JP2013246531A - Control device and control method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a control device capable of monitoring behavior of internal elements such as I/O by detecting abnormal operation caused from unauthorized injection of control program or unauthorized remote operation.SOLUTION: An abnormality detection section 6 of a control device 1 inputs learning access event 111 including control signal data constituted of plural digit bits in normal operation state using a learning mode, develops frequency of changes at each bit position in the learning access event 111 to create a conversion rule 62 and rearranges the plural digit bits in the order of smaller frequency of changes from the upper bit. When a new access events 11 is input in a diagnosis mode, the abnormality detection section 6 converts the control signal data using the created conversion rule 62 to detect any change of the frequency at a small bit position in the upper bit; to thereby detect a deviation of the new access events 11 from predetermined normal operation.

Description

  The present invention relates to a control device and a control method capable of monitoring an internal behavior of control of a plant facility or the like and detecting an abnormal operation.

  In a control system used for control of plant equipment, etc., it outputs command values that cause the control device to cause dangerous operations to the plant by improper control program injection or unauthorized remote operation, and important control information In order to prevent leakage, it is required to monitor the behavior of the control device and take appropriate action when an abnormality is detected.

  However, in these control devices, security technology such as anti-virus software used in computers for information processing is difficult to apply due to time restrictions on execution of control operations and restrictions on processing capabilities. There are many.

  In Patent Document 1, out of an abnormality detection method for detecting an abnormality of a plant or equipment at an early stage, data is acquired from a plurality of sensors, and a trajectory of a data space is divided into a plurality of clusters based on temporal changes in the data. However, an abnormality detection method is disclosed in which the divided cluster group is modeled by a subspace method and an outlier is calculated as an abnormality candidate.

JP 2010-92355 A

  When applying the abnormality detection method using statistical analysis to the behavior monitoring of the control device, the internal elements such as CPU (Central Processing Unit) and I / O (Input / Output) that constitute the control device are monitored. It is necessary to determine whether or not the feature values of the action events that occur with these actions are included in a set of preset normal action ranges. At this time, depending on the internal elements to be monitored, it may be difficult to define the set of normal operating ranges.

  First, as an example of the case where the normal operation range is easily defined, consider a case in which the opening of a valve that determines the feed rate of a raw material is controlled using an I / O called analog I / O in a chemical plant.

  As shown in FIG. 2A, by writing a 16-bit setting value from the CPU to the analog I / O setting value register, a command signal corresponding to the setting value (for example, a current signal of 4 mA to 20 mA). Is sent to the valve and the opening of the valve is set. There is a one-to-one correspondence between the set value written to the analog I / O and the valve opening, and when the set value is increased, the valve opening increases (or decreases) accordingly. ing. Therefore, as shown in FIG. 2 (b), if the appropriate opening range of the valve when the plant is in a steady state is obtained from the operating conditions of the plant, for example, an analog I / The set value for O can also be defined within a certain continuous range of the entire range of 0x0000 (0) to 0xffff (65535) that can be expressed in 16 bits.

  On the other hand, as an example in which it is difficult to define the normal operation range, consider a case where the processing machine is controlled by an I / O called a digital I / O.

  As shown in FIG. 3A, it is assumed that the digital I / O has 16 contacts, and the drive unit of the processing machine is connected to each contact. By writing a 16-bit set value from the CPU to the set value register, the ON / OFF state corresponding to the bit pattern is set for each contact, and the drive unit connected to each contact is activated.

  In other words, at this time, since the set value written to the register is read as the binary number of the contact ON / OFF pattern, the amount of change in the set value when the ON / OFF of each contact is switched is As shown in FIG. 3B, the weight corresponds to the bit position.

  That is, when the respective contacts are sequentially turned on / off in accordance with time, as shown in FIG. 3C, the change in the set value becomes discontinuous, and the distribution of the set value is also expressed by 16 bits. It becomes a form which is scattered in the range of 0x0000 to 0xffff. In addition, as described above, the set value is the contact state read as a numerical value, and it is meaningless to define a magnitude relationship between the set values, so a certain range should be set for the set value. It is difficult to define normal operation with.

  In addition to the above example, it may be assumed that it is difficult to define normal operation when the feature value falls within a certain range in accessing a register, a memory, or the like. In these cases, it is difficult to detect anomalies simply by applying the prior art described above.

  The present invention is an invention for solving the above-mentioned problems, and it is possible to monitor the behavior of the internal elements of the control device in order to detect an abnormal operation caused by an intrusion of an unauthorized control program or an unauthorized remote operation. It is an object to provide a control device and a control method.

