JP2018055271A - Monitoring apparatus, monitoring system, and monitoring method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To protect equipment such as field equipment and monitor a state of the equipment.SOLUTION: A monitoring apparatus that monitors input information inputted to field equipment from a high-order control system accepts input of input verification data that indicates a criterion for verifying the input information, accepts input of the input information, and verifies whether or not the input information is abnormal data on the basis of the input verification data.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a monitoring device, a monitoring system, and a monitoring method.

  Conventionally, a method for detecting an abnormality of a control system or the like in a plant having the control system or the like is known.

  That is, an abnormality detection device is installed between a control server (HMI (Human-Machine Interface), etc.) and a control device (PLC (Programmable Logic Controller, controller, etc.) constituting the control system. This is a method of detecting an abnormality. Specifically, first, a network device (such as a router or a gateway) installed on a line connecting the control server, the control device, the control server, and the like to the control device is installed. Then, the network device is equipped with an abnormality detection function, or the abnormality detection device is directly connected to the same line, etc., to analyze the state of the server or device and the data transmitted / received over the network. This is a method of detecting an abnormality by, for example.

  In addition, for example, first, an abnormality detection device that detects an abnormality of the control system has a security gateway. The security gateway then monitors traffic such as sensor data, sensor signals, operation commands for the actuators, and control signals for the actuators transmitted through the control network. Next, as a result of monitoring, the security gateway generates event information in a predetermined format and passes the event information to the analysis engine. Subsequently, the analysis engine analyzes the event information and detects an abnormality occurring in the control network (for example, Patent Document 1).

JP2012-168686A

  However, in the conventional method, for example, it is possible to infect the control device etc. with a computer virus through the process of maintenance work for the control server, the control device and the network device having the abnormality detection device or via the network. It is. Alternatively, it is possible to invalidate the function of the abnormality detection device by exploiting the vulnerability of the control device or the network.

  Thus, even if an abnormal command is set for a device such as a field device or an abnormal value is measured from the field device, it may not be detected that the device or the command is abnormal. Therefore, an abnormal value may be set in a device such as a field device.

  One aspect of the present invention has been made in view of such a problem, and an object thereof is to monitor the protection and state of devices such as field devices.

In order to solve the above-described problems and achieve the object, in one embodiment of the present invention,
Unlike the method for detecting an abnormality between the control server and the control device described above,
The monitoring device that monitors the input information input from the host control system to the field device
An input verification data input unit for inputting input verification data indicating a criterion for verifying the input information;
An input information input unit for inputting the input information;
And an input verification unit that verifies whether the input information is abnormal information based on the input verification data.

  According to the present invention, it is possible to protect a device by preventing abnormal input information from being input to a device such as a field device. Furthermore, it is possible to detect an abnormality of a device by monitoring output information from a device such as a field device.

1 is a system diagram illustrating an example of an overall configuration using a monitoring device according to a first embodiment of the present invention. It is a flowchart which shows an example of the whole process by the monitoring apparatus in 1st Embodiment of this invention. It is a schematic diagram which shows an example of the verification data in one Embodiment of this invention. It is a functional block diagram which shows the function structural example of the monitoring apparatus in 1st Embodiment of this invention. It is a system diagram which shows an example of the whole structure using the monitoring apparatus in 2nd Embodiment of this invention. It is a flowchart which shows an example of the whole process by the monitoring apparatus in 2nd Embodiment of this invention. It is a functional block diagram which shows the function structural example of the monitoring apparatus in 2nd Embodiment of this invention.

Embodiments of the present invention will be described in the following order.

1. 1. Example of overall configuration of first embodiment 2. Example of overall processing by the monitoring apparatus according to the first embodiment. 3. Functional configuration example of monitoring device according to first embodiment 4. Overall configuration example of second embodiment 5. Example of overall processing by monitoring apparatus according to second embodiment Functional configuration example of a monitoring apparatus according to the second embodiment

(First embodiment)
≪ １． Example of overall configuration of first embodiment >>
FIG. 1 is a system diagram showing an example of the overall configuration using the monitoring apparatus according to the first embodiment of the present invention. For example, in a plant such as a factory as shown, input information such as control information is input to the field device FM. In addition, based on a command that is an example of control information, the field device FM installed in the plant is controlled to control various physical quantities in the plant or various devices including the field device. Specifically, the physical quantity is, for example, temperature, pressure, speed, the number of rotations of the motor, the amount of electric power, or dimensions.

  Hereinafter, an example in which the motor is controlled by the field device FM in the plant will be described. First, the user UR inputs a command CM including information such as a command value or a command to control the motor to the HMI terminal HM. The HMI terminal HM is an information processing apparatus having an input device such as a PC (Personal Computer) or a tablet. In the following description, the command CM includes a command value, and the command value is a main monitoring target.

