JP2015201021A - Access controller - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an access controller capable of improving security performance without largely changing or version-up of an existing control system.SOLUTION: The access controller includes: a protocol analysis section 11 that analyzes an access protocol to extract an operation object and a piece of information relevant to the operation; a user authentication section 12 that identifies a user on the basis of a piece of user information and an authentication data; and an access control section 14 that determines whether or not the identified user has the authority to operate an operation object on the basis of the information relevant to the extracted operation object and the operation and the access control data, and when the user has the authority, permits the access, and when the user does not have the authority, does not permit the access.

Description

  The present invention relates to a technology for controlling access to a control system.

  In recent years, cybersecurity threats to control systems that support social infrastructure are increasing. Therefore, in order to ensure the security of the control system, a security standard for the control system such as IEC62443 has been established, and products compliant with the standard have been provided. A control system in which security measures are taken using such a product is also being constructed (Patent Document 1).

JP 2011-100443 A

  In order to adapt an existing control system to the above-mentioned security standard, it is indispensable to update an engineering terminal or a programmable controller in order to renew a particularly vulnerable protocol. For this reason, it takes a lot of time and man-hours to cope with the security of the existing control system, and there is a problem that the countermeasures are not easily advanced.

  Therefore, there is a need for a technique that can improve security performance by adding a few devices without significantly changing or upgrading an existing control system.

  The present invention has been made to solve the above-described problems, and access that can improve the security performance by adding a few configurations without significantly changing or upgrading the existing control system. An object is to provide a control device.

  An access control apparatus according to an aspect of the present invention is an access control apparatus that controls access from a user to a control system, and an access protocol for the access includes at least one operation object in the control system, and Information on at least one operation on the operation target is included, a protocol analysis unit that analyzes the access protocol input from the user and extracts information on the operation target and the operation, and input from the user In addition, a reception unit that receives user information that is information for specifying the user who performs the access, an authentication database that stores authentication data that specifies the user corresponding to the user information, and each of the control systems About the operation target The user based on the access control database storing access control data for identifying a user who has the authority to perform the operation on the operation target, and the user information and the authentication data received by the reception unit. The user identified by the user authenticating unit based on the access object and the operation object extracted by the protocol analyzing unit and the access control data. It is determined whether or not the user has the authority to perform the operation on the operation object extracted in the section, and if the user has the authority, the access is permitted and the user who does not have the authority And an access control unit that does not permit the access Provided.

  According to the above aspect of the present invention, it is possible to improve the security performance by adding only a few components without significantly changing or upgrading the existing control system.

  The objects, features, aspects and advantages of the present invention will become more apparent from the following detailed description and the accompanying drawings.

It is a figure which shows notionally the structure of the control system regarding embodiment, an access control apparatus, and an engineering terminal. It is a figure which shows notionally the structure of the control system regarding embodiment, an access control apparatus, and an engineering terminal. It is a figure which shows notionally the structure of the control system regarding embodiment, an access control apparatus, and an engineering terminal. It is a figure which illustrates the hardware constitutions of the control system, access control apparatus, and engineering terminal regarding an embodiment.

  Hereinafter, embodiments will be described with reference to the accompanying drawings. In the following description, the same components are denoted by the same reference numerals, and the names and functions thereof are also the same. Therefore, the detailed description about them may be omitted.

<First Embodiment>
<Configuration>
FIG. 1 is a diagram conceptually illustrating the configuration of a control system, a security gateway as an access control device, and an engineering terminal according to the present embodiment.

  The control system includes a plant bus 22, a programmable controller 23, and an operator station 24.

  The plant bus 22 is a network that connects a control device or a console in a factory or a plant, and communicates information for monitoring or controlling the plant operation status. The plant bus is superior in real time, availability, and fault tolerance as compared to a general network.

  The programmable controller 23 is a device that controls the operation of the facility or the machine in accordance with the order or conditions defined by the program. It is also possible to control the position, speed or continuous amount, and to exchange information between devices. Also called a programmable logic controller.

