JP2022108027A - Control apparatus, management method and security program - Google Patents

Abstract

To protect a control program, which is intellectual property.SOLUTION: A control apparatus collates unique information, which is generated by using identification information acquired from each of one or more devices, with unique information generated in advance in response to an execution start request relating to whether to execute a control program, and determines whether to execute the control program on the basis of the collation result. The control apparatus selects, for each of the one or more devices, identification information according to a security policy out of first identification information for identifying the type of the device and second identification information for individually identifying the device.SELECTED DRAWING: Figure 1

Description

The present disclosure relates to control devices, management methods, and security programs.

Control devices such as PLCs (Programmable Logic Controllers) have been introduced in various manufacturing sites. Such a control device is a kind of computer and executes a control program designed according to a manufacturing device or manufacturing facility.

In recent years, there has been a problem in which control programs are extracted from control devices that have already been used at manufacturing sites, new control devices are created at other manufacturing sites, and the extracted control programs are used. there is

Japanese Patent Laying-Open No. 2008-065678 (Patent Document 1) discloses one method for coping with such a problem. Specifically, in Patent Document 1, the PLC determines whether or not a program obtained by encrypting a control program is unique to the equipment, and if the program is unique to the equipment, control is performed from the program. Disclosed is a method of decoding a program and executing a control program to control equipment.

Japanese Patent Application Laid-Open No. 2008-065678

In the method disclosed in Patent Document 1, the PLC has storage means for storing previously input identification data and encryption rules, and using the identification data, the encrypted program is a program unique to the equipment. determine whether there is If the encrypted program is determined to be unique to the equipment, the PLC obtains the control program by decrypting the encrypted program according to the encryption rules, and uses the control program. Therefore, if not only the encrypted program but also the identification data and encryption rules are extracted, the control program will be used. In other words, the method disclosed in Patent Document 1 has room for improvement in terms of protecting the intellectual property of the control program.

One object of the present disclosure is to protect the intellectual property of the control program.

According to one example of the present disclosure, a control device including one or more devices includes a control engine that executes a control program, and a security engine that manages whether the control engine can execute the control program. The security engine includes generating means, holding means, verification means, and authorization means. The generator generates unique information using identification information obtained from each of the one or more devices. The holding means holds the first unique information generated in advance, and the collating means collates the first unique information with the second unique information generated by the generating means in accordance with the collation request. . The permitting means makes a request for verification in response to the control program execution start request, and determines whether or not the control program can be executed based on the verification result obtained from the verification means. For each of the one or more devices, the generation means selects identification information from first identification information identifying the type of the device and second identification information individually identifying the device according to the security policy.

According to this configuration, the security engine compares the second unique information generated in response to the control program execution start request based on the previously generated first unique information, and according to the comparison result, to determine whether the control program can be executed. The unique information is generated from identification information selected from first identification information identifying the type of each device and second identification information individually identifying each device. Therefore, when a new control device is created by copying the software (including the first unique information and the control program) and the hardware of the control device, the The second unique information may be inconsistent with the first unique information. As a result, it is possible to prevent activation of the control program under an environment different from the environment managed by the security engine. That is, it is possible to protect the intellectual property of the control program.

Further, identification information is selected according to the security policy from the first identification information that identifies the device type and the second identification information that individually identifies the device. Therefore, the developer of the control program can appropriately set the security policy in consideration of the priority of security measures for the control program. As a result, the security level in the security engine can be changed arbitrarily.

In the above disclosure, the security policy is preset among the first policy, the second policy and the third policy. A first policy is a policy that selects a first identification for each of the one or more devices. A second policy selects first identification information for a first device belonging to a first group among the one or more devices, and prioritizes security measures over the first group among the one or more devices. is a policy of selecting a second identity for a second device belonging to a second group with a higher . A third policy is a policy that selects the second identification for each of the one or more devices.

According to this disclosure, the developer can arbitrarily change the security level in the security engine in consideration of the priority of security measures for the control program.

In the above disclosure, each of the one or more devices carries a second identification. The second identification information is a combination of the first identification information and the third identification information uniquely assigned to the individual device of the type identified by the first identification information. The generation means acquires the first identification information from the second identification information. According to this disclosure, each device need only store the second identification.

In the above disclosure, one or more devices include a control device with a control engine and a security device with a security engine.

According to this disclosure, a control engine that needs to satisfy the degree of freedom to change the control program and a security engine that does not like the degree of freedom to change from the viewpoint of security are realized by different devices, thereby enabling each engine to Enables device design according to characteristics.

In the above disclosure, the holding means holds the first unique information in the form of a distributed ledger with the external device.

According to this disclosure, the first unique information is held in a state that is more difficult to falsify. As a result, the security level of the intellectual property of the control program can be increased.

In the above disclosure, the collating means further collates the second unique information with the first unique information held by the external device.

According to this disclosure, a third party who illegally copies the control device needs to tamper with the first unique information held by the external device in order to execute the control program. Therefore, the security level of the control program can be further enhanced.

According to another example of the present disclosure, a management method performed in a control device including one or more devices comprises first to fourth steps. The first step is to hold pre-generated first unique information. A second step is generating second unique information using identification information obtained from each of the one or more devices in response to a request to start execution of the control program. A third step is a step of collating the first unique information and the second unique information. A fourth step is a step of determining whether or not the control program can be executed based on the collation result. A second step (generating step) includes, for each of one or more devices, first identification information that identifies the type of the device and second identification information that individually identifies the device according to the security policy. Selecting identification information.

According to another example of the present disclosure, the security program causes the computer to execute the management method described above.

These disclosures also make it possible to protect the intellectual property of the control program.

According to the present disclosure, the intellectual property of the control program can be protected.

