JP5028202B2 - Control network system - Google Patents

Description

  The present invention relates to a control network system used for data communication related to real-time control.

  In data communication related to real-time control (hereinafter referred to as control communication) in a control system, it is important to maintain synchronization with the control cycle of the system. Therefore, as a request for the control network, there is a case where importance is attached to the delay (latency) associated with communication and the fluctuation (jitter) of communication timing, rather than the communication speed (throughput) of control communication.

  As an existing technique related to the above, Patent Document 1 describes a method for maintaining the period of control communication. Here, the period of control communication in the transmission path is estimated from the reception time of the cyclic data sent from the device itself onto the ring-shaped virtual cyclic transmission path. When the reception cycle deviates from a predetermined value due to the congestion of the transmission line, the transmission of the cyclic data is eliminated by suppressing the transmission of acyclic data, and the cyclic communication period of the cyclic data is restored.

  Further, as another existing technique, Patent Document 2 describes a method for determining whether or not communication on a network is appropriate and controlling the communication. Here, for communication packets classified as equipment communication based on destination address, etc., if the packet is continuously transmitted to a specific address or multicast or broadcast with a certain frequency or more, it is determined that the packet is due to abnormal access, and measures such as blocking are taken. Have taken.

JP 2000-353011 A JP 2006-135950 A

  For the purpose of paralyzing control communication, a malicious person configures an unauthorized device and connects it to the control network, or deprives the right of control from a normal device already connected to the network by unauthorized means. In some cases, a so-called Denial of Service (DoS) attack is performed that releases a large number of illegal packets on the network.

  In Patent Document 1, each plant input / output device cannot apply transmission control to data transmitted from another plant input / output device. For this reason, when a DoS attack that sends a large amount of packets only to the target device is executed, the target device cannot block the sent packets. In addition, since devices other than the target cannot detect the abnormality, no action can be taken.

  In addition, when an unauthorized device is directly connected to the switching hub, any device cannot block the incoming unauthorized packet.

  On the other hand, in Patent Document 2, it is necessary to predetermine a reference value for determining abnormal access. However, a reference value that can clearly distinguish between true abnormal access and a state of high load is set. Is difficult in reality. Furthermore, in a network to which a large number of devices are connected, it is not practical to individually set the reference values as described above for all combinations of transfer sources and transfer destinations.

  It is an object of the present invention to provide a control network system that can cope with a failure caused by a malicious person, stabilizes the cycle of control communication, and realizes security improvement suitable for control communication. .

In order to solve the above problems, the present invention provides a plurality of control devices that perform control communication in a predetermined cycle, a communication path that includes a plurality of segments, and a segment that is disposed between each segment of the plurality of segments. A network switch for controlling a connection state with the control device; and a failure detection unit connected to the communication path, wherein the failure detection unit extracts a path from a header portion of the packet collected from the communication path, and the packet A route classifying unit that generates packet information from the collection time, a cycle measuring unit that calculates a control communication cycle in each route from the packet information, a control communication cycle in each calculated route, and a pre-stored route in each route A deviation determination unit that outputs a failure detection signal when the control communication cycle deviates from the appropriate range; Detecting the signal result, it estimates the path caused the control communication deviation Then, with estimates that the appropriate range wherein the packet sender in deviant path control device is the cause of the deviation, in the deviant path It is judged whether the control communication cycle has deviated at a cycle shorter than the appropriate range or deviated at a long cycle. A failure cause estimator that estimates that the release of a packet is a cause of failure, and a block that outputs to the network switch a command that blocks transmission of packet information that uses the address of the control device in the estimated route as a transmission source And a rule generation unit.

  It is possible to provide a control network system that can cope with a failure caused by a malicious person, stabilize the cycle of control communication, and realize security improvement suitable for control communication.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 shows the configuration of a control network system representing the first embodiment of the present invention.

  The plurality of control network segments 20 are respectively connected by the network switch 3 to form the control network 2 that is one communication path. Although the topology of the control network 2 is described as a bus connection in the figure, an arbitrary topology such as a star type or a ring type may be adopted in implementation, thereby affecting the contents of the present invention. There is nothing.