  The operator station 24 is a monitoring control terminal for a plant operator to monitor the plant state and operate the control equipment.

  The engineering terminal 20 is a terminal at a remote location of the control system and has an operation screen 25. The engineering terminal 20 can access the programmable controller 23 and the operator station 24 of the control system from the operation screen 25 via the Internet 21 or the like.

  When connecting the Internet 21 and the control system, it is a common practice to improve the security of the control system by connecting via a firewall or an intrusion detection system. The security gateway 10 in this embodiment is used in combination with a firewall or an intrusion detection system, and is installed at a connection portion between the Internet 21 and the plant bus 22.

  Usually, the operation of the control system by the engineering terminal 20 includes a program 27 processed by the programmable controller 23, a parameter 28 such as system configuration or alarm setting, input / output of the control system or data 29 (tag data) such as an internal counter. Read and write.

  Particularly in the case of a control system, data is collected in a data structure called a “tag” for each measuring instrument or adjuster, and the operation of the control system by the engineering terminal 20 is generally performed in units of tags.

  The security gateway 10 as an access control device includes a protocol analysis unit 11, a user authentication unit 12, an authentication database 13, an access control unit 14, and an access control database 15. The authentication database 13 and the access control database 15 are configured by, for example, a hard disk or a memory.

  The protocol analysis unit 11 analyzes the access protocol to the control system input from the operation screen 25 by the user, and for which program 27, parameter 28, data 29, and tag data of any programmable controller 23 or operator station 24. , Information on what kind of operation (reading or writing, etc.) is performed is obtained. In other words, information about what operation object is accessed for what operation is obtained. Then, the protocol analysis unit 11 sends the analysis result to the access control unit 14 in order to inquire the access control unit 14 whether the access protocol can be passed through the control system.

  The access control unit 14 stores, in the access control database 15, data that defines in advance which data can be operated by which user, that is, operates each operation target in the control system. Access control data, which is data for specifying a user who has authority to perform, is referred to and whether or not the protocol can be passed is determined.

  As the protocol, a TCP / IP protocol is used on the Internet 21, and a protocol unique to the control system, for example, a protocol such as CC-Link or FLnet is stored in the payload portion. On the plant bus 22, the programmable controller 23 or the operator station 24 is accessed using a protocol specific to the control system.

  The protocol analysis unit 11 analyzes both the protocol on the Internet 21 and the plant bus 22, and in particular regarding the control protocol, analyzes what command or operation is performed on which instrument or control device. To do.

  However, access protocols to existing control systems often do not have user information. In that case, the access control unit 14 needs to separately obtain the user information regarding who is operating the operation screen 25.

  Therefore, the user authentication unit 12 displays an authentication dialog 26 on the engineering terminal 20 and inputs user information, specifically a user ID and password, for specifying a user who accesses the control system. Request. This user ID and password are registered in the authentication database 13 in advance.

  The input user ID (user name) and password are collated with the user ID and password registered in the authentication database 13 in the user authentication unit 12. The collation result is sent from the user authentication unit 12 to the access control unit 14 and used in the access control unit 14 to determine whether or not the protocol can pass.

  The user authentication unit 12 also manages an authentication validity period, which is an elapsed time from when authentication was successful. For example, management is performed by a method such as forcibly invalidating (forcibly logout) one hour after successful authentication (that is, after logging in to the control system), or invalidating when protocol passing stops for 10 minutes.

  In addition, the security standards stipulate security functions such as password length or strength (number of character types), number of retries at the time of authentication failure, and measures for failure (for example, lockout). The authentication unit 12 also performs these checks or controls. These security functions are described in, for example, IEC62443-4-2.

  The access control unit 14 refers to the operation object and information regarding the operation extracted by the protocol analysis unit 11 and the access control data. And the access control part 14 determines whether the user specified in the user authentication part 12 is a user who has the authority to perform operation with respect to the extracted operation target object. The access control unit 14 permits access when the user is an authorized user, and does not permit access when the user is an unauthorized user.