It is a figure which shows an example of the scene to which the control apparatus which concerns on embodiment is applied. 1 is a schematic diagram showing an overall configuration of a control system 10 including a control device 1 according to this embodiment; FIG. FIG. 2 is a schematic diagram showing a hardware configuration example of a control unit 100 that configures the control device 1 according to the present embodiment; FIG. 2 is a schematic diagram showing a hardware configuration example of a security unit 200 that constitutes control device 1 according to the present embodiment. FIG. 4 is a diagram showing an example of identification information 40 possessed by each device included in the control device 1. FIG. FIG. 4 is a diagram showing the flow of a method for determining whether or not a control program 140 can be executed; 2 is a block diagram showing an example of functional configurations of a control unit 100 and a security unit 200; FIG. FIG. 4 is a sequence diagram showing a processing procedure when receiving a request to start execution of control program 140 in the present embodiment; 3 is a diagram showing an example of management information 30 held in the form of a distributed ledger; FIG. 3 is a diagram showing the functional configuration of a security unit 200 that functions when a new block 50 is generated; FIG. FIG. 12 is a sequence diagram showing a processing procedure when receiving a request to start execution of the control program 140 in Modification 1; FIG. 12 is a sequence diagram showing another example of a processing procedure when a request to start execution of the control program 140 is received in modification 2;

Hereinafter, each embodiment according to the present invention will be described with reference to the drawings. In the following description, identical parts and components are given identical reference numerals. Their names and functions are also the same. Therefore, detailed description of these will not be repeated. It should be noted that each embodiment and each modified example described below may be selectively combined as appropriate.

§1. APPLICATION EXAMPLE An outline of the control system according to the present embodiment will be described. FIG. 1 is a diagram showing an example of a scene in which a control device 1 according to an embodiment is applied. As shown in FIG. 1, the control device 1 manages a control program 140 for controlling a controlled object, a control engine 142 that executes the control program 140, and whether or not the control engine 142 can execute the control program 140. and a security engine 230 .

The control device 1 includes one or more devices. Each device is controlled by executing the control program 140, and by controlling each device, a manufacturing facility or the like, which is a controlled object, is controlled.

Security engine 230 includes a permitting portion 232 , a generating portion 234 , a holding portion 236 and a matching portion 238 .

The permitting unit 232 receives a start request for the control program 140 from the control engine 142 and determines whether the control program 140 can be executed.

The generation unit 234 generates unique information using identification information acquired from each of the one or more devices that configure the control device 1 . The generation unit 234 selects identification information for each of the one or more devices from first identification information for identifying the type of the device and second identification information for individually identifying the device, according to the security policy. Since the unique information is generated using the identification information thus acquired, it changes as the configuration of the control device 1 changes.

The holding unit 236 holds management information 30 including unique information 20 generated in advance for the control device 1 . In order to prevent the unique information 20 from being illegally falsified, the holding unit 236 permits updating of the management information 30 only when a predetermined condition is satisfied. The predetermined condition is, for example, a condition that the preset access ID and password match the input information.

The collation unit 238 collates the unique information 22 generated by the generation unit 234 according to the collation request with the unique information 20 included in the management information 30 . Matching means determining whether or not there is a match.

Next, a method for managing whether or not a control program executed by the control device 1 can be executed will be described in order from step 1 shown in FIG. In addition, in FIG. 1 and the following description, a step is simply written as "S".

S1: The generator 234 generates unique information 20 of the control device 1 in advance. The holding unit 236 holds management information 30 including unique information 20 generated in advance.

S2: The permitting unit 232 receives the request to start the control program 140 . In the example shown in FIG. 1, the control engine 142 issues the start request, but the security engine 230 may have a reception unit that receives the start request.

S3: In response to the request to start the control program 140, the permission unit 232 requests the verification unit 238 to perform verification.

S4: The collation unit 238 requests the generation unit 234 to generate the unique information 22 in response to the collation request.

S5: The generation unit 234 acquires identification information from one or more devices included in the control device 1 in response to the generation request, and generates unique information 22 using the acquired identification information. The generation unit 234 selects identification information for each device from first identification information for identifying the type of the device and second identification information for individually identifying the device according to the security policy. Note that the generation unit 234 may select the first identification information for all of the one or more devices, or may select the second identification information for all of the one or more devices. Alternatively, the generator 234 may select the first identification information for some of the one or more devices and select the second identification information for the remaining devices. A security policy is preset for the control device 1 .

S6: The collation unit 238 collates the pre-generated unique information 20 included in the management information 30 with the unique information 22 generated at the timing of receiving the collation request to obtain a collation result.

S7: The matching unit 238 provides the obtained matching result to the permitting unit 232 . The permitting unit 232 determines whether or not the control program 140 can be executed based on the collation result provided. Specifically, the permitting unit 232 permits the execution of the control program 140 in response to a matching result. The permitting unit 232 prohibits the execution of the control program 140 in response to the matching result indicating a mismatch.

S8: The permission unit 232 provides the control engine 142 with the result (permission or prohibition) determined based on the collation result. The control engine 142 executes the control program 140 only when the determination result of the permission unit 232 is "permitted".

The control program 140 for realizing the environment managed by the control device 1 may be developed by a company other than the company using the control device 1 . In such a case, if the control program 140 and the environment in which the control program 140 can be used are easily imitated, the intellectual property of the company that develops the control program 140 cannot be sufficiently protected.

When mimicking the controller 1 , both the hardware and software of the controller 1 are copied to run the control program 140 . Copying the software means that not only the control program 140 but also the system programs for operating the control engine 142 and the security engine 230 are copied. Furthermore, copying the software also copies the management information 30 held by the security engine 230 .

On the other hand, as for hardware, the control device 1 is imitated by installing a device that replaces each device that constitutes the control device 1 . Another control device that imitates the control device 1 generates unique information 22 using identification information obtained from a device different from the control device 1 . Therefore, the unique information 22 may not match the unique information 20 included in the copied management information 30 . In particular, unique information 22 does not match unique information 20 by setting the security policy to obtain the second identification information for at least one device. Alternatively, if at least one device constituting the control device 1 is imitated using a device of a different model having the same function as the device, even if the first identification information is obtained for the device, the unique information 22 does not match the unique information 20. As a result, activation of the control program 140 under an environment different from the environment managed by the security engine 230 can be prevented. In other words, the intellectual property of the control program 140 can be protected.

In another control device imitating the control device 1, the unique information 22 can match the unique information 20 by falsifying the identification information of each device. However, the number of devices constituting the control device 1 can be several tens, and in such a case, it becomes necessary to falsify the identification information of all the devices. Therefore, much effort is required to imitate the control device 1 managed by the control program 140 .

