JP2008067162A - Control system and method for controlling system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method for controlling an FA system by which the security of a program is maintained. <P>SOLUTION: The method for controlling the FA system includes: a step (S204) in which an encryption rule issuing device generates an encryption key and a decryption key; a step (S206) in which the decryption key is transmitted to a PLC (programmable logic controller) through the internet, a step (S210) in which the encryption key is transmitted to an encryption converter; a step (S216) in which the encryption converter encrypts a control program by using the encryption key; a step (S218) in which the encryption converter transmits the program generated by encryption to the PLC; and a step (S222) in which the PLC decrypts the control program. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for protecting a program for controlling a device. More specifically, the present invention provides a control system that distributes the encrypted program via a network, decrypts the distributed program, and uses the device for controlling the device, and a system that controls the device Relates to the control method.

  In the field of FA (Factory Automation), production equipment is often controlled by a programmable logic controller or other control device. In general, such a control device controls the production facility or collects performance data from the production facility by executing a program created in advance. This program is created by a developer using a so-called ladder language, C language, or other programming language.

  The control device is installed near the production facility. On the other hand, the monitoring device for managing the operation of the production facility based on the data from the control device, or the management device for performing maintenance such as correction and change of the program used by the control device is separated from the production facility. Often installed in different locations. In this case, the maintenance of the program is performed by the system administrator as remote maintenance via a communication line connecting the management device and the control device, for example, the Internet.

  When the control device is connected to the Internet for remote maintenance, the control device may be accessed by a third party communication device. When the third-party communication device has a function of creating a program for controlling the production facility, the communication device can access the control device. Therefore, even for remote maintenance, the control device cannot be easily connected to the Internet.

Regarding the FA system, for example, Japanese Patent Laid-Open No. 2003-199179 (Patent Document 1) discloses a remote engineering system that can distribute information necessary for monitoring or maintenance to the outside without showing information that the user wants to keep secret. To do.
JP 2003-199179 A

  However, in the FA system, when the device itself is out of the secret state, for example, when a device having information to be kept secret is stolen, the confidentiality of the information is impaired.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to provide a control system capable of maintaining the confidentiality of information.

  Another object of the present invention is to provide a control system including a control device capable of maintaining the confidentiality of a program used for controlling a device.

  Another object of the present invention is to provide a control method for controlling a system so that confidentiality of information can be maintained.

  In order to achieve the above object, according to one aspect of the present invention, a control system for controlling an apparatus is provided. The control system includes: an encryption data generation device that generates encryption data used for encryption processing; an encryption device that is connected to the encryption data generation device via a communication line and encrypts a program that controls the device; and A control device is provided that is connected to the encryption data generation device and the encryption device via a line and controls the device based on a program. The encryption data generation device includes: generation means for generating encryption data used for program encryption and decryption; and first encryption data transmission means for transmitting encryption data to the encryption device as first encryption data. And second encrypted data transmission means for transmitting the encrypted data to the control device as the second encrypted data. The encryption apparatus includes: a storage unit that stores a program; an encryption data reception unit that receives first encryption data; an encryption unit that encrypts the program based on the first encryption data and generates an encryption program; Transmitting means for transmitting the encryption program to the control device. The control device includes: a receiving unit that receives the encryption program transmitted from the encryption device; the second encryption data transmitted from the encryption data generation device; an encryption data storage unit that stores the second encryption data; Decryption means for decrypting the encryption program based on the second encryption data, program storage means for storing the decrypted program, and control means for controlling the device based on the program stored in the program storage means Including.

  Preferably, the generation unit generates an encryption key for encrypting the program and a decryption key for decrypting the encryption program generated by encryption using the encryption key. The first encrypted data transmission means transmits the encryption key to the encryption device. The second encrypted data transmission means transmits the decryption key to the control device.

  Preferably, the transmission means further transmits the first encrypted data to the control device in addition to the encryption program. The control device further includes authentication means for confirming whether or not the encryption program is an encrypted program for controlling the device based on the first encryption data and the second encryption data. The decrypting means decrypts the encrypted program when the encrypted program is an encrypted program for controlling the device.

  Preferably, the first encrypted data includes an encryption key for encrypting the program. The second encryption data includes a decryption key for decrypting the encryption program generated by encryption using the encryption key. The authentication unit determines that the encryption program is an encrypted program for controlling the device when the encryption key and the decryption key correspond to each other.

  Preferably, the generation unit generates new encrypted data every predetermined time. The first encrypted data transmission means transmits newly generated encrypted data to the encryption device as the first encrypted data every predetermined time. The second encrypted data transmission means transmits newly generated encrypted data to the control device as second encrypted data at predetermined time intervals.

  Preferably, the control device detects a switching between turning on and off of the power supply, and a first requesting unit that requests the encryption device to transmit a new encryption program based on the detection of the switching. And further including. The encryption device further includes reception detection means for detecting that a request for transmission of a new encryption program has been received. The transmission means transmits a new encryption program to the control device based on the reception of the transmission request. The decrypting means decrypts the new encryption program.

  Preferably, the control device further includes second request means for transmitting a new second encrypted data transmission request to the encrypted data generating device based on the detection of switching. The generating means generates new encrypted data based on the reception of the second encrypted data transmission request. The first encrypted data transmission means transmits the newly generated encrypted data to the encryption device as the first encrypted data. The second encrypted data transmission means transmits newly generated encrypted data to the control device as second encrypted data.

