JP2021090106A - Control device network rule management device and control device network rule management method - Google Patents

Abstract

To provide a control device network rule management device and a control device network rule management method that can manage rules placed in a network security device.SOLUTION: A control device network rule management device 13 is provided in a control device network 1 including a control device 11 having a plurality of different software configurations and a plurality of different communication media 14, and a rule for safety inspection of a network security device 12 that inspects the safety of the control device network is arranged on the basis of software configuration of the control device and the configuration of the communication medium corresponding to the control device.SELECTED DRAWING: Figure 2

Description

The present invention relates to a control device network rule management device and a control device network rule management method.

In recent years, networks for control devices in a plurality of factories are connected to enable bidirectional communication via an external network, thereby realizing distributed control of control devices. It is conceivable that a malicious program (so-called virus) that affects the control device may invade the control device network via an external network, or that a malicious attacker may inject malicious control commands or data. Be done. Therefore, the control device network is required to have a network security device that protects each control device from the above-mentioned attacks.

The technique of Patent Document 1 discloses an unauthorized access countermeasure rule automatic setting device that automates the security management work of the unauthorized access countermeasure tool. The unauthorized access countermeasure rule automatic setting device acquires the weakness identification information of the protected network from the security vulnerability diagnosis tool. The unauthorized access countermeasure rule automatic setting device sets an unauthorized access countermeasure rule optimized to protect the protected network based on the weakness identification information.

The unauthorized access countermeasure rule automatic setting device can suppress the threat of unauthorized access while the countermeasure rule is not set by shortening the time until the countermeasure rule is set. The unauthorized access countermeasure rule automatic setting device can suppress the threat caused by human error by automatically setting the rule.

JP-A-2002-328896

A wide variety of control devices are installed in the factory, and each control device has a different software configuration and hardware configuration. As a result, a plurality of rules for detecting an attack are set in the network security device based on the software configuration and the hardware configuration of each control device.

However, the software and hardware used in the control device are diverse, and many attacks targeting each of them are also known. Setting rules for all of the many attacks on a network security device increases the number of rules stored on the network security device. As a result, in the network security device, the collation process may increase and the communication performance may decrease.

Therefore, the present invention has been made to solve the above problems, and provides a control device network rule management device and a control device network rule management method capable of managing rules arranged in a network security device. The purpose is.

The network from the network security device to the control device may have different communication media and communication standards for each control device. Therefore, unlike a network of personal computers and servers, an attack that affects a control device may not be able to correspond to the communication medium and communication standard used in the network, and may not reach the target control device.

Based on this, the control device network rule management device is provided between the control device network including the control device having a plurality of different software configurations and a plurality of different communication media, and the security of the control device network is improved. The rules used for the safety inspection are arranged for the network security device to be inspected based on the software configuration and hardware configuration of the control device and the configuration of the communication medium to which the control device is connected.

According to the present invention, only the rules necessary for the control device under the control device can be arranged in the network security device, and the deterioration of the communication performance in the network security device can be suppressed.

The schematic diagram of the distributed control system in 1st Example. Schematic diagram of the network for control equipment. Hardware configuration diagram of the rule management device for the control device network. Explanatory drawing of PLC configuration information. Explanatory drawing of the configuration information of the 1st network. Explanatory drawing of the first example in the inspection rule storage part. The explanatory view of the 2nd example in the inspection rule storage part. Explanatory diagram of the attack information storage unit. Explanatory drawing of an example of a network for control equipment. A flow chart showing an example of a processing procedure in a rule management device for a control device network. Explanatory drawing of rule arrangement determination processing. Flow diagram of rule reduction processing. The schematic diagram of the network for control equipment in 2nd Example. Explanatory diagram of the risk value storage unit. Flow diagram of the load adjustment unit. The schematic diagram of the network for control equipment in 3rd Example. Flow diagram of the rule movement processing unit. The schematic diagram of the network for control equipment in 4th Example. Explanatory drawing of memory capacity management part. Flow chart of rule arrangement judgment processing. Flow chart of leveling process.

Hereinafter, an embodiment of the present invention will be described, but the present embodiment is not limited to the embodiments described in the drawings. The present embodiment relates to a control device network rule management device capable of managing rules arranged in a network security device. In the present embodiment, the direction in which the information arrives, that is, the upstream side is referred to as an upper position, and the control device side, that is, the downstream side is referred to as a lower position, based on the direction in which predetermined information that affects each control device flows.

FIG. 1 is an explanatory diagram of the distributed control system 6. In the distributed control system 6, a PLC (Programmable Logic Controller) 11 as an example of a “control device” is provided for each manufacturing apparatus in the factory 5. Each PLC 11 independently controls the manufacturing apparatus and transmits the operation history to the management server 8.

The control device network 1 of each factory 5 is connected to the control device network 1 by an external network 7 so as to be capable of bidirectional communication. The management server 8 is connected to the control device network 1 of each factory 5 via an external network 7 so that bidirectional communication is possible. The management server 8 acquires, for example, the drive history of each PLC 11 and sends it to another computer.

The factory 5 includes, for example, a plurality of PLCs 11, a firewall (FW) 12 as an example of a plurality of “network security devices”, and a rule management device 13 for a control device network. In the factory 5, the control device network 1 is configured by connecting each PLC 11 and each FW 12 and the control device network rule management device 13 so as to be able to communicate in both directions.

Each PLC 11 and each FW 12 are connected in a bidirectional communication manner by, for example, a first network 14 as an example of a communication medium. Each PLC 11 is connected so as to be bidirectionally communicable by, for example, a first network 14. Each FW 12 and the control device network rule management device 13 are connected to each other by, for example, a second network 15 so as to be capable of bidirectional communication.

Each PLC11 controls a manufacturing apparatus in a factory, and each PLC11 may have a different software and hardware configuration depending on its contents. Each FW12 inspects the safety of the control device network 1. The control device network rule management device 13 manages the rules for safety inspection arranged in each FW 12.

