JP2017085250A - Plant security device and plant security system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a plant security device capable of blocking an encryption unit for encrypting data from an external network.SOLUTION: The plant security device includes: an encryption unit which encrypts and outputs data, acquired from a data storage unit, using a first cipher key, to output a first decryption key to be used to decrypt the encryption data which is encrypted using the first cipher key; a first transmission unit which transmits the first decryption key acquired from the encryption unit in a single direction; a second transmission unit which transmits the encryption data acquired from the encryption unit in a single direction.SELECTED DRAWING: Figure 1

Description

  Embodiments described herein relate generally to a plant security apparatus and a plant security system.

  Data stored in a data server installed in various industrial plants such as a power plant and a chemical plant is acquired from a terminal via an external network. In this case, in order to improve security, it is important to prevent data leakage in the data server and data leakage in the external network when transmitting data to the terminal.

  In general, user authentication, access authentication, data encryption, and the like are effective for countermeasures against such data leakage. FIG. 7 is a diagram illustrating a configuration example of the security device 10 used for countermeasures against such data leakage. As shown in FIG. 7, in the database 100, inspection data and user information are encrypted and registered by the interface unit 101. When a data request is received from a user of the terminal 102, user information and inspection data that are encrypted and registered in the database 100 are decrypted by the interface unit 101 as necessary. After user authentication is performed, the requested data is retrieved from the database 100. Then, the retrieved data is encrypted again and sent to the terminal 102.

  As described above, the data in the database 100 is encrypted, and the data is sent in an encrypted state. For this reason, data leakage in the database 100 and data leakage in the external network when data is transmitted to the terminal 102 are prevented.

JP 2003-178069 A JP 2003-242124 A

  However, the interface unit 101 can be accessed from an external network, and information may be leaked via the interface unit 101. An interface unit 101 having a decryption function also exists in the security device 10. For this reason, if the encryption key and the decryption key are leaked, the data can be decrypted in the security device 10, and more data leaks.

  Therefore, the embodiment of the present invention has been made in consideration of such points, and provides a plant security apparatus and a plant security system that can block an encryption unit that encrypts data from an external network. is there.

The plant security device according to the present embodiment is
The data acquired from the data storage unit is encrypted and output with the first encryption key, and the first decryption key used for decrypting the encrypted data encrypted with the first encryption key is output. An encryption unit;
A first transmission unit for transmitting the first decryption key acquired from the encryption unit in a single direction;
A second transmission unit for transmitting the encrypted data acquired from the encryption unit in a single direction;
It is characterized by providing.

The plant security system according to this embodiment is
A terminal having a plurality of pairs of encryption keys and corresponding decryption keys;
The data obtained from the data storage unit is encrypted and output with the first encryption key, and the first decryption key used for decrypting the encrypted data encrypted with the first encryption key is output. An encryption unit;
A first transmission unit for transmitting the first decryption key acquired from the encryption unit in a single direction;
A second transmission unit for transmitting the encrypted data acquired from the encryption unit in a single direction;
The first decryption key acquired via the first transmission unit is stored, and the second request acquired from the terminal when the terminal that requests acquisition of the first decryption key satisfies an authentication condition. A first authentication unit that encrypts the first decryption key with an encryption key and outputs the first decryption key to the terminal;
The encrypted data acquired via the second transmission unit is stored, and when the terminal that requests acquisition of the encrypted data satisfies an authentication condition, a third encryption key acquired from the terminal is used. A second security unit that encrypts the encrypted data and outputs the encrypted data to the terminal, and a plant security device,
With
The terminal is a terminal having a second decryption key for the second encryption key and a third decryption key for the third encryption key, and is encrypted with the second decryption key Decrypting the first decryption key, decrypting the encrypted data encrypted by the second authentication unit with the third decryption key, and further decrypting the encrypted data with the decrypted first decryption key; The data is acquired.

  It is possible to provide a plant security device and a plant security system that can block an encryption unit that encrypts data from an external network.