  When the other situation of this invention is followed, the control method for controlling the system provided with the control apparatus which controls an apparatus is provided. The system includes an encryption data generation device that generates encryption data used for encryption processing, an encryption device that is connected to the encryption data generation device via a communication line and encrypts a program that controls the device, and a communication line. Is connected to the encrypted data generation device and the encryption device, and includes a control device that controls the device based on the program. The control method includes a generation step in which the encryption data generation device generates encryption data used for encryption and decryption of the program, and the encryption data generation device sends the encryption data to the encryption device as the first encryption data. A first transmission step of transmitting, a second transmission step of transmitting the encrypted data as the second encrypted data to the control device by the encrypted data generation device, a step of loading the program by the encryption device, and an encryption A receiving step in which the device receives the first encrypted data; an encryption step in which the encryption device encrypts the program based on the first encrypted data to generate a cryptographic program; and the encryption device in the cryptographic program Is transmitted to the control device, the encryption program transmitted from the encryption device to the control device, and the second transmitted from the encrypted data generation device. A receiving step for receiving the encrypted data; a control data storing step for storing the second encrypted data; a decrypting step for the control device to decrypt the encryption program based on the second encrypted data; The control device includes a step of storing the decrypted program, and the control device includes a control step of controlling the device based on the stored program.

  Preferably, the generation step generates an encryption key for encrypting the program and a decryption key for decrypting the encryption program generated by the encryption using the encryption key. In the first transmission step, the encryption key is transmitted to the encryption device. In the second transmission step, the decryption key is transmitted to the control device.

  Preferably, in the third transmission step, the first encrypted data is further transmitted to the control device in addition to the encryption program. The control method further includes an authentication step of confirming whether or not the encryption program is an encrypted program for controlling the device based on the first encryption data and the second encryption data. The decrypting step decrypts the encrypted program when the encrypted program is an encrypted program for controlling the device.

  Preferably, the first encrypted data includes an encryption key for encrypting the program. The second encryption data includes a decryption key for decrypting the encryption program generated by encryption using the encryption key. The authentication step determines that the encryption program is an encrypted program for controlling the device when the encryption key and the decryption key correspond to each other.

  Preferably, the generation step generates new encrypted data every predetermined time. In the first transmission step, the newly generated encrypted data is transmitted to the encryption device as the first encrypted data every predetermined time. In the second transmission step, the newly generated encrypted data is transmitted as second encrypted data to the control device at predetermined time intervals.

  Preferably, the control method includes a detection step in which the control device detects switching of power on and off, and the control device transmits a new encryption program to the encryption device based on the detection of switching. And a step of detecting that the encryption device has received a request for transmission of a new encryption program. In the third transmission step, a new encryption program is transmitted to the control device based on the reception of the transmission request. The decryption step decrypts the new encryption program.

  Preferably, the control method further includes a step in which the control device transmits a new second encrypted data transmission request to the encrypted data generation device based on the detection of the switching. The generation step generates new encrypted data based on the reception of the second encrypted data transmission request. In the first transmission step, the newly generated encrypted data is transmitted to the encryption apparatus as the first encrypted data. In the second transmission step, the newly generated encrypted data is transmitted as second encrypted data to the control device.

  According to the control system of the present invention, the confidentiality of the program used by the control device can be maintained.

  According to the control method of the present invention, it is possible to control the control system including the control device while maintaining the confidentiality of the program used by the control device.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following description, the same parts are denoted by the same reference numerals. Their names and functions are also the same. Therefore, detailed description thereof will not be repeated.

  A factory automation (hereinafter referred to as FA (Factory Automation)) system 10 according to an embodiment of the present invention will be described with reference to FIG. FIG. 1 is a diagram showing the configuration of the FA system 10.

  The FA system 10 includes a cryptographic rule issuing device 100, a program development device 110, a cryptographic converter 120, a programmable logic controller (hereinafter, PLC (Programmable Logic Controller)) 130, and an equipment device 140. The encryption rule issuing device 100, the encryption converter 120, and the PLC 130 are connected via the Internet 150. The program development device 110 and the cryptographic converter 120 are electrically connected via a cable 152. The PLC 130 and the facility device 140 are connected by a LAN (Local Area Network) 154.

  A control method of the FA system 10 will be described with reference to FIG. FIG. 2 is a flowchart showing a series of processes executed in the FA system 10.

  In step S202, encryption rule issuing apparatus 100 specifies a transmission destination of an encryption rule (for example, a decryption key) based on a code (for example, device ID (Identification)) unique to PLC 130. In step S204, the encryption rule issuing device 100 generates an encryption key and a decryption key according to a generation procedure prepared in advance. In step S206, the encryption rule issuing device 100 transmits the generated decryption key to the PLC 130 via the Internet 110.

  In step S208, the PLC 130 receives the decryption key transmitted by the encryption rule issuing device 100 and stores it in the internal memory.

  In step S <b> 210, the encryption rule issuing device 100 transmits the encryption key to the encryption converter 120 via the Internet 150. In step S212, the cryptographic converter 120 receives the encryption key transmitted by the encryption rule issuing device 100 and stores it in the internal memory.

  In step S214, the program development device 110 reads a control program stored in advance from the internal memory and transmits the control program to the cryptographic converter 120. Here, the control program is a program created by the user of the program development device 110 in order to control the equipment device 140.

  In step S216, encryption converter 120 reads the encryption key from the memory, and encrypts the program transmitted from program development device 110 using the encryption key. In step S218, cipher converter 120 transmits the encrypted program to PLC 130 via Internet 150.