  Hereinafter, as illustrated, a system including the HMI terminal HM, the controller CR, the output module OM, the field device FM, and the like is referred to as “control system 1”. In the example of the control system 1 shown in the figure, the HMI terminal HM, the controller CR, the output module OM, and the like are the upper control system UC. The host control system UC may include other types of information processing apparatuses.

  In the control system 1, the HMI terminal HM may be preinstalled with a program DP or the like serving as an interface for displaying each data on the user UR or operating a device such as the field device FM. In addition, data displayed by the program DP or the like is transmitted to the HMI terminal HM via a network or the like and stored in the database DB.

  For example, when the motor is speed controlled, the command value included in the command CM is a value indicating the rotational speed of the motor or the voltage input to the motor. In addition, when the motor is in position control, the command value included in the command CM is a value indicating an angle or a position at which the motor is rotated. When the temperature is controlled by the field device, the command value included in the command CM is a value indicating the temperature or the voltage input to the heater. As described above, the command values included in the command CM are various types of values.

  Next, in the control system 1, when the command CM is input to the HMI terminal HM, the HMI terminal HM outputs a signal indicating the command CM to the controller CR. The controller CR is, for example, DCS (Distributed Control System), PLC, or a combination thereof.

  Subsequently, the controller CR outputs a signal indicating the command CM to the output module OM which is an example of the input / output module. Then, the output module OM converts the field device FM into a format in which the command CM can be processed. For example, when an analog value is output from the controller CR and the field device FM inputs a digital value, the output module OM performs A / D (analog-digital) conversion or the like. On the other hand, when a digital value is output from the controller CR and the field device FM inputs an analog value, the output module OM performs D / A (digital-analog) conversion or the like. Note that the output module OM performs a process that can be processed by the field device FM, and if the format output by the controller CR can be input to the field device FM as it is, the output module OM performs the conversion. Not necessary.

  In the control system 1, the controller CR or the output module OM is a human such as a temperature (unit system is ° C. (degrees) or the like) or a voltage value (unit system is V (volt) or the like). May be converted into a digital value or the like that can be input by the field device FM. In the following description, even after conversion by the controller CR or the output module OM, it is simply referred to as a command CM.

  In the control system 1, the field device FM controls a physical quantity or device based on the command CM. For example, in the case of motor control, the field device FM controls the voltage and the like input to the motor so that the voltage value indicated by the command value included in the command CM is obtained. The control result by the field device FM may be fed back to the HMI terminal HM or the like.

  As illustrated, the monitoring apparatus 10 is connected to the output module OM and the field device FM. And the monitoring apparatus 10 inputs the instruction | command CM output from the output module OM. Next, the monitoring device 10 monitors whether or not the command value included in the command CM is an abnormal value.

  Note that the control system 1 may further include a monitoring control computer such as SCADA (Supervision Control And Data Acquisition), DCS, PLC, or a combination thereof.

  In addition, each device included in the control system 1 uses a general-purpose OS (Operating System) such as Windows (registered trademark) or Linux (registered trademark), or Ethernet (registered trademark) or the like in a network connecting the devices. A general purpose network may be used. Therefore, there is a case where a so-called cyber attack is performed on each device and a network connecting the devices.

  Specifically, as shown in the figure, input to or output from each device such as the HMI terminal HM, the controller CR, the output module OM, and the field device FM, that is, transmission and reception on the network to which each device is connected. In some cases, a cyber attack (hereinafter referred to as “first cyber attack AT1”) targeting a signal and data to be performed is performed on each device and a path connecting the devices. In the example shown in the figure, the first cyber attack AT1 is a target of the cyber attack such as a signal transmitted / received between each device, and the data transmitted / received by the first cyber attack AT1 is altered or the data is illegally transmitted. Or get it.

  Further, as shown in the drawing, a cyber attack (hereinafter referred to as “second cyber attack AT2”) targeting data stored in each device may be performed on each device. In the illustrated example, the second cyber attack AT2 first illegally enters the HMI terminal HM, etc., and targets data stored in the database DB as a target to tamper with data or obtain data illegally. It is a cyber attack.

  In addition, a cyber attack (hereinafter referred to as “third cyber attack AT3”) targeting the program DP installed in each device may be performed on each device. In the illustrated example, for example, the third cyber attack AT3 is performed on the program DP installed in advance in the HMI terminal HM. When the third cyber attack AT3 is performed, the numerical value displayed by the program DP is changed, or the message indicating “abnormal” is changed, and the user UR cannot detect the abnormality of the plant.

  As described above, cyber attacks such as the first cyber attack AT1, the second cyber attack AT2, and the third cyber attack AT3 may be performed on the devices and the like, and an abnormality may occur in the plant or the devices included in the plant. If the command CM is altered by such a cyber attack or each device is changed to an abnormal state, the abnormal command CM may be transmitted to the field device FM.

