JP2023075526A - Communication management device and method - Google Patents

Abstract

To more easily maintain communication such as encryption communication even when malfunction including reduction in malfunction safety is caused in encryption means.SOLUTION: A communication management device 1 for managing communication of a plurality of communication apparatuses connected through a network, each of which can perform communication using a plurality of communication methods, comprises: a monitoring unit 12 that monitors safety of communication of the plurality of communication apparatuses according to communication methods and, as a result of the monitoring, identifies an expired communication apparatus whose safety is reduced; a communication method determination unit 13 for determining a communication method that is possible at the expired communication apparatus; and an output unit 14 for notifying the expired communication apparatus of the determined communication method.SELECTED DRAWING: Figure 2

Description

The present invention relates to communication management between multiple communication devices. In particular, it relates to monitoring and changing communication methods.

Conventionally, in business systems such as production systems, distribution systems, and financial systems, devices and devices (hereinafter simply referred to as communication devices) that make up these systems communicate with each other via a network to perform information processing for a given business. was doing A conventional business system is a so-called closed system in consideration of security, and its communication range is limited. For example, in a financial system (particularly, an accounting system), communication devices such as ATMs and bank staff terminals are connected via an intra-bank network. When collaborating with other banks, security was ensured by limited communication via a device or system called a firewall.

Here, with the development of IoT (Internet of Thing) technology, cloud computing, and the like, the target devices and range of communication are expanding. For example, there is a growing need for predictive diagnosis and remote control using the development of Internet banking and the use of the cloud in production systems. In such a case, it becomes necessary to communicate with an external device connected via the Internet or the like. When communicating with this external device, security concerns arise compared to conventional closed systems. For example, the risk of unauthorized access by a malicious third party increases.

For this reason, a communication method that enhances security, such as encrypted communication, has been adopted. One example of this encrypted communication is communication using an electronic certificate (simply referred to as certificate) (hereinafter simply referred to as certificate communication). In certificate communication, a certificate issued by a so-called certificate authority is used to confirm the safety of the communication destination.

Here, in certificate communication, some problem may occur in certificate communication. In such a case, if the communication itself stops, the business in the corresponding business system will also stop. For example, in a production system, the production line will stop. However, such a business system is required to carry out business continuously in consideration of social impact. Therefore, there is a need to continue communications for business continuity.

For example, Japanese Patent Laid-Open No. 2002-200002 describes how to deal with a case where a higher-level certificate authority among a plurality of certificate authorities is compromised. Japanese Patent Laid-Open No. 2002-200002 aims to continue using a distributed certificate so that certificate communication can be maintained even when such compromise occurs. In order to solve this problem, Patent Literature 1 discloses the following technique.

The authentication system 10 of Patent Literature 1 includes upper intermediate certificate authorities 21 and 22 and a lower intermediate certificate authority 31 subordinate thereto. When the lower intermediate certification authority 31 requests the issuance of a certificate, the higher intermediate certification authority exchanges status information with other higher intermediate certification authorities, and issues a certificate based on the exchanged status information. The requested certificate is issued to the lower intermediate certificate authority 31 that requested the issuance. The other upper intermediate certification authority with which the status information is exchanged further issues the same certificate as the previously issued certificate to the lower intermediate certification authority 31 that requested the issuance of the certificate based on the status information. do.

JP 2014-187475 A

However, in the technique described in Patent Document 1, if some trouble (compromise) occurs in certificate communication, it is necessary to reissue the electronic certificate. Therefore, it takes extra time and effort to maintain communication. In addition, no consideration has been given to countermeasures against failures in communication for ensuring security other than certificate communication. For example, there is no way to maintain secure communication even if the encryption means in encrypted communication fails.

Therefore, it is an object of the present invention to maintain communication more easily even when a problem including deterioration of safety occurs in communication.

In order to solve the above problems, in the present invention, security is monitored according to the communication method of each communication device, and as a result, when security is lowered, the communication method of the communication device is determined. This security monitoring includes monitoring whether the tools used to secure communications have expired. Note that the revocation of a tool includes not only the fact that the tool has been revoked, but also the possibility of revocation being a predetermined revocation schedule or expected revocation. The tool includes an electronic certificate (certificate) and a common key, which are examples of encryption means.

More specifically, in a communication management device that manages communication in a plurality of communication devices that are connected via a network and that are capable of communicating in a plurality of communication methods, the plurality of A monitoring unit that monitors the safety of communication according to the communication method of a communication device and, as a result of the monitoring, identifies the revoked communication device whose security has been lowered; The communication management device includes a method determining unit and an output unit for notifying the revoked communication device of the determined communication method.

The present invention also includes a communication management method using the communication management device, a program for causing the communication management device to function as a computer, and a storage medium storing the same.