The block diagram which shows the structure of the plant security system which concerns on 1st Embodiment. The schematic diagram which shows the structure of a diode. The schematic diagram which shows the structure of the diode which can set a transmission path arbitrarily. The block diagram which shows the structure of an interception detection part. The figure which shows the flowchart explaining the flow of a process of the whole plant security system. The block diagram which shows the structure of the plant security system which concerns on 2nd Embodiment. The block diagram which shows the structure of the conventional security apparatus.

  Embodiments of the present invention will be described below with reference to the drawings. This embodiment does not limit the present invention.

(First embodiment)
The plant security apparatus according to the present embodiment connects a diode that transmits the first decryption key in a single direction to the encryption unit and a data diode that transmits encrypted data obtained by encrypting the data in a single direction. By doing so, the encryption unit is cut off from the external network. More details will be described below.

(Constitution)
Based on FIG. 1, the structure of the plant security system 1 which concerns on 1st Embodiment is demonstrated. FIG. 1 is a block diagram showing a configuration of a plant security system 1 according to the first embodiment. As shown in FIG. 1, a plant security system 1 according to the first embodiment according to the present embodiment includes a terminal 2, a plant security device 4, and a plant control monitoring device 6.

  The terminal 2 requests data in the plant via the external network. For example, the terminal 2 is a computer configured with two pairs of public key cryptography encryption keys and decryption keys.

  The plant security device 4 outputs the data in the plant to the terminal 2 in a state where it is blocked from the external network. That is, the plant security device 4 includes an encryption unit 42, a diode 44, a user authentication unit 46, a data diode 48, and a data server 50.

  The encryption unit 42 encrypts the data in the plant with the first encryption key and outputs the encrypted data as encrypted data. The encryption unit 42 also uses the first encryption key encrypted to decrypt the encrypted data encrypted with the first encryption key. Output the decryption key. The encryption unit 42 includes, for example, a public key cryptosystem encryption key and a decryption key, and is configured by a computer that encrypts data using the encryption key. This public key encryption method is a method for encrypting and decrypting data with a pair of keys of an encryption key and a decryption key. Information encrypted with an encryption key is difficult to decrypt unless it is a decryption key. Encryption methods include DH (Diffie-Hellman), RSA (Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm), and elliptical. A method such as curve cryptography (Elliptic Curve Cryptosystem) is applied. As the encryption method used in the encryption unit 42, a common key encryption method may be used. Here, for example, the encryption unit 42 encrypts and outputs the data in the plant with the first encryption key and outputs the first decryption key.

  One end of the diode 44 is connected to the encryption unit 42 and transmits the first decryption key in a single direction. The diode 44 is, for example, a unidirectional gateway, and restricts communication in only one direction to block intrusion from an external network. Although a detailed configuration will be described later, the diode 44 optically transmits information from a light emitting element such as an LD or LED via an optical fiber, and detects light by a light receiving element such as a PD or APD to acquire information. In this case, information can be transmitted from the light emitting element to the light receiving element, but information cannot be physically transmitted from the light receiving element to the light emitting element, so that information can be transmitted in a single direction. In the present embodiment, the diode 44 corresponds to the first transmission unit.

  The user authentication unit 46 stores the first decryption key acquired through the diode 44, and the terminal 2 that requests acquisition of the first decryption key satisfies the authentication condition and acquires the first decryption key acquired from the terminal 2. The first decryption key is encrypted with the encryption key 2 and output to the terminal 2. That is, the user authentication unit 46 authenticates the terminal 2 that requests acquisition of the first decryption key, and if it is valid, requests the terminal 2 for the second encryption key. Then, the first decryption key is encrypted with the second encryption key and transmitted to the terminal 2. The user authentication unit 46 is, for example, a computer. In the present embodiment, the user authentication unit 46 corresponds to the first authentication unit.

  The authentication here is a MAC (Media Access Control address) address, user ID, password, electronic signature, SSL (Secure Socket Layer) or TLS (Transport Layer Security), or a combination of some or all of these. Do that. Further, it is possible to further improve the security by attaching an electronic certificate of a certificate authority to the electronic signature. For example, after obtaining the hash value of the user ID and password at the terminal 2, it is encrypted with the encryption key and transmitted from the terminal 2 to the user authentication unit 46. Separately, the encryption key is transmitted to the user authentication unit 46 to obtain an electronic signature. Is possible. The user authentication unit 46 can confirm the electronic signature of the terminal 2 with the encryption key, and can further authenticate the terminal 2 with the user ID and password more reliably. MD5, SHA-1, or the like can be used as a hash function for obtaining a hash value.

