JP2022033125A - Control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a control device for safely managing communication of devices.

SOLUTION: According to an embodiment, a control device comprises a first communication unit, a second communication unit, and a processor. The first communication unit communicates with a first device in a local area network. The second communication unit communicates with a second device outside the local area network. The processor confirms authenticity of the first device through the first communication unit, receives data transmitted by the first device through the first communication unit, transmits the data to a destination through the second communication unit when confirmation of the authenticity of the first device is successful and the destination of the data is the second device, and shuts down the communication of the first device when confirmation of the authenticity of the first device fails and the destination of the data is the second device.

SELECTED DRAWING: Figure 1

COPYRIGHT: (C)2022,JPO&INPIT

Description

Embodiments of the present invention relate to a control device.

In recent years, sensors, cameras, lighting or air conditioning (so-called IoT devices) connected to a network have been provided. IoT devices may not be able to take strong security measures in order to control costs or power consumption. In such a case, the control device that controls the communication of the IoT device controls the communication of the IoT device by using the communication permission list or the communication rejection list.

Conventionally, the control device has a problem that it is necessary to store a communication permission list or a communication refusal list according to an IoT device in advance according to an operation of an operator or the like.

JP-A-2002-73548

In order to solve the above problems, a control device for safely managing the communication of the device is provided.

According to the embodiment, the control device includes a first communication unit, a second communication unit, and a processor. The first communication unit communicates with the first device in the local area network. The second communication unit communicates with a second device outside the local area network. The processor confirms the authenticity of the first device through the first communication unit, receives the data transmitted by the first device through the first communication unit, and receives the authenticity of the first device. When the confirmation of the data is successful and the destination of the data is the second device, the data is transmitted to the destination through the second communication unit, and the confirmation of the authenticity of the first device fails and the data is described. When the destination of the second device is the second device, the communication of the first device is cut off.

FIG. 1 is a block diagram showing a configuration example of a control system according to the first embodiment. FIG. 2 is a block diagram showing a configuration example of the control device according to the first embodiment. FIG. 3 is a diagram showing a configuration example of device information according to the first embodiment. FIG. 4 is a sequence diagram showing an operation example of the control device according to the first embodiment. FIG. 5 is a flowchart showing an operation example of the control device according to the first embodiment. FIG. 6 is a flowchart showing an operation example of the control device according to the first embodiment. FIG. 7 is a block diagram showing a configuration example of the control device according to the second embodiment. FIG. 8 is a diagram showing a configuration example of policy information according to the second embodiment. FIG. 9 is a diagram showing a configuration example of device information according to the second embodiment. FIG. 10 is a sequence diagram showing an operation example of the control device according to the second embodiment. FIG. 11 is a flowchart showing an operation example of the control device according to the second embodiment. FIG. 12 is a flowchart showing an operation example of the control device according to the second embodiment.

Hereinafter, embodiments will be described with reference to the drawings.
(First Embodiment)
First, the first embodiment will be described.
The control system according to the embodiment controls the communication of the IoT device. The control system monitors the content of the communication performed by the IoT device. The control system checks whether the communication operation of the IoT device is appropriate. If the connection destination of the IoT device is inappropriate, the control system cuts off the communication of the IoT device. For example, a control system is installed in a store that sells goods. The place where the control system is installed is not limited to a specific configuration.

FIG. 1 is a block diagram showing a configuration example of the control system 1 according to the embodiment.
As shown in FIG. 1, the control system 1 includes a control device 10, a WAN connection device 20, a server 30, a network 40, devices A to D (IoT devices), and the like. The control device 10 is connected to the devices A to D. The control device 10 is connected to the WAN connection device 20 with each other. The WAN connection device 20 connects to the server 30 via the network 40.

The control device 10 controls communication between the devices A to D. The control device 10 relays data communication between the devices A to D. Further, the control device 10 controls communication between the devices A to D and the server 30. The control device 10 relays data communication between the devices A to D and the server 30 via the WAN connection device 20.

The control device 10 forms a network (local area network (LAN)) for transmitting and receiving data to and from the devices A to D. The control device 10 transmits / receives data to / from the devices A to D.
The WAN connection device 20 supports connection to the network 40. The WAN connection device 20 transfers the data from the control device 10 to the network 40. Further, the WAN connection device 20 transfers the data from the network 40 to the control device 10.

The network 40 is a communication network for transmitting and receiving data between the control device 10 and the server 30 and the like. For example, the network 40 is the Internet. Further, the network 40 may be a unique communication network.

