JP2018142078A - Information processing system and information processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing system capable of improving cyber security by preventing starting of a reliability program and an illicit program while maintaining distributed process and an information processing method thereof.SOLUTION: Each of a plurality of calculation devices includes a control unit, a data generation unit and a communication unit. The control unit determines permission or not of execution of processing of a matter on the basis of list information indicating matters to be permitted or not. The data generation unit generates current block data including a verification value according to block data of the previous block data, and history information concerning the occurrence of the matter and accumulated until this moment. The communication unit broadcasts the block data to the plurality of calculation devices.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an information processing system and an information processing method.

  In a power plant, a railway system, a ship, an automobile, a factory automation, and the like, a distributed control system may be used to control their operation. A distributed system such as a distributed control system has a redundant configuration. The redundant configuration is also called a multiplexed configuration. In order to ensure safety, two or more (for example, four) subsystems are provided, and the same processing can be executed in parallel between the subsystems. At this time, the computing devices constituting each subsystem may check whether the combination of hardware and software included in the own device is appropriate at the time of activation. For example, it has been proposed to update software when double approval by a plurality of different users is obtained (Patent Document 1). In a distributed system, it is proposed that a certificate authority server (CA) is provided and the computing device authenticates a user who accesses the computing device using an authenticated electronic certificate (patent). Reference 2). Further, it has been proposed that the arithmetic device does not start software or processes other than software or processes permitted in advance using a white list provided from a management device such as a monitor.

Japanese Patent No. 5964077 Japanese Patent No. 5593416

However, when a redundant configuration is adopted, communication occurs between the arithmetic devices to mutually confirm the software configuration. For this reason, when the number of redundant units increases, the amount of communication of data transmitted and received between arithmetic devices increases remarkably. The number of redundant units is the number of subsystems in the redundant configuration. The number of redundant units is sometimes called multiplicity. For example, when the number of subsystems, that is, the number of arithmetic devices is n (n is an integer greater than 1), the amount of communication between the arithmetic devices is n (n−1) when no redundant configuration is adopted. / 2 times. Therefore, there was a problem that the number of redundant units could not be easily increased.
When a certificate authority server is provided in order to ensure cyber security, the certificate authority server plays a role as a central server for various cyber security functions. For this reason, there has been a problem that, even though the system is a distributed system, a failure of the certificate authority server may affect the operation of the entire distributed system. The installation of a certificate authority server is an effective measure against user impersonation, but it cannot prevent the application of unauthorized software other than software permitted in advance. For example, when a whitelist method is used that allows only programs that have been permitted in advance to prevent infection, it is necessary to distribute a whitelist indicating the software that is permitted to be executed every time the software is updated, and the more redundant the number Update and distribution load increases. When a dedicated distribution server is installed in the distributed system for updating and distribution, the problem arises that the operation of the entire distributed system may be affected by the failure, like the certificate authority server.

  The present invention has been made in view of the above-described problems, and provides an information processing system and an information processing method capable of improving cyber security by preventing reliability and unauthorized program activation while maintaining distributed processing. The purpose is to do.

  One aspect of the present embodiment is an information processing system including a plurality of arithmetic devices, wherein each of the plurality of arithmetic devices is based on list information indicating matters that are permitted or not permitted in the arithmetic devices. A data generation unit that generates current block data including a control unit that determines whether or not to execute the process, a verification value based on block data at a previous time point, and history information accumulated up to the present time regarding occurrence of the item And a communication unit that broadcasts the block data among the plurality of arithmetic devices.

  One aspect of the present embodiment is the above-described information processing system, including a management device that provides the plurality of arithmetic devices with first block data at a start time including program list information indicating a program that is permitted to be executed. The control unit determines whether or not to execute the process based on the program indicated by the program list information, and the data generation unit indicates a verification value based on the first block data at the previous time point and an activation state of the process. The first block data at the present time including the history information in which the activation program information is accumulated up to the present time is generated, and the communication unit broadcasts the first block data among the plurality of arithmetic devices.

  Another aspect of the present embodiment is the information processing system described above, in which the second block data at the start point including user list information indicating users who are permitted to access a predetermined function is stored in the plurality of arithmetic devices. A management device for providing, the control unit determines whether to allow access to the function from a user based on the user list information, the data generation unit is a verification value based on the second block data of the previous time point And access history information that is history information in which access status information indicating an access result to the function is accumulated up to the present time, and the communication unit generates the second block data Is broadcast among the plurality of arithmetic units.

  Another aspect of the present embodiment is the information processing system described above, wherein each of the plurality of arithmetic devices includes a detection unit that detects an event in which cyber security is impaired, and the data generation unit Generating the current third block data including a verification value based on the third block data and event history information which is history information in which event information indicating the detected event is accumulated up to the present time, and the communication unit Broadcasts the third block data among the plurality of arithmetic devices.

  Another aspect of the present invention is the information processing system described above, including a management device that provides the plurality of arithmetic devices with fourth block data at a start point including patch list information indicating a patch of the program, and the control Determine whether or not to apply the patch indicated by the patch list information, and the data generation unit includes a verification value based on the fourth block data of the previous time point and the patch application information indicating the patch application state at the present time. Current application block data including patch application history information that is accumulated history information until the first block data is broadcast among the plurality of arithmetic devices.

  Another aspect of the present invention is an information processing method in an information processing system including a plurality of arithmetic devices, wherein each of the plurality of arithmetic devices is based on list information indicating matters permitted or not permitted by the arithmetic devices. Generating current block data including a control process for determining whether or not to execute the process for the item, a verification value based on the previous block data, and history information accumulated up to the present time regarding the occurrence of the item And a communication process for broadcasting the block data among the plurality of arithmetic devices.

  According to the present invention, block data broadcast is shared among a plurality of arithmetic devices. For this reason, an increase in the transmission amount due to an increase in the number of computing devices to be transmitted is suppressed as compared with the case where block data is transmitted by specifying individual computing devices, so that the block data is efficiently shared. In addition, the program list included in the block data can be maintained while maintaining the distributed processing of each redundant computing device without installing an authentication server for authenticating the validity of the program list information included in the block data. Based on the information, it is possible to control activation of processing based on the program. Suppressing the activation of unauthorized programs that are not allowed to be executed improves the reliability and cyber security of the information processing system.

It is a block diagram which shows the example of 1 structure of the redundancy system which concerns on 1st embodiment. It is a block diagram which shows an example of the arithmetic unit which concerns on 1st embodiment. It is a figure which shows the example of the white list information which concerns on 1st embodiment. It is a figure which shows an example of the starting application information which concerns on 1st embodiment. It is a figure which shows an example of the creation screen of white list information which concerns on 1st embodiment. It is a figure which shows an example of the creation screen of the hardware configuration information which concerns on 1st embodiment. It is a figure which shows the example of the block data which concern on 1st embodiment. It is a flowchart which shows an example of the white list management and delivery process which concerns on 1st embodiment. It is a block diagram which shows the other structural example of the redundancy system which concerns on 1st embodiment. It is a figure which shows the example of the block data which concern on 2nd embodiment. It is a block diagram which shows the example of 1 structure of the arithmetic unit which concerns on 3rd embodiment. It is a figure which shows an example of the threat countermeasure table which concerns on 3rd embodiment. It is a figure which shows the example of the block data which concern on 3rd embodiment. It is a figure which shows the example of the block data which concern on the modification of 3rd embodiment. It is a figure which shows the example of the patch list information which concerns on 4th embodiment. It is a figure which shows the example of the patch application information which concerns on 4th embodiment. It is a figure which shows the example of the block data which concerns on 4th embodiment.

<First embodiment>
Hereinafter, a redundant system according to a first embodiment of the present invention will be described with reference to FIGS.
FIG. 1 is a block diagram illustrating a configuration example of a redundancy system 1 according to the present embodiment.
The redundancy system 1 includes a plurality of arithmetic devices 10 and an EMS (Engineering and Maintenance Station) 22. The plurality of arithmetic devices 10 have a common configuration. Symbols such as “a” of the arithmetic device 10a are symbols for distinguishing individual arithmetic devices. The arithmetic devices 10a to 10d are communicably connected via a network NW, and can transmit and receive various types of data to and from each other. In the example illustrated in FIG. 1, the number of arithmetic devices 10 is four, but may be three or more. There is no particular upper limit on the number of units. In the following description, a case where the arithmetic device 10 is realized mainly as a server device is taken as an example.