The first network 14 may be, for example, wired communication or wireless communication. A different protocol may be set for each of the first networks 14 in the first network 14. The second network 15 may be, for example, wired communication or wireless communication.

The management server 8 acquires, for example, the operation history of the PLC 11 and outputs it to the user. The management server 8 acquires the operation history of the PLC 11 via the external network 7, for example.

FIG. 2 is a schematic view of the control device network 1. The control device network 1 is formed by connecting a plurality of devices provided in a factory so as to be able to communicate in both directions. The control device network 1 includes, for example, PLCs 11 (1) to 11 (5), FW12 (1) to 12 (3), and a control device network rule management device 13.

The PLC 11 includes, for example, a configuration information acquisition unit 111. The configuration information acquisition unit 111 acquires the hardware information and software information of the PLC 11 (see FIG. 4). The configuration information acquisition unit 111 also acquires connection information (described later in FIG. 5) to the first network 14 in each PLC 11.

The FW12 includes, for example, an inspection rule storage unit D1, a frame inspection unit 121, and a frame control unit 122. The inspection rule storage unit D1 stores the rules for safety inspection. The rule is set to detect an attack from a plurality of data passing through the FW12. The inspection rule storage unit D1 will be described later with reference to FIGS. 6 and 7.

In the following description, for example, when the inspection rule stored in the inspection rule storage unit D1 is simply indicated as the inspection rule D1, the data stored in various storage units is indicated by using the symbol of the storage unit. There is.

The frame inspection unit 121 determines whether or not the information passing through the FW 12 is an attack based on the inspection rule D1. The frame control unit 122 controls whether to pass information based on the above-mentioned determination result.

Each PLC11 and between the PLC11 and the FW12 are bidirectionally communicably connected by, for example, a plurality of different first networks 14 (1) to 14 (5).

The FW12 (1) and the PLC11 (1) are connected in both directions by, for example, the first network 14 (1) so as to be communicable. The PLC 11 (1) and the PLC 11 (2) are connected to each other so as to be communicable in both directions by, for example, the first network 14 (2). The FW12 (1) protects the PLC11 (1) and the PLC (2) from attack.

The FW12 (2) and the PLC11 (3) are connected in both directions by, for example, the first network 14 (3) so as to be communicable. The FW12 (2) protects the PLC11 (3) from attack.

The FW12 (3) and the PLC11 (4) are connected in both directions by, for example, the first network 14 (4) so as to be communicable. The PLC 11 (4) and the PLC 11 (5) are connected to each other so as to be communicable in both directions by, for example, the first network 14 (5). The FW12 (3) protects the PLC11 (4) and the PLC11 (5) from attack. The configuration of the control device network 1 is not limited to the configuration shown in FIG. 2, and may take various forms.

The control device network rule management device 13 arranges rules in each FW 12 based on the software configuration of each PLC 11 and the first network 14 corresponding to each PLC 11. The control device network rule management device 13 is bidirectionally connected to each FW 12 via the second network 15. The control device network rule management device 13 includes an attack information storage unit D2, a configuration information acquisition unit 131, an attack information extraction unit 132, a rule generation unit 133, a distribution information storage unit D3, and a load adjustment unit 134. It is provided with a rule distribution unit 135.

The attack information storage unit D2 stores information on the characteristics of the attack, information on software and hardware affected by the attack (having vulnerabilities), and the like (hereinafter collectively referred to as attack information). The attack information storage unit D2 will be described later in FIG. 8, for example.

For example, attack information may be transmitted from the attack information source 2 to the attack information storage unit D2. The attack information source 2 is provided outside the control device network 1, for example, and collects attack information related to the detected attack. The attack information storage unit D2 may also store, for example, attack information based on the user-defined rule 3 set by the user.

The configuration information acquisition unit 131 collects software and hardware configuration information in each PLC 11 from the configuration information acquisition unit 111. The configuration information acquisition unit 131 also collects connection information of each first network 14 in each PLC 11 from the configuration information acquisition unit 111.

The attack information extraction unit 132 extracts attack information that may affect PLC11 selected as a rule setting target from a plurality of attack information stored in the attack information storage unit D2, and extracts them into a rule generation unit. Send to 133.

Specifically, the attack information extraction unit 132 searches the software and hardware information of each PLC11 collected by the configuration information acquisition unit 131 for the information corresponding to the selected PLC11, and if there is a corresponding one, the attack information extraction unit 132 searches for the information corresponding to the selected PLC11. Extract them. The attack information extraction unit 132 further searches a plurality of attack information stored in the attack information storage unit D2 using the extracted software and hardware information as a key, and extracts the attack information including the key, if any. To do.

The rule generation unit 133 generates a rule for detecting an attack on the selected PLC 11 from the selected attack information. The rule generation unit 133 includes information on the characteristics of the attack included in the attack information extracted by the attack information extraction unit 132, for example, characteristic data patterns, network addresses, and port numbers included in viruses and illegal control data. Generate a rule to detect an attack using such as.

The distribution information storage unit D3 stores the rules generated by the rule generation unit 133 and the association information (for example, hardware ID and network address) of the FW12 to which the rules are set.

The load adjusting unit 134 determines whether to distribute each of the rules to each FW 12 based on the determination of whether the attack detected by each rule stored in the distribution information storage unit D3 can pass through the first network 14. decide. That is, the load adjusting unit 134 acquires the connection information from the configuration information acquisition unit 131 to the first network 14 in each PLC 11. The load adjusting unit 134 connects the attack to be detected by the rule to the lower level of each FW 12 based on the connection information of the first network 14 with respect to the rule stored in the distribution information storage unit D3. It is determined whether or not the PLC 11 can be reached, and if it is reachable, the information linking the rule and the FW 12 is stored in the distribution information storage unit D3. The detailed determination procedure of reachability will be described later with reference to FIG. 9 and the like.

The load adjusting unit 134 also adjusts the FW12 to which each rule is distributed, if necessary, so that the rules stored in the distribution information storage unit D3 fit within the set capacity allowed by each FW12. The detailed adjustment procedure will be described later with reference to FIG. 11 and the like.