  An abnormal command CM is, for example, a command value that damages the field device FM or a device that is controlled by the field device FM, a command value that the field device FM or the like cannot input due to specifications, and deviates from a preset allowable range. Command values or command values that tend to change rapidly.

  The monitoring device 10 monitors whether such an abnormal command CM is input to the field device FM. Note that the monitoring device 10 is realized by hardware such as an electronic circuit, for example. Specifically, the monitoring device 10 is, for example, an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array). Note that the monitoring device 10 may execute part or all of the processing by an information processing device or the like. As described above, when the monitoring device 10 is realized by an electronic circuit or the like, processing for monitoring input information such as the command CM can be performed at high speed. Therefore, even if the command CM is transmitted via the monitoring device 10, there is a delay. Can be reduced.

≪ 2. Example of Overall Processing by Monitoring Device According to First Embodiment >>
FIG. 2 is a flowchart showing an example of the entire process performed by the monitoring apparatus according to the first embodiment of the present invention. For example, the monitoring device performs the following processing.

≪ Input example of verification data (step S101) ≫
In step S101, the monitoring apparatus inputs verification data. In the first embodiment, the input verification data is input verification data. Hereinafter, it is simply referred to as “verification data”. The verification data is data indicating a verification criterion for verifying whether or not the command value included in the command is an abnormal value. Specifically, the verification data is tolerance range data indicating an tolerance range, determination condition data indicating a determination condition, and the like. More specifically, the allowable range data is data for setting the allowable range based on, for example, an upper limit value and a lower limit value of a command value included in the command. The determination condition is data indicating an output condition such as a tendency of the command value included in the command with respect to time, which may be set in the field device, for example. For example, the verification data is the following data as illustrated.

  FIG. 3 is a schematic diagram illustrating an example of verification data according to an embodiment of the present invention. For example, the allowable range data is data for setting an allowable range RA as shown in FIG. In this example, as illustrated, the range between the upper limit UL and the lower limit DL is an allowable range RA. That is, if the allowable range RA as shown in the figure is set by the allowable range data, and the command value included in the command CM is a value within the allowable range RA as shown in the drawing, the monitoring device performs the following process. It is possible to verify that the command value included in the command CM is not an abnormal value but a “normal” value. On the other hand, if the command value included in the command CM is a value that exceeds the upper limit value UL or the command value included in the command CM is a value that is lower than the lower limit value DL, the monitoring device It can be verified that the command value included in the command CM is an abnormal value.

  The allowable range data is not limited to data indicating the upper limit value and the lower limit value of the command value included in the command. For example, the allowable range data may be data indicating only one of the upper limit value and the lower limit value of the command value included in the command.

  The determination condition data is data indicating an output condition of a command that may be set in the field device, for example, data indicating a tendency TE as illustrated in FIG. Specifically, the trend TE indicates whether the command value included in the command CM is increasing or decreasing, or an increase amount, that is, a change amount per unit time. As shown in the figure, when the command value included in the command CM is the same or similar to the tendency indicated by the determination condition data, that is, when the command value included in the command CM matches the output condition, the monitoring device In the processing, it is possible to verify that the command value included in the command CM is not an abnormal value but a “normal” value. On the other hand, if the command value included in the command CM has a tendency different from the tendency indicated by the determination condition data, that is, if the command value included in the command CM does not match the output condition, the monitoring device It can be verified that the command value included in the CM is an abnormal value. That is, the determination condition data is, for example, data indicating an output condition for checking whether or not the command value included in the command CM has a tendency of a sudden change in the value and determining whether the command value is an abnormal command value. It is.

  In addition, the output condition is, for example, a time during which a predetermined value can be set in the field device. In other words, depending on the output condition, the condition may be set so that it is not set in the field device for a time when a predetermined value is set.

  Furthermore, the output condition is, for example, the number of times that a predetermined value can be set in the field device. That is, the condition may be set so that the field device is not set more than the predetermined number of times depending on the output condition. The number of times may be the number of times set within a predetermined time.

  Furthermore, the output condition may be, for example, a condition determined based on a control result obtained by feeding back a control result from the field device. Specifically, the output condition is that a command value within a predetermined range may be set in the field device if the control result is equal to or less than a predetermined value.

  Further, the output condition may be a logical product or a logical sum of each verification result by verifying each of the above output conditions based on a plurality of output conditions.

  The verification data is not limited to the allowable range data and the determination condition data as illustrated. For example, the verification data may be data indicating an abnormal value. When such verification data is input, the monitoring device determines that the command value included in the command CM is an abnormal value in the subsequent processing of the command value included in the command CM included in the value or tendency indicated by the verification data. It can be verified that On the other hand, the monitoring device may verify that the command value included in the command CM that does not match the value indicated by such verification data is a “normal” value.