  In step S220, PLC 130 receives the encrypted program from cipher converter 120 and stores it in the internal memory. In step S222, PLC 130 reads a previously stored decryption key from the memory, and decrypts the received program using the decryption key. In step S224, PLC 130 controls facility device 140 using the decrypted program.

  With reference to FIG. 3, the structure of the encryption rule issuing device 100 according to the present embodiment will be described. FIG. 3 is a block diagram illustrating a configuration of functions realized by the encryption rule issuing device 100.

  The encryption rule issuing device 100 includes a generation timing detection unit 310, a device identification unit 330, a device information storage unit 320, an encryption rule generation unit 340, an encryption rule storage unit 350, an encryption rule transmission control unit 360, a communication Part 370.

  The generation timing detection unit 310 detects timing for generating an encryption rule (for example, a combination of an encryption key and a decryption key). For example, the generation timing detection unit 310 detects a timing at which a cryptographic rule should be generated based on a generation instruction given from the outside. Alternatively, in another aspect, generation timing detector 310 detects the timing when an internal clock (not shown) detects the arrival of a predetermined time.

  The device information storage unit 320 stores information for specifying a device that can communicate with the encryption rule issuing device 100. The information includes, for example, a device number unique to the cryptographic converter 120, the PLC 130, and other identifiable data. When the FA system 10 is constructed, information for identifying these devices is input to the encryption rule issuing device 100 by the user of the FA system 10 and stored in the device information storage unit 320.

  The device identification unit 330 is connected to the generation timing detection unit 310 and the device information storage unit 320 so as to be operable based on the output from the generation timing detection unit 310 and the data stored in the device information storage unit 320. It is connected. The device specifying unit 330 reads out data stored in the device information storage unit 320 based on the detection of the generation timing of the encryption rule by the generation timing detection unit 310, and sets the encryption rule to be generated. Identify the device to be. More specifically, the device specifying unit 330 specifies the PLC 130 or other control device connected to the Internet 150.

  The encryption rule generation unit 340 is configured to be operable based on the output from the device identification unit 330. More specifically, the encryption rule generation unit 340 generates an encryption rule specific to the device specified by the device specification unit 330 according to a generation criterion prepared in advance. The generated encryption rule includes, for example, an encryption key for encrypting an executable program and a decryption key for decrypting the encrypted program. The encryption rule generation unit 340 stores the generated encryption rule in the encryption rule storage unit 350.

  The encryption rule transmission control unit 360 is configured to be operable based on data stored in the encryption rule storage unit 350. Specifically, the encryption rule transmission control unit 360 reads an address (for example, an IP (Internet Protocol) address) of a device to which a decryption key is transmitted from the device information storage unit 320. The encryption rule transmission control unit 360 reads the decryption key stored in the encryption rule storage unit 350. The encryption rule transmission control unit 360 generates data for transmitting the decryption key with reference to the address.

  Alternatively, the encryption rule transmission control unit 360 reads from the device information storage unit 320 the address of the cryptographic converter 120 that is the target of transmitting the encryption key. The encryption rule transmission control unit 360 reads the encryption key stored in the encryption rule storage unit 350. The encryption rule transmission control unit 360 generates data for transmitting the encryption key using the address.

  The communication unit 370 is configured to be operable based on an output from the encryption rule transmission control unit 360 and an input to the encryption rule issuing device 100. The communication unit 370 transmits the data generated by the encryption rule transmission control unit 360 to an address included in the data. Alternatively, the communication unit 370 receives data transmitted via the Internet 150. The received data includes data for confirmation of communication transmitted by the cryptographic converter 120 or the PLC 130 (for example, a so-called “Ack” signal). Alternatively, the communication unit 370 receives a control signal transmitted from a management server (not shown) operated by the administrator of the FA system 10.

  With reference to FIG. 4, one aspect of a specific configuration of encryption rule issuing apparatus 100 according to the present embodiment will be described. FIG. 4 is a block diagram illustrating a hardware configuration of a computer system 400 that functions as the encryption rule issuing device 100.

  The computer system 400 is generated as a main component by a CPU (Central Processing Unit) 410 that executes a program, a mouse 420 and a keyboard 430 that receive an instruction input by a user of the computer system 400, and the execution of the program by the CPU 410. RAM (Random Access Memory) 440 for storing volatile data or data input via mouse 420 or keyboard 430, hard disk 450 for storing data in a nonvolatile manner, and CD-ROM (Compact Disc-Read) Only Memory) driving device 460, monitor 480, and communication I / F (interface) 490 are included. Each hardware is mutually connected by a data bus. A CD-ROM 462 is mounted on the CD-ROM drive 460.

  Processing in the computer system 400 is realized by the hardware and software executed by the CPU 410. Such software may be stored in the hard disk 450 in advance. The software may be stored in a CD-ROM 462 or other recording medium and distributed as a program product. Alternatively, the software may be provided as a program product that can be downloaded by an information provider connected to the so-called Internet. Such software is temporarily stored in the hard disk 450 after being read from the recording medium by the CD-ROM drive 460 or other reading device or after being downloaded via the communication I / F 490. The software is read from the hard disk 450 by the CPU 410 and stored in the RAM 440 in the form of an executable program. CPU 410 executes the program.

  The hardware constituting the computer system 400 shown in FIG. 4 is general. Therefore, it can be said that the essential part of the encryption rule issuing device 100 is software stored in the RAM 440, the hard disk 450, the CD-ROM 462, or other recording medium, or software that can be downloaded via a network. Since the operation of each component of computer system 400 is well known, detailed description will not be repeated.