The rule distribution unit 135 transmits the rules stored in the distribution information storage unit D3 to each FW12 via the second network 15, and stores the rules in the inspection rule storage unit D1. The rule distribution unit 135 acquires rule information and association information from the distribution information storage unit D3. The rule distribution unit 135 selects the FW12 to save the rule based on the association information.

FIG. 3 is a hardware configuration diagram of the control device network rule management device 13. The control device network rule management device 13 is a data transmission that connects a "CPU" (Central Processing Unit) H131, a storage unit H132, a memory H133, a communication unit H134, and each function H131 to H134 so as to be communicable with each other. The road H135 is provided.

In the storage unit H132, for example, a program of a rule generation unit 133, a configuration information acquisition unit 131, an attack information extraction unit 132, a load adjustment unit 134, and a rule distribution unit 135 is stored. In the storage unit H132, for example, a database of the attack information storage unit D2 and the distribution information storage unit D3 is stored.

The "CPU" H131 realizes each function by reading each program 131 to 135 from the storage unit H132 into the memory H133 and executing the program. The memory H133 is, for example, a volatile storage medium such as a RAM (Random Access Memory). The communication unit H134 is bidirectionally connected to each FW12 via the second network 15.

FIG. 4 shows the configuration information of the PLC 11. The configuration information acquisition unit 131 acquires the configuration information 1320 to 1322 of the PLC 11 from the configuration information acquisition unit 111 of each PLC 11. The configuration information of the PLC 11 includes, for example, identification information 1320, control number 1321, and configuration information 1322.

The identification information 1320 is information for identifying each PLC 11, and for example, the MAC address in the network port of the PLC 11 may be used. The configuration information 1322 includes, for example, hardware information of each PLC11, OS (Operating System) information, and application information.

FIG. 5 shows the connection information of the first network 14. The configuration information acquisition unit 131 acquires connection information 1323 to 1329 with the first network 14 from the configuration information acquisition unit 111 of each PLC 11. The connection information of the first network 14 includes, for example, the identification information 1320 of the PLC 11, the control number 1323, the identification information 1324 of the network interface connected to the first network 14, and the protocol information used in the first network 14. 1325, 1326, the identification information 1327 of the first network 14, the address 1328 of the PLC 11 in the first network 14, and whether data can be transferred between each of the plurality of first networks 14. It is provided with communicable information 1329 to be shown.

6 and 7 show inspection rule storage units D1 (1) and D1 (2) as an example of the inspection rule storage unit D1. The inspection rule storage unit D1 (1) shows a case where field information such as an attack destination address and a protocol used for an attack is used as a rule. The inspection rule storage unit D1 (2) shows a case where a feature pattern included in a virus used for an attack or an illegal control command is used as a rule.

FIG. 6 is an explanatory diagram of the inspection rule storage unit D1 (1). For example, the control number D11, the field position D12, the field value D13, and the mask information D14 are stored in the inspection rule storage unit D1. The field position D12 indicates the position where the field value D13 appears in the attack data. The mask information D14 indicates information for designating a matching portion when a partial matching of the field value D13 is a condition.

FIG. 7 is an explanatory diagram of the inspection rule storage unit D1 (2). For example, the control number D15, the pattern value D16, and the pattern length D17 are stored in the inspection rule storage unit D1. Information indicating the attack feature pattern is stored in the pattern value D16. The length of the data representing the pattern value D16 is stored in the pattern length D17.

FIG. 8 is an explanatory diagram of the attack information storage unit D2. For example, the control number D21, the vulnerability information D22, the attack condition D23, and the detailed attack information D24 are stored in the attack information storage unit D2. The control number D21 stores a number that identifies the vulnerability information D22, the attack condition D23, and the detailed attack information D24.

Vulnerability information D22 stores information on software and hardware that are vulnerable to an attack. Vulnerability information D22 may be described in a standardized notation such as Common Platform Enumeration (CPE) in order to uniformly represent information on various software and hardware. The attack condition D23 stores the condition of the communication content for a successful attack using the vulnerability information D22. The detailed attack information D24 stores a description of the effects of the attack. This information will be used as a reference when the user manages or verifies the generated rules later, and will not be used in subsequent operations.

Hereinafter, the processing flow of the control device network rule management device 13 shown in FIG. 10 will be described with reference to FIG. FIG. 9 is an explanatory diagram of an example of the control device network 1.

The control device network rule management device 13 refers to the connection information 1323 to 1329 of the first network 14 included in the information acquisition unit 131 to generate a network model with each PLC 11 as a node, and each function 131. ~ 135 may be realized. In this case, each PLC 11 may be read as a node of the network model.

For example, "attack A" and "attack B" as an example of an attack are sent to the control device network 1 via the external network 7 (both are not shown). "Attack A" can pass when the first network 14 is set to communicate with "Protocol A", and affects the software configuration including "Vulnerability A". "Attack B" can pass when the first network 14 is set to communicate with "Protocol B", and affects the software configuration including "Vulnerability B". It is assumed that the attack information of the "attack A" and the "attack B" is stored in the attack information storage unit D2 including information on the respective vulnerabilities.

The software configuration of PLC11 (1) includes, for example, "Vulnerability A". The software configuration of PLC11 (2) includes, for example, "Vulnerability A" and "Vulnerability B".

The first network 14 (1) is set to communicate with, for example, "protocol A" and "protocol B". The first network 14 (2) is set to communicate by, for example, "protocol A".

FIG. 10 is a flow chart showing an example of a processing procedure in the control device network rule management device 13. The processes of the control device network rule management device 13 are, for example, a process of acquiring vulnerability information D22 from each PLC11 (S1 to S2) and a process of collecting the latest software configuration, hardware configuration, and network configuration (S3 to S3). It can be roughly divided into S4), a rule extraction process (S5 to S8), a rule arrangement determination process (S10), and a rule distribution process to the FW 12 (S11).