  One end of the data diode 48 is connected to the encryption unit 42 and transmits the encrypted data encrypted by the encryption unit 42 using the first encryption key in a single direction. The data diode 48 is a unidirectional gateway that restricts communication in only one direction and blocks intrusion from an external network. The data diode 48 has the same structure as the diode 44. The data diode 48 here is configured by providing a light emitting element and a light receiving element in parallel. Therefore, large-capacity data transmission is possible. In the present embodiment, the data diode 48 corresponds to the second transmission unit.

  The data server 50 stores the encrypted data acquired via the data diode 48, and uses the third encryption key acquired from the terminal 2 when the terminal 2 requesting acquisition of the encrypted data satisfies the authentication condition. The encrypted data is encrypted and output to the terminal 2. That is, the data server 50 is a computer that performs storage of encrypted data, double encryption, authentication of the terminal 2 that requests access, and data transmission. After authenticating the terminal 2, the data server 50 double-encrypts the encrypted data with the encryption key transmitted from the terminal 2, and transmits the encrypted data. As with the user authentication unit 46, the terminal 2 is authenticated by a MAC (Media Access Control address) address, a user ID, a password, an electronic signature, an electronic signature with an electronic certificate, or a combination of one or all of these. To do. Furthermore, data tampering is verified by attaching a hash value of transmission data when data is transmitted from the data server 50 to the terminal 2. In the present embodiment, the data server 50 corresponds to the second authentication unit.

  The plant control monitoring device 6 includes a control monitoring unit 62 and a data storage unit 64. The plant control monitoring device 6 controls and monitors various industrial plants such as a power plant and a chemical plant.

  The control monitoring unit 62 monitors monitoring data used for controlling the plant and controls each device in the plant. For example, a power plant is composed of a boiler, a generator that generates electricity using steam generated by the boiler, and the like. In this case, the control monitoring unit 62 monitors monitoring data used for controlling the power plant and controls each device in the power plant. For example, the monitoring data includes data such as the amount of power generated by the generator, the cooling water temperature of the pump that supplies cooling water to the condenser, the condensate flow rate, and the feed water pump outlet pressure.

  The data storage unit 64 is configured by a data server, for example, and stores at least one of monitoring data used for control by the plant monitoring control device 6 and data related to the plant as plant data, that is, data in the plant. For example, these plant data are used for monitoring the plant by the external terminal 2, or are used for remote operation in an emergency. For this reason, in addition to safety, reliability, and economy, the importance of information security has been raised in the plant control monitoring device 6 in recent years. Security risks include DoS attacks (Denial of Service), unauthorized access and manipulation, data interception, leakage, tampering and destruction, and it is necessary to raise the security level.

  Thus, the diode 44 performs unidirectional transmission from the encryption unit 42 to the user authentication unit 46, that is, unidirectional transmission. The data diode 48 is one-way transmission from the encryption unit 42 to the data server 50. Therefore, the encryption unit 42 is completely isolated from the external network. The control monitoring unit 62 and the data storage unit 64 are connected to the encryption unit 2, and the encryption unit 2 is further connected to a diode 44 and a data diode 48. For this reason, when the encryption unit 2 is blocked from the external network, the control monitoring unit 62 and the data storage unit 64, that is, the plant control monitoring device 6 are also blocked from the external network.