  The EMS 22 is an apparatus for receiving an operation of an engineer who is a user and managing devices connected via the network NW according to the received operation. The management of the computing device 10 includes, for example, an instruction of an operation state such as starting and stopping of each computing device 10, setting of parameters, creation and distribution of an application program, and the like. The EMS 22 provides an operation input unit that receives user operations, a display unit for displaying an operation target arithmetic device and various information, operation information instructed by the operation, setting information, and the like to the application target arithmetic device 10. A communication unit for transmitting is provided. The EMS 22 generates block data at the start time indicating a list of application programs that are permitted to be started by the arithmetic device 10. Activation means starting execution. In the following description, an application program is simply called an application or an application. The execution of a program means that an arithmetic device that executes arithmetic processing such as a CPU (Central Processing Unit) and an ASIC (Application Specific Integrated Circuit) performs processing related to an instruction described in the program. Starting the program means starting execution of the program. Moreover, the arithmetic device and program which perform the process for every function part may differ.

  The current block data is data including a verification value based on the block data at the previous time point and history information configured by accumulating element information at each time point from the start time point to the current time point. As the verification value, for example, a hash value obtained for each of the block header included in the block data at the previous time point and the current history information is used. The EMS 22 generates block data including start time (initial) history information indicating an application list, an initial value of a predetermined verification value, and a verification value of history information at the start time as block data at the start time. . The application list is whitelist information that includes one or more pieces of application information indicating applications that are permitted to be activated by the arithmetic device 10. A specific example of the block data will be described later. Each piece of application information may include information on the arithmetic device 10 indicating whether the application is permitted to be activated. The EMS 22 transmits the generated block data at the start time to the arithmetic device 10 via the network NW.

Next, a functional configuration of the arithmetic device 10 according to the present embodiment will be described. FIG. 2 is a block diagram illustrating an example of the arithmetic device 10 according to the present embodiment.
The arithmetic device 10 includes a control arithmetic unit 11, a function control unit 13, a block data processing unit 14, a communication unit 16, and a storage unit 18. The arithmetic device 10 is composed of, for example, an arithmetic device. The arithmetic device reads a predetermined control program stored in the storage unit 18 and executes the read control program. In addition, the arithmetic devices that execute programs between the functional units may be common or different.

The control calculation unit 11 reads an application indicated by the application activation instruction information input from the function control unit 13 from various programs stored in the storage unit, and executes a process indicated by the instruction described in the read application. Note that in the control calculation unit 11, the application for executing the process may be an application indicated by the application activation instruction information, and may be an application instructed by a user operation. Further, the program executed by the control calculation unit 11 may include a dynamic link library (DLL) referred to by the application. The control calculation unit 11 stores, in the storage unit 18, activated application information indicating that the activated application is being activated as an activated state in the own device. In addition, when the activation of the activated application is completed, the control calculation unit 11 updates the activated application information stored in the storage unit 18 to activated application information indicating completion of activation as an activated state in the own device. The application to be executed may be an application provided via the EMS 22.
Further, when the application execution stop information is input from the function control unit 13, the control calculation unit 11 stops the execution of the application indicated by the application execution stop information. For the application whose execution has been stopped, the control calculation unit 11 stores, in the storage unit 18, start application information indicating start / stop as the start state of the own device.

  The function control unit 13 determines whether to execute the application indicated by the application information based on the application information newly stored in the storage unit 18, that is, white list information. The function control unit 13 determines that the application information executes an application that is permitted to be executed on the own device. The function control unit 13 determines that the application information whose application information is not permitted to be executed by the own device is not executed. The function control unit 13 generates application activation instruction information for instructing activation of an application determined to be executed, and outputs the generated application activation instruction information to the control calculation unit 11.

  In the function control unit 13, among the applications indicated by the latest activated application information stored in the storage unit 18, there may be an application whose activated state is activated / deactivated (interrupting activation and stopping). In that case, the execution of the application is stopped in the control calculation unit 11 of another calculation device 10 different from the own device, and the execution of the application is stopped in the control calculation unit 11 of the own device. There are cases. The function control unit 13 may generate application activation instruction information for instructing activation of the application, and output the generated application activation instruction information to the control calculation unit 11. As a result, in the redundancy system 1, the arithmetic device 10 that is first detected by the application whose execution has been stopped maintains the execution of the application. In addition, in the arithmetic device that first detects the stop of the execution of the application, the application is restarted. Therefore, the computing device 10 that has stopped executing the application and the computing device 10 that restarts the application may be the same or different.

Further, when the function control unit 13 detects a newly started application in the control calculation unit 11, the function control unit 13 refers to the white list information and determines whether or not the application is an application permitted to be executed by the own device. To do. Furthermore, the function control unit 13 may determine whether or not the white list information stored in the storage unit 18 has been updated every predetermined time. When it is determined that the application has been updated, it is determined whether or not there is an application that is not permitted to be executed in the own device by referring to the updated whitelist information among the applications being executed in the control calculation unit 11. Also good. When there is an application that is not permitted to be executed in its own device, the function control unit 13 generates application execution stop information indicating stop of the execution of the application, and the generated application execution stop information is used as the control calculation unit 11. Output to. As a result, the execution of the application is stopped. In that case, the function control unit 13 generates alarm information indicating stop of execution of the application, and transmits the generated alarm information to the OPS (Operator Station; monitoring device) 21 (FIG. 9) via the communication unit 16. May be. The OPS 21 is an apparatus for an engineer who is a user to monitor the control state of various devices as will be described later. The OPS 21 may be configured integrally with the EMS 22. Thereby, the user can know the stop of execution of the activated application.
When the function control unit 13 detects the stop of the execution of the application in the control calculation unit 11, the start application information indicating start / stop as the start state of the application in the own device is used as the start application information stored in the storage unit 18. Update to

  The block data processing unit 14 executes processing related to block data. The block data processing unit 14 includes a block data storage unit 141, a reception data analysis unit 142, and a transmission data generation unit 143.

  The block data storage unit 141 temporarily stores the block data received via the communication unit 16 from the EMS 22 or another arithmetic device 10 different from the own device and the block data generated by the transmission data generation unit 143 of the own device. .

The received data analysis unit 142 reads the latest block data from the block data storage unit 141 as the block data at the previous time point out of the stored block data. When the read block data is the block data at the start time, the reception data analysis unit 142 extracts white list information corresponding to the history information at the start time from the read block data, and the extracted white list information Is stored in the storage unit 18. When the white list information included in the read block data has not been changed from the white list information stored in the storage unit 18 in the past, the received data analysis unit 142 determines that the white list included in the read block data. Information may not be stored in the storage unit 18. That is, when new white list information is acquired, the white list information stored in the storage unit 18 may be updated to new white list information.
In addition, when the read block data is block data after the start time, the reception data analysis unit 142 extracts the latest activation application information from the history information of the latest block data, and extracts The activated application information is stored in the storage unit 18.

  The transmission data generation unit 143 reads the latest activation application information indicating the activation state of the application in its own device from the storage unit 18. Also, the transmission data generation unit 143 reads the latest block data from the block data stored in the block data storage unit 141 as the previous block data, and the current block based on the read block data and the startup application information. Generate data. The current block data is data including a verification value based on the previous block data and current history information configured by adding new activation application information as element information to the history information. For example, the transmission data generation unit 143 calculates a hash value as a verification value by using a predetermined one-way function for each of the block header included in the previous block data and the current history information. The transmission data generation unit 143 transmits the generated block data to another arithmetic device 10 different from the own device, and stores it in the block data storage unit 141 of the own device. As a result, the block data generated by the transmission data generation unit 143 is broadcast (broadcast) among a plurality of arithmetic devices 10 including the own device, and is shared with each other.

The communication unit 16 is communicably connected to the network NW, and transmits / receives various data to / from other devices connected to the network NW. For example, the communication unit 16 receives block data from another arithmetic device 10 different from the own device, and transmits the block data generated by the transmission data generation unit 143 of the own device to another arithmetic device 10 different from the own device. I will inform you.
The storage unit 18 stores various data acquired by each unit of the own device and data used for processing of each unit of the own device. The storage unit 18 and the block data storage unit 141 are configured to include a storage medium such as a RAM (Random Access Memory), for example.