The control device network rule management device 13 determines whether the information between the attack information source 2 and the user-defined rule 3 has been updated (S1). When updated (S1: Yes), the control device network rule management device 13 integrates the attack information source 2 and the user-defined rule 3 and generates new attack information in the attack information storage unit D2 (S1: Yes). S2).

If it is not updated (S1: No) or after the processing (S2) is completed, the control device network rule management device 13 determines whether the software configuration, hardware configuration, and network configuration information of the PLC 11 has been updated (S3). .. When updated (S3: Yes), the configuration information acquisition unit 131 acquires configuration information from each PLC 11 (S4).

If it is not updated (S3: No) or after the processing (S4) is completed, the attack information extraction unit 132 uses the software information and hardware information of each PLC11 acquired by the configuration information acquisition unit 131 as keys, and these are vulnerability information. The attack information included in D22 is searched and extracted from the attack information storage unit D2 (S5). For example, since the software of PLC11 (2) includes "vulnerability B", the attack information extraction unit 132 extracts the attack information of the "attack B" corresponding to the "vulnerability B".

The control device network rule management device 13 determines whether or not the information in the first network 14 has been updated (S6). When the information of the first network 14 is updated, for example, a case where a new PLC 11 is provided in the control device network 1 is shown.

When there is an update (S6: Yes), the configuration information acquisition unit 131 acquires the connection information of the first network 14 (S7). The configuration information acquisition unit 131 may aggregate only the updated information of the first network 14.

If there is no update (S6: No) or after the process (S7) is completed, the rule generation unit 133 determines whether to execute the rule generation process (S9) (S8). The determination results in the above processes (S1), (S3), and (S6) are checked, and if any of the information is updated (S8: Yes), the rule generation unit 133 performs the rule generation process (S9). To execute.

The judgment results in the above processes (S1), (S3), and (S6) are checked, and if none of the information is updated (S8: No), there is no need to generate a new rule, so the process. (S9) to (S11) are skipped and the process proceeds to the standby process (S12).

The above processes (S2), (S4), and (S7) may be executed asynchronously with the processes other than the above, instead of being a series of processes as described above. That is, the information acquisition and collection processes in the processes (S2), (S4), and (S7) are executed at arbitrary cycles, and only the results are checked in the processes (S1), (S3), and (S6). You may do it.

In the rule generation process (S9), the rule generation unit 133 refers to the attack condition D23 included in the attack information extracted from the attack information storage unit D2 by the attack information extraction unit 132, and sets a rule for detecting the attack. Generate. Specifically, the data structures exemplified by the inspection rules D1 (1) and D1 (2) are generated from the field values such as the address included in the attack condition D23 and the characteristic pattern such as a virus. The rule generation unit 133 stores the created rule in the distribution information storage unit D3.

The load adjusting unit 134 executes the rule arrangement determination process (S10). The rule arrangement determination process (S10) determines, for example, the FW12 in which the generated rule is arranged.

FIG. 11 is an explanatory diagram of the rule arrangement determination process (S10). The load adjusting unit 134 associates the generated rule with each PLC 11 (S101). The load adjusting unit 134 associates, for example, the PLC 11 (1) with the "rule A" for detecting the "attack A". Further, the PLC 11 (2) is associated with the "rule A" that detects the "attack A" and the "rule B" that detects the "attack B".

The load adjusting unit 134 selects one of the PLCs 11 (S102). As an algorithm for selecting the PLC 11, for example, the PLC 11 located on the lower side of the network may be sequentially selected toward the upper side. Here, the load adjusting unit 134 selects PLC11 (2). Hereinafter, the selected PLC11 may be referred to as "selected PLC11".

The load adjusting unit 134 executes the rule reduction process (S103) using the information of the first network 14. FIG. 12 is a flow chart of the rule reduction process (S103). The load adjusting unit 134 acquires information on the upper side of the selected PLC 11, that is, the information of the first network 14 from the selected PLC 11 to the FW 12 from the information acquisition unit 131 (S1031). The load adjusting unit 134 acquires, for example, information on the first networks 14 (1) and 14 (2) between the PLC 11 (2) and the FW 12 (1).

The load adjusting unit 134 selects one rule associated with the selected PLC 11 on the distribution information storage unit D3 (S1032). The load adjusting unit 134 selects, for example, the "rule A" associated with the PLC 11 (2).

The load adjusting unit 134 determines whether or not the attack detected by the selected rule can reach the selected PLC 11 (S1033). When it is determined that the attack reaches the selected PLC 11 (S1033: Yes), the control device network rule management device 13 returns to the process (S1032).

For example, when the "rule A" is selected in the PLC 11 (2), it is determined whether the "attack A" detected by the selection can reach the PLC 11 (2). For the above determination, connection information 1323 to 1329 with the first network 14 included in the configuration information acquisition unit 131 may be used. For example, the protocol information 1325, 1326 determines whether the communication protocol used by the attack can pass through the first network 14, and the identification information 1327 of the first network 14 and the address 1328 of the PLC 11 cause the PLC 11 to pass through the first network. It may be determined whether it belongs to 14. Since the first networks 14 (1) and 14 (2) can communicate with the "protocol A", the load adjusting unit 134 determines that the "attack A" can reach the PLC 11 (2).

When it is determined that the attack does not reach the selected PLC11 (S1033: No), the load adjusting unit 134 releases the association between the selected PLC11 and the selected rule (S1034). For example, when the "rule B" is selected in the PLC 11 (2), the first network 14 (2) cannot communicate with the "protocol B", so that the "attack B" detected by the "rule B" is It is determined that the "attack B" cannot reach the PLC 11 (2) because it cannot pass through the first network 14 (2). Therefore, the association between PLC11 (2) and "Rule B" is released.

The load adjusting unit 134 repeats the process (S1032 to S1034) until the determination of all the rules in the selected PLC 11 is completed. When the determination for all the rules is completed, the load adjusting unit 134 ends the rule reduction process (S103).