The server 30 (second device) is a server outside the LAN formed by the control device 10. That is, the server 30 connects to the devices A to D via the network 40. The server 30 may manage the devices A to D based on the data from the devices A to D and the like. For example, the server 30 manages the operating states of the devices A to D and the like. The operation and purpose of the server 30 is not limited to a specific configuration.

The devices A to D (first device) are devices connected to the LAN formed by the control device 10. The devices A to D are connected to each other via the LAN. Further, the devices A to D are connected to each other to the server 30 via the control device 10. For example, the devices A to D are IoT (Internet of Things) devices. The devices A to D are, for example, a printer, a camera, a microphone, various sensors, a light, a drone, a POS terminal (point of sale terminal), and the like. Further, the devices A to D may be a desktop PC, a notebook PC, a tablet PC, a smartphone, a wearable terminal, or the like. The configurations of the devices A to D are not limited to a specific configuration.

The device A includes a TPM101A (Trusted Platform Module).
The TPM101A is a module that realizes a function related to the security of the device A. Here, TPM101A is used to detect tampering with device A. For example, the device A checks for tampering by using the TPM101A at the time of startup or the like.

Further, TPM101A is used to issue a certificate certifying the authenticity of the device A. For example, TPM101A generates an encryption key or the like for a certificate. The device A uses the TPM 101A to transmit the certificate to the control device 10. For example, the device A sends a certificate to the control device 10 as a response to a request from the control device 10.

Device B includes TPM101B. Since TPM101B has the same configuration as TPM101A, the description thereof will be omitted.

The control system 1 may include other devices as IoT devices connected to the LAN of the control device 10, or may exclude predetermined devices. The configuration of the control system 1 is not limited to a specific configuration.

Next, the control device 10 will be described.
FIG. 2 is a block diagram showing a configuration example of the control device 10.
As shown in FIG. 2, the control device 10 includes an MCU 11, a TPM 12, a WAN communication unit 13, a communication control unit 14, communication units 15 to 18, storage 19, and the like as a basic configuration. Each of these parts is connected to each other via a data bus. In addition to the configuration shown in FIG. 2, the control device 10 may include a configuration as required, or may exclude a specific configuration.

The MCU 11 (processor) (Micro Control Unit) has a function of controlling the operation of the entire control device 10. The MCU 11 may include an internal memory, various interfaces, and the like. The MCU 11 realizes various processes by executing a program stored in advance in the internal memory, ROM 111, storage 19, or the like.

It should be noted that some of the various functions realized by the MCU 11 by executing the program may be realized by the hardware circuit. In this case, the MCU 11 controls the functions performed by the hardware circuit.

The MCU 11 includes a ROM 111, a RAM 112, and the like.
The ROM 111 is a non-volatile memory in which a control program, control data, and the like are stored in advance. The control program and control data stored in the ROM 111 are incorporated in advance according to the specifications of the control device 10.

The RAM 112 is a volatile memory. The RAM 112 temporarily stores data and the like being processed by the MCU 11. The RAM 112 stores various application programs based on the instructions from the MCU 11. Further, the RAM 112 may store data necessary for executing the application program, an execution result of the application program, and the like.

The TPM 12 is a module that realizes a function related to the security of the control device 10. The TPM 12 is used to detect tampering with the control device 10. For example, the control device 10 checks for tampering with the TPM 12 at the time of activation or the like.

Further, the TPM 12 generates an encryption key for encrypting the data stored in the storage 19 and a decryption key for decrypting the data stored in the storage 19.

The WAN communication unit 13 (second communication unit) is an interface for transmitting and receiving data to and from the WAN connection device 20. That is, the WAN communication unit 13 is an interface for connecting to the network 40 (further, the server 30) via the WAN connection device 20. The WAN communication unit 13 transmits predetermined data to the WAN connection device 20 according to the signal from the MCU 11. Further, the WAN communication unit 13 transmits the data received from the WAN connection device 20 to the MCU 11.
The WAN communication unit 13 may support a LAN connection.

The communication control unit 14 is an interface for transmitting and receiving data to and from the communication units 15 to 18. The communication control unit 14 transmits data from the communication units 15 to 18 to the MCU 11. The communication control unit 14 transmits the data from the MCU 11 to the communication units 15 to 18.

The communication units 15 to 18 (first communication unit) are interfaces for transmitting and receiving data to and from a plurality of devices (here, devices A to D), respectively. The communication units 15 to 18 transmit data from the devices A to D to the communication control unit 14, respectively. The communication units 15 to 18 transmit data from the communication control unit 14 to the devices A to D, respectively.
The communication units 15 to 18 may support a LAN connection.