  With reference to FIG. 5, the control structure of the encryption rule issuing device 100 will be described. FIG. 5 is a flowchart showing a series of processing executed by CPU 410 included in computer system 400 functioning as encryption rule issuing device 100.

  In step S510, CPU 410 detects the arrival of the timing for generating the encryption rule (encryption key and decryption key). In step S520, CPU 410 identifies the PLC for which the encryption rule is to be generated. When the CPU 410 specifies the PLC, the CPU 410 stores data for identifying the PLC in an area secured in the RAM 440.

  In step S530, CPU 410 generates an encryption key and a decryption key in accordance with an execution program prepared in advance, and stores it in an area secured in RAM 440.

  In step S540, CPU 410 transmits the encryption key to encryption converter 120 via Internet 150 via communication I / F 490.

  In step S550, CPU 410 determines whether or not a confirmation signal indicating reception of the encryption key has been received from encryption converter 120. If CPU 410 determines that the signal has been received (YES in step S550), the process proceeds to step S560. If not (NO in step S550), the process proceeds to step S552.

  In step S552, CPU 410 waits for a predetermined time. Thereafter, control is returned to step S550. Note that a process corresponding to a communication error may be executed while the standby process is executed. For example, if the confirmation signal cannot be received within a predetermined time, the CPU 410 may determine that the transmission has failed and execute a process of leaving a communication error.

  In step S560, CPU 410 transmits the decryption key to PLC 130 via Internet 150.

  In step S570, CPU 410 determines whether or not a confirmation signal indicating that the decryption key has been received has been received from PLC 130. If CPU 410 determines that the signal has been received (YES in step S570), the process proceeds to step S580. If not (NO in step S570), the process proceeds to step S572.

  In step S572, CPU 410 waits for a predetermined time. Thereafter, control is returned to step S570. Note that the same processing as the error processing in step S552 may be executed.

  In step S580, CPU 410 determines whether an instruction to end the operation has been input or not. If CPU 410 determines that such an instruction has been input (YES in step S580), the process ends. If not (NO in step S580), the process returns to step S510.

  The data structure of the encryption rule issuing device 100 will be described with reference to FIG. FIG. 6 is a diagram conceptually showing one mode of data storage in hard disk 450 provided in computer system 400. Hard disk 450 includes a plurality of memory areas for storing data.

  Data for specifying a target to which the encryption key is transmitted is stored in the memory area 610. The date and time when the encryption key is transmitted is stored in the memory area 620. If the encryption key has never been transmitted, data representing “NULL” is stored in this area, for example. The encryption key generated by the CPU 410 is stored in the memory area 630.

  The data related to the decryption key is also stored in the same manner as the data related to the encryption key. That is, data for specifying a target to which the decryption key is transmitted is stored in the memory area 640. The date and time when the decryption key is transmitted is stored in the memory area 650. If the decryption key has not yet been transmitted, “NULL” is stored in this area as described above. The decryption key generated by the CPU 410 is stored in the memory area 660.

  Next, data transmitted by the encryption rule issuing device 100 will be described with reference to FIGS. FIG. 7 is a diagram illustrating a communication frame 700 transmitted from the encryption rule issuing device 100 to the encryption converter 120. The communication frame 700 includes a header 710, user data 720, and an FCS (Frame Check Sequence) 730. The header 710 includes a transmission source address (that is, the IP address of the cryptographic rule issuing device 100), a transmission destination address (that is, the IP address of the cryptographic converter 120), a transmission date and time (for example, a date and time when the communication frame 700 was generated). including. User data 720 includes an encryption key generated by CPU 410.

  When the process of step S540 shown in FIG. 5 is executed, the communication frame 700 is transmitted from the encryption rule issuing device 100 to the encryption converter 120.

  FIG. 8 is a diagram showing a communication frame 800 transmitted from the encryption rule issuing device 100 to the PLC 130. Communication frame 800 includes a header 810, user data 820, and FCS 830. The header 810 includes a transmission source address (that is, the IP address of the encryption rule issuing device 100), a transmission destination address (that is, the IP address of the PLC 130), and a transmission date and time (the date and time when the communication frame 800 was generated). User data 820 includes a decryption key generated by CPU 410. When the process of step S560 shown in FIG. 5 is executed, the communication frame 800 is transmitted from the encryption rule issuing device 100 to the PLC 130.

  Next, with reference to FIG. 9, the structure of the encryption converter 120 which concerns on this Embodiment is demonstrated. FIG. 9 is a block diagram showing a configuration of functions realized by cryptographic converter 120. The cryptographic converter 120 includes a data input unit 910, a program storage unit 920, an encryption key storage unit 930, an encryption processing unit 940, and an encrypted data distribution unit 950.

  The data input unit 910 receives data input from the outside of the cryptographic converter 120. For example, the data for which input is accepted may be a program generated by the program development device 110, an encryption key transmitted by the encryption rule issuing device 100, or an instruction (encryption command) for enabling encryption processing by the encryption converter 120 Etc. The encryption command may be transmitted by the encryption rule issuing device 100 or may be given by the administrator of the FA system 10.

  The program storage unit 920 stores a program that has been accepted by the data input unit 910. The encryption key storage unit 930 stores the encryption key that has been accepted by the data input unit 910.

  The encryption processing unit 940 is configured to be operable based on an output from the data input unit 910 and data stored in the program storage unit 920 and the encryption key storage unit 930. More specifically, the encryption processing unit 940 executes the encryption process based on the encryption command received by the data input unit 910. That is, the encryption processing unit 940 reads the program stored in the program storage unit 920 and encrypts the read program using the encryption key stored in the encryption key storage unit 930.