Returning to FIG. 11, the load adjusting unit 134 executes the rule reduction process (S103) for all PLC11s. When the processing (S103) for all the PLCs 11 is completed, the load adjusting unit 134 selects the FW12 to which the rule is distributed (S104). The load adjusting unit 134 generates, for example, association information with the FW12 selected as the save destination of the rule based on the association between the PLC 11 set in the process (S101, S93) and the rule.

If there is a PLC11 to which the rule is associated, the load adjusting unit 134 associates the rule with the FW12 located immediately above the PLC11. For example, since the "rule A" is associated with the PLC 11 (2), the load adjusting unit 134 associates the "rule A" with the FW12 (1) located immediately above the PLC 11 (2). .. When the process (S104) is completed, the control device network rule management device 13 ends the rule arrangement determination process (S10).

The load adjusting unit 134 does not associate the rule whose association has been deleted by the process (S1034) with the FW12. The load adjusting unit 134 does not associate the "rule B" with the FW12 (1) because, for example, the relationship between the PLC11 (2) and the "rule B" is deleted. That is, the load adjusting unit 134 associates the rule corresponding to the attack with the FW12 only when the attack reaches the PLC 11.

Returning to FIG. 10, the rule distribution unit 135 distributes the rule to the FW12 associated with the rule arrangement determination process (S10) (S11). After that, the control device network rule management device 13 resumes execution from the process (S1) after waiting for a predetermined time (S12). The control device network rule management device 13 may wait until an update instruction from the user is received instead of waiting for a predetermined time in the process (S12). Further, the control device network rule management device 13 may end the processes (S1) to (S12) when the power of the control device network rule management device 13 is turned off or the like.

By providing the load adjusting unit 134, the control device network rule management device 13 shown above can adjust the arrangement of rules based on whether the attack can reach the PLC 11. The control device network rule management device 13 can suppress the setting of rules that cannot reach the PLC 11 in the FW 12, and can reduce the number of rules set in the FW 12.

As a result, the control device network rule management device 13 can suppress an increase in the load of the collation process in the safety inspection of the FW12. Alternatively, since the control device network rule management device 13 stores only the rules necessary for protecting the lower PLC 11 in the FW 12, it is possible to suppress a decrease in utilization efficiency of the rule storage area in the FW 12.

As a result, the memory of the FW 12 can be miniaturized as compared with the case where the rule management device 13 for the control device network is not provided, so that the FW 12 can be made smaller. As a result, the cost of the FW 12 can be suppressed, and the FW 12 can be more easily arranged in the control device network 1.

Since this embodiment corresponds to a modified example of the first embodiment, the differences from the first embodiment will be mainly described. This embodiment is a control device network rule management device 13a that manages rules based on a risk value as an example of a “predetermined value”.

FIG. 13 is a schematic view of the control device network 1a. The control device network 1a includes, for example, a PLC 11, a FW 12, and a control device network rule management device 13a. The control device network rule management device 13a includes an attack information storage unit D2, a configuration information acquisition unit 131, an attack information extraction unit 132, a rule generation unit 133, a load adjustment unit 134a, and a distribution information storage unit D3. It includes a rule distribution unit 135 and a risk value storage unit D4.

The load adjusting unit 134a adjusts the rule arranged in the FW 12 based on the risk index F (x). The risk index F (x) indicates, for example, the threat of an attack calculated using the risk value D42 (see FIG. 15) stored in the risk value storage unit D4 as a coefficient. The risk value storage unit D4 will be described with reference to FIG.

The load adjusting unit 134a acquires the connection information of the first network 14 from the configuration information acquisition unit 131. The load adjusting unit 134a acquires a rule from the distribution information storage unit D3. The load adjusting unit 134a acquires the risk value D42 from the risk value storage unit D4.

The load adjusting unit 134a calculates the risk index based on the risk value D42 and the connection information of the first network 14. The load adjusting unit 134a associates the rule with the FW12 based on the risk index. The load adjusting unit 134 stores the association information in the distribution information storage unit D3.

The risk index F (x) may be calculated by, for example, the following formula 1.
F (x) = x1 + x2 + x3 + ... + xn ... (Equation 1)
In Equation 1, "x1 to xn" represent the risk value D42, respectively. “N” indicates a predetermined integer. The risk index F (x) is not limited to being obtained by the above formula 1, but may be obtained by another formula.

FIG. 14 is an explanatory diagram of the risk value storage unit D4. In the risk value storage unit D4, for example, the risk value D42 is stored by the user. In the risk value D42, for example, a value corresponding to the attack effect information D41 is stored.

The attack impact information D41 indicates the threat of the attack to PLC11. In the attack impact information D41, for example, "high impact", "communication with a protocol that can use the attack", and "there is a protocol converter on the upper side" are stored.

“Large impact” indicates, for example, a case where the impact of an attack on PLC 11 is equal to or greater than a predetermined impact. Predetermined effects include, for example, the case where the PLC 11 malfunctions and the case where normal data cannot be acquired. Also, certain effects may be expressed using standard criteria such as, for example, the Common Vulnerability Scoring System (CVSS). "Implementing a protocol through which an attack can pass" indicates, for example, that the communication protocol required for the attack to pass through the first network 14 is implemented in the PLC 11. The condition may be determined from, for example, protocol information 1325, 1326 included in the information acquisition unit 131. "There is a protocol conversion function on the upper side" means, for example, that the communication protocol necessary for the attack to pass through the first network 14 is not implemented in the PLC 11 itself, but it is implemented in the PLC 11 from the communication protocol. It is shown that the conversion function to any of the above-mentioned protocols is implemented in another PLC11 or the like arranged above the PLC11. The condition may be determined based on, for example, the communicable information 1329 included in the information acquisition unit 131.

The risk value D42 includes, for example, "0.5" corresponding to "high impact", "0.3" corresponding to "communication with a protocol that can be attacked", and "protocol converter on the upper side". "0.2" corresponding to "is" is saved.

