JP2003333023A - Data relay program for plant supervisory control and system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To safely and surely execute data relay for plant supervisory control via a communication line between a plant controller and a remote supervisory controller. <P>SOLUTION: The data relay program for the plant supervisory control is executed by each computer. Data for the plant supervisory control is compressed. Check sum is calculated by a prescribed method and added to the compressed data. Unused random numbers and location information are derived from a random number table and encrypted by an XOR for each bit of the random numbers, the compressed data for the plant supervisory control, and the added check sum. The location information is added. The encrypted data with the location information is generated and transmitted. The random numbers, corresponding to the received location information, are derived. The compressed data is found by decoding, when the random numbers are not used. The check sum is calculated and compared. If there is matching, the original data is obtained by being expanded. Also, security and reliability can be further improved by using the physical random number and a message digest function. <P>COPYRIGHT: (C)2004,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a plant monitoring control data relay program and system applied to a large-scale process plant such as a power plant, an electric power plant, and an industrial plant.

[0002]

2. Description of the Related Art In a large-scale process plant such as a power plant, an electric power plant, an industrial plant, for example, FIG.
A supervisory control system having the configuration shown in is adopted. Figure 8
In the above, in the supervisory control system, a plurality of control devices 1 are installed, and these control devices 1 are generally configured by using a microprocessor, and a plant state signal measured by the sensor 2 and a pre-recorded program. And the command signal to the plant equipment is calculated based on the parameters and the plant is controlled through the actuator 3 by the plant state signal and the command signal to the plant equipment.

The controller 1 also aggregates the plant status signals in real time to provide the operator with a plant status through the man-machine interface computer 4 and transmits a command signal to the plant equipment in accordance with the operator's operation. And control. In addition, the plurality of control devices 1
And the plurality of control devices 1 and the man-machine interface computer 4 are connected by an in-plant LAN 5, and data such as the above-mentioned plant state signal and command signal are transmitted through this in-plant LAN 5.

By the way, in order to operate the plant normally, the controller 1 must be maintained regularly or as needed. Maintenance of the control device 1 is performed by directly connecting the maintenance device to the control device 1 itself using a dedicated interface or through a dedicated network in the plant.

Further, as shown in FIG. 8, with the recent development of communication technology, it has become possible to perform monitoring control and maintenance from a remote monitoring control maintenance device 6 installed in a remote place through a communication line 7. . Note that data necessary for operations such as plant monitoring, control, and maintenance that are transmitted and received between the remote monitoring control maintenance device 6 and the plant control device 1 are also referred to as plant monitoring control data.

Data communication with such a remote place is
At present, it is carried out via a dedicated line based on the circuit switching system. However, with the spread and sophistication of open networks such as the Internet, an open network based on a packet switching system that has cost and performance advantages, for example, the Internet using TCP / IP (Transmission Control Protocol) as a communication protocol It is expected to be done via.

[0007]

However, when remote monitoring control and maintenance are performed using an open network such as the Internet based on TCP / IP as described above, there are the following problems.

(1) Since the open network is accessible by a third party, data communication contents may be intercepted by the third party and important information may leak to the outside. (2) Data may be tampered with by a malicious third party. The tampered plant monitoring control data may threaten the normal operation of the plant and eventually the safety of the public.

In this respect, Mie DES (Data Encryption St
andard; United States National Standard X3.92-1981
/ R1987) and RSA (US Pat. No. 4,405,82)
If the data for plant monitoring control to be transmitted is encrypted / decrypted by using an advanced encryption technology such as No. 9), the above-mentioned problems relating to data transmission via an open network can be solved to a considerable extent. it can.

However, these advanced cryptographic techniques
It requires a lot of data processing for encryption and decryption, and is not always suitable for supervisory control and maintenance of a plant that requires high speed. Also, even with these ciphers, absolute security is not guaranteed theoretically.

Further, a Vernam cryptosystem in which a random number having the same length as the original data is used as a disposable encryption key, that is, a disposable (use only once) encryption key consisting of random numbers having the same length as the original data is used for each digit. The method of taking an exclusive OR (XOR) for encryption and then taking the exclusive OR of the original data and the encryption key for decryption is simple in data processing and safe in terms of information theory.

Therefore, it is considered to use the above-mentioned Vernam cryptosystem for transmission of plant monitoring control data via an open network.

In the above-mentioned Vernam cryptosystem, the sender and the receiver must share a random number having the same length as the original data and a huge amount of data. In a limited case, this is not a big problem.

However, even in the above-mentioned Vernam cryptosystem, the security is not guaranteed if the random number used as the encryption key is not a true random number but a pseudorandom number having some regularity. Moreover, even if the encryption key is thrown away after being used only once, if the random number used as the encryption key is known before use, the encryption will be easily deciphered.

The present invention has been made in view of the above circumstances, and it is possible to safely and reliably perform plant monitoring control data relay via a communication line between a plant control device and a remote monitoring control device. Data relay program and system for advanced plant monitoring and control.

[0016]

In order to solve the above-mentioned problems, according to the invention described in claim 1, it is connected to a control device of a plant so as to be able to perform data communication, and a plurality of random numbers are identified at their respective storage positions. A first computer capable of accessing the first random number table that is held as possible, and a second random number table for the remote monitoring control device of the plant, which has the same structure as the first random number table. A program for relaying digital data (plant monitoring control data) relating to plant monitoring control, which can be executed by a second computer, and is used for the plant monitoring control from one of the first and second computers. When transmitting data to the other computer via a communication line, one of the data transmitting A compression means for compressing the control data and a checksum calculation for calculating the checksum value from the compressed data using a predetermined calculation method and adding the calculated checksum value to the compressed plant monitoring control data. Means, means for extracting an unused random number and position information of the random number from a random number table corresponding to the data transmitting computer, and bits of the extracted random number and the plant monitoring control data to which the checksum value is added An encryption that takes exclusive OR for each to encrypt the plant monitoring control data and adds the position information to the encrypted plant monitoring control data to generate encrypted plant monitoring control data with position information As means, they are made to function respectively.

According to a second aspect of the invention, the encrypted plant monitoring control data with position information transmitted from the other data receiving side computer from the one data transmitting side computer via the communication line. And a retrieval judgment means for retrieving a random number corresponding to the position information based on the position information, extracting a random number table corresponding to the other computer, and judging whether or not the extracted random number is unused. If the result is unused, a decrypting means for decrypting the encrypted plant monitoring control data by the extracted random number, and calculating a checksum value from the decrypted data using the predetermined calculation method, Comparing means for comparing the calculated checksum value with the checksum value added to the decrypted plant monitoring control data; If the additional checksum value and the calculated check sum value by the comparison of the comparison means match, the data decompression means for decompressing said decrypted plant monitoring control data, thereby to function.

According to the invention of claim 3, the communication line is an open network.

According to the fourth aspect of the present invention, the decrypting means includes a means for issuing a warning and a comparing means for issuing a warning when the retrieval determining means determines that the extracted random number is not unused. Means for issuing a warning when the calculated checksum value and the additional checksum value do not match as a result of the comparison.

According to a fifth aspect of the present invention, the first and second computers are their own computers, and the encrypted plant monitoring control data with position information is transmitted to another computer via the communication line. A sending side application program that functions as a sending means for sending,
A receiving side application program that causes the own computer to function as a receiving unit that receives the encrypted plant monitoring control data with position information transmitted via the communication line is implemented as one process, The plant monitoring control data relay program is implemented in the first and second computers as a process different from the transmission side application program and the reception side application program, while the first and second computers Each of the data transmission side computers has a fixed length buffer, and the encryption means of the data transmission side computer includes means for storing the position information-encrypted plant monitoring control data in the fixed length buffer. Means fixed above Means for reading the encrypted plant monitoring control data with position information stored in a buffer and transmitting it to the data receiving side computer via the communication line, wherein the receiving means of the data receiving side computer is the communication line Is a means for receiving the encrypted plant supervisory control data with position information transmitted via and storing it in the fixed length buffer, the search judgment means of the data receiving side computer is in the fixed length buffer. It includes means for reading the stored encrypted plant monitoring control data with position information and searching a random number table corresponding to the data receiving computer based on the read position information.

According to a sixth aspect of the present invention, the plant control device is connected for data communication, and the first
A third computer connected by a dedicated communication line to the computer, and the remote monitoring control device includes a fourth computer connected by a dedicated communication line to the second computer. The fourth computer includes a transmission-side application program that causes the own computer to function as a transmission unit that transmits the encrypted plant monitoring control data with position information to another computer through the communication line, and the own computer. A reception side application program that functions as a receiving unit that receives the encrypted plant monitoring control data with position information transmitted via the open network is installed, and the plant monitoring control data relay program is installed. To the first and second computers On the other hand, the encrypting means of the data transmitting side computer is configured so that the encrypted plant monitoring control data with position information is connected to the data transmitting side computer via the dedicated communication line. 4 to one of the computers, and the transmitting means of the one computer receives the encrypted plant supervisory control data with position information transmitted via the dedicated communication line to perform the communication. Means for transmitting to the other computer of the third and fourth computers via a line, the third and fourth computers
The receiving means of the other computer in the computer receives the encrypted plant monitoring control data with position information transmitted via the communication line, and the other computer via the dedicated communication line. Means for transmitting to the data receiving side computer connected to the data receiving side computer, the search determining means of the data receiving side computer,
It includes means for searching a random number table corresponding to the data receiving computer based on the position information of the encrypted plant monitoring control data with position information transmitted from the receiving means.