  The encrypted data distribution unit 950 is configured to be operable based on the output from the encryption processing unit 940. More specifically, the encrypted data distribution unit 950 generates data for transmitting the data generated by the encryption processing unit 940 to a device (for example, the PLC 130) that uses the program. After generating the data, the encrypted data distribution unit 950 establishes communication between transmission partners (such as the PLC 130), and transmits the data after the communication is established. Data transmitted by the cryptographic converter 120 will be described later.

  Here, with reference to FIG. 10, an aspect of a specific configuration of the cryptographic converter 120 will be described. FIG. 10 is a block diagram showing a hardware configuration of computer system 1000 that functions as cryptographic converter 120. The computer system 1000 includes, as main components, a CPU 1010 that executes a program, a mouse 1020 and a keyboard 1030 that accept input of instructions by a user of the computer system 1000, data generated by execution of a program by the CPU 1010, or a mouse 1020 or A RAM 1040 that stores data input via the keyboard 1030 in a volatile manner, a hard disk 1050 that stores data in a nonvolatile manner, a CD-ROM drive 1060, a monitor 1080, and a communication I / F 1090 are included. A CD-ROM 1062 is attached to the CD-ROM drive device 1060.

  Functions and basic operations of the components of the computer system 1000 shown in FIG. 10 are the same as the functions and operations of the computer system 400 shown in FIG. Therefore, description thereof will not be repeated here.

  Next, the control structure of the cryptographic converter 120 will be described with reference to FIG. FIG. 11 is a flowchart showing a series of processing executed by CPU 1010 provided in computer system 1000 functioning as cryptographic converter 120.

  In step S1110, CPU 1010 detects that a program has been received from program development device 110 via communication I / F 1090. In step S1120, CPU 1010 temporarily stores the received program in the work area secured in RAM 1040. Thereafter, the CPU 1010 stores the program in the hard disk 1050.

  In step S1130, CPU 1010 detects that an encryption key has been received from encryption rule issuing device 100 via communication I / F 1090. In step S1140, CPU 1010 stores the encryption key in the area secured in RAM 1040, and then stores it in hard disk 1050.

  Here, the data structure of the cryptographic converter 120 will be described with reference to FIGS. 12 and 13 are diagrams conceptually showing one mode of data storage in hard disk 1050, respectively.

  Referring to FIG. 12, hard disk 1050 includes a plurality of memory areas for storing data. Data (program user) for identifying a device that uses a program generated by the program development device 110 is stored in the memory area 1210. Data (program ID) for identifying a program actually used by the program user is stored in the memory area 1220. Specific program data specified by the program ID is stored in the memory area 1230.

  Referring to FIG. 13, data (encryption key ID) for identifying the encryption key transmitted by encryption rule issuing device 100 is stored in memory area 1310. Specific data of the encryption key specified by the encryption key ID is stored in the memory area 1320.

  Next, with reference to FIG. 14, the data transmitted by the cryptographic converter 120 will be described. FIG. 14 is a diagram illustrating a communication frame 1400 transmitted from the cryptographic converter 120 to the PLC 130.

  Communication frame 1400 includes header 1410, user data 1420, and FCS 1430. The header 1410 includes a transmission source address (that is, the IP address of the cryptographic converter 120), a transmission destination address (that is, the IP address of the PLC 130), and a transmission date and time (that is, the date and time when the communication frame 1400 was generated). User data 1420 includes a program encrypted in cryptographic converter 120.

  The communication frame 1400 is transmitted by the cryptographic converter 120 after the communication between the cryptographic converter 120 and the PLC 130 is established. In another aspect, when the confirmation signal indicating that the PLC 130 has not received the communication frame 1400 is received by the cryptographic converter 120, the communication frame 1400 may be transmitted again.

  With reference to FIG. 15, the control structure of the cryptographic converter 120 will be described. FIG. 15 is a flowchart showing a series of processing executed by CPU 1010 of computer system 1000 functioning as cryptographic converter 120.

  In step S1510, CPU 1010 receives an instruction to execute processing for encrypting a program via communication I / F 1090. This instruction may be included in data transmitted from the encryption rule issuing device 100, or may be given by the administrator of the FA system 10.

  In step S1520, based on the instruction, CPU 1010 specifies a program to be encrypted, an encryption key used for encryption, and PLC 130 that is a user of the program.

  In step S1530, CPU 1010 encrypts the program using the specified encryption key, and temporarily stores it in RAM 1040. When the transmission of the encrypted data is not completed, the CPU 1010 stores the data stored in the RAM 1040 in an area secured in the hard disk 1050.

  In step S1540, CPU 1010 executes processing for establishing communication with identified PLC 130. In step S1550, CPU 1010 determines whether or not a communication session with PLC 130 has been established. If CPU 1010 determines that a communication session has been established (YES in step S1550), the process proceeds to step S1560. If not (NO in step S1550), the process returns to step S1540, and the process for establishing communication is continued.

  In step S1560, CPU 1010 generates data (eg, communication frame 1400) for transmitting the encrypted program. In step S1570, CPU 1010 transmits generated communication frame 1400 to PLC 130 via Internet 150.

  In step S1580, CPU 1010 determines whether a program reception completion notification is received from PLC 130 or not. For example, this determination is made based on data included in the communication performed while the communication session between the cryptographic converter 120 and the PLC 130 is established. If CPU 1010 determines that the completion notification has been received (YES in step S1580), the process proceeds to step S1590. If not (NO in step S1580), the process proceeds to step S1582.