  If the user has the authority to operate the extracted operation target, the protocol analysis unit 11 relays the protocol to the operation target programmable controller 23 or the operator station 24 according to the determination of the access control unit 14. On the other hand, if the user is not authorized to perform an operation on the extracted operation target, the protocol analysis unit 11 discards the protocol according to the determination of the access control unit 14. Then, the protocol analysis unit 11 returns a protocol error signal to the engineering terminal 20.

  The authentication database 13 and the access control database 15 of the security gateway 10 are set by a dedicated setting tool. In order to avoid a security risk, the dedicated setting tool is not mounted on the remote engineering terminal 20 and can be operated only from the control system.

  According to the present invention, a security gateway that manages access control to a protection target required by a security standard, that is, a program, parameter, data, and actuator of a programmable controller is installed between an engineering terminal and a control system. When the engineering terminal operates the protection target in the control system, it is determined whether or not the user has the authority to access the target (operation authority), and whether or not the protocol can be passed is determined.

  Also, access protocols for existing control systems often do not have user information. Therefore, the security gateway displays a dialog (authentication dialog 26) for performing additional authentication regarding user information on the engineering terminal, and performs user authentication. The security gateway analyzes the user information input from the engineering terminal, performs additional user authentication if necessary, and determines whether the user can access (operate) the target.

  As described above, the security gateway collectively determines whether or not each user can perform operations that are required by the security standard. By simply adding a security gateway to an existing control system, security that conforms to the standard can be obtained. A control system having a function can be obtained.

  Here, FIG. 4 illustrates a hardware configuration of the control system, security gateway, and engineering terminal shown in FIG.

  The computer terminal 120 corresponds to the engineering terminal 20 in FIG.

  The security gateway 110 corresponds to the security gateway 10 in FIG.

  The programmable controller 123 corresponds to the programmable controller 23 in FIG.

  The computer terminal 124 corresponds to the operator station 24 in FIG.

<Effect>
Below, the effect by this embodiment is illustrated.

  According to this embodiment, the access control device includes a protocol analysis unit 11, an authentication dialog 26 as a reception unit, an authentication database 13, an access control database 15, a user authentication unit 12, and an access control unit 14. Prepare.

  The protocol analysis unit 11 analyzes an access protocol input by a user and extracts information related to the operation target and operation. The access protocol for access includes information on at least one operation object in the control system and at least one operation on the operation object.

  In the authentication dialog 26, user information that is input from the user and is information for specifying the user who performs access is input.

  The authentication database 13 stores authentication data for specifying a user corresponding to the user information.

  The access control database 15 stores, for each operation target in the control system, access control data that identifies a user who has the authority to operate the operation target.

  The user authentication unit 12 specifies a user based on the user information and authentication data received in the authentication dialog 26.

  The access control unit 14 is an operation in which the user identified by the user authentication unit 12 is extracted by the protocol analysis unit 11 on the basis of the operation object and operation information extracted by the protocol analysis unit 11 and the access control data. It is determined whether or not the user is authorized to perform an operation on the object. If the user is authorized, access is permitted. If the authorized user is not authorized, access is not permitted.

  According to such a configuration, the security performance can be improved by adding a small number of security devices (access control devices) without significantly changing or upgrading the existing control system. Specifically, fine access control can be performed for each user, operation object, and operation. Even when the access protocol does not include user information, additional user authentication is performed, so it can be determined whether access is possible.

Second Embodiment
<Configuration>
In the following, the same components as those described in the above embodiment are denoted by the same reference numerals, and detailed description thereof will be omitted as appropriate.

  FIG. 2 is a diagram conceptually showing the configuration of the control system, security gateway, and engineering terminal according to this embodiment.