ADVANTAGE OF THE INVENTION According to this invention, a communication system can be determined more easily and stop of communication can be suppressed also when doubt arises about security.

It is a figure for explaining the technical background in one embodiment of the present invention. 1 is a system configuration diagram in one embodiment of the present invention; FIG. It is a figure which shows the structure of the communication management apparatus in one Embodiment of this invention. FIG. 4 illustrates a revocation list used in one embodiment of the invention; It is a figure which shows the apparatus management table used by one Embodiment of this invention. 4 is a diagram showing a communication method management table used in one embodiment of the present invention; FIG. It is a figure which shows the function management table used by one Embodiment of this invention. It is a flow chart which shows the processing flow in one embodiment of the present invention. It is a figure which shows the modification which implement|achieved one Embodiment of this invention by the cloud system.

An embodiment of the present invention will be described below with reference to the drawings.
<Background>
In the present embodiment, communication regarding production equipment will be described as an example of an application destination. FIG. 1 is a diagram for explaining the technical background of this embodiment. FIG. 1(a) shows a system configuration including a production system 70 for conventional production equipment.

In FIG. 1( a ), robots 3 a and 3 b , controller 4 , and control server 2 , which are one type of equipment to be controlled, are connected via a control network 41 . Also, the production control system (the terminal device 22 constituting this), the control server 2 and the firewall (hereinafter referred to as FW 30) are connected via a control information network 42. FIG. A control network 41 and a control information network 42 are connected. This figure shows an example in which a control network 41 and a control information network 42 are connected via the control server 2 . Also, the production system 70 is connected to other systems (the terminal device 33 constituting this) and an external network such as the Internet 43 via the FW 30 .

Here, in FIG. 1(a), the production system 70 is configured as a closed system, and the FW 30 protects against attacks such as virus 61 from an unauthorized accessor 60. FIG. In other words, the production system 70 centrally manages boundaries with other systems and external networks by the FW 30 . Thus, in FIG. 1(a), borderline defense by FW30 functioned well.

Here, in recent years, open systems, the cloud of production equipment, and the utilization of IoT have become common. Therefore, the system configuration of the production system is changing as shown in FIG. 1(a) to FIG. 1(b). In other words, due to openness and the like, connection destinations and connection paths have become complicated, and boundaries have become ambiguous.

For example, via the control information network 42, it may cooperate with the external production base 50 regarding production. Also, the production equipment may be monitored by the camera 5 via the control network 41 . In addition, the control server 2 may receive predictive diagnosis of AI utilization in the cloud system 80 and remote control. Furthermore, the external base station 90 and the mobile terminal 91 may communicate with each other for maintenance and inspection using the mobile terminal 91 brought into the production facility. These are communications outside the control of the FW 30, and a so-called security hole exists in the boundary type defense by the FW 30.

Therefore, especially when using the mode of FIG. 1(b), it is important to ensure safety in communication between the communication devices constituting the production system 70 and external communication devices. Therefore, it is important to secure, maintain, and manage safety in these communications. For this reason, for example, encrypted communication is adopted as a communication method to ensure a certain level of security.

However, for some reason, the security of communication may be compromised. For example, if a communication device such as the camera 5 is newly connected, its legitimacy is questionable. In addition, certificates and keys of encryption means used in encryption schemes for communication may expire due to aging or the like. Furthermore, the behavior of the communication device may raise doubts about the validity of the certificate or key.

In these cases, in order to ensure safety, it is conceivable to stop the communication itself of the corresponding communication device. However, in business systems such as production systems, there is a need to prevent communication stoppages. This is because the suspension of communication leads to the suspension of business and services, so it is required to maintain communication as much as possible. In the production system 70 of the present embodiment, communication stoppage leads to stoppage of production, which causes problems such as delivery delay and delivery rejection.

Therefore, in the present embodiment, even if the safety of communication is compromised or a question arises, a certain degree of safety is ensured and communication is continued. Details thereof will be described below with reference to the drawings.

<Configuration>
FIG. 2 is a system configuration diagram in this embodiment. In FIG. 2, a control network 41, a control information network 42, and the Internet 43, which are networks, are connected to communication devices, respectively, and communication is performed between the communication devices. Therefore, the system configuration shown in FIG. 2 is roughly divided into three layers for each network. The configuration of this embodiment will be described below for each layer, that is, for each network.

First, the hierarchy of the control network 41 will be described. The control network 41 mainly communicates information about control over production equipment. The following various communication devices are connected to the control network 41 . First, as production equipment, robots 3a to 3c, which are devices to be controlled, and controllers 4a to 4c for controlling them are connected. The production equipment (controlled equipment) is not limited to the robots 3a to 3c, and includes machine tools and the like.

