JP5358599B2 - Software rewriting device and software rewriting method using the device - Google Patents

Description

  The present invention relates to a card board having a rewritable non-volatile memory in a plant device that requires special reliability and security such as a nuclear power plant, and particularly for a software write request to the card board from the outside. The present invention relates to a software rewriting apparatus provided with a configuration that cannot be easily rewritten, and a software rewriting method using the apparatus.

  As a conventional technique, an operation program is stored in a ROM, and when rewriting, the operation program can be rewritten by connecting a connector provided in the interface unit to an external device and reading a new operation program from the external device. Prevents rewriting that the operation program cannot be rewritten without knowing the security code if the security program is not input from the external device with the same number as the security code written in the installed initial program. (For example, Patent Document 1).

Japanese Patent Laid-Open No. 06-045998

  However, the technique disclosed in the above-mentioned Patent Document 1 allows anyone to read the contents of the non-volatile memory if an external code such as a personal identification number is known, and performs artificial input. There is no description about countermeasures against the case where a malicious code or an incorrect code is input, and it is not always satisfactory for a system requiring high reliability such as a nuclear power plant.

  The present invention has been made to solve the above-described problem, and enables software rewriting only when an external device storing predetermined authentication information is attached to a card board. An object of the present invention is to provide a software rewriting device that enables operation of plant equipment by removing an external device after software rewriting.

  A software rewriting apparatus in which a detachable writing mounting unit is provided on a card board storing software for controlling and operating a controlled unit according to the first invention is provided in a first manner provided in the writing mounting unit. The nonvolatile memory stores update software and first authentication information for authenticating a technician who handles the update software, and a plurality of technicians are included in the CPU circuit portion provided on the card board. A second non-volatile memory storing a plurality of second authentication information and software for authenticating the card, and the first mounting unit provided in the writing mounting unit when the writing mounting unit is mounted on the card substrate. The second CPU provided in the CPU circuit unit that receives the first authentication information read by the CPU is one of the plurality of second authentication information stored in the second nonvolatile memory. The second authentication information that matches the first authentication information is read to confirm the consistency, and the update software is received from the first CPU, and the software stored in the second nonvolatile memory is downloaded. The update is performed by the update software, and when the writing mounting unit is detached from the card substrate, the display unit displays that the controlled unit can be operated.

  A software rewriting apparatus in which a detachable writing mounting unit is provided on a card board storing software for controlling and operating a controlled unit according to the second invention is provided by the first method provided in the writing mounting unit. The nonvolatile memory stores update software and first authentication information for authenticating a technician who handles the update software. A plurality of technicians are assigned to the CPU circuit portion provided on the card board. A second non-volatile memory storing a plurality of second authentication information to be authenticated and a plurality of second fingerprint authentication information and software is provided, and writing is performed when the writing mounting unit is mounted on the card substrate. The second CPU provided in the CPU circuit unit that receives the first authentication information read by the first CPU provided in the mounting unit is stored in the second nonvolatile memory. The second authentication information that matches the first authentication information is read out from the plurality of second authentication information, and the consistency is confirmed. Based on the confirmation result, the first CPU is provided in the writing mounting unit. The first fingerprint authentication information of the engineer who handles the update software authenticated by the fingerprint authentication circuit unit is read, and the second CPU reads the first fingerprint authentication information from the plurality of second fingerprint authentication information The second fingerprint authentication information matching the above is read to confirm the consistency, the update software is received from the first CPU, and the software stored in the second nonvolatile memory is updated with the update software. When the writing mounting unit is detached from the card substrate, the display unit displays that the controlled unit can be operated.

  A software rewriting method according to a third invention is stored in a non-volatile memory provided on a card substrate using the software rewriting device described in the first or second claim. The existing software is updated with the update software.

  Since the software rewriting apparatus according to the first invention employs the configuration as described above, the software for update is written in advance in the software writing / implementing section separately stored and managed by the plant engineer. Only when the authentication information of the engineer handling the update software is confirmed while the wear writing mounting part is attached to the card board, the update software can be rewritten, so the card part is mounted on the controlled part. In the normal operation state, there is an excellent effect that malicious writing from the outside is completely impossible.