  Next, the structure of the diode 44 will be described with reference to FIG. FIG. 2 is a schematic diagram showing the configuration of the diode 44. As shown in FIG. 2, the diode 44 modulates a carrier wave whose number of wavelengths and wavelength order are arbitrarily determined, and transmits information in one direction, that is, in a single direction. In other words, the transmission unit 440 and the demodulation unit 442 are provided. The transmission unit 440 modulates light including a plurality of wavelengths into a data carrier wave 444 and transmits it. The transmitter 440 uses a light source having a wavelength width and disperses information to be transmitted for each wavelength in time or space. In this case, the number and order of the wavelengths are set, and information is superimposed by performing digital modulation or analog modulation or both on each wavelength. Then, each wavelength is multiplexed in time or space and transmitted as a data carrier wave 444. The data carrier 444 in FIG. 2 is an example that is not multiplexed in space. Regarding the wavelength and modulation of the data carrier wave 444, the wavelength, modulation amount, or modulation method may be changed in units of information, or the wavelength, modulation amount, or modulation method may be changed in units of packets.

  The demodulator 442 receives and demodulates the data carrier wave 444 modulated according to a preset number of wavelengths and wavelength order. That is, when each wavelength of the data carrier wave 444 is multiplexed in time or space, the demodulation unit 442 disperses again for each wavelength in time or space. The data carrier 444 is received and demodulated for each wavelength, and information is acquired by restoring the values of the respective wavelengths in a preset order. As described above, when the diode 44 and the data diode 48 shown in FIG. 2 are used, light including a plurality of wavelengths is transmitted as the data carrier 444, and only by intercepting it, the used wavelength, the number of wavelengths, Information cannot be reproduced because the order is unknown. As a result, the encryption unit 42 is blocked from the external network, and data leakage from the data storage unit 64 connected to the encryption unit 42 can be prevented.

  Next, the structure of the diode 44 capable of arbitrarily setting the transmission path will be described with reference to FIG. FIG. 3 is a schematic diagram showing the configuration of the diode 44 whose transmission path can be arbitrarily set.

  As shown in FIG. 3, the diode 44 includes a demodulation unit 442 and a deflection unit 446. As described above, the demodulator 442 receives and demodulates the modulated data carrier 444.

The deflection unit 446 sets the modulation and propagation direction of the data carrier 444. Path between the demodulator 442 and the deflection unit 446 is set by the deflection member ₄₄₆ 1-446 ₉ data carrier 444. The deflecting members 446 _{1 to} 446 ₉ can be configured by deflecting elements such as a polarizing element combined with a mirror, a prism, a diffraction grating, and a wave plate. The deflection unit 446, after modulation to light sources such as LED or LD emits, change direction and angle of the deflecting member ₄₄₆ 1-446 _9, sets the direction of propagation of the data carrier 444. By making the data carrier 444 invisible light, it is possible to make the data carrier 444 more difficult to intercept. In the present embodiment, the deflection unit 446 corresponds to the transmission unit 440. As described above, when the diode 44 and the data diode 48 shown in FIG. 3 are used, there are a plurality of transmission paths, and if the data carrier 444 is invisible light and the transmission path changes in time, the interception cannot be performed. As a result, the encryption unit 42 is blocked from the external network, and data leakage from the data storage unit 64 connected to the encryption unit 42 can be prevented.

  Next, the intercept detection unit 72 will be described with reference to FIG. FIG. 4 is a block diagram illustrating a configuration of the intercept detection unit 72. As shown in FIG. 4, the intercept detection unit 72 includes a transmission unit characteristic measurement unit 722, a reception unit characteristic measurement unit 724, and an intercept determination unit 726. The characteristic measurement unit 722 of the transmission unit measures the characteristic of the data carrier at the time of transmission. The characteristic measurement unit 722 of the transmission unit can be configured with, for example, a wavelength meter, a power meter, a polarimeter, or the like that measures characteristics such as wavelength, intensity, and polarization.

  The reception unit characteristic measurement unit 724 measures the characteristic of the data carrier at the time of reception. The interception determination unit 726 detects a change during transmission / reception based on output signals from the characteristic measurement unit 522 of the transmission unit and the characteristic measurement unit 724 of the reception unit. That is, the interception determination unit 726 compares one of the measured characteristics, some combinations, or all combinations, and detects whether there is a change between the transmission and reception units. If the change amount is equal to or less than the set value, or the changed item is equal to or less than the set number, it is determined that there is no interception between the transmission and reception units. Thus, by providing the interception detection unit 72, the presence or absence of interception can be determined, and measures such as discarding data that has been intercepted or stopping data transmission can be taken.