A control server 2 for managing and controlling the controllers 4a to 4c is also connected. Also connected to the control network 41 are a camera 5 for monitoring these production facilities and a terminal device 6 for managing the production facilities such as displaying the monitoring results of the camera 5 . Furthermore, the communication management device 1 that executes the main processing of this embodiment is also connected to the control network 41 .

Here, the robots 3a-3c operate for production according to control signals from the controllers 4a-4c. Also, the robots 3a-3c and the controllers 4a-4c may be directly connected or may be connected via a control network 41. FIG. Furthermore, the controllers 4a-4c may be provided inside the robots 3a-3c. In addition, in order to manage the entire production facility, the control server 2 outputs control notifications to the controllers 4a-4c and receives operating states of the controllers 4a-4c and the robots 3a-3c. In order to implement this function, the control server 2 is implemented by a so-called computer. Also, the camera 5 acquires an image of the production facility and notifies the control server 2 and the terminal device 6 of the image. It is desirable that the camera 5 operates according to instructions from the terminal device 6 . Furthermore, the terminal device 6 can be implemented by a computer such as a so-called PC, tablet, or smart phone.

Also, the communication management device 1 monitors the safety of the communication equipment and determines the communication method according to the monitoring result. For this purpose, the communication management device 1 has an input unit 11 , a monitoring unit 12 , a communication method determination unit 13 , an output unit 14 and a storage unit 15 . The input unit 11 receives information for confirming the safety of communication equipment via the control network 41 . In addition, the monitoring unit 12 determines whether or not the safety of communication has been compromised or doubt has arisen based on the received information. In other words, it is determined whether or not the safety has deteriorated. Here, the decrease in security includes the invalidation of security tools used according to the communication method, and the fact that the communication device is the target or subject of attack by a virus, malicious program, or the like. Tools also include keys such as certificates and common keys, and their revocation includes lack of validity such as authority.

Further, the communication method determination unit 13 determines the communication method of the revoked communication device, which is the corresponding communication device, when security is lowered (for example, a tool such as a certificate is revoked). In addition, the output unit 14 notifies related communication devices of the determined communication method. Furthermore, the storage unit 15 stores various information and the like for executing the processing of the communication management device 1 . In addition, the communication method in the present embodiment includes the type of communication, in particular, the type of encrypted communication for ensuring safety, the suppression (stop) control of communication, and the communication related to any of the functions of the communication device. includes control over whether to run An implementation example of the communication method determination unit 13 and details of its processing will be described later.

In addition, the control network 41 communicates, as communication contents of these communication devices, image data which is the monitoring result of the camera 5, control signals for controlling the robots 3a to 3c, and the like. Furthermore, information for the communication management device 1 to perform monitoring and notification of the determined communication method are also communicated.

The hierarchy of the control network 41 has been described above, and the hierarchy of the control information network 42 will now be described. Various communication devices are connected to the control information network 42, and so-called information communication for production management is mainly performed. The control information network 42 is connected to a production control server 23 for production control and a terminal device 22 for production control. Also connected to the control information network 42 is an internal CA 21 that is a certificate authority for internal use in an organization such as a company that operates the production system 70 .

Here, the production management server 23 executes information processing for production operations such as production planning and production management in production facilities, and for this purpose can be realized by, for example, a computer. Also, the terminal device 22 is used by a user who performs production work to output instructions to the production control server 23 and display processing results in the production control server 23 . For this reason, the terminal device 22 can be realized by a computer such as a so-called PC, tablet, or smart phone.

Also, the internal CA 21 can be implemented by a computer that issues and manages certificates such as public key certificates.

The control information network 42 is also connected to the FW 30 for connecting with the outside of the production system 70 . This completes the description of the hierarchy of the control information network 42. Next, the hierarchy of the Internet 43 will be described. The Internet 43 is also connected to various communication devices described below.

First, the FW 30 connects with other systems in the organization that operates the production system 70 . The other system is a system for performing business other than production, such as product sales and distribution management, and has a business server 32 and a terminal device 33 . The business server 32 executes information processing for various business according to instructions from the terminal device 33 and outputs the result to the terminal device 33 . In this way, the terminal device 33 is used for executing business. For this reason, the business server 32 and the terminal device 33 are realized by computers, and in particular the terminal device 33 can be realized by a so-called PC, tablet, smartphone, or the like.

In addition, the external CA 31 and the terminal device 34 as well as the external production base 50 are connected via the Internet 43 . The external CA 31 is a certification authority operated outside the organization that operates the production system 70 . In other words, like the internal CA, the external CA 31 can be implemented by a computer that issues and manages certificates such as public key certificates. The terminal device 34 is implemented by a computer such as a so-called PC, tablet, or smart phone, and executes various information processing according to various user operations. Also, the external production base 50 is provided with a production system at a base different from the production system 70 . This production system desirably has the same configuration as the production system 70 such as the FW 30 .