According to the invention described in claim 7, each random number stored in the random number table is a physical random number having no regularity.

According to an eighth aspect of the present invention, in the data transmission side computer, the physical random number generated by the physical random number generator for generating the physical random number having no regularity is different from the communication line. Of the physical random number generated by the physical random number generation device by causing the received physical random number to function as a means for storing the received physical random number in the random number table as the random number. It functions as means for receiving the received physical random number through the second communication line for random number transmission different from the communication line and storing the received physical random number in the random number table as the random number.

In order to solve the above problems, according to the invention of claim 9, the plant control device is connected so as to be capable of data communication, and a communication line is provided between the plant control device and the remote monitoring control device. Is a plant monitoring control data relay system that relays digital data (plant monitoring control data) related to plant monitoring control, and stores a random number table that stores a plurality of random numbers so that each storage location can be identified. Means, a compression means for compressing the plant monitoring control data transmitted from one of the plant control device and the remote monitoring control device, and a checksum value is calculated from the compressed data using a predetermined calculation method. , A checksum that adds the calculated checksum value to the compressed plant monitoring control data Calculating means, means for extracting an unused random number and position information of the random number from the random number table, and exclusive OR for each bit of the extracted random number and the plant monitoring control data to which the checksum value is added To encrypt the plant monitoring and control data,
An encryption unit that adds the position information to the encrypted plant monitoring control data to generate encrypted plant monitoring control data with position information.

According to the tenth aspect of the present invention, digital data relating to plant monitoring control is connected to the plant control device so that data communication is possible, and the plant control device and the remote monitoring control device are connected via a communication line. A plant monitoring control data relay system for relaying (plant monitoring control data), comprising: a random number table storage means for storing a random number table for holding a plurality of random numbers so that respective storage positions can be identified; and a predetermined calculation. Encryption plant monitoring including position information of the random number generated by exclusive OR of compressed plant monitoring control data including a checksum value calculated using a method and random numbers at predetermined positions in the random number table Control data is transmitted from one of the plant control device and the remote monitoring control device to the communication line. When transmitted via the encrypted plant monitoring control data, the random number table is searched based on the position information in the encrypted plant monitoring control data, and the random number corresponding to the position information is extracted to determine whether the extracted random number is unused. Search determination means for performing, the decryption means for decrypting the encrypted plant monitoring control data by a random number that is taken out when the determination result is unused, and the predetermined calculation method from the decrypted data. A checksum value is calculated by using the comparison means for comparing the calculated checksum value with the checksum value added to the decrypted plant monitoring control data, and the checksum value calculated by the comparison of this comparison means. And the additional checksum value match, the data expansion means for expanding the decrypted plant monitoring control data is provided.

According to the eleventh aspect of the invention, a physical random number generator for generating a physical random number having no regularity, and a physical random number generated by the physical random number generator for random number transmission different from the communication line. And a storage unit that receives the received physical random number via the communication line and stores the received physical random number in the random number table as the random number.

According to the twelfth aspect of the present invention, the physical random number generation device is a device for constantly generating the physical random number, and the storage means is a device for generating physical random numbers from the physical random number constantly generated by the physical random number generation device. , A means for receiving a physical random number within a predetermined range and storing it in the random number table.

In order to solve the above-mentioned problems, according to the invention of a thirteenth aspect, a first computer connected to a plant control device in a data communicable manner, and a second computer for remote monitoring control of the plant. Is a program for relaying digital data (plant monitoring control data) relating to plant monitoring control, each of which is capable of transmitting the plant monitoring control data from one of the first and second computers to the communication line. Calculating means for calculating the checksum value of the plant monitoring control data using a predetermined message digest function when transmitting to the other computer via the The checksum value is transmitted to the other data receiving computer via the communication line. After transmitting the checksum value, as transmission means for transmitting the plant monitoring control data to the other data receiving side computer via the communication line, each is caused to function as the other data receiving side computer, Receiving means for respectively receiving the checksum value and the plant monitoring control data transmitted from the one data transmitting computer via the communication line, and the received plant monitoring control using the predetermined message digest function. Second calculating means for calculating the checksum value of the data for use, the checksum value calculated by the second calculating means and the checksum value received by the receiving means are compared, and the result of this comparison is coincidence. The data for plant monitoring control received by the receiving means, Comparing means deemed to be caused to function respectively.

In the fourteenth aspect of the present invention, the receiving means, when the checksum value is received, transmits data indicating confirmation of reception of the checksum value via the communication line to the one data transmitting side. A means for transmitting to the computer, wherein the transmitting means receives the reception confirmation data transmitted via the communication line; and, after the reception confirmation data is received, the plant monitoring control data. Means for transmitting to the other data receiving computer via the communication line.

According to a fifteenth aspect of the present invention, each of the first and second computers is provided with a time data transmission device for transmitting data representing a time synchronized and coincident with each other, and the first computer of the data transmission side computer. The first calculation means is the first data transmitted from the time data transmission device.
Means for calculating the checksum value of the plant monitoring control data to which the first time data has been added by using the predetermined message digest function, The transmitting means includes means for adding the first time data to the plant monitoring control data and transmitting the data to the other data receiving side computer via the communication line, and receiving by the other data receiving side computer. Means, based on the time data transmitted from the time data transmission device,
Means for storing the time when the checksum value is received as second time data, and the first time data and the second time data in the plant monitoring control data to which the received first time data is added And means for determining whether or not the plant monitoring control data is valid according to the comparison result.

In the sixteenth aspect of the present invention, each of the first and second computers is provided with a random number table that holds a plurality of random numbers so that their respective storage positions can be identified. A transmitting means of the computer; a compressing means for compressing the first time data;
Corresponds to a checksum calculation means for calculating a checksum value from compressed data using a predetermined calculation method and adding the calculated checksum value to the compressed first time data, and the data transmission side computer. Means for extracting an unused random number and position information of the random number from the random number table, and bitwise exclusive OR of the extracted random number and the first time data to which the checksum value is added. Encryption means for encrypting the first time data, adding the position information to the encrypted first time data, and generating encrypted first time data with position information; Means for transmitting the first time data with position information to the other data receiving side computer via the communication line, the other data receiving side computer The communication means receives the encrypted first time data with the position information transmitted from the one data transmission side computer via the communication line, and the communication means in the received first time data. Search determination means for searching the random number table corresponding to the other computer based on the position information, extracting the random number corresponding to the position information, and determining whether or not the extracted random number is unused, and the result of the determination is unused. If it is, a decryption unit that decrypts the encrypted first time data by the taken random number, and a checksum value is calculated from the decrypted first time data using the predetermined calculation method. , A comparison means for comparing the calculated checksum value with the checksum value added to the decoded first time data, and a calculation check by comparing the comparison means. If the Kkusamu value and additional checksum value and matches, and a data expanding means for expanding the first time data is the decoding.

In order to solve the above problems, according to the invention of claim 17, digital data (plant monitoring control data) relating to plant monitoring control is relayed via a communication line between the plant control device and the remote monitoring control device. A plant monitoring control data relay system, comprising: first calculating means for calculating a checksum value of the plant monitoring control data using a predetermined message digest function; and the calculated checksum value for the communication line. Transmitting means for transmitting to the other data receiving side computer via the checksum value, and then transmitting the plant monitoring control data to the other data receiving side computer via the communication line; Checksum sent from one data sending computer via the communication line And receiving means for receiving a plant monitoring control data, respectively, using said predetermined message digest function, and second calculating means for calculating a checksum value of the plant monitoring control data received,
The checksum value calculated by the second calculating means and the checksum value received by the receiving means are compared, and only when the comparison results in a match, the plant monitoring control received by the receiving means is performed. And a comparison means that regards the data as valid data.

[0033]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of a plant monitoring control data relay program and system according to the present invention will be described below with reference to the drawings.

(First Embodiment) FIG. 1 shows a plant monitoring control data relay program (hereinafter simply referred to as a data relay program) 50 according to a first embodiment of the present invention.
FIG. 3 is a diagram showing a plurality of computers 51 and 52 in which is mounted (in the case of a program, this means that the program is installed in a computer in a practical form).

FIG. 2 is a plant monitoring system including a plant monitoring control system PS equipped with a plurality of computers (first computer 51 and second computer 52) in which the data relay program 50 shown in FIG. 1 is installed. It is a block diagram which shows a control system. In FIG. 2, the same parts as those in FIG. 8 are designated by the same reference numerals and the description thereof will be omitted.