(White list information)
Next, an example of white list information according to the present embodiment will be described.
FIG. 3 is a diagram illustrating an example of white list information according to the present embodiment.
In the example illustrated in FIG. 3, the white list information is configured to include one or a plurality of combinations of application name, version, hash value, and information on a computing device to be permitted for each application that is permitted to be executed. This combination of information shown in each row corresponds to application information. The application name is the name of each application. In the example shown in FIG. 3, the process name is used as the application name, but an abbreviation, common name, or the like may be used as long as the name can identify the application. The version is the version of the application related to the application name. In the present embodiment, even if the application name is common, applications having different versions are treated as different applications. The hash value is a hash value of the entire bit string indicating the application, and is set in the EMS 22. The control calculation unit 11 checks whether or not the hash value matches the hash value based on the application selected as the execution target, and when the two match, the control calculation unit 11 is a legitimate application that has not been modified. If the two do not match, the application may be determined to be an unauthorized application. And the control calculating part 11 performs the application determined to be valid, and does not execute the application determined to be unjust. In the item of the arithmetic device to be permitted, the number of the arithmetic device to be permitted to execute is specified. ALL indicates all the arithmetic units that share block data.

(Launched application information)
Next, an example of activation application information according to the present embodiment will be described.
FIG. 4 is a diagram illustrating an example of activation application information according to the present embodiment. In the example illustrated in FIG. 4, the startup application information indicates a startup state for each application in one arithmetic device 10. The activated application information includes one or more combinations of application name, version, process ID (Identifier), and state for each application. This application corresponds to one of the applications indicated by the white list information. The process ID is identification information indicating the process. The state item indicates the activation state of the application, and indicates information on activation, completion of activation, or stop. Each time the activation state of the application changes, the control calculation unit 11 updates the information on the activation state before the change to information indicating the activation state after the change for the corresponding application, and records the information in the storage unit 18. The startup application information is information recorded in the history information of block data to be described later.

(Whitelist information creation screen)
When creating the white list information, the EMS 22 displays the creation screen on the display unit, and selects an application designated by the accepted operation from among the applications displayed on the creation screen. The EMS 22 configures white list information including application information indicating the selected application.
FIG. 5 is a diagram showing an example of a whitelist information creation screen according to the present embodiment.
The white list information creation screen shown in FIG. 5 is displayed, for example, when the start of white list creation is instructed by an operation accepted by the EMS 22. On the white list information creation screen, an application that can be executed by the arithmetic device 10 is displayed in each row in a vertically long frame. When the check box appearing at the beginning of the name of each application is designated by the selection operation, the EMS 22 selects the application as an application that is permitted to be executed. The EMS 22 displays a check symbol in a rectangle related to the designated application. Note that the EMS 22 determines a device specified by an operation for each selected application as a computing device 10 that permits execution (not shown). Then, when the “load” button is designated by the click operation, the EMS 22 generates white list information indicating the selected application.

(Hardware configuration information creation screen)
When the EMS 22 designates a plurality of computing devices 10 as transmission destinations of whitelist information, the EMS 22 displays a hardware configuration information creation screen on the display unit.
FIG. 6 is a diagram illustrating an example of a hardware configuration information creation screen according to the present embodiment.
The hardware configuration information creation screen illustrated in FIG. 6 is displayed, for example, when the hardware configuration setting is instructed by an operation received by the EMS 22. On the hardware configuration information creation screen, devices to which the EMS 22 is connected via the network NW are displayed. The EMS 22 selects the device represented at the position designated by the right click operation as the transmission destination, and displays the menu bar on the display unit. The EMS 22 selects the device as the transmission destination when the hardware configuration and the white list generation are selected by the operation from the functions displayed on the menu bar.

(Block data)
Next, an example of block data (first block data) according to the present embodiment will be described.
FIG. 7 is a diagram illustrating an example of block data according to the present embodiment.
BD01, BD02, and BD03 indicate block data at the start time, block data at a certain time after the start time, and block data at the next time, respectively.
The block data includes a block header and history information at that time. The block header includes a verification value based on the previous block data, a device ID, the number of calculations, verification data, and verification information of history information.

The verification value of the previous block data is a verification value derived using a predetermined one-way function from the block header of the block data at the previous time point. In the example illustrated in FIG. 7, a hash value calculated using a predetermined hash function is employed as the verification value. The verification value is also calculated based on the verification value obtained from the history information at the previous time included in the history information at the current time. Accordingly, whether or not the block data generated at the present time is valid is verified based on whether or not both verification values match.
However, since the block data at the start time does not exist at the start time, a predetermined initial value, for example, 0 is used as the verification value.

The device ID is identification information indicating a device that generates the block data.
The number of calculations is a number indicating the calculation process executed by the device. That is, the number of calculations is information indicating the operation timing indicating to which stage the calculation process has progressed.
The verification data is data that is arbitrarily set in order to adjust the operation timing between the arithmetic devices 10. The arithmetic device 10 whose operation timing is ahead of another arithmetic device 10 different from the own device performs a predetermined process that does not affect other functions by using the verification data. The time for which the process is performed corresponds to a time difference in which the operation timing is ahead of another arithmetic device 10 different from the own device. The predetermined process is a process based on an algorithm that requires a certain amount of time by including a continuous calculation, for example, calculation of a circumference ratio and calculation of a hash value for mining. The verification data includes, for example, a processing start time, a counter timer value, and the like. In addition, the verification data may include an initial value of a process to be executed, an intermediate value obtained by the process, and the like.

  The verification value of history information is a verification value calculated as a one-way function of history information up to the present time. That is, the verification value based on the white list information is used as the verification value of the history information at the start time. In addition, as the verification value of the history information at each time point after the start time point, the verification value of the history information configured by accumulating the white list information and all the activated application information up to the present time is used. This verification value is included in the block header and is used to derive the verification value of the previous block data at the next time point. Therefore, when it is determined that the previous block data is not valid, the current block data is also determined not valid.

The history information of the block data at the start time includes white list information. Each line of the white list information includes application information of each application.
The history information of the block data at a time later than the start time includes white list information and activated application information up to the present time as element information. Each piece of activated application information is associated with information about an active server that is a computing device related to the activated state.

(Whitelist management / distribution processing)
Next, white list management / distribution processing according to the present embodiment will be described.
FIG. 8 is a flowchart showing an example of whitelist management / distribution processing according to the present embodiment. In the following description, it is assumed that the redundancy system 1 includes the OPS 21 in addition to the plurality of arithmetic devices 10 and the EMS 22.
Further, the following processing is executed periodically (for example, for each cycle control) while the arithmetic device 10 is activated.
(Step S102) The computing device of the computing device 10 reads the block data processing program stored in advance in the storage unit 18 and activates the read block data processing program. Thereby, the functions of the function control unit 13 and the block data processing unit 14 are started. Thus, preparation for processing the block data is completed. At this stage, the whitelisted application is not executed. Thereafter, the process proceeds to step S104.
(Step S104) The block data storage unit 141 receives the block list 1 at the start time from the EMS 22 via the communication unit 16, and stores the received block list 1. The reception data analysis unit 142 extracts a white list from the latest block list 1 stored in the block data storage unit 141, and stores the extracted white list in the storage unit 18. Thereafter, the process proceeds to step S106.

(Step S <b> 106) The function control unit 113 displays application activation instruction information indicating an application permitted to be activated by the own apparatus among the applications indicated by the application information included in the white list stored in the storage unit 18. Output to. Thereby, the control calculation part 11 starts the application permitted to start by the own apparatus among the applications indicated by the white list information. Thereafter, the process proceeds to step S108.
(Step S108) When the activation of the application in the own device is completed, the control calculation unit 11 stores activated application information indicating activation completion in the storage unit 18 as an activated state. The transmission data generation unit 143 reads the latest block data 1 from the block data storage unit 141 as the previous block data, and reads the latest startup application information from the storage unit 18. The transmission data generation unit 143 generates the current history information by adding the latest activated application information to the history information included in the previous block data. Thereafter, the process proceeds to step S110.
(Step S110) The transmission data generation unit 143 generates, as transmission block data, current block data including the current history information, the verification value of the current history information, and the verification value of the block header included in the previous block data. To do. The transmission data generation unit 143 transmits the generated transmission block data to the other arithmetic device 10 different from the own device via the communication unit 16 and stores it in the block data storage unit 141. Thereby, the transmission block data is shared between the arithmetic devices 10. Thereafter, the process proceeds to step S112.

(Step S112) The function control unit 113 detects whether or not an application is newly activated in the control calculation unit 11 of the own device. Here, the activated state includes both activated and activated. When activation is detected (YES in step S112), the process proceeds to step S114. When activation is not detected (NO in step S112), the process returns to step S108, and, for example, when the next control cycle is started, the processes after step S108 are repeated.
(Step S114) The function control unit 13 refers to the white list information stored in the storage unit 18 with reference to the application whose activation is detected, and determines whether or not the application is permitted to be executed by the own device. Determine. When it is determined that the application is permitted to be executed (YES in step S114), the process proceeds to step S120. When it is determined that the application is not permitted to be executed (NO in step S114), the process proceeds to step S116.
(Step S116) The function control unit 13 outputs application execution stop information indicating stop of the execution of the application whose start is detected to the control calculation unit 11. The control calculation unit 11 stops the activation when the application is activated, and stops the execution when the application is activated (block). Thereafter, the process proceeds to step S118.
(Step S118) The function control unit 13 generates alarm information indicating stop of execution of the application, and transmits the generated alarm information to the OPS 21 via the communication unit. Thereafter, the process proceeds to step S112.