  In order to achieve the above object, the control device of the present invention includes an event collection unit (for example, event collection / selection unit 10) that collects an access event including control signal data composed of a plurality of digits, A feature value extraction unit that extracts feature values that are control signal data from, a change frequency aggregation unit that aggregates the change frequency of each bit position for the extracted feature values, and a change in each bit position recorded by the change frequency aggregation unit Based on the frequency, when receiving a feature value from the conversion rule generating unit that generates a conversion rule for rearranging each bit in order of decreasing change frequency and the feature value extracting unit, the received based on the conversion rule The feature value conversion unit that converts the value of each bit position in the feature value is compared with the converted feature value and a preset value range, and the converted feature value is deviated from the range And having a determination unit (for example, a normal range determination unit 70) for notifying the management terminal that an abnormality has occurred, and controlling the equipment with an abnormality detection unit for detecting an abnormality of the control signal It is characterized by.

  According to the present invention, it is possible to monitor the behavior of the internal elements of the control device in order to detect an abnormal operation caused by an intrusion of an unauthorized control program or an unauthorized remote operation.

It is a figure which shows the control apparatus which concerns on embodiment of this invention. It is a figure which shows the relationship between the setting value in an analog I / O, and a normal operation range. It is a figure which shows the relationship between the setting value in a digital I / O, and a normal operation range. It is a figure which shows the structure of a change frequency totalization part. It is a figure which shows the concept of a conversion rule. It is a figure which shows the structure of a conversion rule. It is a figure which shows the structure of a feature value conversion part. It is a figure which shows the effect of a conversion rule.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
<Configuration and function of each part>
FIG. 1 is a diagram illustrating a control device according to an embodiment of the present invention, FIG. 1 (a) is a diagram illustrating an overall configuration of the control device, and FIG. 1 (b) is a functional configuration of an abnormality detection unit. FIG. The control device 1 executes input / output of control signals to and from the memory 2 that stores the control program and various information necessary for executing the control program (both not shown), the CPU 3 that executes the control program, and the plant equipment 7. A system bus 5 that connects the I / O 4, the memory 2, the CPU 3, and the I / O 4 to each other, and an abnormality detection unit 6 that detects an abnormality in an access operation to the memory 2, the CPU 3, and the I / O 4.

  The abnormality detection unit 6 includes a memory 6M that stores a program of the abnormality detection unit 6, a CPU 6C that executes a program in the memory 6M, and an interface 6I of the abnormality detection unit 6. The memory 6M, CPU 6C, and interface 6I are connected by a bus 6B. The memory 6M includes an event collection / selection unit 10 shown in FIG. 1B, an attribute identification unit 20, a feature value extraction unit 30, a change frequency totaling unit 40, a conversion rule generation unit 50, and a feature value conversion. The unit 60, the program of the normal range determination unit 70, and the information that is the conversion rule set 61 are stored.

  Examples of the control system targeted in this embodiment include a railroad control system and a power control system in addition to the plant facility control system. Systems that support social infrastructure such as railways and electric power are systems that cannot be stopped and require high reliability. In addition, old and new device groups are mixed due to function expansion over many years, and some aging devices have old hardware and software architectures that operate with no performance margin. For this reason, it is preferable to use the CPU 6C separately from the original CPU 3 of the control device 1 and operate the abnormality detection unit 6 without imposing a burden on the existing control device 1.

The function and configuration of each unit shown in FIG. 1B and the data flow between the units will be described below.
The event collection / selection unit 10 collects access events 11 from the CPU 3 to the I / O 4. The access event 11 is an event for instructing access to the access destination address. The access event 11 is a series of signals sent and received in the access operation from the CPU 3 to the I / O 4 and includes at least the access destination address of the I / O 4, the type of read / write, the data to be written, or the read data. . As a method of collecting the access event 11, it may be acquired directly from the I / O 4 as shown in FIG. 3, or may be acquired by monitoring what is sent from the CPU 3 onto the system bus 5.

  Access attribute information 21 is extracted from the acquired access event 11 by the attribute identification unit 20. The access attribute information 21 includes, for example, the access destination address in the access event 11 and the type of read / write. The event collection / selection unit 10 determines whether or not the access event 11 acquired based on the access attribute information 21 is accepted, and sends it to the subsequent feature value extraction unit 30 only when it is adopted. Specifically, for example, it is determined that a read access (ie, input from plant equipment) event from the CPU 3 to the I / O 4 is not adopted because it has a small influence from the viewpoint of normal operation of the control device 1. Further, this determination criterion may be determined based on a balance between the occurrence frequency of the access event 11 and the processing capability of the abnormality detection unit 6.