  The network switch 2 is arranged between each of the plurality of control network segments 20 and controls the connection state between the control network segment 20 and the control device 1, and includes address information specified by the access control list 31. A pass or block action can be taken on a packet having. Addresses specified in the access control list 31 are described using IEEE 802.3 addresses (so-called MAC addresses), Internet Protocol (IP) addresses, and port numbers in Transmission Control Protocol (TCP) / User Datagram Protocol (UDP). It may be possible. The control device 1 is connected via a device port 32 of the network switch 2. A plurality of device ports 32 may be provided in the network switch 2.

  Each of the control devices 1 executes control calculation and control communication at a predetermined cycle. In the process, the control device 1 executes control communication with other control devices via the control network 2. On the other hand, the unauthorized device 1x is a device configured by a malicious person, and releases a large amount of packets to the control network 2 via the network switch 3 and attempts to disturb the control communication by the control device 1.

  The failure detection device 4 is connected to the control network 2 that is a communication path, and is provided on the communication path, and collects communication packets through a packet collection port 33 that collects packets transmitted on the communication path. At this time, the time when each packet is collected is recorded in association with the packet (not shown). An independent repeater hub may be used as the packet collection port 33, or one of the device ports 32 of the network switch 2 may be used (however, the device ports are all on the control network 2). Must be set to forward packets). The failure detection device 4 only collects packets so as not to interfere with communication, and does not send any form of reply to the collected packets.

  The route classification unit 40 extracts a source and destination address indicating a route from a header portion of a packet collected from the control network 2 that is a communication route, and packet information from the header portion of the packet and the collection time of the packet 410 is generated. As each address indicating a route, an IP address used in the system, an IEEE 802.3 address, a TCP / UDP port number, and a combination thereof may be arbitrarily used. Further, the packet information 410 is grouped together with the same route and stored in the packet information storage unit 41. When the destination address of the route is a broadcast address or a multicast address, a mark indicating that (in the figure, “B” for the broadcast packet) is added and treated in the same manner as other single addresses. . FIG. 2 schematically shows the procedure.

  As described above, the procedure from collecting packets to generating packet information 410 in the route classification unit 40 and storing the packet information in the packet information storage unit 41 needs to be executed every time the packet flows through the control network 2.

The period measuring unit 42 calculates an average period that is a control communication period in each route from the packet information 410. Specifically, a set of a route and a collection time is read from the packet information 410 stored in the packet information storage unit 41 for a unit time (for example, 1 second), and statistical processing of the collection time is performed on the set having the same route. The average period (T) 43 of the control communication in each route is calculated. FIG. 3 schematically shows the procedure. At this time, in addition to the average period, statistics such as period variance (σ ² ) and average period variation rate (ΔT / Δt) may be obtained (described later).

  The appropriate communication cycle range 44 is a parameter that is set in advance when the failure detection apparatus 4 is activated, and defines an appropriate communication cycle range for each route that is scheduled to be used on the network system.

The departure determination unit 50 compares the average cycle 43 that is the control communication cycle of each route calculated by the cycle measurement unit 42 with the appropriate range 44 of the control communication cycle in each route. As a result, if the average period 43 not fall proper range 44, it is determined that the communication pathway is normal, determining the communication cycle in the next path. If the average period 43 deviates from the appropriate range 44, it is determined that a failure has occurred in the communication, and the communication route information and failure degree information (for example, the average from the appropriate range 44). The fault detection signal 51 including the deviation ratio of the period 43 is output.

  At this time, the failure detection signal 51 may be received by, for example, a separately provided console 5 and used to generate an alarm 6 for reporting the occurrence of the failure to the operator. In addition, when the appropriate range 44 corresponding to the calculated average period 43 of the route is not defined, it means that unauthorized communication that is not assumed in the system has occurred in the first place, regardless of the value of the average period 43. A failure detection signal 51 is output.

  As described above, the procedure from the calculation of the average period 43 by the period measurement unit 42 to the comparison with the appropriate range 44 may be executed with the arbitrarily set unit time as the period. In this case, the storage capacity necessary for the packet information storage unit 41 is proportional to the unit time to be set. Therefore, if one of them becomes a constraint condition, the other may be determined based on that.

  When the failure cause estimation unit 52 detects that the failure detection signal 51 has been output, the failure cause estimation unit 52 obtains and examines the average period of all the routes calculated by the period measurement unit 42 to thereby determine the control communication that caused the deviation. Estimate the route, that is, on which route the communication that is the direct cause of the failure is. Hereinafter, simple examples of cause estimation will be described with reference to FIGS.