(Step S120) The function control unit 13 causes the control calculation unit 11 to continue the execution without stopping the execution of the application. Thereafter, the process proceeds to step S122.
(Step S122) The function control unit 13 determines whether or not the white list information stored in the storage unit 18 has been updated. This determination is made based on whether or not new white list information is added to new block data received after the previous processing. The new white list information after the update is added to the newly received block data history information next to the plurality of activated application information indicating the history of starting and stopping of the application performed on the previous white list. Yes. When the white list information is updated, the function control unit 13 determines whether the application being executed in the control calculation unit 11 of the own device and the application indicated by the updated white list information and permitted to be executed by the own device. And compare.

(Step S124) If it is determined in step S122 that there is no change in the white list information, the control calculation unit 11 continues the execution without stopping the execution of the application. Thereafter, returning to step S108, for example, when the next control cycle is started, the processing after step S108 is repeated.
(Step S126) In the process of step S122, when there is an application other than the application permitted to be executed indicated by the updated white list information in the application being executed, the process proceeds to step S128. Such a case may occur when a part or all of the application permitted to be executed by the own device is deleted from the white list information.
(Step S128) The function control unit 13 outputs application execution stop information indicating stop of execution of an application other than the application permitted to be executed to the control calculation unit 11. As a result, the execution of the application is stopped. Thereafter, returning to step S108, for example, when the next control cycle is started, the processing after step S108 is repeated.
(Step S130) In the process of Step S120, when there is an application newly added to the application permitted to be executed in the own device indicated by the updated white list information, the control arithmetic unit 11 stops the execution of the application. Continue execution. Thereafter, returning to step S108, for example, when the next control cycle is started, the processing after step S108 is repeated.

  In this manner, by storing the white list information in the block data and reflecting it in the next block data together with the verification value of the history information at the start time, it becomes possible to prevent the white list information from being falsified by a cyber attack. In other words, even if the attacker falsifies the whitelist information and attempts to grant start permission to his malicious program, he changes all block data from the beginning and recalculates the verification value of the history information. Need to be reflected. Furthermore, the block data stored in the block data storage unit by each arithmetic device must be altered throughout the entire device. And when all are not successful, the user can detect tampering very easily from the verification value of the history information. By detecting this alteration, the attacker's intention is discovered. Therefore, this method has an effect of suppressing falsification of the white list information.

(Modification)
In the above description, the case where the white list information indicates an application program that is permitted to be executed for each program process is taken as an example, but the present invention is not limited to this. The white list information may be information indicating a program that is permitted to be executed for each control command. In such a case, execution is controlled in units of control commands, not in units of program processes as in the above example. Further, each control command indicated by the white list information may be accompanied by parameter information for use in the execution. When executing the control command, the control calculation unit 11 executes the process of the control command using the parameter indicated by the accompanying information.

  In addition, when a legitimate application program includes a code for executing an illegal process, the control for each program process cannot prevent the execution of the illegal process as in the above example. There is. For example, when an injection attack such as SQL (Structured Query Language) injection or OS (Operating System) command injection is performed at the control command level, the attack is not protected. However, execution of unauthorized processing can be prevented by controlling the execution in units of control commands. Therefore, the cyber security of the redundancy system 1 can be ensured.

  In the above description, the case where the arithmetic device 10 is mainly a server device is taken as an example, but the present invention is not limited to this. For example, the control device (LS: Logic Solver) 24 and the input / output device (IO: Input Output) 28 of the redundancy system 2 illustrated in FIG. 9 may have the same configuration as the arithmetic device 10. The control device 24 is a device for controlling the operation of the plant to be controlled by the redundancy system 2. The input / output device 28 is a device for outputting various output data to the plant and inputting various input data from the plant. Here, each of the control device 24 and the input / output device 28 includes an arithmetic device, and the arithmetic device executes a process indicated by an instruction described in a predetermined program.

  The redundancy system 2 includes an OPS 21, an EMS 22, an NA (Network Adapter) 23, a plurality of control devices 24a to 24d, an IO (Input Output) scanner 25, an IO network 26, IO adapters 27a and 27b, and The control system includes input / output devices 28aa to 28aI and 28ba to 28bJ. The control devices 24a to 24d, the input / output devices 28aa to 28aI, and 28ba to 28bJ each have a common configuration. A code such as a for the control device 24a and a code such as aa for the input / output device 28aa are codes for identifying individual devices.

  As described above, the redundancy systems 1 and 2 according to the present embodiment include a plurality of arithmetic devices (for example, the arithmetic device 10, the control device 24, the input / output device 28, etc.) and a program permitted to be executed. An information processing system including a management device (for example, EMS22) that provides block data at the start point including program list information (for example, whitelist information) to the plurality of arithmetic devices. Each of the plurality of arithmetic devices includes a control unit (for example, function control unit 13), a data generation unit (for example, transmission data generation unit 143), and a communication unit (for example, communication unit 16). The control unit determines whether or not to execute the process based on the program indicated by the program list information. The data generation unit generates current block data including a verification value based on block data at the previous time point and history information in which start program information (for example, start application information) indicating the start state of the process is accumulated up to the present time To do. The communication unit broadcasts block data among a plurality of arithmetic devices.

According to this configuration, block data broadcast is shared among a plurality of arithmetic devices. For this reason, an increase in the transmission amount due to an increase in the number of computing devices to be transmitted is suppressed as compared with the case where block data is transmitted by specifying individual computing devices, so that the block data is efficiently shared. In addition, the program list included in the block data can be maintained while maintaining the distributed processing of each redundant computing device without installing an authentication server for authenticating the validity of the program list information included in the block data. Based on the information, it is possible to control activation of processing based on the program. By suppressing the activation of unauthorized programs that are not allowed to be executed, the reliability of the redundant system is improved.
In addition, activation program information included in the block data is shared among a plurality of arithmetic devices via a network. Therefore, referring to the block data, the detection of the execution of the process based on the program that is not permitted to execute and the stop of the execution are efficiently performed, so that cyber security is ensured.

<Second embodiment>
Next, a second embodiment of the present invention will be described. About the same structure as 1st embodiment, the same code | symbol is attached | subjected and the description is used. In the following description, differences from the redundancy system 1 of the first embodiment will be mainly described.

  The EMS 22 (FIG. 1) according to the present embodiment further generates white list information including one or a plurality of user information indicating users who are permitted to access each arithmetic device 10 based on the accepted operation. In the following description, this white list information is called user list information and is distinguished from the white list information according to the first embodiment. The user information includes a hash value of identification information of each user, a hash value of authentication information of the user, and information on an access permission function. For example, a user ID and a password are used as user identification information and authentication information, respectively. The access permission function is a function that permits access to the user. The EMS 22 generates block data at the start time so as to include the generated user list information. In the following description, block data including user list information is referred to as second block data and is distinguished from block data according to the first embodiment. The second block data at the start time includes user list information as history information at the start time, and includes an initial value of a predetermined verification value and history information at the start time. A specific example of the second block data will be described later. The EMS 22 transmits the generated second block data at the start time to the arithmetic device 10 via the network NW.

  Next, the configuration of the arithmetic device 10 (FIG. 2) will be described in this embodiment. The function control unit 13 according to the present embodiment acquires user access information based on input information from the outside of the own device. The user access information is information indicating access to a function of the computing device 10 by the user. The user access information includes, for example, a hash value of access user identification information, a hash value of access user authentication information, and access function information. An access user is a user who performs access. The access function is a function that an access user intends to use. When acquiring the input information, the function control unit 13 specifies, for example, access user identification information, access user authentication information, and access function information by an operation received by an operation input unit (not shown) included in the own device. To do. Then, the function control unit 13 calculates respective verification values of the identified access user identification information and access user authentication information. Further, the function control unit 13 verifies the verification value of the access user identification information indicated by the operation or setting information received from the EMS 22 or another device connected to the network NW via the communication unit 16 and the verification information of the access user. Information on values and access functions may be acquired.