  The feature value extraction unit 30 extracts a feature value 31 from the access event 11. The feature value 31 is defined in advance so as to indicate, for example, write data in a write access (ie, output to the plant equipment) event from the CPU 3 to the I / O 4.

  The change frequency totaling unit 40 takes the difference for each bit position by exclusive OR with the previously acquired feature value for the acquired feature value 31, and the bit position where the feature value 31 and the previous feature value have changed Is identified. A specific description will be given with reference to FIG.

  FIG. 4 is a diagram illustrating a configuration of the change frequency counting unit. The change frequency totaling unit 40 calculates the difference between the acquired feature values 31 for each bit position by exclusive OR (the circled + symbol in the drawing) with the previously acquired feature value 401. The bit position that has changed between 31 and the feature value 401 acquired last time is specified. Note that “D” in the figure means that the output is delayed until the next feature value is acquired (Delay). The change frequency counting unit 402 includes counters having the same number as the number of bits of the input feature value. In the above procedure, the counter value corresponding to the bit position that has changed between the feature values is added by one. With the above configuration, the change frequency 41 of each bit position in the feature value 31 is recorded.

  Returning to FIG. 1, the conversion rule generation unit 50 refers to the change frequency 41 of each bit position recorded in the change frequency counting unit 402 (see FIG. 4), and converts the bits so that the bits are rearranged in ascending order of the change frequency. A rule 62 is generated. Specifically, this will be described with reference to FIG.

  FIG. 5 is a diagram showing the concept of the conversion rule. As illustrated in FIG. 5, in a feature value 31 having a 16-bit size, the change frequency of bit 15 is 100 times, the change frequency of bit 11 is 5 times, and the change frequencies of other bits are all 20 times. , Bit 15 in the converted feature value bit 0 and bit 11 are similarly bit 15, and a conversion rule 62 (see FIG. 6) is generated in which the other bits are rearranged from bit 14 to bit 1, respectively.

  In addition, when there are a plurality of bit positions having the same frequency of change in the feature value, it may be determined according to a separately set rule how the bits are arranged in the bit positions after rearrangement. Access attribute information 21 (see FIG. 1B) corresponding to the input feature value 31 is added to the generated conversion rule, and in particular, access destination address information is added and stored in the conversion rule set 61. The contents of the conversion rule 62 exemplified above are shown in FIG.

  FIG. 6 is a diagram showing the configuration of the conversion rule. The conversion rule 62 includes an access destination address, a pre-conversion bit position, and a post-conversion bit position. Access attribute information 21 is stored in the access destination address. For example, when the pre-conversion bit position is 15, the post-conversion bit position is 0, and when the pre-conversion bit position is 14, the post-conversion bit position is 14. Similarly, when the bit position before conversion is 0, the bit position after conversion is 1. Although the example shown in FIG. 6 is an example, the conversion rule 62 is defined for each access destination address because the frequency of use of each bit differs depending on the access destination address.

  Returning to FIG. 1, the extracted feature value 31 is converted by the feature value conversion unit 60 according to the conversion rule 62. The configuration of the feature value conversion unit 60 is shown in FIG.

  FIG. 7 is a diagram illustrating a configuration of the feature value conversion unit. The input buffer 601 of the feature value conversion unit 60 receives the feature value 31, decomposes it into bits, and inputs it to the bit array conversion unit 602. The bit array conversion unit 602 rearranges the value of each bit position in the input feature value to another bit position according to the conversion rule 62. The operation can be configured by a circuit such as a crossbar switch or by software. The rearranged bits are input to the output buffer 603, gathered again, and output as the converted feature value 63. By the operation of the feature value conversion unit 60, the conversion rule 62 is applied to the original feature value 31, in which a bit with a high change frequency is placed in a lower bit and a bit with a low change frequency is placed in an upper bit.

  FIG. 8 is a diagram illustrating the effect of the conversion rule. FIG. 8A is a diagram showing the characteristics of the conversion rule, FIG. 8B is an example of time-series data of the feature value 31 before conversion, and FIG. 8C is an example of the feature value 63 after conversion. It is an example of time series data.