  The access control database 15a records a remote access operation from the outside in the protocol analysis unit 11. In particular, the time when a remote access operation is performed, the IP address of the engineering terminal 20 that performed the remote access operation, the name of the user who performed the remote access operation, the type of the input access protocol or command, and the operation target. Record the instrument or control device and whether access control is possible.

  By analyzing this record, attackers can be found or tracked in the control system. If the attacker does not have experience in operating the target control system, the attacker should make an illegal error such as a password entry failure or access to a non-existing control device in the remote access operation. By grasping these illegal errors, it is possible to know signs of attack or intrusion.

  The authentication database 13a keeps a record of user authentication related to remote access from outside in the authentication dialog 26. In particular, the time when the remote access operation was performed, the IP address of the engineering terminal 20 where the remote access operation was performed, the name of the user who performed the remote access operation, the input password, the input of the backspace, and the availability of the authentication result Record about.

  Even if an attacker tries to enter a password by impersonating another person, he / she is not used to it and often needs to make mistakes and start over. In that case, the user often enters a backspace or re-enters a password. By recording these input status and authentication result, it is possible to know the sign of impersonation.

  That is, the present embodiment aims to find an attack discovery or intrusion sign by recording the authentication status in the access control and user authentication of the first embodiment.

  The contents of these records can be confirmed from the engineering terminal 20 directly connected to the security gateway 10a or connected to the Internet. Alternatively, when an authentication error is detected, it is possible to notify the display unit of the security gateway 10a. Note that intrusion detection as a security measure is generally performed by an apparatus called an intrusion detection system (IDS), and in the present embodiment, the description up to the point of leaving a record of remote access and authentication provided to the IDS is described. .

<Effect>
Below, the effect by this embodiment is illustrated.

  According to the present embodiment, the access control database 15a also stores the access history from the user in the protocol analysis unit 11.

  According to such a configuration, an attacker can be found or tracked in the control system. Necessary measures can be taken by grasping the signs of attacks or intrusions.

  Further, according to the present embodiment, the authentication database 13a also stores the access history from the user in the authentication dialog 26.

  According to such a configuration, it becomes possible to discover or trace a person who impersonates another company and attempts to attack the control system. Necessary measures can be taken by grasping the signs of attacks or intrusions.

<Third Embodiment>
<Configuration>
In the following, the same components as those described in the above embodiment are denoted by the same reference numerals, and detailed description thereof will be omitted as appropriate.

  FIG. 3 is a diagram conceptually illustrating the configuration of the control system, the security gateway, and the engineering terminal according to the present embodiment.

  The tag data of the data 29b and the tag data in the programmable controller 23b and the operator station 24b shown in FIG. 3 is a data flag that means that the instrument or control device represented by the tag data is under maintenance. The flag is included.

  The billing flag is set not only for on-site maintenance but also when setting values in the tag data or the like by the operator station 24 or the engineering terminal 20 in order to avoid false alarms or operational errors. Is done. The rules for plant operation are defined so that only the maintenance operator can operate the instrument on the billing flag or the control device on the billing flag, and the setting operation to the corresponding device is not intended. Is avoided.

  However, the security threat from the engineering terminal 20 will also attack the billing instrument or the billing control device. Therefore, only authorized users can set the tagging flag in the tag data, and only the user who set the tagging flag writes the value and clears the tagging flag during tagging. General access control must be provided.

  In the access control database 15b, data specifying which user can tag which tag data, that is, for each adjustment target, specifying a user who has authority to perform adjustment operations on the adjustment target is registered in advance. Keep it. In response to the adjustment request protocol that is a tagging request protocol, the access control unit 14b obtains user information from the user authentication unit 12 and determines whether or not the user can tag the corresponding tag data. That is, the access control unit 14b has the authority for the user specified in the user authentication unit 12 to perform an adjustment operation on the adjustment target based on the information on the adjustment target extracted in the protocol analysis unit 11 and the access control data. It is determined whether or not the user has. The access control unit 14b returns an error to the request via the protocol analysis unit 11 if the corresponding tag data is already being tagged. If the corresponding tag data is not being tagged and the user is an authorized user, access is permitted. Even if the corresponding tag data is not being tagged, if the user is an unauthorized user, access is not permitted.