(Function)
The overall process flow of the plant security system 1 will be described with reference to FIG. FIG. 5 is a diagram illustrating a flowchart for explaining the flow of processing of the entire plant security system 1. As shown in FIG. 5, first, the encryption unit 42 encrypts the plant data acquired from the data storage unit 64 with the first encryption key (step S100). Then, the plant data encrypted with the first encryption key is stored in the data server 50 through the data diode 48. On the other hand, the first decryption key paired with the first encryption key is stored in the user authentication unit 46 through the diode 44.

  Next, when the terminal 2 in the external network requests the first decryption key, the user authentication unit 46 authenticates the terminal 2 (step S102). First, the user authentication unit 46 acquires a second encryption key and an electronic certificate from the terminal 2. Then, the certificate authority is confirmed through the external network, and the terminal 2 is authenticated. When the second encryption key can be trusted, it is not necessary to confirm the electronic certificate. As for the certificate authority, a public certificate authority or a private certificate authority may be requested. When the certificate authority is an intermediate certificate authority, the validity of the intermediate certificate authority is also checked as appropriate.

  Subsequently, the user authentication unit 46 acquires the user ID and password encrypted with the second encryption key and the hash value of the user ID and password from the terminal 2. If necessary, the MAC address encrypted with the second encryption key and the hash value of the MAC address may be included. Then, the user ID and password are decrypted with the second decryption key corresponding to the second encryption key acquired first. Since the one encrypted with the encryption key can be decrypted only with the paired decryption key, the terminal 2 can be authenticated by this decryption. Next, the hash value of the user ID and password is calculated, and it can be confirmed that there is no falsification by confirming that it matches the hash value acquired from the terminal 2. Since the hash value corresponds to the digest of the data and becomes a data-specific value, it is used for confirmation of tampering. Subsequently, the user authentication unit 46 authenticates the terminal 2 more reliably by confirming that the user ID and password of the terminal 2 are registered. The MAC address may be added to the authentication item of the terminal 2 as necessary.

  Next, after authenticating the terminal 2, the user authentication unit 46 encrypts the stored first decryption key with the second encryption key transmitted from the terminal 2 and transmits it to the terminal 2 (step 104). . At the same time, the user authentication unit 46 encrypts the URL (Uniform Resource Locator) or IP address of the data server 50 with the second encryption key and transmits it to the terminal 2. Note that it is possible to further increase the security of the user authentication unit 46 by providing a firewall between the user authentication unit 46 and the external network to block other than the registered IP address.

  Next, when the terminal 2 in the external network requests plant data, the data server 50 authenticates the terminal 2 (step S106). The terminal 2 acquires the first decryption key and the URL or IP address of the data server 50 with the second decryption key, and requests plant data from the acquired URL or IP address to the data server 50. In response to this request, the data server 50 acquires a third encryption key and an electronic certificate from the terminal 2. Then, the third encryption key is confirmed with the certificate authority through the external network, and the terminal 2 is authenticated. When the third encryption key can be trusted, it is not necessary to confirm the electronic certificate. As for the certificate authority, the same certificate authority as the electronic certificate of the second encryption key may be requested, or a different certificate authority may be requested. When the certificate authority is an intermediate certificate authority, the validity of the intermediate certificate authority is also checked as appropriate. Note that a second encryption key and electronic certificate may be used instead of the third encryption key and electronic certificate.

  Further, the data server 50 obtains the user ID and password encrypted with the third encryption key and the hash value of the user ID and password from the terminal 2 and decrypts them with the third decryption key to further secure the terminal 2. And verifying that there is no falsification by comparing the acquired value of the hash value with the calculated value. If necessary, the MAC address encrypted with the third encryption key and the hash value of the MAC address may be included. And the data server 50 can authenticate the terminal 2 more reliably by confirming that the user ID and password of the terminal 2 are registered. The MAC address may be added to the authentication item of the terminal 2 as necessary.