Here, the control network 41 is located furthest from the Internet 43 in the production system 70, that is, it is a network that is difficult to intrude from the outside. Conversely, the Internet 43 is the outside itself, and the control information network 42 is configured closer to the outside. For this reason, the content of communication on the control network 41 may be made less secure than the communication on the control information network 42 and the Internet 43 . For example, while certificate communication is performed on the control information network 42 and the Internet 43, the control network 41 may perform common key communication or communication without encryption (plain communication). However, these may be determined for each communication device or communication, and each network (hierarchy) is not limited to a uniform communication method, and may have a configuration in which a plurality of communication methods are mixed. To summarize the above, as an overall trend, there is a tendency for communication to be performed using a communication method with a higher degree of security as the layers appear higher in FIGS. 1 and 2 . In this embodiment, even in a configuration in which a plurality of communication methods are mixed in this manner, the communication method is determined according to its security. A configuration for this purpose will be described below.

FIG. 3 is a diagram showing the configuration of the communication management device 1 in the embodiment. In other words, FIG. 3 is a configuration example for realizing the functional blocks of the communication management device 1 shown in FIG. In FIG. 2, the communication management device 1 will be described as an example of a computer that performs processing according to a program (software). However, it may be configured using dedicated hardware, an FPGA (field-programmable gate array), or the like.

2, the communication management device 1 has a network I/F 110 (network interface), a processing unit 120, a main storage unit 130 and an auxiliary storage unit 140, which are connected to each other via a communication path such as a bus. there is Here, the network I/F 110 has a function of communicating with other communication devices via the control network 41, and corresponds to the input section 11 and the output section 14 in FIG. Note that the network I/F 110 may implement the input function and the output function with independent configurations. Furthermore, the network I/F 110 may be connected to a network other than the control network 41 or a direct communication device.

Further, the processing unit 120 is realized by a processor, a CPU, etc., and performs calculations according to each program developed in the main storage unit 130 . That is, the processing unit 120 executes the processing in the monitoring unit 12 and the communication method determining unit 13 in FIG.

In addition, the main storage unit 130 develops programs stored in the auxiliary storage unit 140 and other storage media, and information necessary for other calculations. Here, the programs developed in the main storage unit 130 include a monitoring program 141 and a communication method determination program 142 . Here, the monitoring program 141 corresponds to the function of the monitoring unit 12 in FIG. 2, and the communication method determination program 142 corresponds to the function of the communication method determination unit 13 in FIG. Moreover, each of these programs may not be an independent program. That is, each of these may be implemented as a module of a program.

Furthermore, the auxiliary storage unit 140 can be realized by a so-called storage such as an HDD (Hard Disk Drive) or an SSD (Solid State Drive). The auxiliary storage unit 140 stores, as information, a revocation list 143, a device management table 144, a communication method management table 145, and a function management table 146 in addition to the programs described above. Incidentally, the auxiliary storage unit 140 may be configured independently from the communication management device 1 . For example, it can be realized by a file server connected via the network I/F 110 . Here, the main storage section 130 and the auxiliary storage section 140 correspond to the storage section 15 in FIG.

Note that the communication management device 1 may be implemented by a plurality of computers. In this case, it is possible to share a plurality of computer functions.

This completes the description of the configuration of the present embodiment, and various types of information stored in the auxiliary storage unit 140 will be described below.

<Information>
FIG. 4 is a diagram showing the revocation list 143 used in this embodiment. The revocation list 143 is information for identifying communication devices whose security has been lowered according to the communication method. For this reason, the revocation list 143 of this embodiment indicates security for each communication device. As shown in FIG. 4, the revocation list 143 of this embodiment has items of device ID, device name, and status. A device ID is information for identifying a communication device. The device name is information indicating the name of the communication device. Only one of the device ID and the device name may be used.

In addition, the status indicates the safety status based on the communication method of the communication device. In other words, it is an item that indicates whether the security has expired. Here, in this embodiment, the deterioration of security is determined by whether or not a certificate, which is a kind of tool for ensuring security, is revoked. In this case, a communication device that satisfies at least one of the following conditions is determined to have lowered security. In other words, the monitoring unit 12 identifies the device as a revoked communication device.
・Communication equipment whose certificate has expired ・Communication equipment whose validity has been questioned ・Communication equipment whose certificate has been notified of revocation by another device In addition to these conditions, conditions may be set .

The contents shown in FIG. 4 will be specifically described below. FIG. 4 shows that the “control server” with the device ID=“0000” maintains the safety of the communication without revoking it. On the other hand, “robot A” with device ID=“1234” indicates that the safety of communication has been revoked. Also, the “controller” with the device ID=“2468” indicates that the safety of communication is scheduled to be revoked. In the example of FIG. 4, the list includes items whose status is "maintenance", but the list may be narrowed down to "expired" or "scheduled to expire".