  The function control unit 13 refers to the user list information stored in the storage unit 18 and performs user authentication processing on the acquired user access information. Here, for each set of the hash value of the user identification information included in the user list information and the hash value of the user authentication information, the function control unit 13 sets the hash value of the access user identification information included in the user access information, The hash value of the access user authentication information is collated. The function control unit 13 determines that the set of the hash value of the user identification information and the authentication information of the access user, which match the hash value of the access user identification information and the access user authentication information included in the user access information, is a user It is determined whether or not the list information exists. When determining that it exists, the function control unit 13 further determines whether or not the access function included in the user access information corresponds to the access permission function associated with the set determined to match. When determining that it does not exist, the function control unit 13 determines that user authentication has failed for the user access information, and does not permit access.

  Further, when the function control unit 13 determines that the access function included in the user access information corresponds to the access permission function associated with the set, the function control unit 13 determines that the user authentication is successful for the user access information and permits the access. To do. When the function control unit 13 determines that the access function does not correspond to the access permission function associated with the set, the function control unit 13 determines that the user access information is a user authentication failure and does not permit the access. The function control unit 13 generates access date / time indicating the current date / time, access user, access function, and access status information indicating access success / failure, and stores the generated access status information in the storage unit 18. The function control unit 13 outputs function information indicating the function permitted to access to the control calculation unit 11. The control calculation unit 11 reads a program for realizing the function indicated by the function information input from the function control unit 13 from the storage unit 18 and activates the read program. Thereby, the function for which access is permitted is executed.

The block data storage unit 141 temporarily stores the second block data received from the EMS 22 or another arithmetic device 10 different from the own device via the communication unit 16 and the second block data generated by the transmission data generating unit 143 of the own device. To save.
The reception data analysis unit 142 reads the latest second block data from the second block data stored in the block data storage unit 141. When the latest read second block data is the second block data at the start time, the reception data analysis unit 142 extracts user list information corresponding to the history information at the start time from the second block data. The extracted user list information is stored in the storage unit 18. The user list information need not always be stored each time new second block data is read. When new user list information is acquired, the user list information stored in the storage unit 18 may be updated to new user list information.
When the latest second block data read from the block data storage unit 141 is the second block data at a time point after the start time point, the reception data analysis unit 142 displays the history information of the latest second block data. Then, the latest access state information is extracted, and the extracted access state information is stored in the storage unit 18.

  The transmission data generation unit 143 reads the latest access state information indicating the access state from the user in the own device from the storage unit 18. The transmission data generation unit 143 reads the latest second block data from the second block data stored in the block data storage unit 141 as the second block data at the previous time point, and the read second block data and the access state Based on the information, the current second block data is generated. The second block data at the current time is data including a verification value based on the second block data at the previous time point and current history information configured by adding new access state information as element information to the history information. . For example, the transmission data generation unit 143 calculates a hash value using a predetermined one-way function for each of the block header included in the second block data at the previous time point and the current history information as the verification value. The transmission data generation unit 143 transmits the generated second block data to another arithmetic device 10 different from the own device, and stores the second block data in the block data storage unit 141 of the own device. As a result, the second block data generated by the transmission data generation unit 143 is broadcast among a plurality of arithmetic devices 10 including its own device and shared with each other.

(Block data)
Next, an example of block data according to the present embodiment will be described.
FIG. 10 is a diagram illustrating an example of block data according to the present embodiment.
BD21, BD22, and BD23 indicate second block data at the start time, second block data at a time later than the start time, and second block data at the next time, respectively.
The second block data includes a block header and history information at that time. The second block header includes a verification value based on the block data at the previous time point, a device ID, the number of operations, verification data, and a verification value of history information.

  In the present embodiment, the hash value of the user list information is used for the second block data at the start time as the verification value of the history information, and the user list information and the current time information as the history information at each subsequent time point are used. A hash value of history information configured by accumulating all user access status information is used.

The history information of the second block data at the start time includes user list information. Each line of the user list information includes user information of each user. The user information includes a hash value of the user ID of each user, a hash value of the password of the user, and information on an accessible function (access permission function).
The history information of the second block data at a time later than the start time includes user list information and access status information up to the current time as element information. The individual access status information includes access date / time, access user, access function, and access success / failure information. The access function may include information on the arithmetic device 10 having the function.
Note that the configuration of the redundancy system 1 according to the present embodiment and the modification may be applied to the redundancy system 2. Here, the control device 24 and the input / output device 28 may each have the same configuration as the arithmetic device 10 according to the present embodiment.

  As described above, in the redundant system (for example, redundant systems 1 and 2) according to the present embodiment, the management device (for example, EMS22) is a user indicating a user who is permitted to access a predetermined function. The second block data at the start point including the list information is provided to a plurality of arithmetic devices. The control unit (for example, the function control unit 13) of each arithmetic device determines whether or not the user can access the function based on the user list information. The data generation unit (for example, the transmission data generation unit 143) is an access history that is history information in which the verification value based on the second block data at the previous time point and the access state information indicating the access result to the function are accumulated up to the present time. And current second block data including the information. The communication unit (for example, the communication unit 16) broadcasts the second block data among a plurality of arithmetic devices.

With this configuration, the second block data including the user list information is broadcast while maintaining distributed processing among a plurality of arithmetic devices. Therefore, the arithmetic unit can perform user authentication processing using the user list information without installing a certificate authority in the redundant system. Therefore, the reliability of the redundant system is improved as compared with the case where a certificate authority that can be a single point of failure due to a cyber attack or the like is installed.
Further, since the access status information in each computing device 10 can be acquired on a network connecting a plurality of computing devices, information such as access date and time, access user, and access function indicated by the access status information can be obtained via the network. It can be obtained. Therefore, a clue to verifying the user's access denial can be obtained. Cyber security is ensured by checking the user's actions through the verification.

<Third embodiment>
Next, a third embodiment of the present invention will be described. About the same structure as the above-mentioned embodiment, the same code | symbol is attached | subjected and the description is used. In the following description, differences from the redundancy system 1 (FIG. 1) of the first embodiment will be mainly described. The redundancy system 1 according to the present embodiment includes an OPS 21 in addition to the plurality of arithmetic devices 10 and the EMS 22.
First, a functional configuration of the arithmetic device 10 according to the present embodiment will be described. FIG. 11 is a block diagram illustrating a configuration example of the arithmetic device 10 according to the present embodiment.
The arithmetic device 10 according to the present embodiment includes a control arithmetic unit 11, a detection unit 12, a function control unit 13, a block data processing unit 14, a communication unit 16, and a storage unit 18.

  The detection unit 12 detects a threat in the own device. A threat means an event that can compromise cybersecurity. For example, the detection unit 12 may detect, as a threat, such as consecutive login failures, continuous access by undefined users, data reception from undefined addresses, abnormal received data amount, reception of undefined commands, reception of undefined size packet data, etc. Detect events. The continuous login failure means that a plurality of user authentication failures occur in response to a login request from a device designated by the same address within a predetermined period (for example, 1 to 5 seconds). The continuous access of undefined users means that an access request from a user other than the user permitted to access is generated a plurality of times within a predetermined period. Data reception from an undefined address refers to receiving data from a device that is designated in advance by an address other than the set address. An abnormality in the amount of received data means that the information amount of data received from another device is larger than the upper limit of the information amount that can be received without affecting the execution of other functions. An abnormality in the amount of received data can occur, for example, when a DoS (Denial of Service) attack is underway. Receiving an undefined command means receiving a command that is not set in advance as a command for instructing the function of the arithmetic device 10. Receiving packet data of an undefined size means receiving packet data having an information amount not set in advance. The detection unit 12 generates threat information indicating a date and time when a threat is detected and a threat ID indicating the threat, and stores the generated threat information in the storage unit 18. Here, the detection unit 12 refers to the threat countermeasure table (FIG. 12) stored in advance in the storage unit 18 and identifies a threat ID indicating the detected threat.

  The detection unit 12 may transmit the identified threat ID to the OPS 21 via the communication unit 16. Alternatively, as will be described later, the transmission data generating unit 143 may transmit the third block data including the threat ID to the OPS 21 via the communication unit 16. The threat countermeasure table is threat list information configured by associating a threat ID, a threat level, and recommended countermeasure information with each item of threat. The threat level is a numerical value obtained by quantifying the degree of the influence. The larger the numerical value, the larger the influence. The recommended countermeasure information is information indicating a desirable countermeasure against the threat, that is, any one or combination of suppression of the threat, suppression of harmful events due to the threat, prevention of damage expansion, and prevention of recurrence. A specific example of the threat countermeasure table will be described later.