The storage 19 (storage unit) is a non-volatile memory capable of writing and rewriting data. The storage 19 is composed of, for example, a hard disk, SSD, EEPROM (registered trademark), a flash memory, or the like. The storage 19 stores programs, applications, and various data according to the operational use of the control device 10.

The storage 19 stores the encrypted data. The storage 19 stores data encrypted with an encryption key or the like generated by the TPM 12.

The storage 19 includes a storage area 19a for storing the authenticity confirmation program and a storage area 19b for storing device information. The authenticity confirmation program and device information will be described later.

The control device 10 may include a display unit or an operation unit.
The control device 10 may be, for example, a router or the like. Further, the control device 10 may be a general-purpose PC. In the case of a general-purpose PC, the control device 10 may have a program installed for executing a function described later.

Further, the communication units 15 to 19 may be integrally formed. For example, the communication units 15 to 19 may be communication units that wirelessly communicate with the devices A to D.

Next, the device information will be described.
The device information is information related to the security of the IoT devices (for example, devices A to D) connected to the control device 10LAN. The device information is set for each IoT device. When the IoT device is connected to any of the communication units 15 to 18, the MCU 11 generates device information corresponding to the IoT device and stores it in the storage area 19b.

The device information indicates the authenticity of the IoT device. That is, the device information indicates whether a certificate certifying the authenticity has been received from the corresponding IoT device.

FIG. 3 shows a configuration example of device information. FIG. 3 shows the device information corresponding to the device A and the device information corresponding to the device C.

The device information is composed of "MAC address", "IP address", "connection destination", "authenticity", "port number used", "installation date and time" and the like.

The "MAC address" indicates the MAC (Media Access Control) address of the corresponding IoT device.

The "IP address" indicates the IP (Internet Protocol) address of the corresponding IoT device.

“Destination” indicates an address to which the corresponding IoT device can connect. Here, none of the "connection destinations" is set.

"Authenticity" indicates the authenticity of the corresponding IoT device. That is, "authenticity" indicates whether the certificate has been received from the IoT device.

"Used port number" indicates a port to which the corresponding IoT device can be connected. Here, none of the "used port numbers" is set.

The "installation date and time" indicates the date and time when the corresponding IoT device is connected to the control device 10.

In addition to the configuration shown in FIG. 3, the device information may include a configuration as required, or may exclude a specific configuration.

Next, the functions realized by the control device 10 will be described. The following functions are realized by the MCU 11 of the control device 10 executing a program stored in the storage 19 or the like.

First, the MCU 11 has a function of confirming the authenticity of the connected IoT device according to the authenticity confirmation program.
For example, the MCU 11 allows interrupt processing at startup. The MCU 11 starts interrupt processing when the IoT device is connected or disconnected. The MCU 11 checks the authenticity of the IoT device as interrupt processing. For example, when the MCU 11 determines that an IoT device is newly connected, it checks the authenticity of the device.

For example, when an IoT device is newly connected to itself, the MCU 11 sends a request for a certificate to the IoT device. The MCU 11 receives the certificate from the IoT device. Upon receiving the certificate, the MCU 11 determines that the authenticity of the IoT device has been successfully confirmed. The MCU11 may determine that the authenticity of the IoT device has been successfully confirmed when the certificate is verified and the verification is successful.

When the MCU 11 determines that the authenticity of the IoT device has been successfully confirmed, the MCU 11 stores information indicating that the authenticity has been confirmed in the device information corresponding to the IoT device. For example, the MCU 11 stores "OK" in the "authenticity" of the device information.

If the MCU11 does not receive the certificate from the IoT device, it determines that the confirmation of the authenticity of the IoT device has failed. When the MCU 11 determines that the confirmation of the authenticity of the IoT device has failed, the MCU 11 stores information indicating that the confirmation of the authenticity has failed in the device information corresponding to the IoT device. For example, the MCU 11 stores "NG" in the "authenticity" of the device information.

Further, the MCU 11 has a function of managing data from each IoT device based on the device information.
The MCU 11 is an internal device (for example, devices A to D) of an internal network (for example, LAN) in which the IoT device is formed by itself regardless of whether the "authenticity" of the device information is "OK" or "NG". ). That is, when the destination of the data of the IoT device is a device (for example, devices A to D) connected through the communication units 15 to 18, the MCU 11 transmits the data to the destination.