  As shown in FIG. 4, when a packet is transmitted on a route (1x → 1a) determined to be a failure with a period significantly shorter than an appropriate communication period in normal control communication, the transmission source address is an unauthorized device. It is presumed that a DoS attack to the control device 1a is being performed. In this case, at the same time, there is a possibility that a failure due to a delay from an appropriate communication cycle is detected on another route (1a → 1b, 1a → 1c) having the transmission source of the control device 1a, and a DoS attack is also performed. It is possible to strengthen the presumption that it is done.

  As shown in FIG. 5, the route determined to be a failure is a broadcast route (1x → 1a, 1b, 1c,...), And a packet is transmitted at a cycle shorter than an appropriate communication cycle in normal control communication. If it is, the transmission source address is acquired by the unauthorized device 1x, and it is estimated that an indiscriminate DoS attack is being performed therefrom.

  As shown in FIG. 6, in the route (1a → 1b) determined to be a failure, a packet is transmitted with a period significantly longer than the proper communication cycle in normal control communication, but other routes (1b → 1b) If no failure is detected in 1c and the like), it is estimated that this is a failure of the control device 1a alone and not a failure as a network system.

In any of the examples, it is possible to make a determination based only on the average period of each path at the time of failure detection as described above. However, the period measurement unit 42 uses the period variance (σ ² ) and the average period variation rate (ΔT). / Δt) and other statistics can be determined together, for example, whether or not the deviation from the appropriate range 44 is significant due to the variance of the cycle, or the variation rate of the average cycle, It is possible to determine whether the failure is abrupt or has a possibility of continuing for a certain period of time, and the accuracy of the cause estimation of the failure can be improved.

  If the failure cause estimation unit 52 identifies a route that is the cause of the failure and the cause is estimated to be harmful, such as a DoS attack, the network system is blocked by blocking communication performed on the route. Must be recovered from the fault state.

  The failure cause estimation unit 52 outputs the estimated failure cause route address information to the cutoff rule generation unit 54 as cutoff route information 53. As shown in FIG. 7, the blocking rule generation unit 54 instructs the network switch 3 to block the failure cause path by the access control list 31 based on the address information indicated by the blocking path information 53. “Deny src 1x dst all” in the figure means “blocks a packet to an arbitrary transmission destination having the address 1x as a transmission source”.

  Eventually, each network switch 3 blocks communication packets belonging to the failure cause path at the boundary of the network segment 20, so that the failure can be eliminated and normal control communication can be performed.

  In this embodiment, the control communication on the control network is monitored by the above-described operation, and the communication of the route that is estimated to cause an abnormality harmful to the control is interrupted to maintain the cycle of other control communication. In addition, the stability of the entire system can be improved.

  FIG. 8 shows the configuration of the control network system representing the second embodiment of the present invention.

  In this embodiment, it is assumed that the unauthorized device 1x is connected to the control network 3 for the purpose of disturbing the control network and disturbing the control operation of the system.

  In the first embodiment, it has been described that a communication path in which the appropriate range 44 of the control communication cycle is not defined is regarded as unauthorized communication and treated as a failure. However, the unauthorized device 1x hides its presence and performs a disturbing operation. In order to perform as long as possible, the address of the existing control devices 1a, 1b,. Thereby, since the period is monitored based on the unreliable route information, it is impossible to accurately detect the failure, and in some cases, the route including the control devices 1a and 1b that should be normal is determined to be abnormal, There is a possibility of being blocked by mistake. In order to deal with the above cases, it is an object to correctly detect a packet transmitted by a malicious person intentionally trying to disturb the period of control communication and appropriately deal with it.

  In the present embodiment, in addition to the configuration in the first embodiment, the control devices 1a and 1b each include an authentication code generation unit 60 and an authentication code verification unit 61, and the failure detection device 4 also includes an authentication code verification unit 61.

  In normal control communication from the control device 1a to the control device 1b, as shown in FIG. 9, the authentication code 63 generated by the authentication code generation unit 60 is added to the control communication message 62 generated inside the control device 1a. In addition, a control communication packet 65 is generated and transmitted to the control device 1b. The control device 1b re-disassembles the received control communication packet 65 into a control communication message 62 and an authentication code 63, and verifies whether or not the authentication code verification unit 61 can generate the same authentication code as the received authentication code 63. To do.