FIG. 15 is a flow chart of the load adjusting unit 134a. The load adjusting unit 134a executes the rule reduction process (S103a). The load adjusting unit 134a executes the process (S1031) and the process (S1032), and selects one rule associated with the selected PLC 11.

The load adjusting unit 134a calculates the risk index F (x) for the selected rule (S1035). The load adjusting unit 134a acquires, for example, the connection information between the PLCs 11 and the vulnerability information of the selected PLC11 from the configuration information acquisition unit 131. Based on the connection information and the vulnerability information, the load adjusting unit 134a determines whether the selected PLC 11 applies to the attack effect information D41 corresponding to the selected rule.

For example, when an attack corresponding to the selected rule causes a malfunction as an effect on the selected PLC 11, the load adjusting unit 134a sets, for example, “x1” in the equation 1 to “0.3”. To do. Further, when the attack can reach the selected PLC 11 via the first network 14, the load adjusting unit 134a sets, for example, "x2" to "0.5". That is, the load adjusting unit 134a calculates the risk index F (x) of the attack as “0.8” based on Equation 1.

The load adjusting unit 134a determines whether the risk index F (x) is equal to or higher than a predetermined threshold value (S1036). The predetermined threshold value is a value for determining whether or not to save the rule in the FW12. The predetermined threshold value may be preset by the user.

When it is determined that the risk index is equal to or higher than a predetermined threshold value (S1036: Yes), the load adjusting unit 134a returns to the process (S1032) and selects another rule. For example, when "0.7" is set as a predetermined threshold value, the load adjusting unit 134a has the risk index F (x) exceeding the predetermined threshold value, so that the FW12 is located higher than the selected PLC11. Judge that the rule is saved in.

When it is determined that the risk index is smaller than the predetermined threshold value (S1036: No), the load adjusting unit 134 releases the association relationship between the selected PLC 11 and the selected rule (S1034). For example, when "0.9" is set as a predetermined threshold value, the load adjusting unit 134a links the selected PLC 11 with the selected rule because the risk index F (x) is smaller than the predetermined threshold value. Release the relationship.

The load adjusting unit 134a returns to the process (S1032) after the process (S1036: Yes) or the process (S1034) is completed, and selects another rule (S1032). When the determination of the processing (S1036, S1034) is executed for all the rules, the load adjusting unit 134a ends the rule reduction processing (S103a).

Since the control device network rule management device 13 shown above includes the load adjusting unit 134a, it is possible to determine whether to place a rule in the FW 12 based on the risk index F (x). As a result, the control device network rule management device 13 can manage the rule arrangement of the FW 12 based on the communication possibility of the attack and other indicators.

Since this embodiment corresponds to a modified example of the first and second embodiments, the differences from the first and second embodiments will be mainly described. This embodiment is a control device network rule management device 13b capable of changing the rule arrangement between the FW12s.

FIG. 16 is a schematic view of the control device network 1b. The control device network 1b includes, for example, a plurality of PLCs 11, a plurality of FW 12b, and a control device network rule management device 13b.

The FW12b inspects the safety of the control device network 1b. The FW 12b includes an inspection rule storage unit D1, a frame inspection unit 121, and a frame control unit 122. The FW12b includes the upper FWs 123 (1) and 123 (2) and the lower FWs 124 (1) to 124 (4).

The upper FW 123 (1) and 123 (2) may be referred to as the upper FW 123 unless otherwise specified. The lower FW 124 (1) to 124 (4) may be referred to as a lower FW 124 unless otherwise specified.

The upper FW 123 is, for example, communicably connected to the second network 15 and is located on the upper side of the lower FW 124. The lower FW 124 is, for example, communicably connected to the upper FW 123 and the PLC 11 and is located on the lower side of the upper FW 123. The FW12b is not limited to the two layers of the upper FW123 and the lower FW124, and may be three or more layers.

For example, the lower FW 124 (1) and 124 (2) are connected to the upper FW 123 (1) so as to be able to communicate with each other. For example, the lower FW 124 (3) and 124 (4) are connected to the upper FW 123 (2) so as to be able to communicate with each other.

The control device network rule management device 13b manages the rules arranged in each FW 12b. The control device network rule management device 13b includes, for example, a rule arrangement processing unit 130 and a rule movement processing unit 137.

The rule arrangement processing unit 130 arranges a rule in each FW 12b based on the configuration information of the PLC 11 and the connection information between the PLC 11. The rule placement processing unit 130 is, for example, an attack information storage unit D2 (see FIG. 2), a configuration information acquisition unit 131, an attack information extraction unit 132, a rule generation unit 133, a load adjustment unit 134, and distribution information storage. A unit D3 and a rule distribution unit 135 are provided.

The rule movement processing unit 137 changes the FW12b associated with the rule stored in the distribution information storage unit D3 so that the rule is distributed to a different FW12b. The rule movement processing unit 137 includes, for example, a FW structure acquisition unit 138, a rule acquisition unit 139, a movement determination unit 140, and a rule movement unit 141.

The FW structure acquisition unit 138 acquires the arrangement information of each FW12b. The rule acquisition unit 139 acquires the rule information stored in the distribution information storage unit D3.

The movement determination unit 140 determines whether or not the rule is associated with another FW12b. For example, when a rule common to each lower FW 124 is set, the movement determination unit 140 determines that the rule is distributed to the upper FW 123 instead of each lower FW 124.

The rule movement unit 141 changes the association between the rule and each FW 12b based on the determination result of the movement determination unit 140. When a rule common to each lower FW 124 is arranged, the rule moving unit 141 releases the association between the common rule and each lower FW 124, and instead sets the association with the upper FW 123. To do.

FIG. 17 is a flow chart of the rule movement processing unit 137. The FW structure acquisition unit 138 acquires the structure of the FW 12b (S13). The FW structure acquisition unit 138 has, for example, information that the lower FW 124 (1) and 124 (2) are located on the lower side of the upper FW 123 (1) and the lower FW 124 (2) on the lower side of the upper FW 123 (2). 3), the information on which 124 (4) is located is acquired.