Further, the MCU 11 connects the IoT device whose "authenticity" of the device information is "OK" to the network 40. That is, the MCU 11 connects to a device (for example, a server 30) to be connected through the WAN communication unit 13. For example, when the destination of the data of the IoT device is the server 30, the MCU 11 transmits the data to the server 30 via the WAN connection device 20 and the network 40.

The MCU 11 does not connect the IoT device whose "authenticity" of the device information is "NG" to the network 40. When the destination of the data of the IoT device is the server 30, the MCU 11 blocks the communication from the IoT device to the network 40.

Further, when the MCU 11 cuts off the communication from the IoT device to the network 40, any communication from the IoT device may be cut off until an operation or the like from a staff member is accepted. Further, the MCU 11 may connect the IoT device to a device of the internal network.

In the example shown in FIG. 3, the "authenticity" of the device information corresponding to the device A is "OK". Further, the "authenticity" of the device information corresponding to the device C is "NG". Therefore, the MCU 11 connects the device A to the network 40. Further, the MCU 11 does not connect the device C to the network 40.

Next, an operation example of the control system 1 will be described.
FIG. 4 is a sequence diagram for explaining an operation example of the control system 1.

Here, it is assumed that the device A is connected to the communication unit 15 of the control device 10. After that, the equipment C is connected to the communication unit 17 of the control device 10.

First, the device A is connected to the communication unit 15 by an operation of an operator or the like (ACT 11). When the device A connects to the communication unit 15, the MCU 11 of the control device 10 transmits a request for a certificate to the device A through the communication unit 15 (ACT 12).

The device A receives the request. Upon receiving the request, the device A generates a certificate using the TPM 101A and transmits it to the control device 10 (ACT 13).
The MCU 11 receives the certificate through the communication unit 15. Upon receiving the certificate, the MCU 11 stores "OK" in the "authenticity" of the device information corresponding to the device A (ACT14).

The device A operates according to the program (ACT15). The device A transmits data addressed to the server 30 to the control device 10 at a predetermined timing (ACT 16). The MCU 11 receives the data through the communication unit 15.

Upon receiving the data, the MCU 11 transmits the data to the WAN connection device 20 through the WAN communication unit 13 (ACT 17). The WAN connection device 20 receives the data. The WAN connection device 20 transmits the data to the server 30 via the network 40 (ACT 18).

The device C is connected to the communication unit 17 by an operation of an operator or the like (ACT 19). When the device C connects to the communication unit 15, the MCU 11 of the control device 10 transmits a request for a certificate to the device C through the communication unit 17 (ACT 20).

If the MCU 11 does not receive the certificate even after the lapse of a predetermined period, the MCU 11 stores "NG" in the "authenticity" of the device information corresponding to the device C (ACT21).

The device C operates according to the program (ACT22). The device C transmits data to the control device 10 at a predetermined timing (ACT23). The MCU 11 receives the data through the communication unit 15.

The MCU 11 determines whether the destination of the data is a device (device A, B or D) of the internal network (ACT24). If it is determined that the destination of the data is a device of the internal network (ACT24, YES), the MCU 11 transmits the data to the destination (ACT25).

If it is determined that the destination of the data is not a device of the internal network (ACT24, NO), the MCU 11 cuts off the communication with the device C (ACT26).

Next, an operation example of the control device 10 will be described.
5 and 6 are flowcharts for explaining an operation example of the control device 10.

First, the MCU 11 of the control device 10 is safely activated by using the TPM 12 according to an operation from the operator or the like (ACT31). If the activation is successful (ACT32, YES), the MCU 11 acquires device information from the storage area 19b (ACT33).

Upon acquiring the device information, the MCU 11 acquires the "authenticity" of the device information (ACT34). Upon acquiring the "authenticity" of the device information, the MCU 11 enables the connection between the network 40 and the internal network of the device corresponding to the device information whose "authenticity" is "OK" (ACT35).

When the connection with the network 40 and the internal network is enabled, the MCU 11 enables the connection between the device corresponding to the device information whose "authenticity" is "NG" and the internal network (ACT36).

When the connection with the internal network is enabled, the MCU 11 sets to allow interrupt processing (ACT37). When the setting for enabling interrupt processing is made, the MCU 11 determines whether or not there is an interrupt (connection or disconnection of the IoT device) (ACT38).

When it is determined that there is no interrupt (ACT38, NO), the MCU 11 determines whether or not the operation of turning off the power is accepted through the operation unit or the like (ACT39). If it is determined that the operation of turning off the power is not accepted (ACT39, NO), the MCU 11 returns to the ACT 38.