  Also, since the software rewriting apparatus according to the second invention also employs the above-mentioned configuration, if the software is to be updated by an external engineer who is not stored in the second authentication information, for some reason Even if it is erroneously determined that the first authentication information and the second authentication information coincide with each other, the error can be pointed out by checking with the fingerprint authentication information, thereby preventing external writing. There is an effect that can be done.

  Furthermore, the software rewriting method according to the third invention has the same effects as those of the first and second inventions.

1 is a block diagram showing a software rewriting device according to Embodiment 1. FIG. 4 is a flowchart of an operation performed by the software rewriting device according to the first embodiment. FIG. 10 is a block diagram illustrating a software rewriting device according to a second embodiment. 10 is a flowchart of an operation performed by the software rewriting device according to the second embodiment. 10 is a flowchart of an operation performed by the software rewriting device according to the second embodiment.

Embodiment 1 FIG.
Embodiment 1 of the present invention will be described below with reference to the drawings.
FIG. 1 is a block diagram showing a software (hereinafter, abbreviated as S / W) rewriting device 200 that is used for controlling, for example, plant equipment that is a controlled part of a nuclear power plant facility according to the first embodiment. The S / W rewriting device 200 includes a write mounting unit 1 having a structure that can be attached to and detached from the card substrate 100, a CPU circuit unit 8 provided on the card substrate 100, and a power supply unit 14. The write mounting unit 1 is provided with a first CPU 2, a first RAM 3, a first nonvolatile memory 4, and a first I / F unit 6, and a second in a CPU circuit unit 8 described in detail later. The non-volatile memory 10 is attached to the card substrate 100 only at the time of S / W update of the application S / W 10b, and is removed from the card substrate 100 during normal plant operation. The CPU circuit unit 8 includes a second CPU 9, a second nonvolatile memory 10, a second RAM 11, a display unit 12, and a second I / F unit 13. The power supply unit 14 supplies power to the write mounting unit 1 and the CPU circuit unit 8.

As described above, the writing mounting unit 1 is removed from the card board 100 during normal operation of the plant, and is managed so that an outside intruder cannot touch the plant engineer. In the plant equipment not shown, when the application S / W is to be updated, the S / W 4b for update is stored in the first nonvolatile memory 4 provided in the writing mounting unit 1 by the plant engineer.
The first nonvolatile memory 4 stores in advance first authentication information 4a that is I / D information of a plant engineer who intends to update the application S / W. The first authentication information 4 a for calculation is written in the first RAM 3, and the second authentication information 10 a for calculation is also written in the second RAM 11. The first I / F unit 6 and the second I / F unit 13 exchange signals between the write mounting unit 1 and the CPU circuit unit 8.
The second non-volatile memory 10 provided in the CPU circuit 8 stores in advance second authentication information 10b that is I / D information of a plurality of plant engineers that is the same as the first authentication information 4a. In addition, an application S / W 10b for operating plant equipment is written.
The display unit 12 has a function of displaying the update preparation completion 12a, the update completion 12b, and the non-updatable 12c for displaying the state at the time of updating the update S / W, and the write mounting unit 1 is attached to the card substrate 100. A function for displaying the plant operation OK12d for displaying the state of no operation is provided. The display unit 12 may be provided at a place other than the CPU circuit unit 8. The power supply unit 14 is supplied with power from the external power supply 15.