This revocation list 143 may be created by the communication management device 1 or may be created by another device such as the terminal device 6 or the internal CA 21 . When the communication management device 1 creates it, it can receive information about the validity of the certificate from the internal CA 21 or the external CA 31 and create it. Also, it is possible to check the communication state and connection state of the communication device to the control network 41 and the like and create it.

Then, the communication management device 1 uses this revocation list 143 to determine the communication method. The details of this determination will be described later using a flowchart.

Next, FIG. 5 is a diagram showing the device management table 144 used in this embodiment. The device management table 144 is a table in which information related to communication for each communication device is registered. As shown in FIG. 5, the device management table 144 of this embodiment has device IDs, device names, IP addresses, MAC addresses, communication methods, time limits, functions, and communication states.

Here, the device ID and device name are the same as those in the revocation list 143 . The IP address and MAC address each indicate an address related to communication of the target communication device, and at least one of them may be provided. Further, the communication method indicates a communication method that can be supported by the target communication device.

In addition, the expiration date indicates the expiration date (the expiration date) of the common key or certificate of the target communication device. Also, the function indicates whether the function can be stopped by the target communication device (whether non-stop operation is required). It is particularly desirable that this function is a function related to communication. Also, the communication state indicates a communication state related to the safety of communication of the target communication device.

In the example shown in FIG. 5, the IP address and MAC address of the “control server” with the device ID=“0000” are shown in the figure. The communication method indicates that both certificate communication (including SSL communication, which is an example thereof) and common key communication can be supported. The expiration dates of the certificate and common key are 00:00 on 3/31 and 00:00 on 12/1, respectively, indicating that non-stop operation is required for all functions. The current communication state is normal, indicating that the safety of communication is ensured. In other words, the "control server" indicates that there is no need for revocation at this point.

On the other hand, “controller D” with device ID=“2400” can only support shared key communication as a communication method, and the expiration date of the common key is 00:00 on December 1st. Also, as functions of the "controller D", command notification, emergency reception and normal reception are possible. Command notification and emergency reception indicate that non-stop operation is required, and normal reception indicates that suspension is possible. Note that the command notification indicates output of a command (control signal) from the controller to the robot. Also, emergency reception means receiving an emergency stop command for accident prevention or the like. Furthermore, normal reception is reception for normal operations other than emergency reception.

Also, the communication state of "controller D" is normal, indicating that the security of the common key is maintained. However, for “controller C” with device ID=“2468”, the communication management device 1 has received a revocation notice from the internal CA 21, indicating that the certificate is scheduled to be revoked.

The communication management apparatus 1 also uses this device management table 144 to determine the communication method. The details of this determination will be described later using a flowchart. It should be noted that items of functions in the device management table 144 may be managed in a function management table 146 to be described later. In this case, the function item can be omitted from the device management table 144 .

Next, FIG. 6 is a diagram showing the communication method management table 145 used in this embodiment. The communication method management table 145 is a table in which information for managing communication methods between communication devices is registered. As shown in FIG. 6, the communication method management table 145 of this embodiment has a device ID, partner device, communication method, and communication state for each communication device.
The device ID is information similar to the revocation list 143 . The partner device indicates the device ID of the communication device that communicates with the target communication device. The communication method indicates the current communication method of the target communication device and the partner device. Furthermore, the communication state indicates the current communication state of the target communication device and the partner device, which is the same information as the device management table 144 .

By using the communication method management table 145, the communication management apparatus 1 can identify the related communication device to which the communication method determination result is notified. For example, when the communication method with the device ID=“0000” is determined, the partner device is specified as the related communication device, and the determined communication method is notified to them.

Furthermore, the current communication method can be grasped from the communication method management table 145 . Therefore, when the certificate of a certain communication device is revoked, the communication method can be determined for each communication partner. For example, if the certificate of device ID=“1234” is revoked, some sort of response is required because the partner device=“0000” and “1357” are performing certificate communication. On the other hand, since common key communication is being performed with the partner device=“2468”, it can be determined that common key communication can be maintained. The details of this determination will be described later using a flowchart. In this embodiment, determination processing using the communication method management table 145 is performed, but this determination processing may be omitted. Details of the processing using the communication method management table 145 will be described later using a flowchart.

Finally, FIG. 7 is a diagram showing the function management table 146 used in this embodiment. The function management table 146 is a table in which information is registered in the function for each type of communication device. As shown in FIG. 7, the function management table 146 of the present embodiment has device type, function, stop possibility, and countermeasure for each type of communication device. The device type indicates the type of communication device, but may be for each communication device.