≪ Example of command input (step S102) ≫
Returning to FIG. 2, in step S102, the monitoring apparatus inputs a command from the output module.

<< Judgment example of whether or not the command value included in the command is within the allowable range (step S103) »
In step S103, the monitoring device determines whether the command value included in the command is within an allowable range. Specifically, the monitoring device determines whether or not the command value included in the command input in step S102 is a value within the allowable range set based on the allowable range data, and the command value is abnormal. It is verified whether it is a correct value.

  Next, when it is determined that the command value included in the command is within the allowable range, that is, the command included in the command is not an abnormal value (YES in step S103), the monitoring apparatus proceeds to step S104. On the other hand, when it is determined that the command value included in the command is outside the allowable range, that is, the command value included in the command is an abnormal value (NO in step S103), the monitoring apparatus proceeds to step S105.

<< Judgment example of whether or not the command value included in the command matches the output condition (step S104) >>
In step S104, the monitoring apparatus determines whether the command value included in the command matches the output condition. Specifically, the monitoring device determines whether the command value included in the command is a value that matches the output condition set based on the determination condition data, and the command value included in the command is abnormal. It is verified whether it is a value.

  Next, when it is determined that the command value included in the command matches the output condition, that is, the command value included in the command is not an abnormal value (YES in step S104), the monitoring apparatus proceeds to step S106. On the other hand, if it is determined that the command value included in the command does not match the output condition, that is, the command value included in the command is an abnormal value (NO in step S104), the monitoring apparatus proceeds to step S105. .

  Steps S103 and S104 are an example of a verification procedure for verifying whether or not the command value included in the command is an abnormal value. Further, the verification procedure is not limited to the procedure as illustrated. For example, the verification procedure may be reverse to the order shown in steps S103 and S104, or may be in parallel.

<< Example of Notification, etc. (Step S105) >>
In step S105, it is desirable for the monitoring device to notify the user. For example, the monitoring device notifies the user that an abnormal command has occurred. Specifically, for example, the monitoring apparatus notifies the user of a warning or the like by using Patlite (registered trademark) or a buzzer. In addition, the monitoring device may notify the user by displaying a warning message or sending an e-mail. As described above, when the notification is performed, the user can more surely understand that an abnormal command has occurred.

  In step S105, it is desirable that the monitoring device restricts setting of command values for field devices. For example, the monitoring device stops the command value based on the abnormal command being set in the field device, or stops the operation of the field device. As described above, when the command value based on the abnormal command is restricted from being set for the field device, it is possible to prevent the field device or the plant from operating based on the abnormal command. Therefore, the monitoring device can reduce the failure of the field device or the plant due to the operation based on the abnormal command due to the limitation.

  In addition, in step S105, the monitoring device may set a normal value for the field device in the field device instead of an abnormal command. If the setting based on the abnormal command is performed on the field device, the field device or the plant may break down. Therefore, the monitoring device is not a command value based on an abnormal command, but a normal value such as a value within the allowable range indicated by the allowable range data, a past value in a normal state, or a value that can stop the field device. Set the value to the field device. As described above, when a normal value is set in the field device, the monitoring device can maintain or stop the operation of the field device or the plant even if an abnormal command is generated. Note that the normal value set in the field device instead of the abnormal command is a value set in advance by user setting or the like.

≪ Example of setting command value for field device (step S106) ≫
In step S106, the monitoring device sets a command value for the field device based on the command. Step S106 is performed when it is determined that the command value included in the command is not an abnormal value but a normal value. Therefore, in step S106, since the command is normal, the monitoring device sets the command value included in the command to the field device.

≪ 3. Example of Functional Configuration of Monitoring Device According to First Embodiment >>
FIG. 4 is a functional block diagram illustrating a functional configuration example of the monitoring device according to the first embodiment of the present invention. For example, the monitoring device 10 has a functional configuration including an input verification data input unit FN11, an input information input unit FN12, an input verification unit FN13, and a setting unit FN14.

  The input verification data input unit FN11 inputs verification data DC indicating the allowable range of the command value included in the command CM, the determination condition of the command value included in the command CM, or a combination thereof. For example, the verification data DC is allowable range data DRA and determination condition data DJG as shown in FIG. The input verification data input unit FN11 is realized by hardware such as an input I / F (interface) included in the monitoring device 10, for example.

  The input information input unit FN12 inputs input information such as a command CM input from the upper control system UC to the field device FM. For example, the input information input unit FN12 is realized by hardware such as an input I / F that the monitoring apparatus 10 has. The input information input unit FN12 can input the command CM without being altered by a cyber attack when the command CM is input via a control cable or the like instead of the network or the like.