  The OPS 21 refers to the threat countermeasure table stored in advance, identifies the threat level and recommended countermeasure information corresponding to the threat ID received from the computing device 10, and displays the identified threat level and recommended countermeasure information on the display unit. You may let them. The threat level and recommended countermeasure information may be displayed as a dialog screen. The dialog screen may include an execution button for instructing execution of recommended measures. When the operation is instructed to execute the recommended measure, the OPS 21 may transmit recommended measure execution request information indicating a request for the execution to the arithmetic device 10 as a response to the recommended measure information. When receiving the recommended measure execution request information from the OPS 21 via the communication unit 16, the function control unit 13 of the arithmetic device 10 executes the recommended measure indicated by the recommended measure execution request information.

Note that the storage unit 18 may store new threat information included in the latest third block data received from the arithmetic device 10 other than the own device. In that case, the function control unit 13 refers to the threat countermeasure table, identifies the recommended countermeasure information corresponding to the threat ID included in the threat information, and executes the recommended countermeasure indicated by the identified recommended countermeasure information. Good.
When executing the recommended measure, the function control unit 13 may store recommended measure execution information indicating the execution in the storage unit 18. When the identified threat level is higher than a predetermined threat level threshold, the detection unit 12 outputs a recommended countermeasure execution countermeasure request indicating execution of the recommended countermeasure indicated by the recommended countermeasure information to the function control unit 13. By doing so, the recommended measures may be executed.

The block data storage unit 141 temporarily stores the third block data received from the other arithmetic device 10 different from the own device via the communication unit 16 and the third block data generated by the transmission data generating unit 143 of the own device. save.
The reception data analysis unit 142 reads the latest third block data among the third block data stored in the block data storage unit 141. The received data analysis unit 142 extracts the latest threat information from the read third block data from the history information at that time, and stores the extracted threat information in the storage unit 18. The threat ID included in the extracted threat information indicates a new threat detected by another computing device 10 different from the own device.

  The transmission data generation unit 143 reads the latest threat information indicating the threat detected in the own device from the storage unit 18. In addition, when the latest recommended countermeasure execution information for the threat is stored in the storage unit 18, the transmission data generation unit 143 may add the recommended countermeasure execution information to the threat information. Therefore, information indicating that the recommended countermeasure is executed for the threat is reflected in the threat information. Further, the transmission data generation unit 143 reads the latest third block data from the third block data stored in the block data storage unit 141 as the third block data at the previous time point, and reads the read third block data and threat information. Based on the above, the current third block data is generated. The third block data at the present time is data including a verification value based on the third block data at the previous time point, and current history information configured by adding new threat information as element information to the history information. For example, the transmission data generation unit 143 calculates a hash value as a verification value by using a predetermined one-way function for each of the block header included in the third block data at the previous time point and the current history information. The transmission data generation unit 143 transmits the generated third block data to another arithmetic device 10 different from the own device, and stores the third block data in the block data storage unit 141 of the own device. As a result, the third block data generated by the transmission data generation unit 143 is broadcast among a plurality of arithmetic devices 10 including the own device, and is shared with each other. Further, the transmission data generation unit 143 may transmit the generated third block data to the OPS 21.

(Threat Response Table)
Next, the threat countermeasure table according to the present embodiment will be described.
FIG. 12 is a diagram showing an example of a threat countermeasure table according to the present embodiment.
The threat countermeasure table is threat list information including one or a plurality of threat item information that is a combination of threat information, threat ID, threat level, and recommended countermeasure information for each item.
In the example shown in the second row of FIG. 12, the threat “login continuous failure” is associated with the threat ID “Threat 1”, the threat level “3”, and the recommended measure “revoke user access permission”, and threat item information Is formed.

(Block data)
Next, block data according to the present embodiment will be described.
FIG. 13 is a diagram illustrating an example of block data according to the present embodiment.
BD41, BD42, and BD43 respectively indicate third block data at a certain time point, third block data at the next time point, and third block data at the next time point.
The third block data includes a block header and history information at that time. The third block header includes a verification value based on block data at the previous time point, a device ID, the number of operations, verification data, and a verification value of history information.
In this embodiment, a hash value of history information configured by accumulating all threat information from the start time to the present time is used as a verification value of history information. The history information of the third block data includes threat information up to the present time as element information. Each threat information includes a date and a threat ID.

(Modification)
In the example described above, the threat handling table is stored in advance in the storage unit 18 of each arithmetic device 10, and the detection unit 12 refers to the threat handling table and identifies the detected threat. This is not a limitation. In the modification described below, the EMS 22 may generate a threat countermeasure table based on the accepted operation. The EMS 22 generates the third block data at the start time so as to include the generated threat countermeasure table. The third block data at the start time includes the threat countermeasure table as history information at the start time, and includes an initial value of a predetermined verification value and history information at the start time. The EMS 22 transmits the generated third block data at the start time to the arithmetic device 10 via the network NW.

The block data storage unit 141 temporarily stores the third block data received from the EMS 22 via the communication unit 16.
The reception data analysis unit 142 reads the latest third block data from the third block data stored in the block data storage unit 141. When the latest read third block data is the third block data at the start time, the received data analysis unit 142 extracts a threat countermeasure table corresponding to the history information at the start time from the third block data. The extracted threat countermeasure table is stored in the storage unit 18. The threat list information need not always be stored each time new third block data is read. When a new threat countermeasure table is acquired, the threat countermeasure table stored in the storage unit 18 may be updated to a new threat countermeasure table. As described above, the threat handling table stored in the storage unit 18 is used as threat list information to identify the detected threat.

(Block data)
Next, block data according to this modification will be described.
FIG. 14 is a diagram illustrating an example of block data according to the present modification.
BD61, BD62, and BD63 respectively indicate third block data at the start time, third block data at a time later than the start time, and third block data at the next time.
In this modification, in the third block data at the start time, a predetermined initial value is used instead of the verification value based on the block data at the previous time. In addition, threat list information, that is, a hash value of a threat countermeasure table is used as a verification value of history information. The history information of the third block data at the start time includes a threat target table. Each line of the threat list information includes threat item information of each item. The threat item information includes information on a threat, a threat ID, a threat level, and recommended measures, respectively. The history information of the third block data at a time later than the start time includes failure list information and threat information up to the present time as element information.
Note that the configuration of the redundancy system 1 according to the present embodiment and the modification may be applied to the redundancy system 2. Here, the control device 24 and the input / output device 28 may each have the same configuration as the arithmetic device 10 according to the present embodiment.

  As described above, in the redundant system (for example, redundant systems 1 and 2) according to the present embodiment, each of the plurality of arithmetic devices (for example, the arithmetic device 10, the control device 24, and the input / output device 28) is , A detection unit (for example, detection unit 12), a data generation unit (for example, transmission data generation unit 143), and a communication unit (for example, communication unit 16). The detection unit detects an event (for example, a threat) that can damage cybersecurity. The data generation unit includes a verification value based on the third block data at the previous time point, and event history information that is history information in which event information (for example, threat information) indicating the detected event is accumulated to the present time The third block data is generated. The communication unit broadcasts the third block data among a plurality of arithmetic devices.

  According to this configuration, the third block data including event information indicating an event in which cyber security can be impaired is shared among the plurality of arithmetic devices 10 while maintaining the distributed processing. For example, the occurrence of an event that can be a sign of a cyber attack as a threat is notified between the plurality of computing devices 10 with each other. Therefore, further threats, adverse events, or the spread of damage can be prevented by executing countermeasures against the detected threats. This ensures cyber security in the redundant system.

<Fourth embodiment>
Next, a fourth embodiment of the present invention will be described. About the same structure as the above-mentioned embodiment, the same code | symbol is attached | subjected and the description is used. In the following description, differences from the redundancy system 1 (FIG. 1) of the first embodiment will be mainly described.

  The EMS 22 according to the present embodiment generates patch information indicating a patch and its location based on the accepted operation. A patch is correction data for updating a part or all of a program to perform bug correction or function change. In the present embodiment, the patch is correction data of a program executed in at least one of the arithmetic devices 10. Such correction data is mainly a security patch for eliminating or reducing cyber security vulnerabilities. The EMS 22 further generates white list information including one or a plurality of pieces of patch information indicating the location of each patch and information of the arithmetic device 10 that is permitted to apply. In the following description, this white list information is called patch list information, and white list information according to other embodiments is distinguished. The patch information includes, for example, the patch name and version of each patch, a hash value of data constituting the patch, application permission device information, storage location information, and restart necessity information. The application permission device information is information indicating the arithmetic device 10 that is permitted to apply the patch. The storage location information is information indicating the storage location of the patch. The restart necessity information is information indicating whether or not a restart is required after the patch is applied.