The rule acquisition unit 139 acquires the rules associated with each FW12b from the distribution information storage unit D3 (S14). The rule acquisition unit 139 acquires, for example, "rule A" and "rule B" associated with the lower FW124 (1) from the distribution information storage unit D3. The rule acquisition unit 139 acquires, for example, "rule A" and "rule C" associated with the lower FW124 (2) from the distribution information storage unit D3.

The movement determination unit 140 selects one upper FW123 (S15). The movement determination unit 140 selects, for example, the upper FW 123 (1). When the FW 12b is connected over three or more layers, the upper FW 123 is selected in order from the second layer except for the lowest FW 12b.

The movement determination unit 140 determines whether or not the lower FW 124 has a common rule (S16). The movement determination unit 140 determines, for example, whether the common rule is stored in the lower FWs 124 (1) and 124 (2) that are communicably connected to the upper FW 123 (1).

When it is determined that the common rule is saved (S16: Yes), the rule moving unit 141 releases the association with the lower FW 124 in the common rule, and instead associates it with the upper FW 123. Set (S17). The movement determination unit 140 determines, for example, that the "rule A" is commonly associated with the lower FW 124 (1) and 124 (2). For example, the rule moving unit 141 releases the association between the "rule A" and the lower FW 124 (1) and 124 (2), and newly sets the association with the upper FW 123 (1).

When it is determined that there is no common rule (S16: No) or the process (S17) is completed, the rule movement processing unit 137 completes the determination as to whether to move the rule in all the upper FW 123s. Processes (S16, S17) up to. When the FW12b is connected over three or more layers, if there is a further FW12b above the upper FW123 that has been processed so far, the processing is continued as a new upper FW123. The rule movement processing unit 137 ends the processing when the determination of whether to move the rule is completed in all the upper FW 123s.

The control device network rule management device 13b shown above can move the rules common to the lower FW 124 to the upper FW 123 by including the rule movement processing unit 137. As a result, the control device network rule management device 13 can suppress the memory usage rate of each FW 12b as compared with the case where the rules common to the lower FW 124 are stored. As a result, more rules can be set for each FW12b.

Since this embodiment corresponds to a modified example of the third embodiment, the differences from the third embodiment will be mainly described. This embodiment is a control device network rule management device 13c capable of suppressing the memory shortage of the FW 12b.

FIG. 18 is a schematic view of the control device network 1c. The control device network 1c includes, for example, a PLC 11, a FW 12b, and a control device network rule management device 13c.

The control device network rule management device 13c manages the rules stored in each FW12b. The control device network rule management device 13c includes, for example, a rule arrangement processing unit 130 and a memory capacity management unit 142.

The memory capacity management unit 142 suppresses the memory shortage of each FW12b. The memory capacity management unit 142 associates some rules with another FW12b when, for example, a rule having a memory capacity or more is associated with a certain FW12b. The memory capacity management unit 142 causes the management terminal 4 to display a warning when, for example, the memory capacity of each FW12b is exceeded and the rule is saved.

The management terminal 4 is a terminal on which the user can manage the rules stored in the FW 12b. The user can operate the distribution information storage unit D3 so as to delete the rule stored in the FW 12b by using, for example, the management terminal 4.

FIG. 19 is an explanatory diagram of the memory capacity management unit 142. FIG. 19 shows an example of the leveling process (S105) (described later in FIG. 20) of the memory capacity management unit 142. The leveling process (S105) suppresses the memory shortage of the FW12b. The memory capacity management unit 142 is not limited to the case shown in FIG.

A capacity that can store rules is set in the inspection rule storage unit D1. For example, 32 rules can be stored in the inspection rule storage unit D1 (1), and 20 rules have already been distributed. For example, 32 rules can be stored in the inspection rule storage unit D1 (2), and 10 rules have already been distributed.

The load adjusting unit 134 sets, for example, that the lower FW124 (1) is newly associated with 20 rules. The load adjusting unit 134 sets, for example, that the lower FW 124 (2) is newly associated with 10 rules.

The memory capacity management unit 142 detects that a rule larger than the memory capacity of the FW 12b is arranged, and sets a predetermined number of rules to be arranged in another FW 12b. In the memory capacity management unit 142, for example, in the distribution information storage unit D3, 20 rules are already associated with the lower FW124 (1), so when 20 rules are newly associated and distributed as they are. In addition, it is determined that the memory of the lower FW124 (1) is insufficient. In this case, the memory capacity management unit 142 describes, for example, the FW124 with respect to the 20 rules already associated with the lower FW124 (1) and the 10 rules out of the 20 newly associated rules. The association with (1) is released, and instead, it is associated with the upper FW123 (1).

FIG. 20 is a flow chart of the rule arrangement determination process (S10a). The load adjusting unit 134 determines the FW12b on which the rule is arranged by executing the processes (S101 to S104).

The memory capacity management unit 142 executes the leveling process (S105). FIG. 21 is a flow chart of the leveling process (S105). The memory capacity management unit 142 selects one lower FW124 (S1051). The memory capacity management unit 142 selects, for example, the lower FW124 (1).

The memory capacity management unit 142 determines whether the memory capacity of the selected FW 12b is insufficient (S1052). The memory capacity management unit 142 compares, for example, the number of rule distributions to the lower FW 124 (1) with the number of newly storable rules to determine whether the memory of the lower FW 124 (1) is insufficient. judge.

When the memory capacity is insufficient (S1052: Yes), the memory capacity management unit 142 determines whether or not the FW12b on the upper side has an excess free space (S1053). The memory capacity management unit 142 acquires, for example, from the load adjustment unit 134 that the number of rules arranged in the lower FW 124 (1) is 20. The memory capacity management unit 142 acquires, for example, that the limit number of rule storage of the inspection rule storage unit D1 (1) is 32.

The memory capacity management unit 142 calculates, for example, that the number of rules that can be stored in advance is 20, so that the number of rules that can be newly stored in the inspection rule storage unit D1 (1) is 12. As a result, the memory capacity management unit 142 determines that the memory capacity of the inspection rule storage unit D1 (1) is exceeded by eight rules.