If it is determined that there is an interrupt (ACT38, YES), the MCU 11 sets to reject the interrupt processing (ACT40). When the interrupt processing is set to be rejected, the MCU 11 determines whether the IoT device is connected or disconnected (ACT41).

When it is determined that the IoT device is connected (ACT42, YES), the MCU 11 generates device information corresponding to the IoT device and stores it in the storage area 19b (ACT43). When the device information is stored, the MCU 11 confirms the authenticity of the IoT device (ACT44). If the authenticity of the IoT device is successfully confirmed (ACT45, YES), the MCU 11 stores "OK" in the "authenticity" of the device information corresponding to the IoT device (ACT46).

If the confirmation of the authenticity of the IoT device fails (ACT45, NO), the MCU 11 stores "NG" in the "authenticity" of the device information corresponding to the IoT device (ACT47).

When it is determined that the IoT device has been removed (ACT42, NO), the MCU 11 resets the device information of the IoT device (ACT48). For example, the MCU 11 may delete the device information from the storage area 19b.

When "OK" is stored in the "authenticity" of the device information (ACT46), when "NG" is stored in the "authenticity" of the device information (ACT47), or when the device information is reset (ACT48). MCU11 returns to ACT34.

If the startup fails (ACT32, NO), or if it is determined that the operation to turn off the power is accepted (ACT39, YES), the MCU 11 ends the operation.

The MCU 11 may generate device information based on the confirmation result after confirming the authenticity of the IoT device.
Further, the MCU 11 may update the "authenticity" of the device information by periodically checking the authenticity of the connected IoT device.
Further, the storage 19 may store unencrypted data.

The control device configured as described above can connect an IoT device that has succeeded in confirming its authenticity to an external network. In addition, the control device does not connect the IoT device that failed to confirm the authenticity to the external network. As a result, the control device can prevent the IoT device from attempting to transmit inappropriate data due to unauthorized falsification or the like.

In addition, the control device can ensure the security of the IoT device without newly setting up a security server or the like.

Further, the control device connects the IoT device whose authenticity has failed to be confirmed to the internal network (for example, LAN). As a result, the control device does not prevent IoT devices that do not have the ability to send certificates from transmitting data to devices on the internal network. Therefore, the control device can ensure the security of communication to the external network while maintaining the communication within the internal network.
(Second embodiment)
Next, the second embodiment will be described.
The control device according to the second embodiment is different from that according to the first embodiment in that a device that monitors the communication of the IoT device and permits the connection of the IoT device is set. Therefore, other points are designated by the same reference numerals and detailed description thereof will be omitted.

FIG. 1 is a block diagram showing a configuration example of the control system 1'according to the embodiment.
As shown in FIG. 1, the control system 1'provides a control device 10'instead of the control device 10.

FIG. 7 is a block diagram showing a configuration example of the control device 10'.
As shown in FIG. 7, the control device 10'provides a storage 19'(storage unit) instead of the storage 19.

The storage 19'includes a storage area 19c for storing a connected device inspection program, a storage area 19d for storing policy information, and the like.

The policy information is information related to security when the IoT device connects to an external network. The policy information indicates a device (server, etc.) or a port that allows the connection of the IoT device.

For example, the policy information indicates a device or port that allows connection of an IoT device (an incorrect IoT device) that does not have a function of transmitting a certificate.

FIG. 8 shows a configuration example of policy information.
As shown in FIG. 8, the policy information includes "authenticity", "connection destination restriction", "connection destination permission list", "connection destination disapproval list", "port restriction", "permission port list", and "installation". It is composed of "date and time limit", "time limit date and time (start)" and "time limit date and time (end)".

"Authenticity" indicates whether the authenticity of the IoT device is essential in order to allow the connection of the IoT device to the network 40. Here, "authenticity" does not require authenticity.

"Restriction of connection destination" indicates whether to restrict the connection destination of the untrue IoT device. Here, "restriction of connection destination" means that the connection destination is restricted.

The "connection destination permission list" indicates the connection destinations that allow the connection of the incorrect IoT device. Here, the "connection destination permission list" indicates the URL of the server that is permitted to connect.

The "destination disallowed list" indicates the connection destinations that do not allow the connection of the incorrect IoT device. Here, the "connection destination disallowed list" indicates the URL of the server that does not allow the connection.

"Port restriction" indicates whether to restrict the port to which an incorrect IoT device connects. Here, "port restriction" is used to indicate that the port is restricted.