Further, in the present embodiment, identification information is selected from the first identification information for identifying the device type and the second identification information for individually identifying the device according to the security policy. For example, the developer of the control program 140 may lower the priority of security countermeasures by selecting the first identification information for a device that is expected to be replaced due to failure, regular maintenance, or the like. This allows developers to strike a balance between maintainability such as device replacement and intellectual property protection.

§2. Specific example <A. Control system>
FIG. 2 is a schematic diagram showing the overall configuration of a control system 10 including the control device 1 according to this embodiment. Referring to FIG. 2 , control system 10 includes one or more control devices 1 and host device 3 .

The control device 1 controls a controlled object. Control objects include various industrial equipment for automating production processes, and equipment that exerts some physical action on manufacturing equipment, production lines, etc. (hereinafter also collectively referred to as "fields") and field input/output devices for transmitting information to and from Note that the entire production line may be controlled.

The control device 1 is communicably connected to a host device 3 and other control devices 1 via an information system network 2 . The information system network 2 is, for example, EtherNet/IP (registered trademark) or OPC UA (Object Linking and Embedding for Process Control) that can realize data exchange without depending on the type of vendor or OS (Operating System). It is a network that complies with communication standards such as Unified Architecture).

The control device 1 includes one or more devices. In the example shown in FIG. 2, the control device 1 includes a control unit 100, a security unit 200, an I/O (Input/Output) unit 300, a communication coupler 400, and the like. In addition, below, each unit and communication coupler which comprise the control apparatus 1 are also collectively called a "device."

The control unit 100 is an example of a control device that configures the control device 1 , executes a control program for controlling a controlled object, and performs central processing in the control device 1 .

The security unit 200 is an example of a security device that configures the control device 1 and manages whether or not the control program can be executed in the control unit 100 . A method of managing whether or not the control program is executable will be described later.

Control unit 100 and security unit 200 are connected, for example, via an arbitrary data transmission line (eg, PCI Express or EtherNet/IP (registered trademark)).

The I/O unit 300 is an example of a device that configures the control device 1, and is a unit related to general input/output processing. The I/O unit 300 collects detection values from IO devices including various sensors, various switches, encoders, and the like.

The control unit 100 and the I/O unit 300 are communicably connected via an internal bus. The control unit 100 uses the detected values collected by the I/O unit 300 to execute the calculations of the control program and outputs the values of the calculation results to the I/O unit 300 .

Communication coupler 400 is communicably connected to control unit 100 via field network 4 . The communication coupler 400 performs processing related to data transmission on the field network 4 . Communication coupler 400 is communicatively connected to one or more I/O units 300 via an internal bus, for example. Detected values collected by each of the one or more I/O units 300 connected to the communication coupler 400 are output to the control unit 100 via the field network 4 .

As the field network 4, typically, various types of industrial Ethernet (registered trademark) can be used. Industrial Ethernet (registered trademark) includes, for example, EtherCAT (registered trademark), Profinet IRT, MECHATROLINK (registered trademark)-III, Powerlink, SERCOS (registered trademark)-III, and CIP Motion. You can use any one of them. Furthermore, a field network other than Industrial Ethernet (registered trademark) may be used. For example, if motion control is not performed, DeviceNet, CompoNet/IP (registered trademark), etc. may be used.

Each device that configures the control device 1 has identification information 40 . Typically, the identification information 40 is an individual identification code such as SGTIN (Serialized Global Trade Item Number).

Note that the devices that configure the control device 1 are not limited to the devices shown in FIG. 2 . Devices that make up the control device 1 include, for example, a power supply unit that supplies power, a special unit that has functions not supported by the I/O unit 300, and a safety device that prevents human safety from being threatened by facilities and machinery. It may include a safety unit or the like that provides the functionality. In addition, the devices that make up the control device 1, for example, present various types of information obtained by control calculations in the control unit 100 or other units to the operator, and in accordance with operations from the operator, to the control unit 100 or other units. It may include an HMI (Human Machine Interface) for generating internal commands and the like.

The host device 3 is a server in the control system 100, an external server such as a cloud server, a PLC with higher performance than the control device 1, or an industrial computer (so-called IPC: Industrial Personal Computer). configured as

<B. Hardware configuration>
A hardware configuration example of main devices constituting control device 1 according to the present embodiment will be described.

(b1. Control unit)
FIG. 3 is a schematic diagram showing a hardware configuration example of control unit 100 forming control device 1 according to the present embodiment. Referring to FIG. 3, control unit 100 includes, as main components, processor 102 such as a CPU (Central Processing Unit) or GPU (Graphical Processing Unit), chipset 104, main memory 106, and secondary memory. 108 , a communication controller 110 , a USB controller 112 , a memory card interface 114 , a field network controller 116 , an internal bus controller 118 and an information system network controller 120 .

The processor 102 reads various programs stored in the secondary storage device 108 or the memory card 115, develops them in the main storage device 106, and executes them, thereby performing control calculations for controlling the control target and It realizes the processing related to the execution start request of the control program.

The main memory device 106 is composed of a volatile memory device such as a DRAM (Dynamic Random Access Memory) or an SRAM (Static Random Access Memory). The secondary storage device 108 is configured by, for example, a non-volatile storage device such as an HDD (Hard Disc Drive) or an SSD (Solid State Drive).

The chipset 104 mediates the exchange of data between the processor 102 and each component, thereby realizing the processing of the control unit 100 as a whole.

In the secondary storage device 108, in addition to the system program 1082 for realizing the basic functions of the control unit 100, the control program 140 created according to the control object such as equipment and machinery, and the control unit 100 are stored. Identification information 40 for identification is stored.

The system program 1082 incorporates the authentication program 130 . The authentication program 130 is a program that is executed when the control program 140 is activated, and is a program that requests the security unit 200 for permission to execute the control program 140 that is activated. The system program 1082 also functions as a control engine that executes the control program 140 .

Control program 140 is, for example, intellectual property whose underlying algorithms are created by a program development company. For example, the user prepares an environment in which the control program 140 provided by the program development company can be executed by setting parameters according to the control device 1 .

The communication controller 110 is in charge of exchanging data with the security unit 200 . As the communication controller 110, for example, a communication chip compatible with PCI Express or Ethernet (registered trademark) can be adopted.