  The authentication code 63 uses a technique known as a message authentication code (MAC) from the control communication message 62 and a secret common key 64 agreed in advance between the control devices 1. Generated and verified. Due to the mathematical nature of a function called a hash function used in the process of generating the MAC, it is extremely difficult for a person who does not know the common key 64 to generate the same authentication code 63. In the present embodiment, the authentication code generation unit 60 generates a packet based on a common key 64 determined in advance. The authentication code verification unit 61 verifies the authentication code based on the common key. The common key 64 is stored in advance in the control device 1 and the failure detection device 4.

  Therefore, in this embodiment, as long as the secret of the common key 64 is kept, only the valid control devices 1a, 1b,... Can generate the control communication packet 65 including the valid authentication code 63. For example, Even if the unauthorized device 1x improperly names the address of the control device 1a or the like, it is possible to distinguish packets transmitted from the unauthorized device 1x.

  In the failure detection device 4, when the same authentication code as the authentication code 63 can be generated from the control communication packet 65 by the above procedure, it is counted for each route in the same manner as in the first embodiment, and it is determined whether or not it is an appropriate cycle. To check. On the other hand, as shown in FIG. 10, when the authentication code 63x generated from the received control communication packet 65 and the received authentication code 63 do not match, the packet information storage unit 41 indicates that the packet is an illegal packet. A mark ("!" In the figure) is attached and counted separately from other legitimate packets. If the occurrence of such packets is sporadic, the possibility of mere packet corruption due to noise or the like is high, but if it is detected beyond a certain frequency, it is estimated that there is a high possibility of an attack by an unauthorized device Is done. In such a case, the access control list 31 for blocking unauthorized packets from the blocking rule generation unit 54 may be immediately output to the network switch 2 without performing aggregation or checking of an appropriate period. .

  FIG. 11 shows a configuration of a control network system representing the third embodiment of the present invention.

  The basic configuration is the same as that of the first embodiment including the failure detection device 4, but a design information conversion / verification unit 71 and design information 70 given thereto are added.

  In the first and second embodiments, the method of giving the appropriate range 44 of the communication cycle in each route was not defined. However, in a large-scale system, it is considered that the number of control communication routes becomes enormous, and these are handled manually. It is a very complicated task to determine and input in the above. In the present embodiment, the above problem is solved by extracting the appropriate range based on the design information 70 of the control network system. On the other hand, it is also intended to contribute to system improvement by using the control communication cycle observed in the operating system as information when the design is reviewed.

  As design information 70 to be used, in addition to specific data such as setting files and control software that are actually mounted on the control device 1, specific specifications of control communication to be performed by each control device 1 (control data An electronic document in which the throughput, data length, allowable delay time, etc. (of course, the communication cycle itself may be defined) may be used. The design information conversion / verification unit 71 scans the given design information 70 when the control network system is activated, and extracts control communication specification information contained therein. The appropriate range 44 is calculated and set in the failure detection device 4.

  During steady operation of the system, the failure detection device 4 monitors each control communication path, and the period measurement unit 42 calculates an average period 43 that is a control communication period. The design information conversion / verification unit 71 acquires the average period 43 of each route at a predetermined frequency, compares the acquired average period with the calculated appropriate range 44, and creates a report 72 that is a report of the comparison result. To notify the system administrator. From the reported report 72, it is possible to read whether there is a path in which the communication cycle is within the appropriate range 44 but there is no room for fluctuation, or whether there is a path that has a large fluctuation in the communication period and lacks stability, For example, it can be used as data for reviewing communication specifications to solve them.