In the present embodiment, in addition to the configuration of FIG. 8, as shown in FIG. 2, the first computer 51 in which the data relay program 50 is installed is directly connected to the in-plant LAN 5 as a dedicated communication line. Has been done. Also,
The second computer 52 is installed in the remote monitoring control device 54.

The first computer 51 is connected to the second computer 52 mounted on the remote monitoring control maintenance device 54 installed at a remote place with respect to the control device 1 via a communication line, for example, TCP / IP. It is a system that relays plant monitoring control data via an open network 55 such as the Internet. That is, the first computer 51 in which the data relay program 50 is installed functions as the plant monitoring control data relay system 3. As a result, the remote monitoring control maintenance device 54 can remotely perform remote monitoring control or maintenance of the plant.

Next, based on FIG. 1, the plant monitoring control data sent from the data sending system 60
Remote control and maintenance device 54 via computer 51 of
A configuration for transmitting data to the server will be described.

The data transmission side system 60 shown in FIG.
This is a computer system including a computer (third computer), and this system 60 is installed in a plant monitoring control data relay system PS, and is connected to each control device 1 by a LAN 5 in the plant so that data communication is possible. .

The data transmission side system 60 has a transmission side application program (hereinafter simply referred to as a transmission side application) 61 for controlling the plant and a network interface 62 for data communication with the open network 55. Has been done.

That is, the data transmission side system 60 is
Via the function of transmitting digital data for plant monitoring control (plant monitoring control data) obtained from the plant via the sensor 2 or the like based on the transmission side application 61 to the first computer 51, and the network interface 62. And has a function of transmitting the data transmitted from the first computer 51 to the open network 55.

Further, the data receiving side system 65 is a computer (fourth type) installed in the remote monitoring control maintenance device 54.
Computer system), including
The system 65 includes a reception side application program (hereinafter, simply referred to as a reception side application) 66 for executing processing relating to the plant monitoring control based on the transmitted plant monitoring control data, and data to the open network 55. A network interface 67 for communication is installed respectively.

That is, the data receiving side system 65 is
A function of executing a process relating to plant monitoring control based on the plant monitoring control data based on the reception side application 66, and a function of receiving plant monitoring control data from the open network 55 based on the network interface 67. Have respectively.

The first computer 51 includes a memory 71, which is a storage medium such as a semiconductor memory, and a hard disk,
CD (Compact Disc) -ROM, DVD (Digital Vers
atile Disc) -a mass storage device 72 such as a ROM.

The memory 71 has an operating system (Operat) (not shown).
ing System) and the data relay program 50 is installed. As the installation method, loading from the mass storage device 72 via a recording medium, downloading via the open network 55, or the like can be applied.

The mass storage device 72 has, for example, several hundred MB.
A random number table (table file) 73 that holds the above random numbers so that the storage position (storage address) of each random number can be identified is stored in advance, and the first computer 51 designates the storage address and sets the desired storage address. It is possible to take out the random numbers from the random number table 73.

The first computer 51 has a data encryption section 75 as a function realized by the program 50 stored in the memory 71. Hereinafter, the “unit” represents the function of the computer realized by the program, that is, the process executed by the computer according to the program.

That is, the data encryption unit 75 receives the plant monitoring control data transmitted by the transmission processing of the data transmitting system 60 based on the transmitting application 61 and compresses the plant monitoring control data. Check sum value of the data compression unit 80 and the plant monitoring control data compressed by the data compression unit 80 (the plant monitoring control data is divided, and the data in each divided block is regarded as a numerical value, and the sum thereof is calculated. And a checksum calculator 81 for calculating the calculated value) and adding it to the plant monitoring control data.

In addition, the memory 7 of the first computer 51
The data encryption unit 75 realized by the program 50 stored in the first random number table management unit 8 extracts an unused random number and the storage address of the random number from the random number table 73.
2 and the plant monitoring control data obtained by exclusive ORing the plant monitoring control data to which the checksum value is added by the checksum calculating unit 82 and the random number fetched by the transmitting side random number table managing unit 17. And an encryption unit 84 for adding a random number storage address to the encrypted plant monitoring control data.

Here, as a concrete compression method by the data compression unit 80, Lempel-Ziv (J. Ziv and A. Lempe
l, “Compression of individual sequences via varia
ble-rate coding ”, IEEE Trans. Inform. Theory, vo
l, IT-24, no.5, pp.530-536, Sept. 1978), etc. are used. The purpose of this data compression is to reduce the amount of data to be transmitted, reduce the data redundancy, and achieve complete secrecy by the encryption of the encryption unit 83.

As a method of calculating the checksum value by the checksum calculator 81, for example, CRC32 (IS
O 3309 standard; 32-bit length Cyclic Redundancy C
hecksum) is used.

The data transmission side system 60 has the first computer 51 via the network interface 62.
The data receiving side system 65 receives the encrypted plant monitoring control data with the storage address output by the function of the encryption unit 83 of 0, and transmits the data via the open network 55.
It is designed to be sent to.

Further, the data receiving system 65 receives the encrypted plant monitoring control data with the storage address transmitted from the open network 55 through the network interface 67 and transmits it to the second computer 52. Has become.

The second computer 52 includes a memory 91, which is a storage medium such as a semiconductor memory, and a hard disk,
CD (Compact Disc) -ROM, DVD (Digital Vers
atile Disc) -a mass storage device 92 such as a ROM.

The data relay program 50 is installed in the memory 91 in addition to the OS (not shown). As the installation method, loading from the mass storage device 92 via a recording medium, downloading via the open network 55, or the like can be applied.

In the mass storage device 92, a random number table (table file) 93, which is logically the same as the random number table 72 and stores the same random number at the same storage address, is stored in advance. The second computer 52 can retrieve the desired random number from the random number table 93 by designating its storage address.

The second computer 52 has a data decoding section 95 as a function realized by the program 50 stored in the memory 91.

The data decryption unit 95 receives the encrypted plant monitoring control data with the storage address received by the reception process based on the network interface 67 of the data receiving side system 65, and adds the storage address added to the received data. And a decryption unit 100 that retrieves the stored random number table management unit and passes it to a random number table management unit described later, and stores and manages a used random number storage address region and an unused random number storage address region in the random number table 92 so that they can be updated. When the storage address passed from 100 is included in an unused storage address area, the random number table management unit 101 that returns the random number stored in the storage address is included.

Further, the decoding section 10 of the data decoding section 95
0 also includes a function of decrypting the encrypted plant monitoring control data by using the random number returned from the random number table management unit 101.

Further, the data decoding function 95 realized by the program 50 stored in the memory 91 of the second computer 52 checks the checksum value of the plant monitoring control data decoded by the decoding unit 100. A checksum comparing unit 102 that calculates using the same method as the sum 81 and compares with the checksum value added to the plant monitoring control data, and the plant monitoring control data as a reverse operation of compression by the data compression unit 80. Stretch,
Data decompression unit 10 for transmitting to the data receiving side system 65
Includes 3 and 3.

Next, the plant monitoring control data transmission / reception operation between the plant monitoring control data relay system (first computer) 51 and the remote monitoring control maintenance device 54 according to the present embodiment will be described.

By the process of the data transmission side system 60 based on the transmission side application 61, the first computer 5 which is the plant monitoring control data relay system.
1, the plant monitoring control data for plant monitoring control is transmitted via the in-plant LAN 5.

The transmitted plant monitoring control data is
The compressed data for monitoring and controlling the plant, which is received and compressed by the data compression unit 80 of the first computer 51, is stored in the checksum calculation unit 81 of the first computer 51.
Passed to.

For the compressed plant monitoring control data, the checksum calculator 81 of the first computer 51 calculates the checksum value of the plant monitoring control data. Then, the checksum calculation unit 81 adds the calculated checksum value to the plant monitoring control data, and passes it to the encryption unit 83 as the plant monitoring control data with the checksum value.

At this time, by the process of the encryption unit 83 of the first computer 51, a random number having the same length as the passed plant monitoring control data with the checksum value is processed by the random number table management unit 82. It is retrieved from the random number table 73.

The random number table management section 82 stores and manages the used storage address area and the unused storage address area in the random number table 73, and always responds to a random number request from the encryption section 83. Unused random numbers are retrieved from the random number table 73 and returned.

The bitwise exclusive OR (X) of the plant monitoring control data with the checksum value and the random number
OR) is calculated as encrypted data of the plant monitoring control data with the checksum value.

Then, by the process of the encryption unit 83, the random number table 7 of the random numbers used for the exclusive OR calculation process for the calculated encrypted plant monitoring control data.
The storage address in No. 3 is added, and the data is transmitted to the data transmission side system 60 as encrypted plant monitoring control data with the storage address. The storage address itself is not encrypted.

The encrypted plant monitoring control data with the storage address transmitted by the processing of the encryption unit 83 of the first computer 51 is the data transmission side system 60.
Is transmitted to the data receiving system 65 via the open network 55.