The USB controller 112 is in charge of exchanging data with any information processing device via a USB connection. The arbitrary information processing device includes, for example, a support device that provides the user with functions such as creation or editing of the control program 140, debugging, and setting of various parameters.

The memory card interface 114 is configured such that a memory card 115, which is an example of a storage medium, can be attached/detached. The memory card interface 114 can write data such as the control program 140 and various settings to the memory card 115 and read data such as the control program 140 and various settings from the memory card 115 .

Field network controller 116 controls data exchange with other devices via field network 4 .

The internal bus controller 118 controls data exchange with other devices (such as the I/O unit 300) via the internal bus. The internal bus may use a manufacturer-specific communication protocol, or may use a communication protocol that is the same as or conforms to any industrial network protocol.

The information system network controller 120 controls exchange of data with other control devices 1 via the information system network 2 .

FIG. 3 shows a configuration example in which necessary functions are provided by the processor 102 executing a program. Alternatively, it may be implemented using an FPGA, etc.). Alternatively, the main part of the control unit 100 may be implemented using hardware following a general-purpose architecture (for example, an industrial personal computer based on a general-purpose personal computer). In this case, virtualization technology may be used to execute a plurality of OSs with different purposes in parallel, and necessary applications may be executed on each OS.

(b2. security unit)
FIG. 4 is a schematic diagram showing a hardware configuration example of security unit 200 that configures control device 1 according to the present embodiment. 4, security unit 200 includes, as main components, processor 202 such as CPU or GPU, chipset 204, main memory device 206, secondary memory device 208, communication controller 210, and USB controller. 212 , a memory card interface 214 and an information system network controller 220 .

The processor 202 reads various programs stored in the secondary storage device 208 or the memory card 215, develops them in the main storage device 206, and executes them, thereby managing whether or not the control programs can be executed in the control unit 100. Realize The main memory device 206 is composed of a volatile memory device such as DRAM or SRAM. The secondary storage device 208 is composed of, for example, a non-volatile storage device such as an HDD or SSD.

The chipset 204 implements processing of the security unit 200 as a whole by mediating data exchange between the processor 202 and each component.

The secondary storage device 208 stores identification information 40 and management information 30 in addition to a system program 2082 for realizing the basic functions of the security unit 200 .

A security program 240 is incorporated in the system program 2082 . The security program 240 is a program for managing whether or not the control program 140 executed in the control device 1 can be executed. That is, the security program 240 provides a function as a security engine that manages whether or not the control program 140 can be executed.

The management information 30 is information for managing unique information generated using the identification information 40 acquired from one or more devices that configure the control device 1 . The unique information is used as reference information for determining whether or not to permit execution of the control program 140 . Specific information will be described later.

The communication controller 210 is in charge of exchanging data with the control unit 100 . As the communication controller 210, a communication chip compatible with PCI Express or Ethernet (registered trademark), for example, can be adopted in the control unit 100, similarly to the communication controller 210. FIG.

The USB controller 212 is in charge of exchanging data with any information processing device via a USB connection. Any information processing device includes, for example, a support device that provides a user with functions such as setting the security program 240 .

The memory card interface 214 is configured such that a memory card 215, which is an example of a storage medium, can be attached/detached. The memory card interface 214 can write data such as programs and various settings to the memory card 215 and read data such as programs and various settings from the memory card 215 .

The information system network controller 220 controls exchange of data with other control devices 1 via the information system network 2 . The information system network controller 220 may employ a general-purpose network protocol such as Ethernet (registered trademark).

FIG. 4 shows a configuration example in which necessary functions are provided by the processor 202 executing a program. Alternatively, it may be implemented using an FPGA, etc.). Alternatively, the main part of the security unit 200 may be implemented using hardware following a general-purpose architecture (for example, an industrial personal computer based on a general-purpose personal computer). In this case, virtualization technology may be used to execute a plurality of OSs with different purposes in parallel, and necessary applications may be executed on each OS.

3 and 4, the control device 1 may be connected to the information system network 2 via the information system network controller 120 of the control unit 100, and the information system of the security unit 200. It may be connected via network controller 220 . In this embodiment, it is assumed that the control device 1 is connected via the information system network controller 220 of the security unit 200 .

<C. Identification information>
FIG. 5 is a diagram showing an example of identification information 40 possessed by each device included in the control device 1. As shown in FIG. FIG. 5 shows identification information 40, which is SGTIN. SGTIN is one of identification codes to be written in electronic tags standardized by the distribution system standardization organization GS1, and is an individual identification code for products. The identification information 40 is the second identification information because it uniquely identifies the device.

As shown in FIG. 5, identification information 40 includes identification information 42, which is a product identification code that identifies the type of device, and a serial number that is uniquely assigned to each individual device of the type identified by the identification information 42. It is a combination with number 44 (third identification information). The identification information 42 is first identification information for identifying the type of device.

The identification information 42 is a product identification code GTIN (Global Trade Item Number) standardized by the distribution system standardization organization GS1. A GTIN is composed of an indicator, a business code, a merchandise item code, and a check digit.

<D. Security Policy>
A developer of control program 140 sets a security policy for control program 140 . Note that security policy setting is not limited to the developer of the control program 140, and may be performed by another person. A security policy is preset in the security program 240 .

In this embodiment, the security policy is set in advance from the following policies (A) to (C).
Policy (A): Select identification information 40 (second identification information) for all devices.
Policy (B): Select identification information 42 (first identification information) for a first device belonging to a first group, and select a second group belonging to a second group having a higher priority for security measures than the first group. The identification information 40 (second identification information) is selected for the second device.
Policy (C): Select identification information 42 (first identification information) for all devices.

For example, the developer sets policy (A) when there is a high possibility that the control program 140 will be imitated and the developer wants to increase the security level of the control program 140 . The developer sets policy (B) or policy (C) when the control program 140 is unlikely to be imitated, or when the value of the control program 140 as intellectual property is not high.

When setting policy (B), the developer sets the product identification code GTIN (identification information 42) of the device belonging to the first group and the product identification code GTIN (identification information 42) of the device belonging to the second group. is set in advance.