  The input verification unit FN13 verifies whether or not the command value included in the command CM is an abnormal value based on the verification data DC input by the input verification data input unit FN11. It is verified whether it is information. For example, the input verification unit FN13 is realized by hardware such as an arithmetic device included in the monitoring device 10.

  The setting unit FN14 sets a command value for the field device FM based on the command CM. For example, the setting unit FN14 is realized by hardware such as an output I / F included in the monitoring device 10.

  As illustrated, the monitoring apparatus 10 inputs input information such as a command CM scheduled to be input to the field device FM before the command value based on the command CM is set by the input information input unit FN12. Then, the monitoring device 10 verifies, based on the verification data DC, whether or not the input verification unit FN13 includes an abnormal command value that may cause the field device FM or the plant to fail.

  As described above, when the command value included in the command CM is verified before the command value included in the command CM is set by the verification, the monitoring apparatus 10 detects the command CM including the abnormal command value. be able to. For this reason, the monitoring apparatus 10 limits the output of abnormal input information to devices such as the field device FM, reduces the setting of abnormal values, and protects the field device FM and the like. be able to.

  For example, when the field device FM controls the motor, the command CM may be altered to an abnormal command that causes the motor to fail due to a cyber attack. When a command CM including such an abnormal value is input to the field device FM, the field device FM sends a high voltage value or current value to the motor that causes the motor to fail based on the abnormal command CM. There may be a case where control is performed to output or to change the rotation speed or rotation direction of the motor abruptly.

Therefore, as shown in the figure, the monitoring apparatus 10 monitors whether an abnormal value is set in the device such as the field device FM based on the verification data DC. When an abnormal value occurs, the monitoring apparatus 10 notifies that an abnormal value has occurred, or restricts an abnormal value from being set in the device. In this way, the monitoring device 10 can protect a device such as a motor or a plant from control based on an abnormal command CM set by a cyber attack.
(Second Embodiment)
<< 4. Overall Configuration Example of Second Embodiment >>
FIG. 5 is a system diagram showing an example of the entire configuration using the monitoring device according to the second embodiment of the present invention. For example, in a plant such as the factory shown in the figure, the field device FM installed in the plant outputs output information such as various physical quantities in the plant or control information indicating the state of various devices including the field device FM. . Note that the control information is, for example, a measurement value in the second embodiment. The physical quantity is a mechanical or electrical value measured by the field device FM such as a sensor. Furthermore, the state of the device can be various states, for example, whether the target device is in operation, whether the device is out of order, whether the device is on or off. It is a parameter to show.

  The measured value is a value that feeds back a control result obtained by the field device FM or the like performing some control.

  Hereinafter, as illustrated, a system including the HMI terminal HM, the controller CR, the input module IM, the field device FM, and the like is referred to as “control system 1”. In the example of the control system 1 shown in the figure, the HMI terminal HM, the controller CR, the input module IM, and the like are the upper control system UC.

  Next, in the control system 1, the measured value ME measured by the field device FM is input to the input module IM as a signal (hereinafter referred to as “input signal”). The input module IM performs A / D conversion and the like on the input signal. Subsequently, the input module IM generates a value in a data format that can be processed by the controller CR, that is, a so-called digital value, by A / D conversion. That is, the input module IM converts the input signal into a format that can be processed by the controller CR or the like. A digital value may be transmitted from the field device FM. In addition to the value, the field device FM may output a character code indicating the state of the device included in the output information.

  Subsequently, in the control system 1, the controller CR performs processing based on the digital value. The processing performed by the controller CR varies depending on setting conditions set in advance, the type of the controller CR, the type of input signal, and the like.

  For example, it is assumed that the field device FM is a device that measures temperature. Then, the field device FM outputs a measured value such as a voltage value (the unit system is V (volt) or the like) to an input module IM which is an example of an input / output module, according to an input signal. Next, the input module IM generates a digital value (the unit system has no dimension) by A / D conversion. Subsequently, the controller CR performs processing for converting the digital value into an industrial value such as temperature (the unit system is ° C. (degrees), etc.). Further, the industrial value is not limited to temperature, but may be other types.

  In the control system 1, the controller CR may perform processing such as controlling other devices based on the input signal.

  Data indicating the processing result by the control system 1 is transmitted to the HMI terminal HM. Further, when data indicating the processing result is transmitted to the HM terminal 1HM, for example, the transmitted data is stored in a database or the like in the HMI terminal HM. Subsequently, the HMI terminal HM displays the management parameters, that is, the contents of the transmitted data, etc. on the user UR.

  As shown in the figure, the monitoring device 10 is connected to input a measurement value ME output from the field device FM. The measured value ME output to the input module IM and the measured value ME output to the monitoring device 10 are the same value.

  The control system 1 may further include a supervisory control computer such as SCADA, DCS, PLC, or a combination thereof.