In addition, the function and whether it can be stopped indicates whether the function that can be executed by the target communication device can be stopped (whether non-stop operation is required), like the function of the device management table 144 . Furthermore, countermeasures indicate countermeasures for the corresponding function when communication is invalidated. For example, since non-stop operation is required for the activation function of the device type=“robot”, it is necessary to change the communication method. In addition, since the same display function can be stopped, it indicates that communication regarding display can be suppressed (stopped). Note that this item can be omitted because the countermeasure is the reversed information about whether or not to stop. Furthermore, since the device management table 144 can be used, the function management table 146 can be omitted. In this case, the device management table 144 may be provided with items for countermeasures.

This completes the description of the information in this embodiment, and next, the processing flow in this embodiment will be described using flowcharts.

<Processing flow>
FIG. 8 is a flow chart showing the processing flow in this embodiment. The processing of the communication management apparatus 1 will be described below with reference to FIG. 8. At that time, the main body of processing in each step will be described using the units shown in FIG.

First, in step S1, the monitoring unit 12 starts monitoring safety of communication in the communication device. This may be executed in response to an instruction from the terminal device 6, or may be executed when an activation condition such as a predetermined cycle is satisfied. Note that the communication management device 1 may be operated continuously to continuously execute the processes after step S2.

Next, in step S2, the monitoring unit 12 determines whether any of the communication devices is degraded in safety as a result of monitoring. In this embodiment, the monitoring unit 12 monitors whether the certificate or the like has been revoked. For this purpose, the monitoring unit 12 checks the revocation list 143 . As a result, if the status of the revocation list 143 includes revocation or scheduled revocation (hereinafter simply referred to as revocation) (YES), the process proceeds to step S3. If there is no revocation or revocation schedule in the revocation list 143 (NO), the process returns to step S1 to continue monitoring. Here, regarding the status of the revocation list 143, the records confirmed in step S2 may be appropriately deleted and unconfirmed records may be left, or a flag indicating confirmation may be recorded. As a result, redundant processing after step S3 can be prevented.

Revocation means that the validity of a certificate or key is questioned due to the expiration of the certificate or key due to aging or the behavior of communication equipment, etc., and includes scheduled revocation. The key includes a private key and a common key in addition to the public key. Further, revocation may also include reduced safety due to viruses and the like.

Next, in step S3, the monitoring unit 12 identifies, from the revocation list 143, the communication device indicated by the revoked or revoked device ID as a revoked communication device. In the example of FIG. 4, the robot A with the device ID=“1234” and the controller C with the device ID=“2468” are identified as the revoked communication devices.

Next, in step S4, the communication method determination unit 13 identifies the communication method that has been revoked by the revoked communication device and the communication method that can be handled. Here, in order to identify the invalid communication method, the communication method determination unit 13 may use the communication state of the device management table 144, or check the communication method and communication state of the communication method management table 145. good. In addition, the revocation list 143 may be used to record communication methods that have been revoked or are scheduled to be revoked. Also, in order to specify a compatible communication method, the communication method determining unit 13 uses the communication method of the device management table 144 .

Also, in step S5, the communication method determining unit 13 identifies related communication devices related to the revoked communication device identified in step S3. For this purpose, the communication method determination unit 13 uses the communication method management table 145 . In other words, the monitoring unit 12 identifies the partner device corresponding to the device ID of the revoked communication device as the related communication device. In this embodiment, the partner device that is the communication destination of the revoked communication device is specified, but the related communication device is not limited to this. For example, each communication device managed by the communication management apparatus 1 may be the related communication device, or a communication device connected to the same network as the expired communication device may be the related communication device.

Also, in step S6, the communication method determining unit 13 identifies a communication method that can be used by the related communication device identified in step S5. For this purpose, the communication method determination unit 13 identifies the communication method of the related communication device from the device management table 144 .

Then, in step S7, the communication method determination unit 13 determines the communication method using the results of steps S4 to S6. The details are described below.

This determination method includes a plurality of methods such as the following (1) and (2).

(1) Consideration of Related Communication Equipment First, the communication method determination unit 13 identifies a valid communication method that has not expired among the available communication methods identified in step S4. Next, the communication method determining unit 13 matches the communication method that can be supported by the associated communication device identified in step S6 with the identified effective communication method.
Then, the communication method determining unit 13 determines a matching communication method.

(2) Correspondence to expired communication equipment As in (1), the communication method determination unit 13 identifies a valid communication method that has not expired among the available communication methods identified in step S4, and selects it as a communication method. Determined as In this case, steps S5 and S6 can be omitted.