The "permitted port list" indicates the ports that are allowed to connect to the incorrect IoT device. Here, the "permitted port list" indicates a port number or the like that allows connection.

"Installation date and time restriction" indicates whether to limit the installation period of the IoT device. When the "installation date and time restriction" indicates that the installation period is limited, the control device 10 transmits data from the IoT device to the internal network or the network 40 during the predetermined installation period. The control device 10 does not allow connection to the internal network or the network 40 except during the installation period.

"Restricted date and time (start)" indicates the start of a predetermined installation period. For example, the "restricted date and time (start)" is composed of a date and a time.

"Restricted date and time (end)" indicates the end of a predetermined installation period. For example, the "restricted date and time (end)" is composed of a date and a time.

In addition to the configuration shown in FIG. 8, the policy information may include a configuration as required, or may exclude a specific configuration.

Next, the functions realized by the control device 10'will be described. The following functions are realized by executing a program stored in the storage 19'or the MCU 11 of the control device 10'. The control device 10'realizes the following functions in addition to the functions of the control device 10 according to the first embodiment.

The MCU 11 of the control device 10'generates the "connection destination" and the "port number used" of the device information of the incorrect IoT device according to the connection device inspection program.

First, the MCU 11 has a function of monitoring the communication of an untrue IoT device for a predetermined period of time.
The MCU 11 monitors the communication of the IoT device for a predetermined period after the IoT device is connected and determined to be untrue. For example, the MCU 11 monitors the communication of the IoT device during the period when the IoT device is set up.

The MCU 11 identifies a destination and a port to which the IoT device transmits data via the network 40. That is, the MCU 11 specifies a device and a port to which the IoT device is connected via the network 40.

The MCU 11 transmits data from the IoT device to the destination device via the network 40 during a predetermined period.

The MCU 11 has a function of updating device information based on the device and port to which the IoT device is connected in a predetermined period.
The MCU 11 stores the specified device and port in the device information as a device and port that allow connection of the IoT device. For example, the MCU 11 stores a device (for example, the URL of the device) specified in the "connection destination" of the device information corresponding to the IoT device. Further, the MCU 11 stores a port (for example, a port number) specified in the "port number used" of the device information corresponding to the IoT device.

If the specified device is included in the "connection destination disallowed list" of the policy information, the MCU 11 does not have to store the device in the "connection destination".

Further, the MCU 11 has a function of updating device information based on the policy information. The MCU 11 adds the device of the "connection destination permission list" of the policy information to the "connection destination" of the device information. In addition, the MCU 11 adds the port of the "permitted port list" of the policy information to the "port number used" of the device information.

FIG. 9 shows an example of device information according to the second embodiment. Here, the device information corresponding to the device C will be described.

The "connection destination" of the device information stores "www.mainte.co.jp; www.service.co.jp; www.support.co.jp;". Here, it is assumed that the MCU 11 specifies "www.mainte.co.jp" as a device in a predetermined period. In addition, it is assumed that MCU11 acquires "www.service.co.jp; www.support.co.jp;" from the "connection destination permission list" of the policy information and adds it to the "connection destination" of the device information. ..

Further, the "port number used" of the device information stores "80; 442; 37;". Here, it is assumed that the MCU 11 specifies "37" as a port in a predetermined period. Further, it is assumed that the MCU 11 acquires "80; 442" from the "connection destination permission list" of the policy information and adds it to the "port number used" of the device information.

Further, the MCU 11 has a function of specifying a destination and a port (destination port) of data transmitted to the network 40 by an untrue IoT device.
For example, the MCU 11 identifies a destination and a destination port based on the header. The MCU 11 identifies the destination and the port by extracting information indicating a destination server or the like from the header.

Further, the MCU 11 has a function of specifying a connection destination and a port (permitted port) to which the IoT device is permitted to connect.
The MCU 11 refers to the device information corresponding to the IoT device, and specifies the connection destination and the permitted port to which the IoT device is permitted to connect. That is, the MCU 11 acquires the "connection destination" and the "used port number" from the device information.

Further, the MCU 11 has a function of determining whether the data destination and the destination port are included in the specified connection destination and permitted port.
For example, the MCU 11 determines whether there is a connection destination that matches the data destination and an authorized port that matches the destination port.

Further, the MCU 11 has a function of transmitting data to the destination port of the destination when it is determined that the destination and the destination port of the data are included in the specified connection destination and the permitted port.
The MCU 11 transfers the data from the IoT device according to the destination and the destination port of the data.