In step S1582, CPU 1010 waits for a predetermined time.
In step S1590, CPU 1010 ends communication with PLC 130.

  Here, with reference to FIG. 16, the structure of PLC132 which concerns on this Embodiment is demonstrated. FIG. 16 is a block diagram showing a hardware configuration of PLC 130. The PLC 130 includes an inner board 1610 and a controller 1620. Inner board 1610 and controller 1620 are connected by CPU bus 1630.

  The inner board 1610 includes an inner board CPU 1612, a memory 1614, and a communication interface 1616. The controller 1620 includes a controller CPU 1622, an input / output (I / O) unit 1624, an execution memory 1626, and a tool 1628. The controller CPU 1622 and the I / O unit 1624 are connected by an I / O bus 1640.

  The inner board CPU 1612 controls the operation of the inner board 1610. More specifically, the inner board CPU 1612 communicates with other devices connected to the PLC 130 via the communication interface 1616. The inner board CPU 1612 stores the data received via the communication interface 1616 in the memory 1614. The inner board CPU 1612 communicates with the controller CPU 1622 via the CPU bus 1630.

  The controller CPU 1622 controls the operation of the controller 1620. More specifically, the controller CPU 1622 stores the data received from the inner board 1610 via the CPU bus 1630 in the execution memory 1626. The stored data includes a program for controlling the operation of the tool 1628.

  The controller CPU 1622 outputs data for controlling the operation of the facility device 140 connected to the PLC 130 via the I / O unit 1624 or accepts input of data output from the facility device 140. Tool 1628 functions as an interface for accessing a program for controlling the operation of facility device 140.

  Next, the data structure of the PLC 130 will be described with reference to FIG. FIG. 17 conceptually shows one mode of data storage in memory 1614. Memory 1614 includes a memory area for storing data. The memory area 1710 is used as a reserved area. For example, when the PLC 130 newly receives data from the outside, the data is stored in the reserved area 1710.

  The program received by the PLC 130 is stored in the memory area 1720. This program is included in the user data 1420 shown in FIG.

  The decryption key transmitted by the encryption rule issuing device 100 is stored in the memory area 1730. This decryption key is included in the user data 820 shown in FIG. An authentication code for identifying PLC 130 is stored in memory area 1740. The authentication code is input by the administrator when the FA system 10 is constructed.

  The PLCID unique to the PLC 130 is stored in the memory area 1750. The PLCID is a serial number unique to the PLC given when the PLC 130 is manufactured, for example.

  A decryption processing program for decrypting the encrypted data is stored in the memory area 1760. For example, the decryption processing program decrypts the program stored in the memory area 1720 using the decryption key stored in the memory area 1730.

  A communication control program for controlling communication between the PLC 130 and the encryption rule issuing device 100 or the encryption converter 120 is stored in the memory area 1770.

  An operating system for controlling basic operations of the PLC 130 is stored in the memory area 1780.

  Next, the control structure of the PLC 130 will be described with reference to FIG. FIG. 18 is a flowchart showing a series of processes executed by inner board CPU 1612 provided in PLC 130.

  In step S1810, the inner board CPU 1612 establishes communication with the cryptographic converter 120. In step S1820, inner board CPU 1612 detects that an encrypted program has been received from cipher converter 120.

  In step S1830, inner board CPU 1612 authenticates the encryption rule (decryption key). In step S1840, inner board CPU 1612 determines whether the encryption rules match. For example, the inner board CPU 1612 determines whether or not the decryption key included in the received data matches the decryption key already stored in the memory 1614. Alternatively, in another aspect, when inner board CPU 1612 receives an encryption key, it determines whether the encryption key corresponds to a decryption key already stored in memory 1614. If inner board CPU 1612 determines that the encryption rules match (YES in step S1840), the process proceeds to step S1850. If not (NO in step S1840), the process proceeds to step S1880.

  In step S1850, inner board CPU 1612 decrypts the encrypted program using the encryption key.

  In step S1860, inner board CPU 1612 stores the decrypted program in memory area 1710 of memory 1614. In step S1870, inner board CPU 1612 transmits the decrypted program to controller 1620. When controller CPU 1622 receives the program, controller CPU 1622 stores the program in execution memory 1620. In step S1890, inner board CPU 1612 ends communication with cipher converter 120 performed via communication interface 1616.

  With reference to FIG. 19, the transfer of the execution program in the PLC 130 will be described. FIG. 19 is a diagram illustrating data processing performed between memory 1614 and execution memory 1616.

  Memory 1614 includes memory areas 1910 and 1920 for storing data. The memory area 1920 corresponds to the memory area 1710 in FIG. Similarly, the memory area 1910 corresponds to the memory areas 1720, 1730, 1740. When the encrypted program is decrypted using the decryption key, the data is stored in the memory area 1920.

  When the inner board CPU 1612 communicates with the controller CPU 1622 and confirms that the execution program is in a phased state, the inner board CPU 1612 reads the execution program from the memory 1614 and transmits the execution program to the CPU bus 1630. To do. When the controller CPU 1622 receives the execution program, it stores it in the memory area 1930 secured in the execution memory 1626. The equipment 140 is controlled based on the program stored in the execution memory 1626.

  As described above, according to the FA system 10 according to the present embodiment, the program for controlling the equipment device 140 is transmitted to the PLC 130 as a program encrypted by the cryptographic converter 120. The encryption is performed based on the encryption rule generated by the encryption rule issuing device 100. For example, when the encryption rule issuing device 100 generates an encryption key and a decryption key, the encryption converter 120 encrypts the control program using the encryption key.