<E. Outline of Method for Determining Whether Control Program is Executable>
FIG. 6 is a diagram showing the flow of a method for determining whether the control program 140 can be executed. In addition, in the example shown in FIG. 6, in order to simplify the drawing, description of units (I/O unit 300, communication coupler 400, etc.) other than the control unit 100 and the security unit 200 constituting the control device 1 is omitted. there is

First, the control unit 100 requests the security unit 200 to determine whether the control program 140 can be executed ((1) in the figure).

Upon receiving the determination request from the control unit 100, the security unit 200 collects the identification information 40 from one or more devices constituting the control device 1 ((2) in the figure).

The security unit 200 selects one of the identification information 40 (SGTIN) of each device and the identification information 42 (GTIN) included in the identification information 40 according to a preset security policy ((3) in the figure). . When the above policy (A) is set, the security unit 200 selects identification information 40 for all devices. When the above policy (B) is set, the security unit 200 selects the identification information 42 for the device corresponding to the product identification code GTIN set in the first group. Furthermore, the security unit 200 selects the identification information 40 for the device corresponding to the product identification code GTIN set in the second group. When the above policy (C) is set, the security unit 200 selects identification information 42 for all devices.

The security unit 200 generates a system hash value as the unique information 22 based on the identification information (identification information 40 or identification information 42) selected for each device ((4) in the figure). The system hash value is obtained by using a well-known hash function with the identification information 40 of the devices other than the security unit 200 among the devices constituting the control device 1 as an argument.

The security unit 200 collates the unique information 22 (system hash value) generated using the identification information 40 with the unique information 20 managed by the management information 30, and determines whether or not they match. (5)).

In (5) in the figure, the newly generated unique information 22 and the unique information 20 managed by the management information 30 are collated, and if they match, the control device 1 is a properly managed device. guaranteed to be. On the other hand, if they do not match, the control device 1 may be a control device that is not managed by the management information 30 .

The security unit 200 determines whether or not the control program 140 requested in (1) can be executed based on the collation result obtained in the process of (5) ((6) in the figure). The security unit 200 permits the execution of the control program 140 in response to the verification result indicating "match".

The security unit 200 notifies the control unit 100 of the determination result indicating whether or not the control program 140 can be executed ((7) in the figure).

<F. Functional configuration>
FIG. 7 is a block diagram showing an example of functional configurations of the control unit 100 and the security unit 200. As shown in FIG. In FIG. 7, dashed arrows indicate the flow of instructions. Solid arrows indicate information flow.

As shown in FIG. 7, control unit 100 includes control program execution section 144 and authentication section 132 . Each of these functions is realized by processor 102 of control unit 100 executing system program 1082 .

The control program execution unit 144 functions to execute the control program 140 . Upon receiving the request to start executing the control program 140 , the control program execution unit 144 requests the authentication unit 132 to authenticate the control program 140 . Authentication is to authenticate whether or not the execution environment of the control program 140 is an environment managed by the management information 30 held by the control device 1, and is an environment in which the control program 140 may be executed. It is to authenticate that there is

Authentication unit 132 includes determination request unit 134 , identification information transmission unit 136 , and identification information collection unit 138 . Upon receiving an authentication request from the control program execution unit 144 , the determination request unit 134 requests the permission unit 232 of the security unit 200 to determine whether the control program 140 can be executed.

The identification information transmission unit 136 transmits the identification information 40 of each device constituting the control device 1 collected by the identification information collection unit 138 to the security unit 200 .

The identification information collection unit 138 receives a request from the generation unit 234 of the security unit 200 and collects the identification information 40 of each device that configures the control device 1 . The identification information collection unit 138 collects the identification information 40 from the security unit 200 not only when determining whether the control program 140 can be executed but also when registering new unique information (system hash value) in the management information 30. is requested. In the present embodiment, identification information collection unit 138 collects identification information 40 from each of the devices constituting control device 1 excluding security unit 200 . Note that the identification information 40 of the security unit 200 may be included in the identification information 40 used to generate the system hash value, which is unique information.

After receiving a request for authentication of the control program 140 from the control program execution unit 144 , the authentication unit 132 receives the determination result as to whether or not the control program 140 can be executed from the permission unit 232 of the security unit 200 . The authentication unit 132 performs processing according to the determination result received from the security unit 200 . When the authentication unit 132 obtains a determination result indicating that execution can be permitted, the authentication unit 132 notifies the control program execution unit 144 to start executing the control program 140 . On the other hand, when the authentication unit 132 obtains a determination result indicating that the execution cannot be permitted, the authentication unit 132 instructs the control program execution unit 144 to prohibit the execution of the control program 140 .

Security unit 200 includes a permitting portion 232 , a generating portion 234 , a holding portion 236 and a matching portion 238 . Each of these functions is realized by executing the security program 240 by the processor 202 of the security unit 200 .

Permission unit 232 includes determination unit 2322 and matching request unit 2324 . Determination unit 2322 determines whether or not execution of control program 140 is permitted based on the verification results obtained from verification unit 238 of security unit 200 including determination unit 2322 and verification unit 238 of another security unit 200. and notifies the authentication unit 132 of the control unit 100 of the determination result. The collation request unit 2324 requests the collation unit 238 to collate the unique information.

The generator 234 generates a system hash value, which is unique information. Generation unit 234 includes collection request unit 2342 and system hash value calculation unit 2344 .

The collection requesting unit 2342 functions when requested by the matching unit 238 or the holding unit 236 to generate a system hash value. The verification unit 238 requests generation of a system hash value when starting verification. The holding unit 236 newly registers the unique information of the changed control device 1 in the management information 30 when the devices constituting the control device 1 are changed, for example, when the control device 1 is officially changed. to generate a system hash value. The collection request section 2342 requests the identification information collection section 138 of the control unit 100 to collect the identification information 40 .

The system hash value calculator 2344 generates a system hash value using the identification information 40 of each device sent from the identification information transmitter 136 . The system hash value calculator 2344 typically generates a system hash value using an algorithm used for known hash functions.

The system hash value calculation unit 2344 selects the identification information 40 (SGTIN) and the identification information 42 (GTIN) that is a part of the identification information 40 according to a preset security policy. Select information. The system hash value calculator 2344 uses the identification information (identification information 40 or identification information 42) selected for each device to generate a system hash value as unique information.