Further, the MCU 11 has a function of blocking communication from the IoT device when it is determined that the data destination and the destination port are not included in the specified connection destination and permitted port.
The MCU 11 does not transmit the data from the IoT device to the destination. If the MCU 11 receives data whose destination and destination port are the connection destination and the permitted port that are permitted to connect from the IoT device after blocking the communication from the IoT device, the MCU 11 uses the data as the destination. It may be sent to the destination port. Further, when the MCU 11 cuts off the communication from the IoT device, the MCU 11 may continue to cut off the communication until it receives an operation or the like from a staff member.

Further, when the communication from the IoT device is blocked, the MCU 11 may notify that the communication from the IoT device is blocked. For example, the MCU 11 may display a predetermined warning message on a display unit or the like. Further, the MCU 11 may emit a warning sound through a speaker or the like. Further, the MCU 11 may transmit a predetermined signal to an external device.

Next, an operation example of the control system 1'will be described.
FIG. 10 is a sequence diagram for explaining an operation example of the control system 1'.

Here, it is assumed that the device A is connected to the communication unit 15 of the control device 10'. After that, the equipment C is connected to the communication unit 17 of the control device 10.

Since ACTs 11 to 18, 22 and 23 are the same as those in the first embodiment, the description thereof will be omitted.

If the MCU 11 does not receive the certificate even after the lapse of a predetermined period, the MCU 11 monitors the communication from the device C for a predetermined period and identifies the destination and the destination port of the data from the device C (ACT51). Upon specifying the destination and the destination port, the MCU 11 acquires the "connection destination permission list" and the "permission port list" of the policy information (ACT52).

When the "connection destination permission list" and "permission port list" of the policy information are acquired, the MCU 11 sets the specified destination and destination port and the "connection destination permission list" and "permission port list" to the device C. Store in information (ACT53).

Upon receiving the data from the device C to the network 40, the MCU 11 determines whether the data destination and the destination port are included in the "connection destination" and the "used port number" of the device information (ACT34). When it is determined that the destination of the data and the destination port are included in the "connection destination" and the "port number used" (ACT54, YES), the MCU 11 transmits the data to the WAN connection device 20 through the WAN communication unit 13 (ACT55). ..

The WAN connection device 20 receives the data. The WAN connection device 20 transmits the data to the destination (for example, the server 30) via the network 40 (ACT56).

When it is determined that the data destination and the destination port are not included in the "connection destination" and the "used port number" (ACT54, NO), the MCU 11 cuts off the communication with the device C (ACT57).

Next, an operation example of the control device 10'will be described.
11 and 12 are flowcharts for explaining an operation example of the control device 10'.

Since ACTs 31 to 48 are the same as those of the first embodiment, the description thereof will be omitted.

When the connection between the IoT device corresponding to the incorrect device information and the internal network is enabled (ACT36), the MCU11 will use the device information of the IoT device as the "connection destination" and "port number used" of the IoT device. Enable the connection to (ACT61).

When the connection to the "connection destination" and "port number used" of the device is enabled, the MCU 11 sets to allow interrupt processing (ACT37).

Further, when "NG" is stored in the "authenticity" of the device information (ACT47), the MCU 11 monitors the communication of the device for a predetermined period and identifies the destination and the destination port of the data transmitted by the device (ACT47). ACT62). Upon specifying the destination and the destination port, the MCU 11 acquires the "connection destination permission list" and the "permission port list" of the policy information (ACT63).

When the "connection destination permission list" and "permission port list" of the policy information are acquired, the MCU 11 sets the specified destination and destination port and the "connection destination permission list" and "permission port list" to the device C. Store in information (ACT65).

When the specified destination and destination port and the "connection destination permission list" and "permission port list" are stored in the device information corresponding to the device C, the MCU 11 returns to the ACT 34.

The storage 19'does not have to store the policy information. The MCU 11 may monitor the communication of the IoT device and set the "connection destination" and the "port number used" of the device information.

The control device configured as described above monitors the communication of the untrue IoT device and sets the connection destination or the like that permits the connection of the IoT device. Therefore, when the IoT device is tampered with and an attempt is made to connect to the IoT device, the control device can block the communication of the IoT device.

In addition, the control device can appropriately set a connection destination or the like that allows connection to the IoT device that connects to the connection destination that is not included in the policy information.

Although some embodiments of the present invention have been described, these embodiments are presented as examples and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other embodiments, and various omissions, replacements, and changes can be made without departing from the gist of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are also included in the scope of the invention described in the claims and the equivalent scope thereof.