If security is compromised by a virus or the like, the communication method can be determined as follows. First, for each communication method, it is set whether or not the factor can be dealt with. Then, in step S4, the communication method determination unit 13 uses the setting contents to identify the communication method that can and cannot cope with the factor in the expired communication device. Further, in step S6, the communication method determining unit 13 uses the setting contents to specify the communication method that can or cannot deal with the factor in the related communication device. Then, in this step, the communication method is determined by comparing the communication methods that can deal with the factor. In this case, it is desirable to determine the communication method with the highest security among the communication methods that can be supported by both parties.

Further, the determination of the communication method includes the following aspects. First, change the communication type. For example, changing certificate communication to common key communication or plain communication, or changing common key communication to plain communication. Although it is desirable to change from a communication with a higher security to a communication with a lower security like these, the change in the opposite direction may be performed.

Furthermore, as the communication method to be determined, whether to suppress communication or maintain communication may be determined for each function of the revoked communication device. For this purpose, the communication method determination unit 13 uses the functions of the device management table 144 or the function management table 146 . As described above, the communication method includes specifying the communication method itself (type of communication) and the communication function of the communication device. Also, the communication method may be determined by a combination of these.

As described above, in step S7, the communication method determining unit 13 determines at least the communication method that can communicate with the expired communication device.

Next, in step S8, the communication method determined in step S7 is notified from the output unit 14. FIG. The notification destination at this time is the revoked communication device or the related communication device. At this time, it is desirable that the communication method determination unit 13 updates the communication method of the communication method management table 145 to the determined communication method. In addition, it is desirable that the communication method determination unit 13 also updates the communication status of the device management table 144 and the communication method management table 145 .

As a result of the above step S8, the revoked communication device and the related communication device communicate with the determined communication method. Next, in step S9, the monitoring unit 12 monitors the expired communication device that communicates with the determined communication method. Then, in step S10, the monitoring unit 12 monitors whether or not the revocation of the revoked communication device has been restored. This can be realized by a process similar to that of step S2. In other words, the monitoring unit 12 can confirm whether the revocation has been restored by checking the revocation list 143 or the like. As a result, when it recovers (YES), it changes to step S11. On the other hand, if it has not recovered, the process proceeds to step S9 to continue monitoring.

Here, the recovery in step S10 will be described using an example of renewing a revoked certificate. As will be described later, when invalidation occurs, a warning is sent to each terminal device. Therefore, the terminal device outputs a certificate update request to the internal CA 21 or the external CA 31 according to the user's operation. Then, in the internal CA 21 or the external CA 31, when the certificate is updated in response to the update request, it is determined that the recovery in this step has been completed. Note that this recovery may be automatically executed by the internal CA 21 or the external CA 31 .

Next, in step S11, the communication method determination unit 13 re-determines the communication method of the expired communication device. This is the process of restoring the content determined to be invalid in step S2. In other words, if the revoked communication device or related communication device is changed from certificate communication to common key communication as a result of determination in step S7, it is determined again (restored) to change to certificate communication.

Next, in step S12, the communication method re-determined in step S11 is notified from the output unit 14. FIG. This notification destination is the revoked communication device or the related communication device, as in step S8. Also, at this time, it is desirable that the communication method determination unit 13 updates the communication method of the communication method management table 145 to the re-determined communication method, as in step S8. In addition, it is desirable that the communication method determination unit 13 also updates the communication status of the device management table 144 and the communication method management table 145 . As a result, the revoked communication device and the related communication device communicate with each other using the re-determined communication method, that is, the original communication method.

Note that this flow is continuously executed, and communication between communication devices is maintained as much as possible. As a result, it is possible to minimize the stoppage of work such as production in the production equipment, and to prevent the stagnation of business activities.

With this, the processing flow in this flow chart ends, but the following notification may be executed from the output unit 14 according to the processing in steps S2, S7, and S10.

First, when it is determined in step S2 that there is an expiration schedule, the output unit 14 notifies at least one of the terminal device 6, the terminal device 22, and the terminal device 34 of a warning. This is an advanced warning. Therefore, it is desirable that the output unit 14 notifies at least one of the terminal device 6, the terminal device 22, and the terminal device 34 of a warning when it is determined that there is an expiration. In this way, it is possible to notify the fact that the security of communication has been lowered by dividing it into an advance warning and a main warning. As described above, the user of each terminal, such as a communication or business manager, can grasp that the security of communication has changed, for example, has been lowered.

Also, for the communication method determined in step S7, at least one of the terminal device 6, the terminal device 22, and the terminal device 34 is notified that the communication method has been changed. This may be done only when safety is compromised, or may be done without any particular conditions.

Furthermore, when it is determined to recover in step S11, the output unit 14 notifies at least one of the terminal device 6, the terminal device 22, and the terminal device 34 to that effect. This allows the user of each terminal device to know that the safety of communication has been restored.