  On the other hand, the PLC 130 receives the decryption key from the encryption rule issuing device 100 and receives the encrypted program from the encryption converter 120. The PLC 130 performs an authentication process based on the data received from the cryptographic converter 120 and the data received from the cryptographic rule issuing device 100. For example, the PLC 130 determines whether or not the encryption key received from the encryption converter 120 and the decryption key (or encryption key) received from the encryption rule issuing device 120 correspond (or match). If these keys correspond or match, the authentication process succeeds.

  If the authentication process is successful, the PLC 130 decrypts the encrypted program using the decryption key. Therefore, after that, the PLC 130 controls the control device based on the decoded control program.

  When the power of the PLC 130 is turned off and then turned on again, the PLC 130 erases the control program stored in the internal memory or the encrypted program. Therefore, even if a third party illegally turns on the power of the PLC 130 in order to obtain data of the program used by the PLC 130, the program is deleted, so that leakage of the program is prevented.

  In such a case, the PLC 130 communicates with the cryptographic converter 120 to request transmission of a newly encrypted program. Based on the request for transmission of the program by the PLC 130, a new cryptographic rule issuance request is transmitted to the cryptographic rule issuing device 100. This issue request may be generated and transmitted by the PLC 130, or may be generated and transmitted by the cryptographic converter 120.

  The encryption rule issuing device 100 generates a new encryption rule based on the issue request. When the encryption rule issuing device 100 generates a pair of new encryption key and decryption key as the encryption rule, the encryption rule issuing device 100 transmits the encryption key to the encryption converter 120 and transmits the decryption key to the PLC 130.

  The cryptographic converter 120 encrypts the control program (that is, the deleted program) used by the PLC 130 using the new encryption key, and transmits the encrypted control program to the PLC 130.

  The PLC 130 decrypts the newly encrypted control program based on the decryption key transmitted by the encryption rule issuing device 100. The PLC 130 executes the decrypted control program to control the equipment device 140. Thereby, the FA system 10 can maintain the secret of the program for controlling the equipment 140 while the PLC 130 is not operating (for example, while the power of the PLC 130 is turned off).

  The embodiment disclosed this time should be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

It is a figure showing the structure of the factory automation (FA system) 10 which concerns on embodiment of this invention. 3 is a flowchart showing a series of processes executed in FA system 10. It is a block diagram showing the structure of the function implement | achieved by the encryption rule issuing apparatus 100 which concerns on embodiment of this invention. It is a block diagram showing the hardware constitutions of the computer system 400 which functions as the encryption rule issuing apparatus 100 concerning embodiment of this invention. 4 is a flowchart showing a series of operations executed by CPU 410 included in computer system 400 functioning as encryption rule issuing device 100. FIG. 11 is a diagram conceptually showing one aspect of data storage in a hard disk 450 provided in the computer system 400. It is a figure showing the communication frame 700 transmitted to the encryption converter 120 from the encryption rule issuing apparatus 100. FIG. It is a figure showing the communication frame 800 transmitted from the encryption rule issuing apparatus 100 to PLC130. 3 is a block diagram illustrating a configuration of functions realized by a cryptographic converter 120. FIG. 2 is a block diagram illustrating a hardware configuration of a computer system 1000 that functions as a cryptographic converter 120. FIG. 12 is a flowchart showing a series of operations executed by CPU 1010 included in computer system 1000. FIG. 3 is a diagram (part 1) conceptually showing one aspect of data storage in hard disk 1050. FIG. 11 is a diagram (part 2) conceptually showing one aspect of data storage in hard disk 1050. It is a figure showing the communication frame 1400 transmitted from the encryption converter 120 to PLC130. 12 is a flowchart showing a series of processing executed by CPU 1010 of computer system 1000 functioning as cryptographic converter 120. It is a block diagram showing the hardware constitutions of PLC132 which concerns on embodiment of this invention. It is a figure which represents notionally the one aspect | mode of the storage of the data in the memory 1614 of PLC130. It is a flowchart showing a series of operation | movement which innerboard CPU1612 with which PLC130 is provided performs. FIG. 11 is a diagram representing data transfer performed between a memory 1614 and an execution memory 1626.

Explanation of symbols

  10 FA (Factory Automation) System, 150 Internet, 152 Cable, 154 LAN, 400,1000 Computer System, 462,1062 CD-ROM, 700,800,1400 Communication Frame, 1630 CPU Bus, 1640 I / O Bus.

Claims (14)