An update S / W write operation and method in the S / W rewrite device 200 having the above-described configuration will be described with reference to the flowchart shown in FIG.
In ST1, when the necessity of updating the application S / W used in the card substrate 100 arises, the plant engineer writes the update S / W 4b to the writing mounting unit 1 separately managed and stored.
In ST2, the write mounting unit 1 is attached to the card substrate 100.
In ST3, the display unit 12 of the CPU circuit unit 8 on the card substrate 100 is updated ready 12a and, for example, an indicator lamp is lit.
In ST4, the first CPU 2 of the writing mounting unit 1 reads the first authentication information 4a that is I / D information stored in the first nonvolatile memory 4.
In ST5, the first authentication information 4a is written and stored in the first RAM 3 for calculation.
In ST6, the first authentication information 4a is output to the CPU circuit unit 8 via the first I / F unit 6 and the second I / F unit 13, and written and stored in the second RAM 11 for calculation.
In ST7, the second CPU 9 matches the I / D information of the first authentication information 4a from the I / D information as the plurality of second authentication information 10a stored in the second nonvolatile memory 10. I / D information that is the second authentication information 10a to be read is read out.
In ST8, the second CPU 9 compares the first authentication information 4a stored in the second RAM 11 with the read second authentication information 10a, and whether or not the comparison result matches. Confirm. If it matches,
In ST9, the calculation result is output to the first CPU 21 of the write mounting unit 1.
In ST 10, the first CPU 2 reads the update S / W 4 b stored in the first nonvolatile memory 4 and writes it in the first RAM 3.
In ST 11, the update S / W 4 b is output to the CPU circuit unit 8 and written in the second RAM 11.
In ST12, the second CPU 9 rewrites and updates the application S / W 10b in the second nonvolatile memory 10 to the update S / W 4b.
In ST13, the indicator lamp of update completion 12b of the display unit 12 is turned on.
In ST14, the write mounting unit 1 is removed from the card substrate 100.
In ST15, the plant operation OK12d is turned on on the display unit 12.
On the other hand, if the comparison results do not match in ST8,
Moving to ST16, the non-updatable 12c of the display unit 12 is turned on.

  In ST14, the signal information for removing the writing mounting unit 1 from the card substrate 100 in ST14 or the signal information for the plant operation OK in ST15 is taken out of the S / W rewriting device 200, and the device controlled by the card substrate 100 is extracted. The driving may be automatically enabled.

  As described above, the S / W rewriting apparatus 200 according to the first embodiment has to update the S / W of the card substrate 100 that controls and operates the plant equipment installed in the nuclear power plant or the like. The first CPU 2 and the second CPU 9 indicate that the update S / W is written and stored in advance in the writing mounting unit 1 separately stored and managed by a plant engineer, and that the rewriting mounting unit 1 is mounted on the card substrate 100. Recognizes. In other words, when the update preparation is completed, the authentication information is automatically confirmed, and then the update S / W 4b write sequence operates to be rewritten to the update S / W 4b, and further to the update S / W 4b. Then, the rewrite mounting part 1 is removed from the card substrate 100, so that the plant equipment can be operated. That is, the rewriting of the update S / W 4b can be executed only when the rewrite mounting unit 1 is attached to the card substrate 100, and the rewrite mounting unit 1 is removed from the card substrate 100 during normal operation of the plant equipment. Therefore, it is possible to prevent the input of a malicious code or an erroneous code from the outside, and there is an excellent effect that safety, reliability, and security in a nuclear power plant and the like are improved.

Embodiment 2. FIG.
Next, Embodiment 2 will be described with reference to the drawings.
FIG. 3 is a block diagram showing the S / W rewriting device 200 according to the second embodiment. The fingerprint authentication circuit unit 7 is added to the write mounting unit 1 shown in FIG. The second fingerprint authentication information 10c is additionally provided in the non-volatile memory 10, and the other configuration is the same as that of FIG.
The fingerprint authentication circuit unit 7 authenticates and reads a fingerprint which is the first fingerprint authentication information of the plant engineer in charge of S / W update. The second fingerprint authentication information 10c of the nonvolatile memory 10 stores in advance fingerprints of a plurality of plant engineers as a plurality of second fingerprint authentication information.