  For each device included in the control system 1, a general-purpose OS such as Windows (registered trademark) or Linux (registered trademark) may be used, or a general-purpose network such as Ethernet (registered trademark) may be used for the network. Therefore, there is a case where a so-called cyber attack is performed on each device and a network connecting the devices.

  On the other hand, the field device FM measures the measurement value ME, and the monitoring device 10 determines whether the measurement value ME is an abnormal value.

  The abnormal measurement value ME is, for example, a value that damages the field device FM or a device that handles the physical quantity measured by the field device FM, a value that the field device FM or the like cannot be input in the specification, and a preset allowable value. For example, the value is out of the range or the value tends to be abrupt.

  The monitoring device 10 monitors whether an abnormal measurement value ME is generated in the plant. Note that the monitoring device 10 is realized by hardware such as an electronic circuit, for example. Specifically, the monitoring device 10 is, for example, an ASIC or an FPGA. Note that the monitoring device 10 may execute part or all of the processing by an information processing device or the like. As described above, when the monitoring device 10 is realized by an electronic circuit or the like, processing for monitoring the measurement value ME can be performed at high speed.

<< 5. Example of Overall Processing by Monitoring Device According to Second Embodiment >>
FIG. 6 is a flowchart showing an example of overall processing by the monitoring apparatus according to the second embodiment of the present invention. For example, the monitoring device performs the following processing.

≪ Input example of verification data (step S201) ≫
In step S201, the monitoring apparatus inputs verification data. In the second embodiment, the input verification data is output verification data. Hereinafter, it is simply referred to as “verification data”. The verification data is data used to verify whether or not the measured value is an abnormal value. Specifically, the verification data is tolerance range data indicating an tolerance range, determination condition data indicating a determination condition, and the like. More specifically, the allowable range data is data for setting the allowable range based on, for example, an upper limit value and a lower limit value of measurement values. The determination condition is, for example, data indicating a tendency of the measured value with respect to time. For example, the verification data is the same data as in the first embodiment.

<< Example of Input of Measurement Value (Step S202) >>
In step S202, the monitoring device inputs a measurement value from the field device.

<< Judgment example of whether or not the measured value is outside the allowable range (step S203) >>
In step S203, the monitoring apparatus determines whether or not the measured value is outside the allowable range. First, in step S201, a value indicating that the measurement value is normal is input to the monitoring apparatus as verification data. Specifically, an allowable range RA as shown in FIG. 3A is input to the monitoring device by verification data. If the measured value is a value that exceeds or falls below the allowable range RA, the monitoring device determines that the measured value is outside the allowable range.

  Next, when the monitoring device determines that the measured value is outside the allowable range, that is, the measured value is an abnormal value (YES in step S203), the monitoring device proceeds to step S205. On the other hand, if the monitoring device determines that the measured value is not outside the allowable range, that is, the measured value is not an abnormal value (NO in step S203), the monitoring device proceeds to step S204.

<< Judgment example of whether or not the measured value tends to be abnormal (step S204) >>
In step S204, the monitoring apparatus determines whether or not the measurement value has an abnormal tendency. First, in step S201, a determination condition when the measurement value is normal is input to the monitoring apparatus as verification data. Specifically, a trend TE or the like as shown in FIG. 3B is input to the monitoring device by verification data. If the measured value does not match the determination condition tendency TE, the monitoring apparatus determines that the measured value has an abnormal tendency.

  Next, when the monitoring device determines that the measured value tends to be abnormal, that is, the measured value is an abnormal value (YES in step S204), the monitoring device proceeds to step S205. On the other hand, when the monitoring device determines that the measured value does not tend to be abnormal, that is, the measured value is not an abnormal value (NO in step S204), the monitoring device ends the process.

<< Example of Notification, etc. (Step S205) >>
In step S205, it is desirable for the monitoring device to notify the user. For example, the monitoring device notifies the user that an abnormal measurement value has occurred. Specifically, for example, the monitoring device performs notification or the like by the same method as in step S105 shown in FIG. As described above, when the notification is performed, the user can more surely understand that an abnormal measurement value has occurred.

  When the field device is a measuring device such as a sensor, the device in an abnormal state is a device or a field device that is measured by a field device other than the field device. In such a case, in step S205, the monitoring device stops the device being measured by the field device in an abnormal state, or the device being measured by the field device or the field device is in a normal state. For example, the control may be performed so that a device in an abnormal state is in a normal state.

≪ 6. Functional configuration example of monitoring apparatus according to second embodiment >>
FIG. 7 is a functional block diagram illustrating a functional configuration example of the monitoring device according to the second embodiment of the present invention. For example, the monitoring device 10 has a functional configuration including an output verification data input unit FN21, an output information input unit FN22, and an output verification unit FN23.