  The EMS 22 generates block data at the start time so as to include the generated patch list information. In the following description, block data including patch list information is called fourth block data to be distinguished from block data according to other embodiments. The fourth block data at the start time includes user list information as history information at the start time, and includes an initial value of a predetermined verification value and history information at the start time. A specific example of the fourth block data will be described later. The EMS 22 transmits the generated fourth block data at the start time to the arithmetic device 10 via the network NW.

  Next, the configuration of the arithmetic device 10 (FIG. 2) will be described in this embodiment. The function control unit 13 according to the present embodiment refers to the patch information of each patch included in the patch list information stored in the storage unit 18 and determines whether the patch needs to be applied. The function control unit 13 determines that the patch is to be applied when the information about the own device is included in the application permission device information of the patch and the patch is not applied in the own device, and the function control unit 13 When the permitted device information does not include the information of the own device, or the patch is being applied or has been applied in the own device, it is determined that the patch is not applied.

  When it is determined to be applied, the function control unit 13 transmits a patch request signal indicating a request for the patch to the device serving as the storage location indicated by the storage location information of the patch via the communication unit 16. The device serving as the storage location may be the EMS 22 or a device connected to a network NW other than the EMS 22. The function control unit 13 receives (downloads) a patch from the device as a response to the patch request signal via the communication unit 16. The function control unit 13 calculates the hash value of the received patch and determines whether or not it matches the hash value included in the patch information of the patch. When it is determined that they match, the function control unit 13 outputs the patch and the restart necessity information of the patch to the control calculation unit 11. The control calculation unit 11 applies (installs) the patch input from the function control unit 13 by replacing it with a corresponding part of the program. When the restart necessity information input from the function control unit 13 indicates that restart is necessary, the control calculation unit 11 stops the execution of the program and starts executing the program to which the patch is applied.

  When the patch is being applied, the function control unit 13 generates patch application information indicating that the patch is being applied in its own device, and stores the generated patch application information in the storage unit 18. When the application of the patch is completed, the function control unit 13 generates patch application information indicating that the patch has been applied in its own device, and stores the generated patch application information in the storage unit 18.

The block data storage unit 141 temporarily stores the fourth block data received from the EMS 22 or another arithmetic device 10 different from the own device via the communication unit 16 and the fourth block data generated by the transmission data generating unit 143 of the own device. To save.
The reception data analysis unit 142 reads the latest fourth block data from the fourth block data stored in the block data storage unit 141. When the latest read fourth block data is the fourth block data at the start time, the reception data analysis unit 142 extracts patch list information corresponding to the history information at the start time from the fourth block data. The extracted patch list information is stored in the storage unit 18. The patch list information need not always be stored every time new fourth block data is read. When new patch list information is acquired, the patch list information stored in the storage unit 18 may be updated to new patch list information.

  The received data analysis unit 142 extracts patch application information that is element information of history information from the fourth block data at each time point after the start time point, and extracts the patch for each patch from the extracted patch application information. The applied arithmetic device 10 may be specified. The received data analysis unit 142 may determine that all of the arithmetic devices 10 indicated by the application permission device information indicated by the patch information of a certain patch have applied the patch. In that case, the received data analysis unit 142 may delete the patch information and the patch application information related to the patch from the latest fourth block data stored in the block data storage unit 141. This prevents unnecessary data from being circulated, thereby reducing the amount of communication.

  The transmission data generation unit 143 reads the latest patch application information indicating the patch application state in the own device from the storage unit 18. Also, the transmission data generation unit 143 reads the latest fourth block data from the fourth block data stored in the block data storage unit 141 as the fourth block data at the previous time point, and applies the read fourth block data and the patch application. The current fourth block data is generated based on the information. The fourth block data at the current time is data including a verification value based on the fourth block data at the previous time point, and current history information configured by adding new patch application information as element information to the history information. . For example, the transmission data generation unit 143 calculates a hash value as a verification value by using a predetermined one-way function for each of the block header included in the previous fourth block data and the current history information. The transmission data generation unit 143 transmits the generated fourth block data to another arithmetic device 10 different from the own device, and stores it in the block data storage unit 141 of the own device. As a result, the fourth block data generated by the transmission data generation unit 143 is broadcast among a plurality of arithmetic devices 10 including its own device, and is shared with each other. Further, the reception data analysis unit 142 may transmit the generated fourth block data to the EMS 22 via the communication unit 16.

(Patch list information)
Next, patch list information according to the present embodiment will be described.
FIG. 15 is a diagram illustrating an example of patch list information according to the present embodiment.
The patch list information is composed of one or a plurality of pieces of patch information. The patch information of each patch is configured as a combination of a patch name, a version, a hash value of data constituting the patch, application permission device information, storage location information, and restart necessity information. The patch information in the second row in FIG. 15 includes the patch name “Patch 1”, version “1.00”, hash value “661957fd99573fbbe391b9b4a950a19b”, application permission device information “ALL”, storage location information “ABC / DEF / GHIJK”, It is configured to include “required” restart. One type of patch is represented by a set of patch name and version. That is, even if the patch names are the same, patches having different versions are treated as patches different from each other. The application permission device ALL indicates all of the arithmetic devices 10 instructed by the EMS 22 as the fourth block data broadcast destination. In the example shown in FIG. 15, the storage location information is represented by a path name. However, if the location can be specified, other information, for example, a URL (Uniform Resource Locator) may be used. Good.

(Patch application information)
Next, patch application information according to the present embodiment will be described.
FIG. 16 is a diagram showing an example of patch application information according to the present embodiment.
The patch application information is information indicating an application state for each patch in each arithmetic device 10. In the example illustrated in FIG. 16, each patch includes a patch name, an application date and time, and an application state. The second row of FIG. 16 shows the patch name “Patch 1”, the application date and time “2017/1/1”, and the application state “Applied”. Note that the patch application information may further include information on the version of the patch.

(Block data)
Next, block data according to the present embodiment will be described.
FIG. 17 is a diagram illustrating an example of block data according to the present embodiment.
BD81, BD82, and BD83 indicate the fourth block data at the start time point, the fourth block data at a time point after the start time point, and the fourth block data at the next time point, respectively.
The fourth block data includes a block header and history information at that time. The fourth block header includes a verification value based on the block data at the previous time point, a device ID, the number of operations, verification data, and a verification value of history information.

  However, as the verification value of the history information, the hash value of the patch list information is used for the fourth block data at the start time, and the patch list information and all the patches applied up to the present time are applied as the history information at each time after that. A hash value of history information configured by accumulating information is used.

The history information of the fourth block data at the start time includes patch list information. Each line of the patch list information includes patch information of each patch. The patch information includes the patch name, version, hash value, application permission device information, storage location information, and restart necessity information for each patch.
The history information of the fourth block data at a time later than the start time includes patch application information up to the present time as element information. Each piece of patch application information includes information on a patch name, an application date and time, and an application state for each patch. Information on the access user, access function, and access success / failure is included. The access function may include information on the arithmetic device 10 having the function.

  In the above description, when the function control unit 13 determines to apply a patch based on the application permission apparatus information, the case where the request for the patch and the control of the application are performed is described as an example, but the present invention is not limited thereto. When the function control unit 13 determines to apply a patch, the function control unit 13 may transmit patch application inquiry information for inquiring the user to apply the patch to the EMS 22 via the communication unit 16. When receiving the patch application inquiry information from the arithmetic device 10, the EMS 22 may display a patch application inquiry screen on the display unit. The patch application inquiry screen includes a message indicating an inquiry as to whether patch application is necessary. When the received operation indicates patch application, the EMS 22 transmits patch application instruction information as a response to the patch application inquiry information. When receiving the patch application instruction information from the EMS 22 via the communication unit 16, the function control unit 13 performs the above-described patch request and control of the application. Thereby, a patch is applied according to a user's intention.

  The EMS 22 may include an editing unit that generates the patch based on a user operation. Further, an approval accepting device may be further connected to the network NW. In this case, when the function control unit 13 of the arithmetic device 10 determines to apply a patch based on the application permission device information, the patch application inquiry information may be transmitted to the approval reception device via the communication unit 16. When receiving the patch application inquiry information from the arithmetic device 10, the approval receiving device may display a patch application inquiry screen on the display unit. The approval receiving apparatus transmits patch application instruction information as a response to the patch application inquiry information when an operation received from a user (Safety Supervisor) separate from the user involved in generating the patch indicates patch application. When the function control unit 13 receives patch application instruction information from the approval receiving apparatus via the communication unit 16, the function control unit 13 controls the above-described patch request and application. As a result, the application of the patch requires approval by a user different from the user related to the generation of the patch, so that the random application of the patch is avoided. As the approval receiving device, OPS 21 may be used, or a device separate from OPS 21 may be used.