  Next, after authenticating the terminal 2, the data server 50 further encrypts the stored encrypted plant data with the third encryption key transmitted from the terminal 2, and double-encrypted the plant. Data is transmitted to the terminal 2 (step 108).

  Next, the terminal 2 decrypts the double-encrypted plant data with a third decryption key owned in advance, and further decrypts with the first decryption key acquired first, thereby obtaining the target plant Data is obtained (step 110). The security of the data server 50 can be further enhanced by providing a firewall between the data server 50 and the external network to block other than the registered IP address. Further, by providing a gateway or proxy server between the data server 50 and the external network and making the IP address of the data server 50 a private address, the IP address of the data server 50 is changed every time the user authentication unit 46 transmits. The security of the data server 50 can be further increased.

  As described above, the encryption unit 42 outputs the first decryption key to the user authentication unit 46 via the diode 44, encrypts the data with the first encryption key, and transmits the data server 50 via the data diode 48. Output to. Subsequently, the user authentication unit 46 encrypts the first decryption key with the second encryption key and outputs it to the terminal 2 when the terminal 2 requesting acquisition of the first decryption key satisfies the authentication condition. . Subsequently, when the terminal 2 that requests acquisition of encrypted data satisfies the authentication condition, the data server 50 encrypts the encrypted data with the third encryption key and outputs the encrypted data. Then, the terminal 2 decrypts the first decryption key encrypted with the second decryption key, decrypts the encrypted data with the third decryption key, and further decrypts the encrypted data with the decrypted first decryption key. Decrypt and get the data.

(effect)
As described above, according to the plant security device 4 according to the present embodiment, the diode 44 that transmits the first decryption key in a single direction to the encryption unit 42 and the encrypted data obtained by encrypting the data are single. A data diode 48 transmitting in the direction is connected. Thereby, the encryption part 42 is interrupted | blocked from an external network, and the risk that information leaks outside via the encryption part 42 can be reduced more. The user authentication unit 46 encrypts the first decryption key acquired through the diode 44 with the second encryption key, and the data server 50 further converts the encrypted data acquired through the data diode 48 into the third The encryption key is encrypted and output to the terminal 2 through different paths. This can further reduce the risk of data leakage in the external network.

(Second Embodiment)
(Constitution)
Based on FIG. 6, the structure of the plant security system 1 which concerns on 2nd Embodiment is demonstrated. FIG. 6 is a block diagram illustrating the configuration of the measuring device plant security system 1 according to the second embodiment. In the plant security system 1, as shown in FIG. 6, the plant security apparatus 4 is further provided with a decryption key temporary storage unit 74, an opening / closing unit 76, and a position acquisition unit 78. It differs from the plant security system 1 which concerns. Hereinafter, a different part from 1st Embodiment mentioned above is demonstrated.

  The decryption key temporary storage unit 74 repeatedly holds and discards the first decryption key transmitted from the encryption unit 42 via the diode 44. The decryption key temporary storage unit 74 is composed of a volatile memory such as DRAM or SRAM, and repeatedly holds and discards the first decryption key at preset time intervals.

  Further, when an intercept is detected by the intercept detector 72, the first decryption key is discarded or the first decryption key is discarded by turning off the power. Furthermore, when an unexpected situation such as a disaster occurs, the first decryption key is discarded or the first decryption key is discarded by turning off the power. In this way, when interception is detected by the interception detection unit 72, the intercepted data can be discarded and data transmission can be stopped, and data leakage from the data server 50 can be prevented. Note that the decryption key temporary storage unit 74 can be configured by a non-volatile memory when the first decryption key can be securely discarded.

  The opening / closing unit 76 is connected between the data server 50 and the external network, and when receiving a request from the terminal 2, enables connection to the data server 50 when the terminal 2 is valid. That is, the opening / closing unit 76 authenticates the terminal 2 and enables access to the data server 50 only when the terminal 2 is valid. The open / close unit 76 includes a mechanical, optical, electrical or magnetic open / close circuit, an analog circuit or a digital circuit using electronic components, and is a data server at a command from the encryption unit 42 or at a preset time interval. It opens and closes between 50 and the external network.