  FIG. 8A shows that the feature value 31 is converted to the feature value 63 by the conversion rule 62 (see FIG. 6) as described above. The conversion rule 62 (see FIG. 1) is defined for each access destination address because the frequency of how each bit is used differs depending on the access destination address. That is, the lower bits shown in FIG. 8A have a smaller weight for the change, and the upper bits have a larger weight for the change.

  In the present embodiment, by using the conversion rule 62, as shown in FIG. 8C, the fluctuation range due to the component having a large change frequency is compressed, and the distribution of the feature values 31 is limited to a narrow range, thereby operating normally. It has the effect of facilitating the definition of

  Here, the change frequency of the feature value 31 at each bit position does not itself constitute a normal operation range, but the degree to which the relationship between the change in the value at each bit position and the deviation from the normal operation range is evaluated to what extent. It is for prescribing what to do.

  In the present embodiment, feature value data is converted according to a conversion rule in which each bit, which is a feature value of digital I / O, is rearranged from an upper bit in ascending order of change frequency. In other words, it is because a bit having a high conversion frequency takes into account that even if the value is rewritten illegally, there is little influence on the plant.

  Returning to FIG. 1, the normal range determination unit 70 compares the converted feature value 63 with a preset upper and / or lower threshold value of the normal range, and the converted feature value 63 deviates from the threshold value. If it is, an alarm 71 is generated.

<Overall operation>
Next, the operation of the abnormality detection unit 6 will be described with reference to FIG.
The abnormality detection unit 6 according to the present embodiment has a learning mode (generation of a conversion rule) for setting a normal operation range in advance, and whether its own operation is within the normal operation range while actually executing the control program. It has two operation modes called a diagnosis mode for diagnosing whether or not. Whether to operate the control device 1 in these modes may be set by a switch or the like provided in the main body of the control device 1 or may be set by using an electrical signal or communication from an external management terminal or the like. Good.

  In the learning mode, the event collection / selection unit 10 sequentially reads the access events 11 in the normal operation state. The event collection / selection unit 10 actually operates the control program as an access event 11 in an environment where the control device 1 has been confirmed to normally operate in advance, and is sent from the CPU 3 to the I / O 4. 11 may be collected, or an externally generated learning access event 111 indicated by a dashed arrow may be read.

  The read access event 11 is input to the feature value extraction unit 30, and the extracted feature value 31 is controlled to be input to the change frequency totaling unit 40. As described with reference to FIG. 4, the change frequency totaling unit 40 counts the change frequency 41 (change frequency of each bit position) of each bit position of the access event 11, and the conversion used by the feature value conversion unit 60 based on these counts. A rule 62 is generated by the conversion rule generation unit 50.

  When the conversion rules 62 having a predetermined number of patterns are accumulated in the conversion rule set 61, the reading of the access event 11 is terminated and the process shifts to the diagnosis mode. In the diagnosis mode, the control device 1 is placed in an actual operating environment and an actual control program is executed. The event collection / selection unit 10 is controlled to use an access event 11 sent from the CPU 3 to the I / O 4.

  The feature value 31 output from the feature value extraction unit 30 is controlled to be input to the feature value conversion unit 60. The feature value conversion unit 60 converts the feature value 31 according to the conversion rules 62 accumulated in the learning mode, obtains a converted feature value 63, and the normal range determination unit 70 detects a deviation from the normal operation range.

  With the configuration and operation described above, since a bit whose change frequency is low in the feature value of the learning access event 111 is arranged in the upper bit by the conversion rule 62, the change of the access event 11 at the bit position is Appears as a large change in value. As a result, when the normal range determination unit 70 deviates from a predetermined threshold value, it is detected as an abnormal operation of the control device 1 and an alarm 71 is generated and notified to, for example, the management terminal.

  In the learning mode, the abnormality detection unit 6 of the control device 1 according to the present embodiment inputs a learning access event 111 including control signal data composed of a plurality of digits in a normal operation state. A conversion rule 62 is created in which the change frequency of each bit position is derived and rearranged from the higher bit in ascending order of change frequency. When a new access event 11 is input in the diagnosis mode, the abnormality detection unit 6 converts the control signal data using the created conversion rule 62 and detects a change in a bit position with a low change frequency, which is a higher bit. By doing so, it is possible to detect that the new access event 11 deviates from a predetermined normal operation.

  That is, a bit position with a low change frequency in the access event 11 in the normal operation state input as learning data is considered to have a large influence on the plant equipment when the access event 11 changes at the bit position, and the production operation is started. The change in the bit position is greatly evaluated when determining whether the new access event 11 input in the state deviates from the normal operation. Thereby, even when the normal operation of the access event 11 cannot be defined within a simple feature value range, the abnormal operation of the control device 1 can be easily detected.