FIG. 17 illustrates an example in which the patch list information includes storage location information of each patch, but is not limited thereto. Instead of the storage location information, the patch itself may be included in an execution format. In that case, the function control unit 13 may extract the patch from the patch list information stored in the storage unit 18 instead of receiving the patch from the storage location indicated by the storage location information. In this case, the fourth block data including the patch is broadcast between the arithmetic devices 10. Therefore, it is not necessary to consider the failure of the device that stores the patch, and the reliability as the distributed system is increased. Further, the received data analysis unit 142 may determine that all of the arithmetic devices 10 indicated by the application permission device information indicated by the patch information of a certain patch have applied the patch. In that case, the received data analysis unit 142 may delete the patch from the latest fourth block data stored in the block data storage unit 141. This prevents unnecessary data from being circulated, thereby reducing the amount of communication.
Note that the configuration of the redundancy system 1 according to the present embodiment and the modification may be applied to the redundancy system 2. Here, the control device 24 and the input / output device 28 may each have the same configuration as the arithmetic device 10 according to the present embodiment.

  As described above, in the redundant system (for example, the redundant systems 1 and 2) according to the present embodiment, the management device (for example, EMS 22) has the first point in time including the patch list information indicating the patch of the program. The 4-block data is provided to a plurality of arithmetic devices (for example, the arithmetic device 10, the control device 24, and the input / output device 28). Each of the plurality of arithmetic devices includes a control unit (for example, function control unit 13), a data generation unit (for example, transmission data generation unit 143), and a communication unit (for example, communication unit 16). The control unit determines whether it is necessary to apply the patch indicated by the patch list information. The data generation unit includes a verification value based on the fourth block data at the previous time point and patch application history information that is history information in which the patch application information indicating the patch application state is accumulated up to the present time. Generate data. The communication unit broadcasts the fourth block data among the plurality of arithmetic devices.

According to this configuration, the fourth block data having the latest patch list information at that time is shared among the arithmetic devices 10 while maintaining the distributed processing. Therefore, each arithmetic device 10 can apply a patch that is permitted to be applied in its own device. For example, when the patch indicated by the patch list is a security patch, cyber security is ensured by applying the security patch.
Further, according to the present embodiment, the EMS 22 does not need to specify the individual arithmetic devices and transmit the fourth block data, so that it is more than when the individual arithmetic devices 10 are specified and the fourth block data is transmitted. Thus, it is possible to suppress an increase in the amount of information that accompanies an increase in the number of transmission destination computing devices.
In addition, since the fourth block data including patch application information indicating the application state of the patch applied by each arithmetic device is broadcast, it is easy to find an arithmetic device to which the patch has not been applied. For example, cyber security is improved by executing a countermeasure (blocking communication or the like) for the arithmetic device 10 that has been informed of the vulnerability due to the patch not being applied.
In addition, since the patch list information and the patch application information are centrally shared between the arithmetic devices 10 by the fourth block data, this is a redundant system in which different types of control devices such as manufacturers, models, and functions are mixed. However, it is possible to apply a patch, and an environment that enables management thereof is constructed.

  As described above, in the embodiments and modifications of the present invention, the constituent elements in the above-described embodiments can be appropriately replaced with known constituent elements without departing from the spirit of the present invention. The technical scope of the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the spirit of the present invention.

For example, the arithmetic device 10 according to the second embodiment and the arithmetic device 10 according to the fourth embodiment are each provided with the detection unit 12 of the third embodiment, and the function control unit 13 and the block data processing unit 14 are respectively third. You may perform the process similar to the function control part 13 and the block data processing part 14 of embodiment.
In the arithmetic device according to the third embodiment, the function control unit 13 and the block data processing unit 14 may perform the same processes as the function control unit 13 and the block data processing unit 14 of the fourth embodiment, respectively.
Further, the block data processing unit 14 may determine whether or not the amount of history information included in the latest block data handled by itself exceeds a predetermined amount of information. When determining that the predetermined amount of information has been exceeded, the block data processing unit 14 may store the history information in the storage unit 18 and newly generate block data at the start time.
The transmission data generation unit 143 of each arithmetic device 10 may transmit the generated various block data to one or both of the OPS 21 and the EMS 22 via the communication unit 16.
In addition, each of a plurality of electronic devices connected via a network may have the same configuration as the arithmetic device 10 described above. Examples of such electronic devices include IoT (Internet of Things) devices such as Web cameras and sensor units.

Each of the arithmetic devices 10 according to the second embodiment to the fourth embodiment does not depend on the functions of the other embodiments including the first embodiment, and the block data (second block data) unique to the embodiment. (4th block data) may be provided only.
Note that “execution of processing based on a program that is permitted to execute”, “access to a predetermined function”, “an event that can damage cyber security”, and “application of a patch” are items that are not permitted or permitted by the computing device 10 It is an example.
Further, the redundancy system 1 and the redundancy system 2 are examples of an information processing system.

  The arithmetic device 10, the control device 24, and the input / output device 28 described above may have a computer system therein. Each process in the arithmetic device 10 and the like described above is stored in a computer-readable recording medium in the form of a program, and the above-described processing is performed by the computer reading and executing this program. Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, a semiconductor memory, or the like. Alternatively, the computer program may be distributed to the computer via a communication line, and the computer that has received the distribution may execute the program.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 1, 2 ... Redundancy system, 10 ... Arithmetic unit, 11 ... Control operation part, 12 ... Detection part, 13 ... Function control part, 14 ... Block data processing part, 16 ... Communication part, 18 ... Memory | storage part,
21 ... OPS, 22 ... EMS, 23 ... NA, 24 ... control device, 25 ... IO scanner, 26 ... IO network, 27 ... IO adapter, 28 ... input / output device, 141 ... block data storage unit, 142 ... received data analysis Part, 143 ... transmission data generation part

Claims (6)

An information processing system including a plurality of arithmetic devices,
Each of the plurality of arithmetic units is
Based on list information indicating items that are permitted or not permitted in the arithmetic device, a control unit that determines whether or not to execute processing for the items;
A data generation unit for generating current block data including a verification value based on block data at the previous time point and history information accumulated up to the present time regarding the occurrence of the matter;
A communication unit for broadcasting the block data among the plurality of arithmetic devices;
An information processing system comprising: A management device that provides the plurality of arithmetic devices with first block data at a start time including program list information indicating a program permitted to be executed;
The controller is
Determining whether to execute the process based on the program indicated by the program list information;
The data generator is
Generating the first block data at the present time including the verification value based on the first block data at the previous time point and the history information in which the activation program information indicating the activation state of the process is accumulated up to the present time;
The communication unit is
The information processing system according to claim 1, wherein the first block data is broadcast among the plurality of arithmetic devices. A management device that provides the plurality of arithmetic devices with second block data at the start point including user list information indicating users who are permitted to access a predetermined function;
The controller is
Determining whether to allow access to the function from the user based on the user list information;
The data generator is
Generating second block data at the present time including a verification value based on the second block data at the previous time point and access history information which is history information in which access status information indicating an access result to the function is accumulated up to the present time ,
The communication unit is
The information processing system according to claim 1, wherein the second block data is broadcast among the plurality of arithmetic devices. Each of the plurality of arithmetic units is
It has a detection unit that detects events that can compromise cyber security,
The data generator is
Generating current third block data including a verification value based on the third block data of the previous time point, and event history information that is history information in which the event information indicating the detected event is accumulated up to the present time;
The communication unit is
The information processing system according to any one of claims 1 to 3, wherein the third block data is broadcast among the plurality of arithmetic devices. A management device that provides the plurality of arithmetic devices with fourth block data at the start point including patch list information indicating a patch of the program;
The controller is
Determining whether or not to apply a patch indicated by the patch list information;
The data generator is
Generating current fourth block data including a verification value based on the fourth block data at the previous time point and patch application history information which is history information in which the patch application information indicating the patch application state is accumulated up to the present time ,
The communication unit is
The information processing system according to any one of claims 1 to 4, wherein the fourth block data is broadcast among the plurality of arithmetic devices. An information processing method in an information processing system including a plurality of arithmetic devices,
Each of the plurality of arithmetic units is
Based on list information indicating items that are permitted or not permitted in the arithmetic device, a control process for determining whether or not to execute processing for the items;
A data generation process for generating current block data including a verification value based on block data of the previous time point and history information accumulated up to the present time regarding the occurrence of the matter;
A communication process for broadcasting the block data between the plurality of computing devices;
An information processing method comprising:

Images