  If the billing request is permitted, who has set the billing flag in the corresponding tag data is recorded in the access control database 15b. Then, the access control unit 14 sends the billing request protocol to the programmable controller 23 via the protocol analysis unit 11.

  Similarly, when there is a tagging release request from the engineering terminal 20, the access control unit 14b makes a tagging release request with the tagging person of the corresponding tag data (the person who set the tagging flag in the tag data). To see if it matches the current user. The access control unit 14b returns an error via the protocol analysis unit 11 if they do not match (disallowed), and updates the access control database 15b if they match (allows), the protocol analysis unit 11 to send the corresponding protocol to the programmable controller 23.

  As described above, according to the third embodiment, only the addition of the security gateway 10b is performed for the control system in which the access control related to the billing flag setting operation of the instrument and the control device and the exclusive control to the tag data are not performed. Thus, it is possible to add access control related to the billing flag setting operation and exclusive control to the tag data.

  In addition, the control system has “tagging” information indicating that data and actuators are under maintenance, but it does not manage who is tagging. The security gateway manages the user information of the protocol that makes the billing request, and can rewrite the data being billed by anyone other than the billing user, so the access control required for security can be controlled by the control system. Can be added.

<Modification>
In the conventional control system, the tagging flag is basically set so that the field worker sets the tagging flag before the adjustment work, and the field worker releases the tagging flag after the adjustment work. However, there is a case where the work is prolonged and the worker is changed, or the operator confirms the completion of the work and cancels the billing flag from the central control room. If the site worker cannot set and cancel as per the principle, it is necessary to forcibly cancel the billing flag.

  Also, the setting operation of the bill-hanging flag is an operation that requires a sufficient measure from the viewpoint of security because the field worker directly operates the control device of the control system. For this reason, when the operator who requests the tagging cannot perform the tagging release operation for a certain period of time for some reason, that is, when the input of the adjustment termination protocol for ending the adjustment operation is not performed for a certain period of time. In addition, it is necessary for the control system administrator or security administrator to be able to forcibly perform the tagging release operation.

  Specifically, with the administrator authority, the corresponding billing flag recording in the access control database 15b is canceled, and the corresponding billing flag of the programmable controller 23 is released. The access control unit 14b permits the end operation with administrator authority. When the billing flag of the programmable controller 23 is canceled, the result is automatically notified to all the programmable controllers 23 and the operator station 24 of the control system. Further, the operator station 24 displays the contents on the screen so that the operator can confirm the cancellation of the bill.

  In this way, even if the billing worker is changed or the access to the billing work is interrupted, the billing can be forcibly released, so it is required without hindering the actual billing work. Security functions can be realized.

<Effect>
Below, the effect by this embodiment is illustrated.

  According to the present embodiment, the protocol analysis unit 11 analyzes the adjustment request protocol input from the user, and extracts information related to the adjustment target. Here, the adjustment request protocol for the adjustment operation of the control system includes information on at least one adjustment object in the control system.

  The access control database 15b stores, for each adjustment object in the control system, data that identifies a user who has authority to perform an adjustment operation on the adjustment object. The access control unit 14b is configured such that the user specified by the user authentication unit 12 is extracted by the protocol analysis unit 11 based on the information on the adjustment target extracted by the protocol analysis unit 11 and the access control data. It is determined whether or not the user has the authority to perform the adjustment operation on the user. If the user has the authority, access is permitted, and if the user has no authority, the access is not permitted.

  According to such a configuration, only the addition of the security gateway 10b can be applied to the control system in which the access control related to the billing flag setting operation of the instrument and the control device and the exclusive control to the tag data are not performed. Access control regarding flag setting operation and exclusive control to the tag data can be added.