In the data receiving side system 65, the network interface 67 receives the encrypted plant monitoring control data with the storage address transmitted via the open network 55 and transmits it to the second computer 52. It

At this time, by the processing of the decryption unit 100 in the second computer 52, the transmitted encrypted plant monitoring control data with the storage address is received,
The storage address added to the data is read.
Then, by the processing of the decryption unit 100, a request for returning a random number corresponding to the read storage address is sent to the random number table management unit 101.

The random number table management unit 101 extracts the random number stored in the storage address from the random number table 93 and decrypts the random number only when the transmitted storage address is included in the unused storage address area. Part 1
Returned to 00. Then, the random number table management unit 101
Updates and stores the storage address in which the extracted random number is stored as a used storage address area.

Further, when the transmitted storage address is included in the used storage address area, the random number table management unit 101 issues a warning and does not return the random number.

That is, in this embodiment, an unused random number is always used as a random number for encrypting the plant monitoring control data, and when a random number request for a used storage address is transmitted, An error occurred,
Alternatively, it is determined that there is a possibility of an intentional attack for illegally reading the random number table 93, and a warning is issued.

When the random number is normally returned from the random number table management unit 101, the decryption unit 100 performs the exclusive logic for each bit between the returned random number and the encrypted plant monitoring control data. The sum (XOR) is calculated.

At this time, due to the property of the exclusive OR, the calculated result is the plant monitoring control data (compressed plant) to which the checksum value is added before being encrypted by the encryption unit 83. Monitoring control data (plain text data)}. This plant monitoring control data is sent to the checksum comparing unit 102.

In the checksum comparing section 102, a checksum value is calculated from the plant monitoring control data (plain text data) by the same method as the checksum calculating section 81.
The calculated checksum value is compared with the checksum value added to the plant monitoring control data (plaintext data).

At this time, if the calculated checksum value and the additional checksum value match, the processing of the checksum comparing section 102 sends the compressed plant monitoring control data to the data expanding section 103.

On the other hand, if the calculated checksum value and the additional checksum value do not match, there is a possibility that an error has occurred or the data has been tampered with, so the checksum comparison unit 102 issues a warning.

In the data decompression unit 103, the compressed plant monitoring control data sent is decompressed as an inverse operation of the compression by the data compression unit 80, and the decompressed plant monitoring control data is the data receiving side system. 65 is transmitted. In the data receiving side system 65, a process based on the transmitted plant monitoring control data is executed by a process based on the receiving side application 66.

As described above, according to this embodiment,
An exclusive OR (XOR) is performed by managing the use / non-use of the random numbers in the random number tables 73 and 93, and using a cryptographic key / decryption key for a random number that is theoretically unreadable and is used only once (disposable) The encryption / decryption based on is executed. Therefore, even if an unauthorized read of the random number tables 73 and 93, which is the only weak point of the main encryption / decryption, should occur, the security of the data transmission / reception process can be kept high.

That is, even if the random number is successfully read from the random number table 73 and the random number table 93 by some means, the random number is managed as being used.
The illegal read random number is not used for encryption,
Safe data transmission / reception processing can be performed.

Further, since the encryption / decryption by exclusive OR (XOR) has a small amount of calculation and can be processed at high speed, the plant monitoring of about 100 KB required for plant monitoring control, maintenance, etc. is performed. Control data is, for example, 1
It is possible to encrypt and decrypt within 0 msec. Therefore, the process plant can be remotely monitored and controlled / maintained safely and in real time.

(Second Embodiment) FIG. 3 is a diagram showing a plurality of computers 105 and 106 in which a data relay program 50 according to a second embodiment of the present invention is installed.
In the present embodiment, the same or corresponding portions as those in the above-described first embodiment will be denoted by the same reference numerals as those in FIG. 1 and the description thereof will be omitted or simplified. The same applies to the description of the other embodiments.

In the first embodiment, a separate computer from the first computer 105 is used, and the transmission side application 61 and the network interface 62 are respectively mounted on the computer to configure the data transmission side system 60. In form, FIG.
As shown in FIG. 3, the transmission side application 61 and the network interface 62 are mounted on the first computer 105, respectively. That is, in this embodiment, the transmission side application 61 is operated on the same computer 105 as a process separate from the data relay program 50.

As a function (process) realized by the transmitting side application 61, the first computer 105 has a transmitting side application executing section 107.

Similarly, the receiving side application 66 and the network interface 67 are respectively mounted on the second computer 106, and the receiving side application 66 operates on the same computer 131 as a process separate from the data relay program 50. It is designed to let you. This receiver application 6
As a function (process) realized by the second computer 106, the second computer 106 includes the reception side application execution unit 1
It is equipped with 08.

Further, in this embodiment, the first computer 105 has two fixed length buffers 110 and 111.
The data transfer between the process based on the data encryption function 75 of the first computer 105 and the process based on the transmission side application execution unit 107 is performed via the fixed length buffers 110 and 111. It has become.

Similarly, in this embodiment, the second computer 106 has two fixed length buffers 112 and 11.
3, the data transfer between the process based on the data decoding function 95 of the second computer 106 and the process based on the reception side application execution unit 108 is performed via the fixed length buffers 112 and 113. It is like this.

Further, in this embodiment, the data used by the function of the random number table management unit 82 of the first computer 105 is stored in the file of the memory 71 and used by the function of the random number table management 101 of the second computer 106. The data to be stored is stored in the file of the memory 91.

In this embodiment, the first computer 105 and the second computer 106 have OSs.
As an OS having a memory 71 and 91 protection function and a file access control function for each user (for example,
UNIX (AT & T, USA), LINUX, etc. are installed.

Next, the plant monitoring control data relay system (first computer) 105 according to the present embodiment.
The plant monitoring control data transmission / reception operation between the remote monitoring control maintenance device 54 and the remote monitoring control maintenance device 54 will be described focusing on the operation different from the first embodiment.

That is, according to the present embodiment, the data relay program 50 and the transmission side application 61.
Are installed as different processes on the same computer 105, and an OS having a memory protection function is installed as its OS.
The transmission side application execution unit 107 of the first computer 105 based on 1 cannot access the data (random number table 73 and the like) used in the process of the data encryption unit 75 based on the data relay program 50.

Since the OS having the file access control function for each user is installed as the OS, the user right of the transmission side application 61 is set to the use data storage file and the random number table file of the random number table management unit 82. The sender application 61 is set by setting the user authority of 73 to be inaccessible.
The transmission side application execution unit 107 of the first computer 105 based on the
3 It can be executed as a user authority that cannot be accessed.

Therefore, even if the transmitting side application 61 that directly operates the network interface 62 is externally operated by an unauthorized method, it is possible to prevent unauthorized access to the files used by the random number table 73 and the random number table management unit 82. You can

Further, when the transmission side application execution unit 107 based on the transmission side application 61 of the first computer 105 transmits the plant monitoring control data to the data encryption unit 75 based on the program 50,
A fixed length buffer 110 that is accessible from both sides is used. That is, the transmission side application execution unit 107
Is a fixed length buffer 110 for plant monitoring control data.
Stored in the fixed-length buffer 110.
The plant monitoring and control data stored in is read out.

Similarly, the data encryption unit 75 of the first computer 105 stores the encrypted encrypted plant monitoring control data in the fixed length buffer 111, and the transmission side application execution unit 107 stores the fixed length buffer in the fixed length buffer 111. 11
The encrypted plant monitoring control data stored in No. 1 is read out.

As described above, in the present configuration, the data transfer between the transmission-side application execution unit 107 based on the transmission-side application 61 of the first computer 105 and the data encryption unit 75 based on the program 50 is performed with a fixed-length buffer. Since the process is performed via 110 and 111, the process that receives the data does not receive the data having a length longer than the predetermined length.

That is, when data transmission from the transmission side application execution unit 107 to the data encryption unit 75 is performed via a buffer with an indefinite length, an unauthorized process impersonating the transmission side application execution unit 107 has an indefinite length. It is conceivable to send an amount of data that exceeds the initial limit to the buffer and cause this data to overflow. At this time, the data encryption unit 75 based on the data relay program 50 malfunctions due to the data overflowing from the buffer, or the data relay program 50 itself is tampered with.
There is a possibility that the function of 5 will be tampered with.

However, in the present embodiment, as described above, the transmission side application execution unit 10 based on the transmission side application 61 of the first computer 105.
7 and the data encryption unit 75 based on the program 50 are used to transfer data between the fixed length buffers 110 and 11.
1 through the first computer 105
Even if an illegal process is generated by some means and the transmission side application execution unit 107 is disguised, it is possible to prevent the data relay program 50 from being operated by an unreasonable method.

If an unauthorized process masquerading as the transmission side application execution unit 107 is created and appropriate data is passed to the data encryption unit 75 for encryption, the returned encrypted data and the original It is possible to obtain the random number used for encryption by calculating the exclusive OR with the data. However, since the obtained random number is recorded in the random number table management unit 82 as used, it is not used for subsequent data encryption.