Further, management by the communication management device 1 of the present embodiment is not limited to communications of communication devices under its control. For example, it is assumed that the production management server 23 is not under the control of the communication management device 1 and that the control server 2 communicates with it. In this case, as a function of the control server 2, a communication method is determined such that the communication function with the production management server 23 is maintained and other functions are disabled. This allows the production control server 23 to behave as if it is maintaining the communication up to that point.

In the processing flow of this embodiment, when the communication security is revoked (including scheduled or expected revocation), the communication method is changed by changing the type of communication or inhibiting communication of some functions of the communication device. It will be Revocation in this embodiment includes not only the revocation itself but also the possibility of revocation being greater than or equal to a predetermined value. As a result of the above, stoppage of communication can be suppressed, and business continuity can be maintained. This completes the description of the processing flow of the present embodiment. Next, the interface (display) of the present embodiment will be described.

<Modification (cloud type)>
FIG. 9 is a diagram showing a modification in which the present embodiment is realized by a cloud system. In this modified example, the communication management device 1 is connected to the Internet 43 . The communication management device 1 manages the communication devices of each network connected to the Internet 43 . Specifically, it manages communication devices of the control information network 42a and the control network 41a connected via the FW 30a and communication devices of the control information network 42b and the control network 41b connected via the FW 30b. Note that the configuration and processing flow of this modified example are as described above, and the details thereof will be omitted. By adopting such a configuration, it becomes possible to manage communication devices related to multiple organizations and to manage communication devices in multiple bases or multiple business systems. In the former case, it is possible to manage the communication equipment as outsourcing in an organization different from the organization that operates the communication equipment.

Further, the communication management device 1 may be provided so as to connect the control information network 42a and the control information network 42b.

This completes the description of this embodiment, but the present invention is not limited to this embodiment. For example, it can be applied to fields other than production, such as financial services. Also, as the communication equipment, various equipment related to control, mobile units, ATMs, etc. can be used in addition to the illustrated communication equipment. Also, in the present embodiment, encrypted communication is taken as an example of communication, but the communication is not limited to this. Furthermore, encrypted communication is not limited to certificate communication or common key communication.

DESCRIPTION OF SYMBOLS 1... Communication management apparatus, 11... Input part, 12... Monitoring part, 13... Communication method determination part, 14... Output part, 15... Storage part, 2... Control server, 3... Robot, 4... Controller, 5... Camera , 6... Terminal device, 21... Internal CA, 22... Terminal device, 23... Production control server, 30... FW, 31... External CA, 32... Business server, 33... Terminal device 34... Terminal device, 41... Control network, 42... Control information network, 43... Internet, 50... External production base

Claims (8)

In a communication management device that manages communication in a plurality of communication devices connected via a network, each of which is capable of communicating by a plurality of communication methods,
a monitoring unit that monitors the safety of communication according to the communication method of the plurality of communication devices, and identifies the revoked communication device whose safety has been lowered as a result of the monitoring;
a communication method determination unit that determines a communication method that can be used by the revoked communication device;
A communication management device having an output unit for notifying the revoked communication device of the determined communication method. The communication management device according to claim 1,
The monitoring unit uses a revocation list indicating the safety of each of the plurality of communication devices to identify a communication device for which the tool for ensuring communication safety has been revoked as the revoked communication device. In the communication management device according to claim 2,
said tool includes a certificate issued by a certificate authority;
The monitoring unit uses the revocation list to detect communication devices for which the certificate has expired, communication devices for which the authenticity of the certificate has been questioned, and communication for which a notice of revocation of the certificate has been received from another device. A communication management device that identifies at least one device as the revoked communication device. In the communication management device according to claim 3,
The communication management device, wherein the communication method determination unit changes the communication method of the revoked communication device from certificate communication using the certificate to common key communication using a common key. In the communication management device according to claim 2,
The communication method determination unit is a communication management device that disables at least some of the plurality of functions of the revoked communication device and maintains communication for other functions. The communication management device according to any one of claims 1 to 5,
The monitoring unit identifies a communication device to which the revoked communication device communicates or a communication device connected to the network as a related communication device related to the revoked communication device,
The communication method determination unit determines a communication method for communication between the revoked communication device and the related communication device,
The communication management device, wherein the output unit notifies the revoked communication device and the related communication device of the determined communication method. In the communication management device according to claim 6,
The output unit is a communication management device that causes a terminal device to display information about the revoked communication device. In a communication management method for managing communication in a plurality of communication devices connected via a network, each of which is capable of communicating in a plurality of communication methods, using a communication management device,
The monitoring unit monitors the safety of communication according to the communication method of the plurality of communication devices, and as a result of the monitoring, identifies the revoked communication device whose security has deteriorated,
determining a communication method that can be used by the revoked communication device by a communication method determining unit;
A communication management method in which an output unit notifies the revoked communication device of the determined communication method.

Images