  Further, according to the present embodiment, the access control unit 14b, when the adjustment end protocol for ending the adjustment operation corresponding to the adjustment operation is not input to the protocol analysis unit 11 for a certain period of time or more, Allow termination.

  According to such a configuration, even if the billing worker is changed or the access to the billing work is interrupted, the billing can be forcibly released, so that the actual billing work is not hindered. In addition, the required security function can be realized.

  The operation of each component described in the above embodiment can be performed in at least one processing circuit or electric circuit. The processing circuit and the electrical circuit include a programmed arithmetic processing unit. The processing circuit includes an integrated circuit (ASIC), or a conventional circuit element modified to realize the operation described in the above embodiment.

  The operation of each component described in the above embodiment is implemented by the above processing circuit or electric circuit operating according to a preset program. In addition, a program that realizes the action of each component is stored in a storage medium such as a hard disk or a memory.

  Further, the present invention may be a case (system) in which each component is provided dispersedly in a plurality of devices. For example, at least one of the authentication database 13 and the access control database 15 may be an external function unit. In that case, the functions of the access control device are performed as a whole by interacting with other functional units in the security gateway 10.

  In the above-described embodiment, the dimensions, shapes, relative arrangement relations, or implementation conditions of each component may be described. However, these are examples in all aspects, and the present invention has been described. It is not limited to things. Accordingly, countless variations that are not illustrated (including modifications or omissions of arbitrary components and free combinations between different embodiments) can be envisaged within the scope of the present invention.

  10, 10a, 10b, 110 Security gateway, 11 Protocol analysis unit, 12 User authentication unit, 13, 13a Authentication database, 14, 14b Access control unit, 15, 15a, 15b Access control database, 20 Engineering terminal, 21 Internet, 22 Plant bus, 23, 23b, 123 Programmable controller, 24, 24b Operator station, 25 Operation screen, 26 Authentication dialog, 27 Program, 28 Parameters, 29, 29b Data, 120, 124 Computer terminal.

Claims (6)

An access control device for controlling user access to the control system;
The access protocol for the access includes information on at least one operation object in the control system and at least one operation on the operation object,
A protocol analysis unit that analyzes the access protocol input from the user and extracts information about the operation target and the operation;
A reception unit that receives user information that is input from the user and is information for specifying the user performing the access;
An authentication database for storing authentication data for identifying the user corresponding to the user information;
For each of the operation objects in the control system, an access control database that stores access control data that identifies a user who has the authority to perform the operation on the operation object;
A user authentication unit that identifies the user based on the user information and the authentication data received by the reception unit;
Based on the operation object extracted in the protocol analysis unit, information related to the operation, and the access control data, the user specified in the user authentication unit is extracted from the operation target. It is determined whether or not the user has the authority to perform the operation on the object. An access control unit that is not permitted,
Access control device. The adjustment request protocol for the adjustment operation of the control system includes information on at least one adjustment object in the control system,
The protocol analysis unit analyzes the adjustment request protocol input from the user, extracts information on the adjustment target,
The access control database stores, for each of the adjustment objects in the control system, data specifying a user who has authority to perform the adjustment operation on the adjustment object,
The access control unit extracts the user specified in the user authentication unit based on the information on the adjustment target extracted in the protocol analysis unit and the access control data, in the protocol analysis unit. It is determined whether or not the user has the authority to perform the adjustment operation on the object to be adjusted. Does not allow the access,
The access control apparatus according to claim 1. The access control unit, when an adjustment termination protocol for ending the adjustment operation corresponding to the adjustment operation is not input to the protocol analysis unit for a predetermined time or more, permits the adjustment operation to be terminated by an administrator authority.
The access control apparatus according to claim 2. The access control database also stores access history from the user in the protocol analysis unit,
The access control apparatus according to any one of claims 1 to 3. The authentication database stores at least a user name and a password;
The access control apparatus according to any one of claims 1 to 4. The authentication database also stores an access history from the user in the reception unit.
The access control apparatus according to any one of claims 1 to 5.

Images