stop process and then stops its own operation. Since the operation of the plant firewall 6 stops, as can be seen from FIG.
The control station 12 is disconnected from an external network such as a public network. Therefore, even if there is an unauthorized access, the access does not reach the control station 12.

If there is no notification of unauthorized intrusion detection, access control is performed based on an access control rule when there is an access request from the computer 5, and the gateway 1
When there is a reply from 0 to the process control 5, the reply is relayed to the process control 5.

Next, the emergency stop processing will be described. When the emergency stop process is started, first, the session between the currently managed computer 5 and the gateway 10 is immediately terminated. Next, all the network interface cards in the plant firewall 6 are brought down to stop their operation. In the case of the system shown in FIG. 1, all three interface cards of the interface card connected to the interface card intrusion detection system 4 connected to the computer 5 and the interface card connected to the gateway 10 are brought down. When the down is completed, a log is recorded, an alert is displayed, and the process ends. As described above, since its own function is stopped after the emergency stop processing, all the connection paths to the gateway 10 are cut off. Therefore, it cannot enter the control station 12.

FIG. 3 shows the structure of the plant firewall 6. Reference numeral 61 denotes a program controller interface card for connecting with the program controller 5. Reference numeral 62 denotes an intrusion detection system interface card, which is connected to the intrusion detection system 4 via the communication path 20. Reference numeral 63 denotes a gateway interface card, and gateway 1
Connect between 0. A control unit 64 controls the entire plant firewall 6.

When the intrusion detection system 4 detects an unauthorized access, the intrusion detection system 4 notifies the plant firewall 6 via the communication path 20 of the detection. This notification is input to the control unit 64 via the intrusion detection system interface 62. The control unit 64 performs the processing according to the flowchart of the emergency stop processing described on the right side of FIG. That is, all the ongoing sessions are terminated, the interface card 61 for the computer, the interface card 62 for the intrusion detection system, and the interface card 63 for the gateway are shut down, and a log is recorded and an alert is displayed. Stop. When there is no notification of the unauthorized access, the control unit 64 relays the access between the computer 5 and the gateway 10.

In the embodiment shown in FIG. 1, the intrusion detection system 4 performs the notification of the detection of the illegal access through the dedicated communication path 20, but may perform the notification through the information LAN 2. However, providing a dedicated communication path is advantageous in security.

[0024]

As is apparent from the above description,
According to the present invention, the following effects can be expected. According to the first aspect of the present invention, when it is notified that an unauthorized access from an external network has been detected, the operation of all the connected interface cards is stopped, and then the operations of the interface cards themselves are also stopped and the unauthorized operation is stopped. To prevent unauthorized access. Since all the routes are blocked, unauthorized access does not enter the inside of the network.

According to the second aspect of the present invention, a dedicated communication path is used as a communication path for notifying unauthorized access. Since unauthorized access notification is not hindered, it is possible to more reliably prevent unauthorized access.

According to a third aspect of the present invention, there is provided an intrusion detection device for detecting an unauthorized access from an external network, and a relay device which is located in an internal network and receives an unauthorized access notification from the intrusion detection device. However, when the relay device receives the notification of the unauthorized access, it stops the operation of all the interface cards therein, and thereafter stops its own operation. Since all the routes are blocked, unauthorized access does not enter the relay device.

According to a fourth aspect of the present invention, a dedicated communication path is provided as a communication path through which the intrusion detection device transmits a notification of unauthorized intrusion to the relay device. Since the notification is not obstructed, unauthorized intrusion can be more reliably prevented.

According to a fifth aspect of the present invention, there is provided an intrusion detecting device for detecting an unauthorized access from an external network, a control station, a process controller accessing the control station, and a process control device disposed between the process control device and the control station. When the firewall is notified of the unauthorized access from the intrusion detection device, the firewall stops the operation of the interface card connecting the computer and the intrusion detection device and the control station. Stopped the operation of the firewall itself. Since unauthorized access to the control station can be reliably prevented, the control data is not falsified or the control is not disturbed.

According to a sixth aspect of the present invention, a dedicated communication path is used as a communication path between the intrusion detection device and the firewall. Unauthorized access can be more reliably prevented.

[Brief description of the drawings]

FIG. 1 is a configuration diagram showing one embodiment of the present invention.

FIG. 2 is a flowchart showing the operation of one embodiment of the present invention.

FIG. 3 is a configuration diagram showing a configuration of a plant firewall.

FIG. 4 is a configuration diagram of a system including a conventional control station.

[Explanation of symbols]

 REFERENCE SIGNS LIST 1 information firewall 2 information LAN 4 intrusion detection system 5 process control 6 plant firewall 7 control system LAN 10 gateway 12 control station 20 communication path 61 process control interface card 62 intrusion detection system interface card 63 gateway interface card 64 control unit

Claims (6)

[Claims] When an unauthorized access from an external network is detected, the operation of all connected interface cards is stopped, and then the operation of the interface card itself is stopped to prevent the intrusion of the unauthorized access. A method for preventing intrusion from an external network, wherein the intrusion is prevented. 2. The method for preventing intrusion from an external network according to claim 1, wherein a dedicated communication path is used as a communication path for notifying unauthorized access from the external network. 3. An intrusion detection device for detecting an unauthorized access from an external network, and a relay device in the middle of an internal network and receiving an unauthorized access notification from the intrusion detection device. Upon receiving the notification of the unauthorized access, the operation of all the interface cards inside the interface card is stopped, and then the operation of the interface card itself is stopped, so that the unauthorized access does not enter the relay device and thereafter. To prevent intrusion from external networks. 4. A device for preventing intrusion from an external network according to claim 3, wherein a dedicated communication channel is provided as a communication channel for transmitting a notification of unauthorized intrusion to the relay device by the intrusion detection device. 5. An intrusion detection device for detecting unauthorized access from an external network, a control station, a control computer for accessing the control station, and a firewall disposed between the control computer and the control station. Upon receiving a notification of unauthorized access from the intrusion detection device, the firewall stops the operation of the interface card connecting the computer and the intrusion detection device and the control station, and then stops the operation of the firewall itself. And preventing unauthorized access from entering the control station. 6. The apparatus for preventing intrusion from an external network according to claim 5, wherein a dedicated communication path is used as a communication path by which the intrusion detection apparatus notifies the firewall of unauthorized intrusion.