  The output verification data input unit FN21 inputs verification data DC indicating an allowable range of the measurement value ME, a determination condition of the measurement value ME, or a combination thereof. For example, the verification data DC is allowable range data DRA and determination condition data DJG as shown in FIG. The output verification data input unit FN21 is realized by hardware such as an input I / F included in the monitoring device 10, for example.

  The output information input unit FN22 inputs the measurement value ME output from the field device FM. For example, the output information input unit FN22 is realized by hardware such as an input I / F that the monitoring apparatus 10 has. The output information input unit FN22 can input the measurement value ME without being falsified by a cyber attack when the measurement value ME is input via a control cable or the like instead of the network or the like.

  The output verification unit FN23 determines whether or not the measurement value ME is an abnormal value based on the verification data DC input by the output verification data input unit FN21, and whether or not the output information is abnormal information. Verify that. For example, the output verification unit FN23 is realized by hardware such as an arithmetic device included in the monitoring device 10.

  As shown in the figure, the monitoring apparatus 10 inputs the measurement value ME output from the field device FM by the output information input unit FN22. Then, the monitoring device 10 verifies, based on the verification data DC, whether or not the measurement value ME is an abnormal value that would cause the field device FM or a device in the plant to fail.

  As described above, when the measurement value ME indicating the physical quantity in the plant or the state of the device is verified by the verification, the monitoring device 10 sets an abnormal value in any device or the like in the plant, It can be detected based on the measured value ME that an abnormal value has occurred in. Therefore, the monitoring apparatus 10 can reduce an abnormal value from being set in any device or the like in the plant.

  For example, in the case of controlling a motor in a plant, a cyber attack causes the motor to malfunction, so the control value is altered to an abnormal value, and the motor is controlled at an abnormal rotational speed or voltage value. There is a case. Therefore, the field device FM measures, for example, the rotational speed or voltage value of the motor, and feeds back a measurement value ME indicating the measurement result. Then, the monitoring device 10 verifies the measurement value ME based on the verification data DC.

  Since a normal value or an abnormal value is input to the verification data DC, the monitoring device 10 can monitor that the control of the motor is in an abnormal state from the measurement value ME based on the verification data DC. it can. When an abnormal value occurs, the monitoring apparatus 10 notifies that an abnormal value has occurred, or detects a device measured by the field device FM in which the abnormal value has been set. Stop it. In this way, the monitoring device 10 detects an abnormal state of a device such as a motor or a plant from a control based on an abnormal value set by a cyber attack, and protects the device such as a motor or the plant. Can do.

(Comparative example)
As a comparative example, countermeasures against cyber attacks include, for example, installation of a firewall or introduction of anti-virus software. In this way, it is possible to prevent unauthorized access from the outside of each system, insertion of a computer virus, creation of a so-called back door for unauthorized intrusion, or deprivation of system administrator authority. There is a way. In particular, when a general-purpose OS or a general-purpose network is used, a cyber attack may be made using security vulnerabilities. As described above, when a cyber attack is performed, data is altered or an installed program is changed.

  For example, even if the data has been tampered with, if the user is monitoring, it may be possible for the user to detect abnormal fluctuations in the value, etc., and to discover that a cyber attack has occurred. On the other hand, if the user has altered the viewer software program used for monitoring, the program indicating that the viewer has been tampered with is altered, and therefore data indicating the alteration may not be displayed to the user. For this reason, even if the user is monitoring, it may not be possible to discover that a malicious person has been subjected to a cyber attack.

  On the other hand, when the input or output relating to the field device is monitored as in the present embodiment, the monitoring device can detect an abnormality even if the viewer software program used for monitoring is altered.

(Modification)
The configuration shown in the first embodiment and the configuration shown in the second embodiment may be combined. Hereinafter, a configuration in which the configuration shown in the second embodiment is added to the configuration shown in the first embodiment will be described as an example.

  In other words, the monitoring device may monitor both the input to the field device that controls the physical quantity or device and the output from the field device that measures the physical quantity or the state of the device.

  Specifically, the monitoring apparatus inputs the output verification data input shown in FIG. 7 in addition to the input verification data input unit FN11, the input information input unit FN12, the input verification unit FN13, and the setting unit FN14 shown in FIG. The functional configuration further includes a unit FN21, an output information input unit FN22, and an output verification unit FN23.

  As shown in the first embodiment, the monitoring device has a functional configuration including an input verification data input unit FN11, an input information input unit FN12, an input verification unit FN13, and a setting unit FN14. Can detect abnormal input information before the command value included in the command is set. For this reason, the monitoring device 10 can reduce the occurrence of abnormal values in devices such as field devices.

  Furthermore, as shown in the second embodiment, the monitoring device has a functional configuration including an output verification data input unit FN21, an output information input unit FN22, and an output verification unit FN23. An abnormal measured value can be detected. Therefore, the monitoring apparatus 10 can detect that an abnormal value has been set in the field device or the device measured by the field device.