1 is a diagram showing a first embodiment of a control network system according to the present invention. It is a schematic diagram which shows the accumulation | storage procedure of the packet collected in 1st embodiment. It is a schematic diagram which shows the procedure which calculates a communication period. It is a schematic diagram of the example (1) of estimation of the cause of a failure in a control network system. It is a schematic diagram of an estimation example (2) of a failure cause in the control network system. It is a schematic diagram of an example (3) of estimating the cause of failure in the control network system. It is a schematic diagram which shows the packet blocking procedure of the control network system according to the present invention. It is a figure which shows 2nd embodiment of the control network system which concerns on this invention. It is a schematic diagram of the MAC application procedure in 2nd embodiment. It is a schematic diagram which shows the example of handling of an unauthorized packet. It is a figure which shows 3rd embodiment of the control network system which concerns on this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Control apparatus 1x Unauthorized apparatus 2 Control network 3 Network switch 4 Failure detection apparatus 5 Console 6 Alarm 20 Network segment 31 Access control list 32 Equipment port 33 Packet collection port 40 Path classification part 41 Packet information storage part 42 Period measurement part 43 Average period 44 Appropriate range 50 Deviation determination unit 51 Failure detection signal 52 Failure cause estimation unit 53 Blocking path information 54 Blocking rule generation unit 60 Authentication code generation unit 61 Authentication code verification unit 62 Control communication message 63 Authentication code 64 Common key 65 Control Communication packet 70 Design information 71 Design information conversion / verification means 72 Report 410 Packet information

Claims (10)

A plurality of control devices that perform control communication in a predetermined cycle;
A communication path composed of a plurality of segments;
A network switch that is arranged between each of the plurality of segments and controls a connection state between the segment and the control device;
Fault detection means connected to the communication path,
The failure detection means includes
A route classifying unit that extracts a route from a header portion of a packet collected from the communication path and generates packet information from a collection time of the packet;
A cycle measuring unit that calculates a control communication cycle in each path from the packet information;
The calculated control communication cycle in each route is compared with a preset appropriate range of the control communication cycle in each route, and a failure detection signal is output when the control communication cycle deviates from the appropriate range A deviation determination unit to
When the failure detection signal is detected , it is estimated that the control device of the packet transmission source in the route that deviates from the appropriate range is the cause of the deviation, and the control communication cycle in the deviated route is shorter than the appropriate range. Judgment whether it deviated in a cycle or deviated in a long cycle, and when deviating in a short cycle, it is presumed that the emission of an illegal packet by the control device presumed to be the cause of the deviation is the cause of the failure A failure cause estimation unit;
A blocking rule generating unit that outputs a command to block transmission of packet information whose source is the address of the control device in the estimated route to the network switch;
A control network system. The control network system according to claim 1,
The failure cause estimation unit is a case where the control communication cycle in the deviated route deviates at a cycle longer than the appropriate range, and the control communication cycle of a route different from the deviated route is in the appropriate range. If it does not deviate from the above, it is estimated that a failure of the control device of the packet transmission source in the deviated route is the cause of the failure . The control network system according to claim 1 or 2,
A control network system having a packet collection port that is provided on the communication path and collects packets transmitted on the communication path. The control network system according to claim 1 or 2,
A control network system including a packet information storage unit that stores packet information generated by the route classification unit in groups of the same routes. The control network system according to claim 1 or 2,
The control device is
An authentication code generation unit that adds an authentication code to the generated control communication message, generates a packet, and outputs the packet;
An authentication code verification unit that separates the control communication message and the authentication code from the input packet and verifies whether or not the same authentication code as the separated authentication code can be generated;
A control network system. The control network system according to claim 5, wherein
The authentication code generation unit generates an authentication code based on a predetermined common key,
The authentication code verification unit is a control network system that verifies the authentication code using the common key. The control network system according to claim 6, wherein
The failure detection unit includes an authentication code verification unit that separates the control communication message and the authentication code from an input packet and verifies whether or not the same authentication code as the separated authentication code can be generated,
The authentication code verification unit verifies the authentication code separated using the common key for packets collected from the communication path,
The route classification unit extracts a route from the header portion of the packet only for a packet whose validity is confirmed as a result of verification by the authentication code verification unit, and generates packet information from the collection time of the packet Control network system. The control network system according to claim 1 or 2,
A control network system comprising design information conversion / verification means for generating an appropriate range of the control communication cycle based on design information of the control network system. The control network system according to claim 8,
The design information conversion / verification unit is a control network system that extracts control communication specification information from the design information when the control network system is activated, and calculates an appropriate range of the control communication cycle based on the specification information. The control network system according to claim 9, wherein
The design information conversion / verification unit acquires a control communication cycle of each route at a predetermined frequency, compares the acquired control communication cycle of each route with the calculated appropriate range of the control communication cycle, and compares Control network system that outputs the result of the operation as a report.

Images