  The position acquisition unit 78 acquires the position of the data server 50 and permits the data server 50 to transmit and receive data when the data server 50 is at a predetermined position. That is, the position acquisition unit 58 is connected to the data server 50, acquires the position of the data server 50 using electromagnetic waves or magnetism, and permits data transmission / reception of the data server 50 only when it is at a predetermined position. The position acquisition unit 58 detects the position with a sensor for electromagnetic waves such as light and radio waves, magnetism, and the like, and when the measured value exceeds the set value, the encrypted data obtained by encrypting the plant data of the data server 50 is discarded. It has become. For example, position measurement is performed using GPS (Global Positioning System) using radio waves from a satellite or radio waves from a mobile phone, and compared with a specified position. With GPS, the position can be specified in real time with an accuracy of several meters, and the change in position can be detected more reliably by using the change in the number of receivable satellites for determination. In the present embodiment, the position acquisition unit 58 corresponds to the permission unit.

(Function)
First, processing operations related to the decryption key temporary storage unit 74 will be described. The decryption key temporary storage unit 74 synchronizes with the output (transmission) of the encryption unit 42 and repeats holding and discarding the first decryption key for a preset time interval. Or according to the instruction | indication of the encryption part 42, holding | maintenance and destruction of a 1st decoding key are repeated. The ratio between the holding time of the first decryption key and the discarding time can be arbitrarily set, and is set before the processing operation is performed. Thereby, since the first decryption key does not exist at the discard time, the risk of leakage of the first decryption key can be further reduced.

  On the other hand, as described above, the user authentication unit 46 uses the second encryption key transmitted from the terminal 2 to encrypt the first decryption key held in the decryption key temporary storage unit 74 and sends it to the terminal 2. Send. At this time, when the decryption key of the decryption key temporary storage unit 74 is discarded, the user authentication unit 46 is kept waiting until it is held again.

  Next, processing operations related to the opening / closing unit 76 will be described. As described above, the terminal 2 requests plant data from the data server 50. At this time, the opening / closing unit 76 is in an open state in synchronization with the transmission of the encryption unit 42 and in accordance with a preset time or an instruction of the encryption unit 42. The opening / closing part 76 is in a closed state other than this. Since the data server 50 is always disconnected from the external network in the closed state by the open / close unit 76, the risk of leakage of encrypted data obtained by encrypting plant data can be further reduced.

  Next, processing operations related to the position acquisition unit 78 will be described. If the data server 50 is illegally taken out or moved, the position acquisition unit 78 detects a change in the position and discards the plant data of the data server 50. The position acquisition unit 78 permits data transmission / reception only when the data server 50 is in a predetermined position. If the data server 50 is illegally taken out or moved, the encrypted data in which the plant data is encrypted is discarded. Risk can be further reduced.

(effect)
As described above, according to the plant security apparatus 4 according to the present embodiment, the decryption key temporary storage unit 74 repeatedly holds and discards the first decryption key in accordance with a preset time interval or command. Thereby, since the time when the 1st decryption key does not exist arises, the risk that the 1st decryption key leaks can be reduced more. The opening / closing unit 76 repeats opening / closing between the data server 50 and the external network in accordance with a preset time or command. For this reason, since the data server 50 is always disconnected from the external network when the open / close unit 76 is in the closed state, the risk of data leakage can be further reduced. Furthermore, the position acquisition unit 78 detects illegal take-out or movement of the data server 50 and discards data held by the data server 50. Thereby, the risk of data leaking from the data server 50 can be further reduced. As a result, the risk of data leakage from the data storage unit 64 and the risk of data leakage in the external network during data transmission can be further reduced.

  Although several embodiments have been described above, these embodiments are presented as examples only and are not intended to limit the scope of the invention. The novel devices and systems described herein can be implemented in a variety of other forms. In addition, various omissions, substitutions, and changes can be made to the forms of the devices and systems described in the present specification without departing from the spirit of the invention. The appended claims and their equivalents are intended to include such forms and modifications as fall within the scope and spirit of the invention.