The system hash value calculation unit 2344 sends the generated system hash value to the verification unit 238 when the generation of the system hash value is requested by the verification unit 238 . Further, the system hash value calculation unit 2344 sends the generated system hash value to the holding unit 236 when the holding unit 236 requests the generation of the system hash value.

The holding unit 236 holds management information 30 including unique information 20 (system hash value) generated in response to a request from the holding unit 236 . Holding unit 236 includes registration unit 2362 .

The registration unit 2362 functions when a device constituting the control device 1 is changed, the unique information 20 of the changed control device 1 is newly registered in the management information 30, and management of the unique information 20 is started. . The registration unit 2362 starts processing when the condition that the preset access ID and password match the input information is satisfied.

The registration unit 2362 requests the generation unit 234 to generate unique information 20 . The registration unit 2362 registers the unique information 20 generated by the generation unit 234 as part of the management information 30 .

The holding unit 236 transmits the unique information 22 included in the management information 30 to the matching unit 238 in response to a request from the matching unit 238 .

The collation unit 238 receives the request from the collation request unit 2324 and requests the generation unit 234 to generate the unique information 22 . Also, upon receiving the request from the matching requesting unit 2324 , the matching unit 238 requests the holding unit 236 to transmit the unique information 20 included in the management information 30 . The collation unit 238 collates the unique information 22 sent from the system hash value calculation unit 2344 and the unique information 20 sent from the holding unit 236 and sends the collation result to the determination unit 2322 .

<G. Sequence diagram>
FIG. 8 is a sequence diagram showing a processing procedure when a request to start execution of control program 140 is received in this embodiment. In addition, below, a sequence is simply described as "SQ."

In SQ102, the control unit 100 notifies the security unit 200 of a control program start request.

At SQ104, the security unit 200 requests the control unit 100 to collect the identification information 40. FIG.

At SQ 106 , the control unit 100 sends the identification information 40 of each device that constitutes the control device 1 to the security unit 200 .

At SQ108, the security unit 200 selects one identity among the identity 40 (SGTIN) and the identity 42 (GTIN) that is part of the identity 40 for each device according to the security policy.

At SQ110, the security unit 200 generates unique information 22 (system hash value) using the identification information selected for each device.

In SQ112, the security unit 200 compares the generated unique information 22 with the unique information 20 (system hash value) in the management information 30 and obtains a matching result.

In SQ114, the security unit 200 determines whether or not the control program can be executed based on the verification result obtained in SQ112. Specifically, the security unit 200 permits execution of the control program when the collation result indicates "match". On the other hand, the security unit 200 prohibits execution of the control program in response to the collation result indicating "mismatch".

In S116, the security unit 200 notifies the control unit 100 of the determination result.

<H. Variation>
(h1. Modification 1)
The holding unit 236 of the security engine 230 may hold the management information 30 in the form of a distributed ledger with other devices. For example, the management information 30 is held in the form of a distributed ledger with the host device 3 . In this case, the management information 30 is managed and shared by the control device 1 and the host device 3 using known distributed ledger technology. Alternatively, the management information 30 may be held in the form of a distributed ledger with other control devices 1 . In this case, the management information 30 is managed and shared by multiple control devices 1 using known distributed ledger technology. Alternatively, the management information 30 may be held in the form of a distributed ledger on the cloud. Since the management information 30 is held in the form of a distributed ledger, it is less likely to be falsified.

FIG. 9 is a diagram showing an example of management information 30 held in the form of a distributed ledger. As shown in FIG. 9, the management information 30 is composed of a series of blocks 50 . Each block 50 includes at least unique information 20 (system hash value) obtained from the configuration of the control device 1 at certain timing. A block 50 is generated when a change occurs in the devices that make up the control device 1 . The information in each block 50 is never updated and new blocks 50 are generated relative to the latest block 50 .

Specifically, each block 50 includes a block hash value 52 , system configuration information 54 and a nonce 56 . The system configuration information 54 includes identification information 40 of the security unit 200 and unique information 20 (system hash value) of the control device 1 including the security unit 200 .

The block hash value 52 is unique information indicating information of the previous block. The block hash value 52 is, for example, a return value obtained according to a known hash function with information on the previous block as an argument.

In FIG. 9, the management information 30 includes blocks 50-1 to 50-n in order. The management information 30 when added is shown. Block 50-n+1 contains block hash value 52-n. The block hash value 52-n is a return value obtained according to a known hash function with the information of the block 50-n as an argument.

The nonce 56 is a numerical value generated when the block 50 is newly generated, and is a numerical value generated each time the block 50 is generated. The nonce 56 has a unique value for each block 50 .

FIG. 10 is a diagram showing the functional configuration of the security unit 200 that functions when a new block 50 is generated. It should be noted that the functions described with reference to FIG. 7 will not be described again. Further, FIG. 10 shows the flow of data when block 50-n+1 is newly stored based on the fact that the devices up to block 50-n are changed, and the device constituting the control device 1 is changed. It is In addition, in the example shown in FIG. 10, the management information 30 is held in the form of a distributed ledger with the host device 3 .

As described above, the collection requesting section 2342 of the generating section 234 requests the control unit 100 to collect the identification information 40 in response to the generation request of the unique information 20 (system hash value) from the holding section 236 . The system hash value calculation unit 2344 generates unique information 20 based on the identification information 40 of each device constituting the control device 1 sent from the control unit 100 .

Registration unit 2362 of holding unit 236 includes distribution unit 236A, mining unit 236B, and block hash value calculation unit 236C. The system hash value calculator 2344 sends the generated unique information 20 to the distributor 236A.

The host device 3 includes a mining unit 236D, a block hash value computing unit 236E, and management information 30.

The distribution unit 236A generates system configuration information 54 from the unique information 20 and the identification information 40 of the security unit 200, and distributes it to the mining unit 236B and the host device 3. FIG.

The mining unit 236B of the registration unit 2362 cooperates with the mining unit 236D of the host device 3 to generate block 50-n+1.

A block hash value calculation unit 236</b>C of the registration unit 2362 generates a block hash value 52 from the last block 50 registered in the management information 30 . In the example shown in FIG. 8, the last registered block 50 is block 50-n, so block hash value 52-n is generated based on block 50-n. Similarly, the block hash value calculation unit 236E of the host device 3 also generates the block hash value 52 from the last block 50 registered in the management information 30. FIG.