In this embodiment, as described above,
Sender application 6 of first computer 105
Although the transfer of data between the transmission side application execution unit 107 based on 1 and the data encryption unit 75 based on the program 50 via the fixed length buffers 110 and 111 has been described, the reception side application 61 of the second computer 106 is described. Data transfer between the receiving-side application execution unit 108 based on the above and the data decoding unit 95 based on the program 50 via the fixed-length buffers 112 and 113 is performed in the same manner. As a result, the same effect can be obtained.

(Third Embodiment) FIG. 4 is a diagram showing a plurality of computers 131 and 132 in which a data relay program 50A according to a third embodiment of the present invention is installed. In the present embodiment, the same or corresponding portions as those in the above-described first embodiment will be denoted by the same reference numerals as those in FIG. 1 and the description thereof will be omitted or simplified.

In this embodiment, as in the first embodiment, the data relay program 50 is installed in each of the first computer 131 and the second computer 132, which are a plurality of hardware.

Further, in this embodiment, the data transmission side system 60A and the first computer 131 are connected by the dedicated communication line 137, while the data reception side system 6 is connected.
Similarly, a dedicated communication line 138 is also connected between 0A and the second computer 132. This dedicated communication line 13
7, 138, RS-232C, USB (Universa
l Serial Bus, IEEE-1394) etc. are used. The dedicated communication lines 137 and 138 are Et as the in-plant LAN 5.
Unlike hernet LAN, the physical connection distance is limited and the connection of a new device can be detected.

Further, the data transmission side system 60A is
A communication control unit 139 for controlling data communication via the dedicated communication line 137 is provided, and the data encryption unit 75A of the first computer 131 has a dedicated function as a function realized by the program 50A stored in the memory 71. Communication line 1
A communication control unit 140 for controlling data communication via 37 is provided.

Similarly, the data receiving side system 65A is
The data decoding unit 95A, which is provided with the communication control unit 141 for controlling data communication via the dedicated communication line 138 and is realized by the program 50A stored in the memory 91 of the second computer 132, includes the dedicated communication line 138. A communication control unit 142 is provided for controlling data communication via the.

These communication control units 139, 140, 14
1 and 142 are adapted to transmit the received data using a fixed length buffer (not shown) as in the case of the second embodiment.

Next, the plant monitoring control data relay system (first computer) 131 according to the present embodiment.
The plant monitoring control data transmission / reception operation between the remote monitoring control maintenance device 54 and the remote monitoring control maintenance apparatus 54 will be described focusing on the operation different from the first and second embodiments.

The communication control unit 139 of the system 60A on the data transmission side transmits the data for plant monitoring control sent by the processing based on the application 61 on the transmission side to the data encryption unit of the first computer 131 via the dedicated communication line 137. The encrypted plant monitoring control data received from the communication control unit 140 is transmitted to the data receiving side system 65A via the network interface 62 while being transmitted to the communication control unit 140 in 75A.

Further, the communication control unit 141 of the data receiving side system 65A uses the data decryption unit in the second computer 132 for the encrypted plant monitoring control data received via the network interface 67 via the dedicated communication line 138. The data is transmitted to the communication control unit 142 of 95A and the plant monitoring control data received from the communication control unit 142 is transmitted to the receiving system 65A.

That is, according to this embodiment, a computer separate from the computer (data transmission side system 60A) in which the transmission side application 61 is installed and the computer (data reception side system 65A) in which the reception side application 66 is installed. The programs 50A are respectively installed in 131 and 132 to realize the data encryption unit 75A and the data decryption unit 95A.

Then, between the data transmitting side system 60A and the first computer 131 and between the second computer 132 and the data receiving side system 65A,
By transmitting data via the dedicated communication lines 137 and 138, respectively, the same effect as that of the second embodiment can be obtained.

(Fourth Embodiment) In the present embodiment, in the first to third embodiments, the random number tables 73 and 93 store physical random numbers according to the following invention, and the physical random numbers are not shown. It is generated by a physical random number generating means.

That is, the physical random number of the "physical random number generator" disclosed in Japanese Patent No. 3034516 is a random number taken out from the N-bit uniform random number table, and is disclosed in Japanese Patent No. P298.
The physical random number of “Physical random number generation device and method and physical random number recording medium” disclosed in No. 0576 is a random number improved so that bit data of 2 bits or more has differential nonlinearity.

The physical random numbers according to these inventions are true random numbers having no regularity, unlike pseudo random numbers generated by a mathematical algorithm.

As described above, according to the present embodiment, since the random numbers 73 and 93 store the true random numbers having no regularity generated by the physical random number generating means, the random number tables are read illegally. It is possible to further improve the certainty of the prevention of the above.

(Fifth Embodiment) FIG. 5 is a diagram showing a plurality of computers 151 and 152 in which a data relay program 50B according to a fifth embodiment of the present invention is installed. In the present embodiment, the same or corresponding portions as those in the above-described first embodiment will be denoted by the same reference numerals as those in FIG. 1 and the description thereof will be omitted or simplified.

In this embodiment, the random number tables 73 and 93 are used.
On the other hand, the physical random number generator 160 for supplying the physical random numbers described in the fourth embodiment is provided.

Further, the first computer 151 and the second computer 152 are connected to the random number transmission communication line 161.
And 162 are connected to the physical random number generator 160 for data communication, and the data encryption unit 75B of the first computer 151 is transmitted from the physical random number generator 160 via the random number transmission communication line 161. A random number receiving unit 163 that receives a random number and passes it to the random number table management unit 82A is included. In addition, the second computer 152
The data encryption unit 95B includes a random number reception unit 164 that receives the random number transmitted from the physical random number generation device 160 via the communication line 162 for transmitting random numbers and passes it to the random number table management unit 101A.

Random number table 73 and random number table 93
Since the random number in is used as a disposable encryption key,
It is necessary to supply new random numbers (unused random numbers) as needed. Therefore, in the present embodiment, the physical random number generator 16
The random number generated at 0 is transmitted to the first computer 151 and the second computer 152 via the communication lines 161 and 162 for transmitting random numbers independent of the open network 55.

At this time, the physical random number generator 160 is constantly generating and transmitting a large amount of random numbers, for example, a random number of 1 million bits per second, and the random number receiving units of the first computer 151 and the second computer 152. 163 and 164 receive random numbers within a predetermined range from the random numbers transmitted via the random number transmission communication lines 161 and 162, and receive random number table management units 82A and 1A.
01A, and the random number table management units 82A and 101
A stores the passed random numbers in random number tables 73 and 93, respectively.

As a result, since unused (disposable) random numbers can always be stored as random numbers stored in the random number tables 73 and 93, theoretically unreadable disposable random numbers are used as encryption keys. As a result, the safety and reliability of transmission and reception of plant monitoring control data can be maintained at a high level.

In the above description, the random number transmission lines 161 and 162 separate from the open network 55 are used for transmitting and receiving the random numbers, but the present invention is not limited to this. It is also possible to use the open network 55.

By the way, in the first to fifth embodiments, in order to facilitate the description, the plant monitoring control data sent from the data sending side system 60 of the control device 1 is remotely sent via the first computer 51. The configuration for transmitting to the monitoring control maintenance device 54 has been described, but the present invention is not limited to this configuration.

That is, the plant monitoring control data is transmitted from the second computer 52 of the remote monitoring control maintenance device 54 to the control device 1 via the first computer 51, in other words, the first computer 51 and the first computer 51. Data communication for plant monitoring control can be performed mutually between the control device 1 and the remote monitoring control maintenance device 54 via the second computer 52.

In this case, the plant monitoring control data relay system PS is equipped with a data receiving side system 65 in addition to the data transmitting side system 60, and the remote monitoring control maintenance device 54 is equipped with a data receiving side system 65. The data transmission side system 60 is installed.

At this time, since the same data relay program 50 is installed in the first computer 51 and the second computer 52, the first computer 5
1 can be made to function as the decoding unit 100, the random number table management unit 101, the checksum comparison unit 102, and the data decompression unit 103, which are the functions on the data receiving side. Similarly, the second computer 52 can be made to function as the data compression unit 80, the checksum calculation unit 81, the random number table management unit 82, and the encryption unit 83, which are the functions on the data transmission side.

Therefore, even when the plant monitoring control data is transmitted from the second computer 52 of the remote monitoring control maintenance device 54 to the control device 1 via the first computer 51, the above-mentioned data transmission side system 60.
The plant monitoring control data sent from the computer is transmitted to the remote monitoring control maintenance device 54 via the first computer 51.

As a result, by using the first computer 51 and the second computer 52, the open network 55 between the control device 1 and the remote monitoring control maintenance device 54.
It becomes possible to execute the data relay processing via the secure and high speed.

(Sixth Embodiment) FIG. 6 is a block diagram showing the schematic arrangement of a data transmission side system 170 and a data reception side system 171 according to the sixth embodiment of the present invention. In the present embodiment, the same or corresponding portions as those in the above-described first embodiment will be denoted by the same reference numerals as those in FIG. 1 and the description thereof will be omitted or simplified.

In this embodiment, the data transmission side system 1
70 constitutes the plant monitoring control data relay system shown in FIG. 2, and the data receiving side system 171 is installed in the remote monitoring control device 54.