1: Plant security system, 2: Terminal, 4: Plant security device, 6: Plant control and monitoring device, 42: Encryption unit, 44: Diode, 46: User authentication unit, 48: Data diode, 50: Data server, 62 : Control monitoring unit, 64: Data storage unit, 72: Interception detection unit, 74: Decryption key temporary storage unit, 76: Opening / closing unit, 78: Position acquisition unit, 440: Transmission unit, 442: Demodulation unit, 446: Deflection unit

Claims (11)

The data acquired from the data storage unit is encrypted and output with the first encryption key, and the first decryption key used for decrypting the encrypted data encrypted with the first encryption key is output. An encryption unit to
A first transmission unit for transmitting the first decryption key acquired from the encryption unit in a single direction;
A second transmission unit for transmitting the encrypted data acquired from the encryption unit in a single direction;
A plant security device comprising: At least one of the first transmission unit and the second transmission unit is:
A transmission unit for transmitting an input signal by a data carrier using light; and
A demodulator that receives and demodulates the input signal transmitted on the data carrier;
The plant security apparatus according to claim 1, comprising:   The plant security apparatus according to claim 2, wherein the transmitting unit uses light including a plurality of wavelengths as a data carrier wave, modulates the number of wavelengths and the order of the wavelengths, and performs optical transmission.   4. The plant security apparatus according to claim 2, wherein a space between the transmission unit and the demodulation unit includes a plurality of transmission paths, and the plurality of transmission paths are settable. 5.   The plant security device according to any one of claims 2 to 4, further comprising an interception detection unit that detects the presence or absence of transmission interception based on the characteristics of the data carrier wave. The second encryption key acquired from the terminal when the terminal requesting acquisition of the first decryption key satisfies the authentication condition, storing the first decryption key acquired via the first transmission unit. A first authentication unit that encrypts the first decryption key with a key and outputs the first decryption key to the terminal;
The encrypted data acquired via the second transmission unit is stored, and when a terminal that requests acquisition of the encrypted data satisfies an authentication condition, the third encryption key acquired from the terminal is used to store the encrypted data. A second authentication unit that encrypts encrypted data and outputs the encrypted data to the terminal;
The plant security apparatus according to any one of claims 1 to 5, further comprising:   The first authentication unit includes a holding unit that repeatedly holds and discards the first decryption key transmitted from the encryption unit via the first transmission unit. The plant security device described.   The plant security device according to claim 6 or 7, further comprising an opening / closing unit that enables connection to the second authentication unit when a request is received from the terminal.   9. The system according to claim 6, further comprising a permission unit that acquires a position of the second authentication unit and permits the second authentication unit to transmit and receive data when the position is at a predetermined position. The plant security device according to claim 1.   The said data storage part is connected to the said encryption part, and memorize | stores at least any one of the data which a plant monitoring control apparatus uses for control, and the data regarding a plant, The any one of Claim 1 thru | or 9 characterized by the above-mentioned. The plant security device according to one item. A terminal having a plurality of pairs of encryption keys and corresponding decryption keys;
The data obtained from the data storage unit is encrypted and output with the first encryption key, and the first decryption key used for decrypting the encrypted data encrypted with the first encryption key is output. An encryption unit;
A first transmission unit for transmitting the first decryption key acquired from the encryption unit in a single direction;
A second transmission unit for transmitting the encrypted data acquired from the encryption unit in a single direction;
The first decryption key acquired via the first transmission unit is stored, and the second request acquired from the terminal when the terminal that requests acquisition of the first decryption key satisfies an authentication condition. A first authentication unit that encrypts the first decryption key with an encryption key and outputs the first decryption key to the terminal;
The encrypted data acquired via the second transmission unit is stored, and when the terminal that requests acquisition of the encrypted data satisfies an authentication condition, a third encryption key acquired from the terminal is used. A second security unit that encrypts the encrypted data and outputs the encrypted data to the terminal, and a plant security device,
With
The terminal is a terminal having a second decryption key for the second encryption key and a third decryption key for the third encryption key, and is encrypted with the second decryption key Decrypting the first decryption key, decrypting the encrypted data encrypted by the second authentication unit with the third decryption key, and further decrypting the encrypted data with the decrypted first decryption key; A plant security system that acquires the data.