Based on the system configuration information 54 and the block hash value 52-n, the mining unit 236B of the registration unit 2362 sets the nonce 56 so that the information obtained from the block 50 to be generated satisfies a predetermined condition, and generates the block 50. do. The process of setting the nonce 56 and generating the block 50 that satisfies a predetermined condition is called mining. The mining unit 236D of the host device 3 also performs mining. The block 50 generated by the mining unit that finds the nonce 56 that satisfies the predetermined condition earliest among the mining units 236B and 236D is stored in the management information 30 of each of the control device 1 and the host device 3 .

That is, the entity that generated the system configuration information 54 and the entity that generated the block 50 may be different.

Thus, the block 50 is stored in the management information 30 of each of the control device 1 and the host device 3. FIG. That is, the management information 30 of each of the control device 1 and the host device 3 is common as long as it is not falsified.

Each block 50 included in management information 30 includes a block hash value 52 derived from the previous block 50 . That is, when one block 50 is tampered with, it becomes necessary to tamper with the other blocks 50 in a chain reaction. That is, it can be said that the management information 30 is information that is difficult to falsify. By using the unique information 20 included in the management information 30 that is difficult to falsify as a collation target, it is possible to suppress illegal duplicate use of the control program 140 .

The method for generating one block 50 is not limited to the method described with reference to FIGS. 9 and 10. FIG. The method of generating one block 50 may be arbitrarily designed.

For example, the method of generating block 50 may be selected according to the security level of control device 1 . For example, if the security level of the control device 1 is high, the security level (transparency, strictness) of the process of generating the block 50 can be lowered. On the other hand, if the security level of the control device 1 is low, it is necessary to raise the security level (transparency, strictness) of the process of generating the block 50 .

Specifically, when the management information 30 is held in the form of a distributed ledger using private or consortium blockchain technology, the hurdles for consensus building are lowered and the time required for consensus building, that is, one , and storing it in the management information 30 can be shortened. On the other hand, when the management information 30 is held in the form of a distributed ledger using public blockchain technology, it is necessary to raise the hurdles for consensus building.

FIG. 11 is a sequence diagram showing a processing procedure when receiving a request to start execution of the control program 140 in Modification 1. As shown in FIG. In addition, in FIG. 11, the SQ number common to FIG. 8 shall be a common process. Only processing different from that in FIG. 8 will be described below. That is, the processes of SQ102 to SQ112 and SQ116 are common to those in FIG. 8, and the added SQ120 to SQ126 will be explained.

Specifically, in SQ120 after SQ112, the security unit 200 transmits the unique information 22 (system hash value) generated in SQ110 to the higher-level device 3 .

In SQ122, the host device 3 compares the unique information 20 and the unique information 22 included in the latest block 50 in the management information 30 and obtains a matching result.

In SQ124, the host device 3 transmits the collation result obtained in SQ122 to the security unit 200. FIG.

In SQ126, the security unit 200 determines whether or not the control program can be executed based on the verification result of SQ112 and the verification result obtained in SQ124. Specifically, the security unit 200 permits execution of the control program in response to both of the two verification results indicating "match". On the other hand, the security unit 200 prohibits execution of the control program in response to at least one of the two verification results indicating "mismatch".

For example, when another control device is generated by illegally imitating the control device 1, the management information 30 held by the other control device is falsified, and the unique information 20 of the another control device is changed to the management information. It shall be registered within 30. In this case, the security program of the other control device checks not only the management information 30 within its own device, but also the management information 30 of the host device 3 . Therefore, unless the management information 30 of the host device 3 is also falsified, execution of the control program is not permitted, so the security level can be raised.

(h2. Modification 2)
Similar to Modification 1, Modification 2 is an example in which management information 30 is held in the form of a distributed ledger between other devices (for example, host device 3). It differs in the processing procedure when it is received.

FIG. 12 is a sequence diagram showing another example of the processing procedure when a request to start execution of the control program 140 is received in Modification 2. As shown in FIG. In FIG. 12, SQ numbers common to those in FIG. 11 are common processes. As shown in FIG. 12, in modification 2, SQ112 is omitted and SQ128 is executed instead of SQ126.

At SQ128, the security unit 200 determines whether or not the control program can be executed based on the verification result obtained at SQ124. Specifically, the security unit 200 permits execution of the control program when the collation result indicates "match". On the other hand, the security unit 200 prohibits execution of the control program in response to the collation result indicating "mismatch".

Thus, according to Modification 2, the collation result is not obtained by collating with the unique information 20 in the management information 30 held by the control device 1, but by another device (for example, the host device 3). ) is obtained by collating with the unique information 20 in the management information 30 held by .

When another control device is installed by illegally imitating the control device 1, it is more difficult to falsify the data in the host device 3 than to falsify the data in the other control device. . Therefore, according to Modification 2, execution of the control program is not permitted unless the management information 30 of the host device 3 is also falsified, so the security level can be raised.

(h3. Other Modifications)
In the above embodiment, the processor 102 that executes the control program and the processor 202 that executes the security program are provided in different devices. Note that one device may include the processor 202 executing the security program and the processor 102 executing the control program.

§3. Additional Notes As described above, the disclosure according to the above embodiments and modifications includes the following disclosures.

<Configuration 1>
A controller (1) comprising one or more devices,
a control engine (142) that executes a control program (140);
a security engine (230) that manages whether or not the control program can be executed by the control engine;
The security engine is
generating means (234) for generating unique information using identification information obtained from each of said one or more devices;
holding means (236) for holding pre-generated first unique information;
collation means (238) for collating the first unique information with the second unique information generated by the generating means according to a collation request;
a permitting means (232) for making the verification request in response to the control program execution start request and determining whether or not the control program can be executed based on the verification result obtained from the verification means;
The generating means, for each of the one or more devices, according to a security policy from first identification information (42) for identifying the type of the device and second identification information (42) for individually identifying the device. to select the identification information.

<Configuration 2>
the security policy is preset from among a first policy, a second policy and a third policy;
the first policy is a policy for selecting the first identification information for each of the one or more devices;
The second policy selects the first identification information for a first device belonging to a first group among the one or more devices, and selects the first identification information among the one or more devices than the first group. A policy for selecting the second identification information for a second device belonging to a second group having a high security measure priority;
The controller of configuration 1, wherein the third policy is a policy that selects the second identification information for each of the one or more devices.