  As described above, the monitoring device may be configured to monitor both input and output.

  Further, the information to be verified is not limited to a value, and may be a command or the like.

  Note that all or part of each processing according to an embodiment of the present invention may be realized by a program that causes a computer described in a low-level language, a high-level language, or a combination thereof to execute a monitoring method. Good. That is, the program is a computer program for causing a computer such as an information processing apparatus to execute all or part of each process.

  The program can be stored and distributed in a computer-readable recording medium. The recording medium may be a flash memory, a flexible disk, an optical disk such as a CD-ROM or a Blu-ray disk, an SD (registered trademark) card, an auxiliary storage device, or an MO. Furthermore, the program can be distributed through a telecommunication line.

  Furthermore, all or a part of each process according to an embodiment of the present invention is processed by an information processing system having one or more information processing apparatuses in which all or a part of the process is performed in parallel, distributed, redundant, or a combination thereof. May be.

  Moreover, each process which concerns on one Embodiment of this invention is not restricted to the order shown in figure. For example, some or all of the processes may be processed in different orders, in parallel, distributed, or omitted.

  The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to the above-described embodiments, and various modifications or changes can be made within the scope of the gist of the present invention described in the claims. Is possible.

10 Monitoring Device FN11 Input Verification Data Input Unit FN12 Input Information Input Unit FN13 Input Verification Unit FN14 Setting Unit FN21 Output Verification Data Input Unit FN22 Output Information Input Unit FN23 Output Verification Unit CM Command ME Measurement Value DC Verification Data FM Field Device UC Upper Level Control system

Claims (12)

A monitoring device that monitors input information input from a host control system to a field device,
An input verification data input unit for inputting input verification data indicating a criterion for verifying the input information;
An input information input unit for inputting the input information;
A monitoring apparatus comprising: an input verification unit that verifies whether the input information is abnormal information based on the input verification data.   If it is determined that the input information is the abnormal information, the user is notified that the abnormal information has occurred, the output restriction of the input information to the field device, and the normal input information for the field device. The monitoring apparatus according to claim 1, wherein at least one of settings is performed.   The monitoring apparatus according to claim 1, wherein the input verification data is data indicating at least one of an allowable range of the input information and a determination condition indicating a tendency of the input information. A monitoring device that monitors output information output from a field device to a host control system,
An output verification data input unit for inputting output verification data indicating a criterion for verifying the output information;
An output information input unit for inputting the output information;
A monitoring apparatus comprising: an output verification unit that verifies whether the output information is abnormal information based on the output verification data.   If it is determined that the output information is the abnormal information, a notification to the user that the abnormal information has occurred, a device measured by the field device or a stop of the field device, and the field device The monitoring apparatus according to claim 4, wherein at least one of settings based on normal information for a measuring device or the field device is performed.   The monitoring apparatus according to claim 4, wherein the output verification data is data indicating at least one of an allowable range of the output information and a determination condition indicating a tendency of the output information. An output verification data input unit for further inputting output verification data indicating a criterion for verifying output information output from the field device to the host control system;
An output information input unit for inputting the output information;
The monitoring apparatus according to claim 1, further comprising: an output verification unit that verifies whether the output information is abnormal information based on the output verification data. A control system composed of a host control system including an HMI terminal, a controller and an input / output module, and a field device,
A monitoring device is connected between the input / output module and the field device,
The monitoring device
An input verification data input unit for inputting input verification data indicating a criterion for verifying input information input from the input / output module to the field device;
An input information input unit for inputting the input information;
An input verification unit that verifies whether the input information is abnormal information based on the input verification data;
The field device includes
A control system to which the input information determined not to be abnormal by the monitoring device is input. An output verification data input unit for inputting output verification data indicating a criterion for verifying output information output from the field device to the upper control system;
An output information input unit for inputting the output information;
The control system according to claim 8, further comprising: an output verification unit that verifies whether the output information is abnormal information based on the output verification data.   The control system according to claim 8 or 9, wherein the monitoring device and the field device are connected via a control cable. A monitoring method performed by a monitoring device that monitors input information input from a host control system to a field device,
An input verification data input procedure in which the monitoring device inputs input verification data indicating a criterion for verifying the input information;
An input information input procedure in which the monitoring device inputs the input information;
A monitoring method comprising: an input verification procedure in which the monitoring device verifies whether or not the input information is abnormal information based on the input verification data. A monitoring method performed by a monitoring device that monitors output information output from a field device to a host control system,
An output verification data input procedure in which the monitoring device inputs output verification data indicating a criterion for verifying the output information;
An output information input procedure in which the monitoring device inputs the output information;
A monitoring method including: an output verification procedure in which the monitoring device verifies whether the output information is abnormal information based on the output verification data.

Images