As shown in FIG. 6, the data transmission side system 170 is a computer, and its memory 172 has
A transmission side application 61 and a data transmission side system (hereinafter referred to as a data transmission side computer) 170
A program 175 for realizing the functions described later is stored in the.

That is, the data transmission side computer 17
0 is a function realized by the program 175, and includes a receiving side application executing unit 180 that executes the transmitting side application 61 and transmits the plant monitoring control data, and a checksum value of the transmitted plant monitoring control data. , A checksum calculator 181 which calculates using a predetermined message digest function and sends the plant monitoring control data and the checksum value.

This message digest function is a function for calculating a checksum value of about 128 bits from data of arbitrary length. When the checksum value is given first, the data for outputting the checksum value is obtained. Use a function that is extremely difficult to do {one-way function}. Typical message digest functions are, for example, MD5 (Message Digest 5 (RFC1321)), SHA-1 (S
ecure Hash Algorithm) etc.

Further, the data transmission side computer 170
As a function realized by the program 175, receives the plant monitoring control data and the checksum value sent from the checksum calculation unit 181, and the received checksum value is sent to the data receiving system 171 via the network interface 62. Expected transmission time from transmission of the checksum value to reception of the checksum value by the data receiving system 171 via the open network 55 (for example, in the case of a wide area network, several tens of milliseconds to several milliseconds). A transmission control unit 182 that transmits the plant monitoring control data to the data receiving side system 171 via the network interface 62 after a lapse of about 100 milliseconds).

On the other hand, the data receiving side system 171 is a computer, and the memory 192 thereof has the receiving side application 66 and the data receiving side system (hereinafter referred to as the data receiving side computer) 171 realize the functions described later. A program 195 for storing is stored.

That is, the data receiving computer 17
1 receives the checksum value and the plant monitoring control data transmitted via the open network 55 as a function realized by the program 195,
There is provided a reception control unit 200 that passes the received checksum value to a checksum comparison unit described later, and passes the received plant monitoring control data to the checksum comparison unit and a checksum calculation unit described later.

The reception control section 200 has a function of transmitting the reception confirmation data to the data transmission side computer 170 via the network interface 67 when the checksum value is received.

Further, the data receiving computer 171
Is a function realized by the program 195, calculates a checksum value using the same predetermined message digest function as the checksum calculation unit 181, based on the passed plant monitoring control data, and calculates the calculated check. A checksum calculating unit 201 that passes the sum value to the checksum comparing unit is provided.

Further, the data receiving computer 171
Compares the checksum value transmitted from the computer 170 on the data transmission side with the checksum value calculated by the checksum calculation unit 201 as a function realized by the program 195, and the result of this comparison is that the two match. In this case, the plant monitoring control data is passed to the receiving-side application execution unit, which will be described later, and the check sum comparing unit 202 that discards the plant monitoring control data when the result of the comparison does not match, and the passed plant monitoring control The reception side application execution unit 203 executes the reception side application 66 based on the data.

That is, according to this configuration, the open network 5 is transmitted from the transmission control unit 182 of the data transmission side computer 170 via the network interface 62.
Even if the plant monitoring and control data sent to 5 is tampered with by a third party on the open network 55, it matches the checksum value that has already arrived / received at the receiving side due to the characteristics of the message digest function. It is extremely difficult to tamper with.

Therefore, in the comparison process of the checksum comparing unit 202, the checksum value of the tampered plant monitoring control data does not match the previously received checksum value, and the tampered plant monitoring control data is not used. The data will always be discarded.

As described above, according to this embodiment,
It is possible to reliably discard the plant monitoring control data that has been tampered with on the open network 55, and to provide a highly reliable process plant monitoring control system.

Further, in this embodiment, the transmission controller 1
After receiving the reception confirmation data transmitted from the reception control unit 200, the unit 82 can also transmit the plant monitoring control data to the data receiving side system 171 via the network interface 62.

According to this structure, it is possible to eliminate the risk that the plant monitoring control data is transmitted before the checksum value reaches the data receiving computer 171. The plant using the above checksum value can be eliminated. It is possible to maintain high reliability of the tampering check function of the monitoring control data.

(Seventh Embodiment) FIG. 7 is a block diagram showing the schematic arrangement of a data transmitting side system 170A and a data receiving side system 171A according to the seventh embodiment of the present invention. In addition, in the present embodiment, the same or corresponding portions as those in the above-described sixth embodiment are denoted by the same reference numerals as those in FIG. 6, and the description thereof will be omitted or simplified.

As shown in FIG. 7, the time data transmission device 2 for transmitting data representing the times synchronized and coincident with each other to the data transmission side computers 170A and 171A.
10 and 211 are respectively implemented. As the time data transmission devices 210 and 211, for example, G
A GPS receiver that transmits time data based on GPS signals received from PS satellites, a radio-controlled clock module that corrects and outputs time data using a standard radio wave with time information, and a public server via an open network 55. A module for receiving and outputting time data provided by the network time protocol, an accurate clock circuit, etc. are used.

Further, the data transmission side computer 170A
The transmission control unit 182A adds the time data transmitted from the time data transmission device 210 to the plant monitoring control data to be transmitted and transmits the data. At this time, the transmission interval between the checksum value and the plant monitoring control data to which the time data is added is changed from the data transmission side computer 170A to the data reception side computer 17A.
It is set longer than the expected transmission time to 1A.

The data receiving computer 171A
The reception control unit 200A of the
It has a function to receive the checksum value sent from 70A and regard it as valid plant monitoring control data only when the transmission time added to the received plant monitoring control data is later than the checksum value arrival time. is doing.

Next, the overall operation of this embodiment will be described.

The transmission control unit 182A has the time synchronizer 21
The time data transmitted from 0 is received, and the transmission time data Td is added to the plant monitoring control data based on the received time data. Also, the checksum calculator 1
Reference numeral 81 calculates the checksum value by including the transmission time data Td in the plant monitoring control data.

Then, the transmission control unit 182A transmits the checksum value calculated by the checksum calculation unit 181 to the data receiving computer 171A via the network interface 62, and after a predetermined time has passed from the expected transmission time, the time data is acquired. The attached plant monitoring control data is transmitted to the data receiving computer 171A via the network interface 62.

At this time, the reception control section 200A receives the time data sequentially from the time synchronizer 211, receives the checksum value transmitted from the data transmitting side computer 170A, and outputs the checksum value reception time data Tc. Remember. Next, the reception control unit 200A compares the time data Td added to the plant monitoring control data with the stored time data Tc, and invalidates the plant monitoring control data data that does not satisfy the following conditional expression (1). Discard as possible.

[0155]

## EQU1 ## Tc <Td-δ (1) where δ is the maximum error between the time synchronizers 210 and 211. The conditional expression (1) means that the time data Td at which the plant monitoring control data is transmitted is earlier than the time data Tc at which the checksum value including the error δ is received.

That is, when the time data Td at which the plant monitoring control data is transmitted is later than the time data Tc at which the checksum value including the error δ is received, the plant monitoring control data is set to the open network. It is possible to judge that it has been delayed due to the falsification at 55, and to discard the plant monitoring control data.

As a result, the plant monitoring control data that has been tampered with on the open network 55 can be surely discarded, and a highly reliable remote monitoring control system for a process plant can be provided.

(Modification of Seventh Embodiment) As a modification of the seventh embodiment, the transmission control unit 182A of the data transmission side system 170A further includes the data encryption unit 75 described in the first embodiment and the like. The transmission time data Td to be added to the plant monitoring control data is encrypted by the data encryption unit 75, added to the plant monitoring control data as encrypted time data Td, and the data is transmitted via the network interface 62. Receiver system 17
It is also possible to transmit to the reception control unit 200A of 1A.

At this time, the data receiving system 171A
The reception control unit 200A further includes the data decryption unit 95 described in the first embodiment and the like, and is capable of decrypting the encrypted encrypted time data Td added to the received plant monitoring control data. it can.

According to this modification, the transmission time data Td transmitted via the open network 55 is encrypted by using a theoretically undecipherable disposable random number as an encryption key, and encrypted using the disposable random number. Since the encrypted transmission time data Td can be decrypted, the transmission time data T
It is possible to reliably prevent interception and tampering of d, and to provide a more reliable remote monitoring and control system for a process plant.

In the sixth to seventh embodiments and their modifications, the plant monitoring control data sent from the data transmitting side system 170 is received by the remote monitoring control maintenance device 54 in order to facilitate the explanation. Side system 17
However, the present invention is not limited to this configuration.

That is, the plant monitoring control data is transmitted from the remote monitoring control maintenance device 54 to the control device 1, in other words, via the data transmitting side system 170 and the data receiving side system 171, the control device 1 and the remote side are transmitted. Data communication for plant monitoring control is mutually performed between the monitoring control maintenance devices 54.

In this case, the data transmission side computer 17
Since the same program 175 is installed in 0, the data transmission side computer 170 is set to the functional modules of the data reception side system 171 (reception control unit 20
0, checksum calculation unit 201, checksum comparison unit 2
02 and the reception side application execution unit 203).