<Configuration 3>
each of the one or more devices holds the second identification information;
The second identification information is a combination of the first identification information and third identification information (44) uniquely assigned to an individual device of the type identified by the first identification information. can be,
3. The control device according to claim 1, wherein said generating means acquires said first identification information from said second identification information.

<Configuration 4>
4. The controller of any of the configurations 1-3, wherein the one or more devices include a control device (100) having the control engine and a security device (200) having the security engine.

<Configuration 5>
5. The control device according to any one of configurations 1 to 4, wherein said holding means holds said first unique information in the form of a distributed ledger with an external device (3).

<Configuration 6>
The control device according to configuration 5, wherein the collation means further collates the second unique information and the first unique information held by the external device.

<Configuration 7>
A management method performed in a controller (1) comprising one or more devices, comprising:
a step of holding pre-generated first unique information (S1);
generating second unique information using identification information obtained from each of the one or more devices in response to a request to start execution of the control program (140) (S5, SQ108, SQ110);
a step of collating the first unique information and the second unique information (S6, SQ112);
A step (S8, SQ114) of determining whether the control program can be executed based on the collation result,
In the step of generating, for each of the one or more devices, the identification information is generated from first identification information identifying a type of the device and second identification information individually identifying the device according to a security policy. A management method including a step of selecting (SQ108).

<Configuration 8>
A security program (230) for causing a computer to execute a management method executed in a controller (1) comprising one or more devices,
The management method is
a step of holding pre-generated first unique information (S1);
generating second unique information using identification information obtained from each of the one or more devices in response to a request to start execution of the control program (140) (S5, SQ108, SQ110);
a step of collating the first unique information and the second unique information (S6, SQ112);
A step (S8, SQ114) of determining whether the control program can be executed based on the collation result,
In the step of generating, for each of the one or more devices, the identification information is generated from first identification information identifying a type of the device and second identification information individually identifying the device according to a security policy. A security program including a selecting step (SQ108).

It should be considered that the embodiments disclosed this time are illustrative in all respects and not restrictive. The scope of the present invention is indicated by the scope of the claims rather than the above description, and is intended to include all modifications within the scope and meaning equivalent to the scope of the claims. Also, the inventions described in the embodiments and modifications are intended to be implemented independently or in combination as much as possible.

1 control device, 2 information system network, 3 host device, 4 field network, 10 control system, 20 unique information (first unique information), 22 unique information (second unique information, 30 management information, 40 identification information ( second identification information), 42 identification information (first identification information), 44 serial number (third identification information), 50 block, 52 block hash value, 54 system configuration information, 56 nonce, 100 control unit, 102 , 202 processor, 104, 204 chipset, 106, 206 main storage device, 108, 208 secondary storage device, 110, 210 communication controller, 112, 212 USB controller, 114, 214 memory card interface, 115, 215 memory card, 116 field network controller, 118 internal bus controller, 120, 220 information system network controller, 130 authentication program, 132 authentication unit, 134 determination request unit, 136 identification information transmission unit, 138 identification information collection unit, 140 control program, 142 control engine , 144 control program execution unit, 200 security unit, 230 security engine, 232 permission unit, 234 generation unit, 236 holding unit, 236A distribution unit, 236B, 236D mining unit, 236C, 236E block hash value calculation unit, 238 verification unit, 240 security program, 300 I/O unit, 400 communication coupler, 1082, 2082 system program, 2322 determination unit, 2324 collation request unit, 2342 collection request unit, 2344 system hash value calculation unit, 2362 registration unit.

Claims (8)

A controller comprising one or more devices,
a control engine that executes a control program;
a security engine that manages whether or not the control program can be executed by the control engine;
The security engine is
generating means for generating unique information using identification information obtained from each of the one or more devices;
holding means for holding pre-generated first unique information;
collation means for collating the first unique information with the second unique information generated by the generating means according to a collation request;
a permitting means for requesting the collation in response to a request to start execution of the control program, and determining whether or not the control program can be executed based on the collation result obtained from the collation means;
The generating means selects, for each of the one or more devices, the identification information from first identification information identifying a type of the device and second identification information individually identifying the device according to a security policy. control device. the security policy is preset from among a first policy, a second policy and a third policy;
the first policy is a policy for selecting the first identification information for each of the one or more devices;
The second policy selects the first identification information for a first device belonging to a first group among the one or more devices, and selects the first identification information among the one or more devices than the first group. A policy for selecting the second identification information for a second device belonging to a second group having a high security measure priority;
The control device according to claim 1, wherein said third policy is a policy for selecting said second identification information for each of said one or more devices. each of the one or more devices holds the second identification information;
the second identification information is a combination of the first identification information and third identification information uniquely assigned to an individual device of the type identified by the first identification information;
3. The control device according to claim 1, wherein said generating means acquires said first identification information from said second identification information. 4. A controller according to any preceding claim, wherein the one or more devices comprise a control device with the control engine and a security device with the security engine. The control device according to any one of claims 1 to 4, wherein said holding means holds said first unique information in the form of a distributed ledger with an external device. 6. The control device according to claim 5, wherein said collating means further collates said second unique information with said first unique information held by said external device. A management method executed in a control device including one or more devices,
holding pre-generated first unique information;
generating second unique information using identification information obtained from each of the one or more devices in response to a control program execution start request;
matching the first unique information with the second unique information;
and determining whether or not the control program can be executed based on the collation result,
In the step of generating, for each of the one or more devices, the identification information is generated from first identification information identifying a type of the device and second identification information individually identifying the device according to a security policy. Management method, including steps to select. A security program that causes a computer to execute a management method that is executed in a control device that includes one or more devices,
The management method is
holding pre-generated first unique information;
generating second unique information using identification information obtained from each of the one or more devices in response to a control program execution start request;
matching the first unique information with the second unique information;
and determining whether or not the control program can be executed based on the collation result,
In the step of generating, for each of the one or more devices, the identification information is generated from first identification information identifying a type of the device and second identification information individually identifying the device according to a security policy. Security program, including steps to select.

Images