  In addition, the abnormality detection unit 6 of the control device 1 detects that the new access event 11 is abnormal by detecting a change in the position of a bit with a small change frequency that is an upper bit of the converted feature value 63. be able to.

  In addition, the abnormality detection unit 6 of the control device 1 causes the access event when the change frequency, which is the lower bit of the converted feature value 63, does not change for a predetermined period at a bit position that is equal to or higher than the predetermined frequency It can be detected that 11 is abnormal.

  That is, the bit position that should be constantly changed in the access event 11 in the normal operation state is specified, and whether the change in the bit position is stopped in the new access event 11 input in the actual operation state is also taken into consideration. Deviation determination is performed. Thereby, it becomes possible to easily detect the abnormal mode in which the internal element that should always change in the control device 1 stops.

  In addition, this invention is not limited to above-described embodiment, Various modifications are included. For example, the above-described embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to one having all the configurations described.

1 control device 2 memory 3 CPU
4 I / O
5 System bus 6 Abnormality detection unit 6C CPU
6M memory 6I interface 10 Event collection / selection unit (event collection unit)
DESCRIPTION OF SYMBOLS 11 Access event 20 Attribute identification part 21 Access attribute information 30 Feature value extraction part 31 Feature value 40 Change frequency total part 41 Change frequency of each bit position (change frequency of each bit position)
50 conversion rule generation unit 60 feature value conversion unit 61 conversion rule set 62 conversion rule 70 normal range determination unit (determination unit)
71 Alarm 111 Access event for learning

Claims (10)

An event collection unit that collects access events including control signal data composed of multiple digits of bits;
A feature value extraction unit that extracts a feature value that is the control signal data from the access event;
A change frequency totaling unit that counts the change frequency of each bit position for the extracted feature value;
A conversion rule generation unit that generates a conversion rule for rearranging the bits in ascending order of the change frequency based on the change frequency of the bit positions recorded by the change frequency totaling unit;
A feature value conversion unit that converts the value of each bit position in the received feature value based on the conversion rule when the feature value is received from the feature value extraction unit;
A determination unit that compares the converted feature value with a preset range of values and notifies the management terminal that the converted feature value is abnormal when the converted feature value deviates from the range; And a control device comprising an abnormality detection unit for detecting an abnormality of the control signal to control the facility. The control apparatus according to claim 1, wherein the abnormality detection unit performs processing by a CPU independent of a CPU of the control apparatus. The abnormality detection unit detects that the access event is abnormal by detecting a change in a position of the bit with a small change frequency that is an upper bit of the converted characteristic value. Item 2. The control device according to Item 1. The abnormality detection unit indicates that the access event is abnormal when the change frequency, which is a lower bit of the converted feature value, has not changed for a predetermined period at a bit position that is equal to or higher than a predetermined frequency. The control device according to claim 1, wherein the control device is detected. The abnormality detection unit has a learning mode for generating the conversion rule and a diagnosis mode for diagnosing whether the operation of the control program itself is within a normal operation range while executing the control program of the equipment. The control device according to claim 1. The abnormality detector of the control device that controls the equipment
Collecting access events including control signal data composed of multiple-digit bits, extracting feature values as the control signal data from the access events, and summing up the frequency of change of each bit position for the extracted feature values When the feature value is received after generating a conversion rule for rearranging each bit based on the change frequency of each bit position in ascending order of the change frequency, the conversion rule is used based on the conversion rule. When the value of each bit position in the received feature value is converted, the converted feature value is compared with a preset value range, and the converted feature value deviates from the range A control method characterized by notifying the management terminal of an abnormality. The control method according to claim 6, wherein the abnormality detection unit performs processing by a CPU independent of a CPU of the control device. The abnormality detection unit detects that the access event is abnormal by detecting a change in a position of the bit with a small change frequency that is an upper bit of the converted characteristic value. Item 7. The control method according to Item 6. The abnormality detection unit indicates that the access event is abnormal when the change frequency, which is a lower bit of the converted feature value, has not changed for a predetermined period at a bit position that is equal to or higher than a predetermined frequency. It detects. The control device according to claim 6 characterized by things. The abnormality detection unit has a learning mode for generating the conversion rule and a diagnosis mode for diagnosing whether the operation of the control program itself is within a normal operation range while executing the control program of the equipment. The control method according to claim 6.

Images