Similarly, the data receiving computer 171
Also, since the same program 175 is installed,
The data reception side computer 171 can be made to function as each functional module of the data transmission side system 170 (the transmission side application execution unit 180, the checksum calculation unit 181, and the transmission control unit 182).

Therefore, even when the plant monitoring control data is transmitted from the remote monitoring control maintenance device 54 to the control device 1 via the data receiving side computer 171 and the data transmitting side computer 170, the data transmitting side system 170 described above is used. The operation is performed in substantially the same manner as the case of transmitting the sent plant monitoring control data to the remote monitoring control maintenance device 54 via the data receiving side system 171.

As a result, the data transmission side computer 17
0 and the computer 171 on the data receiving side, it is possible to safely and quickly execute the data relay process between the control device 1 and the remote monitoring control maintenance device 54 via the open network 55.

In each of the above-described embodiments, the data relay program 50, the program 175, etc. are described as being executed by one computer, but they may be executed by a plurality of computers networked so that they can communicate with each other. Good.

In addition, L in the plant as a dedicated communication line
Although AN was used, other networks may be used.

[0169]

As described above, according to the plant supervisory control data relay program and system of the present invention, the plant supervisory control data relating to plant supervisory control is provided with an unused random number as an encryption key / decryption key. Since the encryption / decryption processing based on the exclusive OR is performed as described above, the security of the data transmission / reception processing can be maintained high even if an illegal reading of the random number table should occur.

According to the plant monitoring control data relay program and system of the present invention, the checksum value of the plant monitoring control data calculated by the data transmitting computer using the predetermined message digest function is first used alone. Since the data is transmitted to the data receiving computer via the communication line, the checksum value previously transmitted at the data receiving computer,
By comparing the checksum value calculated from the plant monitoring control data transmitted via the communication line, it is possible to determine whether the plant monitoring control data has been tampered with.

That is, it is extremely difficult to tamper with the checksum value of the plant monitoring control data so that the checksum value matches the checksum value that has already arrived / received at the receiving side due to the characteristics of the message digest function. Therefore, the comparison process makes it possible to easily determine whether the plant monitoring control data has been tampered with, and the safety and reliability of the plant remote monitoring control system using the plant monitoring control data relay program and system. Can be improved.

[Brief description of drawings]

FIG. 1 is a diagram showing a plurality of computers equipped with a plant monitoring control data relay program according to a first embodiment of the present invention.

FIG. 2 is a block diagram showing a plant monitoring control system including a plant monitoring control data relay system equipped with a plurality of computers in which the data relay program shown in FIG. 1 is installed.

FIG. 3 is a diagram showing a plurality of computers in which a data relay program according to a second embodiment of the present invention is installed.

FIG. 4 is a diagram showing a plurality of computers in which a data relay program according to a third embodiment of the present invention is installed.

FIG. 5 is a diagram showing a plurality of computers in which a data relay program according to a fifth embodiment of the present invention is installed.

FIG. 6 is a block diagram showing a schematic configuration of a data transmission side system and a data reception side system according to a sixth embodiment of the present invention.

FIG. 7 is a block diagram showing a schematic configuration of a data transmission side system and a data reception side system according to a seventh embodiment of the present invention.

FIG. 8 is a block diagram showing a conventional supervisory control system.

[Explanation of reference numerals] 1 control device 5 in-plant LAN 50, 50A data relay program 51, 105 first computer 52, 106 second computer 54 remote monitoring control maintenance device 55 open network 60, 60A data transmission side system 61 transmission Side application 62, 67 Network interface 65, 65A Data receiving side system 71, 91, 172, 192 Memory 73, 93 Random number table 75, 75A, 75B Data encryption unit 80 Data compression unit 81, 181 Checksum calculation unit 82, 82A Random number table management unit 83 Encryption unit 95, 95A, 95B Data decryption unit 100 Decryption unit 101, 101A Random number table management unit 102 Checksum comparison unit 103 Data decompression unit 107, 180 Transmission side application execution 108, 203 Receiving side application execution units 110-113 Fixed length buffers 137, 138 Dedicated communication lines 139-142 Communication control unit 160 Physical random number generators 161, 162 Communication lines for transmitting random numbers 163, 164 Random number receiving units 170, 170A Data transmission Side computer (data transmission side system) 171, 171A Data reception side computer (data reception side system) 175, 175A Program 182 Transmission control unit 200, 200A Reception control unit 201 Checksum calculation unit 202 Checksum comparison unit 210, 211 Time synchronization apparatus

─────────────────────────────────────────────────── ─── Continuation of front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) H04L 9/32 H04L 9/00 601E // G05B 23/02 675A 653 (72) Inventor Toru Onodera Kawasaki, Kanagawa Prefecture 2-1, Ukishima-cho, Kawasaki-ku, Yokohama Incorporated company Toshiba Hamakawasaki Factory (72) Inventor Yoji Takizawa 8 Shinsita-cho, Isogo-ku, Yokohama-shi, Kanagawa Incorporated company Toshiba Yokohama Works (72) Inventor Hiroshi Nishikawa Tokyo Fuchu F-term in Toshiba Fuchu Works, Toshiba Corporation (reference) 5H223 AA01 DD07 EE30 5J104 AA08 AA12 AA16 AA34 EA04 EA08 EA21 EA23 FA09 FA10 GA01 GA03 GA05 JA01 JA03 LA01 LA05 NA02 NA12 NA20 NA22 NA24 PA07

Claims (17)