The memory capacity management unit 142 acquires the number of rules stored in the upper FW 123 (1) and the number of rules that can be stored by the inspection rule storage unit D1. The memory capacity management unit 142 determines, for example, that the upper FW 123 (1) has a free capacity in which 32 rules can be arranged.

When there is free space in the memory of the upper FW 123 (S1053: Yes), the memory capacity management unit 142 determines whether there is a rule that can change the association (S1054). The memory capacity management unit 142 determines, for example, that the upper FW 123 (1) has more free space than the number of exceeding eight rules. The memory capacity management unit 142 determines, for example, whether or not the 20 rules stored in the inspection rule storage unit D1 (1) in advance have a rule whose association can be changed to the upper FW 123 (1).

When there is a rule that can change the association (S1054: Yes), the memory capacity management unit 142 sets the association with the rule to be changed by the upper FW 123 (S1055). The memory capacity management unit 142 can change the association of 10 rules out of the 20 rules already associated with the lower FW124 (1) and the newly associated 20 rules, for example. Is determined. For example, the memory capacity management unit 142 releases the association with the lower FW 124 (1) on the distribution information storage unit D3 for the 10 rules determined to be changeable, and newly releases the upper FW 123. Set the association with (1).

When the processing (S1052 to S1054) is No or the processing (S1055) is completed, the memory capacity management unit 142 returns to the processing (S1051) and selects another FW12b, for example. When the processing (S1052 to S1055) for all the FW12b is completed, the memory capacity management unit 142 determines whether or not there is a FW12b having a insufficient memory capacity (S1056).

After executing the above processing, if there is a FW12b that still exceeds the upper limit of the memory capacity (S1056: Yes), the memory capacity management unit 142 outputs a warning to the management terminal 4 (S1057). The memory capacity management unit 142 waits for the rule management of the FW 12b by the user (S1058).

The user may transmit the end signal of the process (S1058) to the control device network rule management device 13c by the management terminal 4. After the processing (S1058) is completed or when there is no FW12b that lacks memory (S1056: No), the memory capacity management unit 142 ends the leveling processing (S105).

By providing the memory capacity management unit 142 in the control device network rule management device 13c shown above, it is possible to prevent the memory capacity from becoming insufficient. The control device network rule management device 13c can prompt the user to delete unnecessary rules by outputting a warning to the management terminal 4. As a result, the control device network rule management device 13c can further suppress the number of rules set in the FW 12b.

The control device network rule management device 13 may execute the rule movement processing unit 137 shown in the third embodiment before executing the process (S1051). In this case, since the number of rules stored in the lower FW 124 can be reduced, it is possible to suppress the excess of the memory capacity.

The present invention is not limited to the above-described embodiment, and includes various modifications. The above-described embodiment has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to those having all the described configurations. It is also possible to replace a part of the configuration of one embodiment with the configuration of another embodiment. It is also possible to add the configuration of another embodiment to the configuration of one embodiment. In addition, other configurations can be added / deleted / replaced with respect to a part of the configurations of each embodiment.

The present invention can include the computer programs shown below. The computer program for operating the computer as a rule management device for the control device network controls the software configuration and control of the control device software on the computer to check the safety of the network for the control device and the rules for the safety check of the network security device. Realize the function of arranging based on the communication medium corresponding to the device.

1 ... Network for control equipment, 11 (1) to 11 (5) ... Control equipment, 111 ... Configuration information acquisition unit, 12 (1) to 12 (3) ... Network security device, 121 ... Frame inspection unit, 122 ... Frame control unit, 13 ... Control device network rule management device, 131 ... Configuration information acquisition unit, 132 ... Attack information extraction unit, 133 ... Rules Generation unit, 134 ... Load adjustment unit, 135 ... Rule distribution unit, 14 (1) to 14 (5) ... 1st network, 15 ... 2nd network, 2 ... Attack Information source, 3 ... User-defined rules

Claims (8)

It is provided in a control device network including a control device having a plurality of different software configurations and a plurality of different communication media.
For a control device network, rules for safety inspection of a network security device for inspecting the safety of the control device network are arranged based on the software configuration of the control device and the configuration of the communication medium corresponding to the control device. Rule management device. The rule prevents predetermined information affecting the software of the control device from reaching the control device.
When the software configuration of a predetermined control device is vulnerable to the predetermined information, the rule management device for the control device network places the rule on the higher side than the predetermined control device. The control device network rule management device according to claim 1, which is arranged in a network security device. The control device network rule management device sets the rule when a predetermined communication medium located between the predetermined network security device and the predetermined control device can transfer the predetermined information. The control device network rule management device according to claim 2, which is arranged in the network security device of the above. The control device network rule management device determines whether to place the rule in the predetermined network security device based on a predetermined value.
The predetermined value is
A first value indicating a software configuration vulnerability in the predetermined control device, and
The rule management device for a control device network according to claim 3, further comprising a second value indicating the possibility of passing the predetermined information in the predetermined communication medium. The network security device includes an upper network security device and a plurality of lower network security devices located on the lower side of the upper network security device.
When the rules common to each other are set among the lower network security devices, the control device network rule management device requests the common rule to be arranged in the upper network security device according to claim 1. The control device network rule management device described. The network security device is set with a limit number in which the rule can be placed.
When the rule is arranged in the network security device in excess of the limit number, the control device network rule management device moves a predetermined number of the rules in the network security device to another network security device. The rule management device for a control device network according to claim 1. The control device network rule management device according to claim 6, wherein the control device network rule management device outputs a warning when the number of the rules arranged in the network security device exceeds the limit number. The rules for safety inspection of a network security device for inspecting the safety of a network for a control device including a control device having a plurality of different software configurations and a plurality of different communication media are applied to the software configuration of the control device and the control device. A rule management method for a control device network that is arranged based on the configuration of the corresponding communication medium.

Images