1 and 1'... control system, 10 and 10' ... control device, 11 ... MCU, 12, 101A and 101B ... TPM, 13 ... WAN communication unit, 15 to 18 ... communication unit, 19 ... storage, 19a to 19d ... storage Area, 20 ... WAN connection device, 30 ... server, 40 ... network, A to D ... device.

According to the embodiment, the control device includes a first communication unit, a second communication unit, and a processor. The first communication unit communicates with the first device in the local area network. The second communication unit communicates with a second device outside the local area network. The processor confirms the authenticity of the first device through the first communication unit, receives the data transmitted by the first device through the first communication unit, and receives the authenticity of the first device. When the confirmation of the data is successful and the destination of the data is the second device, the data is transmitted to the destination through the second communication unit, and the confirmation of the authenticity of the first device fails and the data is described. When the destination of the second device is the second device, the communication of the first device is cut off. When the processor receives the certificate from the first device through the first communication unit, the processor determines that the authenticity of the first device has been successfully confirmed.

Although some embodiments of the present invention have been described, these embodiments are presented as examples and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other embodiments, and various omissions, replacements, and changes can be made without departing from the gist of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are also included in the scope of the invention described in the claims and the equivalent scope thereof.
The inventions described in the claims at the time of filing the application of the present application are described below.
[C1]
The first communication unit that communicates with the first device in the local area network,
A second communication unit that communicates with a second device outside the local area network,
After confirming the authenticity of the first device through the first communication unit,
The data transmitted by the first device is received through the first communication unit, and the data is received.
When the authenticity of the first device is successfully confirmed and the destination of the data is the second device, the data is transmitted to the destination through the second communication unit.
If the authenticity of the first device fails to be confirmed and the destination of the data is the second device, the communication of the first device is cut off.
With the processor
A control device equipped with.
[C2]
The first communication unit communicates with a plurality of devices in the local area network, and the processor is a device.
When the destination of the data transmitted by the first device is a device in the local area network, the data is transmitted to the destination through the first communication unit.
The control device according to C1.
[C3]
A storage unit for storing a destination, which is one of the second devices, for data transmitted by the first device that fails to confirm the authenticity in a predetermined period is provided.
The processor
Upon receiving the data transmitted by the first device that failed to confirm the authenticity,
When the destination of the data matches the destination stored in the storage unit, the data is transmitted to the destination through the second communication unit.
The control device according to C1 or 2.
[C4]
The storage unit further stores a destination port to which the first device, which fails to confirm the authenticity, transmits data in a predetermined period.
The processor
When the destination and destination port of the data match the destination and destination port stored in the storage unit, the data is transmitted to the destination port of the destination through the second communication unit.
The control device according to C3.
[C5]
The storage unit stores policy information indicating a connection destination, which is one of the second devices.
The processor
When the destination of the data matches the connection destination in which the policy information is stored, the data is transmitted to the destination through the second communication unit.
The control device according to any one of C3 or 4 above.

Claims (5)

The first communication unit that communicates with the first device in the local area network,
A second communication unit that communicates with a second device outside the local area network,
After confirming the authenticity of the first device through the first communication unit,
The data transmitted by the first device is received through the first communication unit, and the data is received.
When the authenticity of the first device is successfully confirmed and the destination of the data is the second device, the data is transmitted to the destination through the second communication unit.
If the authenticity of the first device fails to be confirmed and the destination of the data is the second device, the communication of the first device is cut off.
With the processor
A control device equipped with. The first communication unit communicates with a plurality of devices in the local area network, and the processor is a device.
When the destination of the data transmitted by the first device is a device in the local area network, the data is transmitted to the destination through the first communication unit.
The control device according to claim 1. A storage unit for storing a destination, which is one of the second devices, for data transmitted by the first device that fails to confirm the authenticity in a predetermined period is provided.
The processor
Upon receiving the data transmitted by the first device that failed to confirm the authenticity,
When the destination of the data matches the destination stored in the storage unit, the data is transmitted to the destination through the second communication unit.
The control device according to claim 1 or 2. The storage unit further stores a destination port to which the first device, which fails to confirm the authenticity, transmits data in a predetermined period.
The processor
When the destination and destination port of the data match the destination and destination port stored in the storage unit, the data is transmitted to the destination port of the destination through the second communication unit.
The control device according to claim 3. The storage unit stores policy information indicating a connection destination, which is one of the second devices.
The processor
When the destination of the data matches the connection destination in which the policy information is stored, the data is transmitted to the destination through the second communication unit.
The control device according to any one of claims 3 or 4.

Images