[Claims] 1. A first computer, which is connected to a control device of a plant so as to be capable of data communication and has access to a first random number table which holds a plurality of random numbers so that respective storage positions can be identified, and the plant. Digital data (plant monitoring control) for a remote monitoring control device, which can be executed by a second computer that can access a second random number table having the same structure as the first random number table. Data) relay program for transmitting one of the first and second computers when the plant monitoring control data is transmitted to the other computer via a communication line. A compression means for compressing the plant monitoring control data, and a predetermined calculation from the compressed data. A checksum value is calculated using a method, and the calculated checksum value is added to the compressed plant monitoring control data, and a random number that is not used from the random number table corresponding to the data transmitting computer. And a means for extracting the position information of the random number and an exclusive OR for each bit of the extracted random number and the plant monitoring control data to which the checksum value has been added to encrypt the plant monitoring control data. , Plant monitoring control data characterized by adding the position information to the encrypted plant monitoring control data to generate encrypted plant monitoring control data with position information Relay program. 2. The data receiving side computer of the other side is based on the position information in the encrypted plant supervisory control data with the position information transmitted from the one data transmitting side computer via the communication line. A search determination unit that retrieves a random number corresponding to the position information by searching a random number table corresponding to the other computer, and determines whether the retrieved random number is unused, and if the result of the determination is unused, Decryption means for decrypting the encrypted plant monitoring control data by the taken random number; and a checksum value calculated from the decrypted data using the predetermined calculation method, and the calculated checksum value and the decryption The comparison means for comparing the checksum value added to the converted plant monitoring control data with the comparison means. If the calculated checksum value and adding checksum values match, the data decompression means for decompressing said decrypted plant monitoring control data,
The data relay program for plant monitoring and control according to claim 1, wherein the data relay program is operated as described above. 3. The plant monitoring control data relay program according to claim 1, wherein the communication line is an open network. 4. The decoding means adds a checksum value calculated by comparing the means for issuing a warning and the comparing means when the retrieval judgment means determines that the extracted random number is not unused. 3. The plant monitoring control data relay program according to claim 2, further comprising means for issuing a warning when the checksum values do not match. 5. A transmission for causing the first and second computers to function as their own computers as transmission means for transmitting the encrypted plant monitoring control data with position information to another computer via the communication line. The application program on the side and the application program on the receiving side that causes the computer to function as receiving means for receiving the encrypted plant monitoring control data with position information transmitted via the communication line are respectively one process. The data relay program for plant monitoring control is installed in the first and second computers as a process different from the processes of the transmission side application program and the reception side application program. Second Compu Each has a fixed length buffer, the encryption means of the data transmission side computer comprises means for storing the encrypted plant monitoring control data with position information in the fixed length buffer, the data transmission side computer The transmitting means is a means for reading the encrypted plant monitoring control data with position information stored in the fixed length buffer and transmitting it to the data receiving side computer via the communication line, the data receiving side computer Means for receiving the encrypted plant monitoring control data with position information transmitted through the communication line and storing the data in the fixed length buffer, the search judgment of the data receiving side computer. The means is the encrypted plant monitoring control data with position information stored in the fixed length buffer. 4. The plant monitoring control data relay program according to claim 2, further comprising means for reading the data and searching a random number table corresponding to the data receiving computer based on the read position information. 6. A third computer connected to the plant control device so as to be capable of data communication and connected to the first computer by a dedicated communication line, wherein the remote monitoring control device is the second computer. And a fourth computer connected by a dedicated communication line to the third and fourth computers, wherein the third computer and the fourth computer include the own computer and the encrypted plant monitoring control data with position information via the communication line. A transmission-side application program that functions as a transmission unit that transmits to another computer, and a reception unit that functions to receive the encrypted plant monitoring control data with position information transmitted from the own computer via the open network. The receiving side application program that causes The monitoring control data relay program is installed in each of the first and second computers, while the encryption means of the data transmission side computer transfers the encrypted plant monitoring control data with position information to the dedicated communication. The data is transmitted to one of the third and fourth computers connected to the data transmission side computer via a line, and the transmission means of the one computer is transmitted via the dedicated communication line. Means for receiving the encrypted plant supervisory control data with position information and transmitting it to the other computer of the third and fourth computers via the communication line, the third and fourth computers The receiving means of the other computer of the above is the encryption with position information transmitted via the communication line. Is a means for receiving the data for chemical plant monitoring control and transmitting it to the data receiving computer connected to the other computer via the dedicated communication line, wherein the search determining means of the data receiving computer is the reception 4. A means for searching a random number table corresponding to the computer on the data receiving side based on the position information of the encrypted plant monitoring control data with position information transmitted from the means. Data relay program for plant monitoring control. 7. The plant monitoring control data relay according to claim 1, wherein each random number stored in the random number table is a physical random number having no regularity. program. 8. The data transmission side computer is configured to transmit a physical random number generated by a physical random number generator for generating the physical random number having no regularity via a first random number transmission communication line different from the communication line. And receiving the received physical random number as a means for storing the received physical random number in the random number table as the random number, and making the data receiving side computer generate the physical random number generated by the physical random number generating device different from the communication line. 8. The data relay program for plant monitoring control according to claim 7, which functions as means for receiving the received physical random number as the random number in the random number table via the communication line for transmitting the random number. 9. Digital data relating to plant monitoring control (plant monitoring control data) is connected to the plant control device so as to be able to perform data communication, and via a communication line between the plant control device and the remote monitoring control device. A plant monitoring control data relay system for relaying, wherein a random number table storage means for storing a random number table that holds a plurality of random numbers so that respective storage positions can be identified, and the plant control device and the remote monitoring control device A compression means for compressing the plant monitoring control data transmitted from one side, and a checksum value is calculated from the compressed data using a predetermined calculation method, and the calculated checksum value is used for the plant monitoring control after the compression. Checksum calculation means to be added to the data, and unused random numbers and random numbers from the random number table. A means for extracting the position information of the random number, and an exclusive OR for each bit of the extracted random number and the plant monitoring control data to which the checksum value is added to encrypt the plant monitoring control data, A plant monitoring control data relay system comprising: an encryption unit that adds the position information to the encrypted plant monitoring control data to generate encrypted plant monitoring control data with position information. 10. A digital data (plant monitoring control data) relating to plant monitoring control is connected via a communication line between the plant control device and the remote monitoring control device, which is connected to the plant control device so that data communication is possible. A data relay system for plant monitoring control that relays a plurality of random numbers, a random number table storage unit that stores a random number table that holds each storage position in a distinguishable manner, and a check calculated using a predetermined calculation method. The encrypted plant monitoring control data including the position information of the random number generated by the exclusive OR of the compressed plant monitoring control data including the sum value and the random number at the predetermined position in the random number table is the plant control device. And when transmitted from one of the remote monitoring and control devices via the communication line. Search determination means for searching the random number table based on the position information in the encrypted plant monitoring control data to extract a random number corresponding to the position information, and determining whether or not the extracted random number is unused; If the result is unused, decryption means for decrypting the encrypted plant monitoring control data with the random number taken out, and a checksum value is calculated from the decrypted data using the predetermined calculation method, Comparison means for comparing the calculated checksum value with the checksum value added to the decrypted plant monitoring control data, and the calculated checksum value and the additional checksum value match by comparison of this comparison means. In this case, data decompression means for decompressing the decrypted plant monitoring control data,
A data relay system for plant monitoring and control, comprising: 11. A physical random number generator for generating a physical random number having no regularity, and a physical random number generated by this physical random number generator are received via a communication line for random number transmission different from the communication line, The data relay system for plant monitoring control according to claim 9 or 10, further comprising: a storage unit that stores the received physical random number in the random number table as the random number. 12. The physical random number generation device is a device for constantly generating the physical random number, and the storage means is within a predetermined range from the physical random number constantly generated by the physical random number generation device. 12. The plant monitoring control data relay system according to claim 11, which is means for receiving a physical random number and storing it in the random number table. 13. Digital data (plant monitoring) relating to plant monitoring control, which can be respectively executed by a first computer connected to a control device of the plant so as to be capable of data communication and a second computer for remote monitoring control of the plant. (Control data) is a relay program, and when one of the first and second computers transmits the plant monitoring control data to the other computer via the communication line, A data transmission side computer, a first calculation means for calculating a checksum value of the plant monitoring control data using a predetermined message digest function, and the calculated checksum value via the communication line of the other After sending the checksum value to the data receiving computer, the plant monitoring control Means for transmitting data for use to the other data receiving side computer via the communication line, respectively, causing them to function, the other data receiving side computer from the one data transmitting side computer to the communication line. Receiving means for respectively receiving the checksum value and the plant monitoring control data transmitted via the above; and a second calculating the checksum value of the received plant monitoring control data by using the predetermined message digest function. The checksum value calculated by the calculating means and the second calculating means is compared with the checksum value received by the receiving means, and the checksum value is received by the receiving means only when the comparison results in a match. Function as a comparison means that considers plant monitoring control data as valid data A data relay program for plant monitoring and control. 14. The receiving means, when the checksum value is received, means for transmitting data indicating confirmation of reception of the checksum value to the one data transmission side computer via the communication line. Including the means for receiving the reception confirmation data transmitted via the communication line, and, after the reception confirmation data is received, the plant monitoring control data via the communication line 14. Means for transmitting to the other data receiving computer.
The data relay program for plant monitoring control described. 15. The first and second computers are respectively provided with time data transmission devices that transmit data representing times that are synchronized and coincident with each other, and the first calculation means of the data transmission side computer comprises: First time data transmitted from the time data transmission device is added to the plant monitoring control data, and the checksum value of the plant monitoring control data to which the first time data is added is the predetermined message digest. Calculating means using a function, wherein the transmitting means adds means for adding the first time data to the plant monitoring control data and transmitting the data to the other data receiving computer via the communication line. Including, the receiving means of the other data receiving-side computer is provided for the time data transmitted from the time data transmitting device. Based on the means, the time when the checksum value is received is stored as second time data, and the first time data and the second time data in the plant monitoring control data to which the received first time data is added. Compare with the time data of
14. The plant monitoring control data relay program according to claim 13, further comprising means for determining whether or not the plant monitoring control data is valid according to the comparison result. 16. The first and second computers each include a random number table that holds a plurality of random numbers so that their respective storage positions can be identified, and the transmission means of the one data transmission side computer includes: A compression unit for compressing the first time data, a checksum value is calculated from the compressed data using a predetermined calculation method, and the calculated checksum value is added to the compressed first time data. Checksum calculating means, means for extracting an unused random number and position information of the random number from a random number table corresponding to the data transmitting computer, first time data to which the extracted random number and the checksum value are added The first time data is encrypted by bitwise exclusive OR with and the position information is added to the encrypted first time data. And an encryption unit for generating encrypted first time data with position information, and the encrypted first time data with position information via the communication line to the other data receiving computer. And a receiving means of the other data receiving side computer, wherein the receiving means of the other data receiving side computer transmits the encrypted first information with the position information transmitted from the one data transmitting side computer via the communication line.
Means for receiving the time data, and a random number table corresponding to the other computer is searched based on the position information in the received first time data, and the random number corresponding to the position information is extracted and A search determining means for determining whether or not it is unused, a decrypting means for decrypting the encrypted first time data by a random number taken out when the result of the determination is unused, and a decrypted first Comparing means for calculating a checksum value from the time data of the above using the predetermined calculation method and comparing the calculated checksum value with the checksum value added to the decoded first time data; When the calculated checksum value and the additional checksum value match with each other by the comparison means, the data decompression means for decompressing the decrypted first time data is used. 15. plant monitoring control data relay program, wherein a was e. 17. A plant monitoring control data relay system for relaying digital data (plant monitoring control data) relating to plant monitoring control via a communication line between a plant control device and a remote monitoring control device, wherein a predetermined message First calculating means for calculating a checksum value of the plant monitoring control data by using a digest function; and transmitting the calculated checksum value to the other data receiving computer via the communication line, After transmitting the checksum value, transmitting means for transmitting the plant monitoring control data to the other data receiving side computer via the communication line, and from the one data transmitting side computer via the communication line. Receive checksum value and plant monitoring control data respectively Receiving means, second calculating means for calculating the checksum value of the received plant monitoring control data using the predetermined message digest function, and the checksum value calculated by the second calculating means and And comparing means for comparing the checksum value received by the receiving means with each other, and only if the comparison results in a match, the plant monitoring control data received by the receiving means is regarded as valid data. A data relay system for plant monitoring and control.