A control system for controlling a device, the control system comprising:
An encryption data generation device for generating encryption data used for encryption processing;
An encryption device that is connected to the encrypted data generation device via a communication line and encrypts a program for controlling the device;
A controller that is connected to the encrypted data generation device and the encryption device by the communication line and controls the device based on the program;
The encrypted data generation device includes:
Generating means for generating the encrypted data used for encryption and decryption of the program;
First encrypted data transmitting means for transmitting the encrypted data as the first encrypted data to the encryption device;
Second encrypted data transmitting means for transmitting the encrypted data to the control device as second encrypted data,
The encryption device is:
Storage means for storing the program;
Encrypted data receiving means for receiving the first encrypted data;
Encryption means for encrypting the program based on the first encrypted data to generate an encrypted program;
Transmitting means for transmitting the encryption program to the control device,
The controller is
Receiving means for receiving the encryption program transmitted from the encryption device and the second encryption data transmitted from the encryption data generation device;
Encrypted data storage means for storing the second encrypted data;
Decryption means for decrypting the encryption program based on the second encryption data;
Program storage means for storing the decrypted program;
And a control unit that controls the device based on a program stored in the program storage unit. The generation means generates an encryption key for encrypting the program and a decryption key for decrypting an encryption program generated by encryption using the encryption key,
The first encrypted data transmitting means transmits the encryption key to the encryption device;
The control system according to claim 1, wherein the second encrypted data transmission unit transmits the decryption key to the control device. The transmission means further transmits the first encrypted data to the control device in addition to the encryption program,
The control device confirms whether or not the encryption program is an encrypted program for controlling the device based on the first encryption data and the second encryption data. Further including
The control system according to claim 1, wherein the decryption unit decrypts the encryption program when the encryption program is an encrypted program for controlling the device. The first encrypted data includes an encryption key for encrypting the program,
The second encryption data includes a decryption key for decrypting an encryption program generated by encryption using the encryption key,
The control system according to claim 3, wherein the authentication unit determines that the encryption program is an encrypted program for controlling the device when the encryption key and the decryption key correspond to each other. . The generating means generates new encrypted data every predetermined time,
The first encrypted data transmission means transmits the newly generated encrypted data at the predetermined time as the first encrypted data to the encryption device,
2. The control according to claim 1, wherein the second encrypted data transmission unit transmits the newly generated encrypted data to the control device as the second encrypted data at each predetermined time. system. The controller is
Detection means for detecting switching of power on and off;
Based on the detection of the switching, further including a first request means for requesting the encryption apparatus to transmit a new encryption program;
The encryption apparatus further includes reception detection means for detecting that a request for transmission of a new encryption program has been received,
The transmission means transmits the new encryption program to the control device based on receiving the transmission request,
The control system according to claim 1, wherein the decryption unit decrypts the new encryption program. The control device further includes second request means for transmitting a new transmission request for the second encrypted data to the encrypted data generation device based on the detection of the switching,
The generation means generates new encrypted data based on receiving the transmission request for the second encrypted data,
The first encrypted data transmitting means transmits the newly generated encrypted data to the encryption device as the first encrypted data,
The control system according to claim 6, wherein the second encrypted data transmission unit transmits the newly generated encrypted data to the control device as the second encrypted data. A control method for controlling a system comprising a control device for controlling equipment,
The system
An encryption data generation device for generating encryption data used for encryption processing;
An encryption device that is connected to the encrypted data generation device via a communication line and encrypts a program for controlling the device;
A controller that is connected to the encrypted data generation device and the encryption device by the communication line and controls the device based on the program;
The control method is:
The encryption data generation device generates the encryption data used for encryption and decryption of the program; and
A first transmission step in which the encrypted data generation device transmits the encrypted data to the encryption device as first encrypted data;
A second transmission step in which the encrypted data generation device transmits the encrypted data to the control device as second encrypted data;
The encryption device loading the program;
A receiving step in which the encryption device receives the first encrypted data;
An encryption step in which the encryption device encrypts the program based on the first encryption data to generate an encryption program;
A transmitting step in which the encryption device transmits the encryption program to the control device;
A receiving step in which the control device receives the encryption program transmitted from the encryption device and the second encrypted data transmitted from the encryption data generation device;
An encryption data storage step in which the control device stores the second encryption data;
A decrypting step in which the control device decrypts the cipher program based on the second cipher data;
The control device storing the decrypted program;
A control method, wherein the control device includes a control step of controlling the device based on the stored program. The generating step generates an encryption key for encrypting the program and a decryption key for decrypting an encryption program generated by encryption using the encryption key,
The first transmission step transmits the encryption key to the encryption device;
The control method according to claim 8, wherein the second transmission step transmits the decryption key to the control device. The third transmission step further transmits the first encrypted data to the control device in addition to the encryption program,
The control method includes an authentication step of confirming whether or not the encryption program is an encrypted program for controlling the device based on the first encryption data and the second encryption data. Further including
9. The control method according to claim 8, wherein the decrypting step decrypts the encryption program when the encryption program is an encrypted program for controlling the device. The first encrypted data includes an encryption key for encrypting the program,
The second encryption data includes a decryption key for decrypting an encryption program generated by encryption using the encryption key,
The control method according to claim 10, wherein the authentication step determines that the encryption program is an encrypted program for controlling the device when the encryption key and the decryption key correspond to each other. . The generation step generates new encrypted data every predetermined time,
The first transmission step transmits the newly generated encrypted data to the encryption device as the first encrypted data every predetermined time,
The control method according to claim 8, wherein the second transmission step transmits the newly generated encrypted data to the control device as the second encrypted data at each predetermined time. A detection step in which the control device detects switching of power on and off;
The control device requesting the encryption device to transmit a new encryption program based on the detection of the switching;
Detecting that the encryption device has received a request for transmission of a new encryption program; and
The third transmission step transmits the new encryption program to the control device based on the reception of the transmission request,
The control method according to claim 8, wherein the decrypting step decrypts the new encryption program. Based on the detection of the switching, further comprising the step of the control device transmitting a new transmission request for the second encrypted data to the encrypted data generating device;
The generating step generates new encrypted data based on receiving the transmission request for the second encrypted data,
The first transmission step transmits the newly generated encrypted data to the encryption device as the first encrypted data,
The control method according to claim 13, wherein the second transmission step transmits the newly generated encrypted data to the control device as the second encrypted data.

Images