An update S / W 4b write operation and method in the S / W rewriting apparatus 200 having the above-described configuration will be described with reference to the flowcharts shown in FIGS.
In FIG. 4, ST1, ST3 to ST9 and ST16 are the same as ST1, ST3 to ST9 and ST16 of the first embodiment described above, so the description is omitted.
In ST20, the writing mounting unit 1 is attached to the card substrate 100, and the fingerprint of the technician who updates the application S / W 10b is read by the fingerprint authentication circuit unit 7 and stored as the first fingerprint authentication information 7a.
In ST 21, the first CPU reads the first fingerprint authentication information 7 a stored in the fingerprint authentication circuit unit 7, and writes and stores it in the first RAM 3. The following flow is shown in FIG.
In ST 22, the first fingerprint authentication information 7 a is output to the CPU circuit unit 8 via the first I / F unit 6 and the second I / F unit 13, and written and stored in the second RAM 11.
In ST23, the second CPU 9 uses the second fingerprint authentication information 10c that matches the first fingerprint authentication information 7a from the second fingerprint authentication information 10c of the plurality of engineers stored in the second nonvolatile memory 10. Is read.
In ST24, the second CPU 9 compares the first fingerprint authentication information 7a stored in the second RAM 11 with the read second fingerprint authentication information 10c, and whether or not the comparison results match. To check. If it matches,
In ST25, the calculation result is output to the first CPU 2 of the write mounting unit 1.
Here, ST10 to ST15 shown in FIG. 5 are the same as ST10 to ST15 of the first embodiment described above, and thus the description thereof is omitted.
If the comparison result does not match in ST24 of FIG. 5, the process proceeds to ST26, and the non-updatable 12c is lit on the display unit 12.

As described above, the S / W rewriting apparatus 200 according to the second embodiment has the fingerprint authentication circuit unit 7 in the writing mounting unit 1 and the second circuit of the CPU circuit unit 8 in addition to the configuration of the first embodiment described above. Since the fingerprint authentication information 10c is provided in the non-volatile memory 10, after attaching the writing mounting unit 1 to the card substrate 100, the fingerprint of the plant engineer who intends to update the S / W is authenticated and confirmed, and the S / W Updates are made automatically.
That is, even if the verification confirmation in ST8 shown in FIG. 4 is for some reason, for example, when I / D information is known by a malicious external person and the S / W is about to be updated by the external person, in ST21 Since the person verification and confirmation are performed again by the fingerprint authentication information, in addition to the operation of the first embodiment, there is an effect that reliability, safety, and security are further improved.

  In the first embodiment and the second embodiment, the signal communication between the write mounting unit 1 and the CPU circuit unit 8 is raw information. However, the encryption circuit unit is added to each of the write mounting unit 1 and the CPU circuit unit 8. The security can be further improved by adopting a configuration in which the information to be updated by the encryption circuit unit is encrypted and transmitted and the received encryption is restored.

  The present invention can be used for a data protection circuit of a rewritable nonvolatile memory in a plant or apparatus that requires high security.

1 writing mounting unit, 2 first CPU, 3 first RAM,
4 first nonvolatile memory, 4a first authentication information, 4b S / W for update,
7 fingerprint authentication circuit unit, 7a first fingerprint authentication information, 8 CPU circuit unit,
9 second CPU, 10 second non-volatile memory, 10a second authentication information,
10b Application S / W, 10c Second fingerprint authentication information, 11 Second RAM,
12 Display unit, 100 card substrate, 200 S / W rewrite device.

Claims (3)

A software rewriting device provided with a detachable writing mounting unit on a card board storing software for controlling and controlling a controlled unit,
The first non-volatile memory provided in the writing mounting unit stores update software and first authentication information for authenticating a technician who handles the update software, and is stored in the card board. The provided CPU circuit unit is provided with a second non-volatile memory in which a plurality of second authentication information and software for authenticating a plurality of engineers are stored, and the write mounting unit is provided on the card substrate. The second CPU provided in the CPU circuit unit that receives the first authentication information read by the first CPU provided in the writing mounting unit is stored in the second non-volatile memory. The second authentication information that matches the first authentication information is read from the plurality of second authentication information that has been checked to confirm the matching, and the update software is updated from the first CPU. Receiving and updating the software stored in the second non-volatile memory with the update software, and when the write mounting unit is detached from the card board, the controlled unit is displayed on the display unit. Is a software rewrite device that is displayed as operable. A software rewriting device provided with a detachable writing mounting unit on a card board storing software for controlling and controlling a controlled unit,
The first nonvolatile memory provided in the write mounting unit stores update software and first authentication information for authenticating a technician who handles the update software, and is provided on the card board. The CPU circuit unit is provided with a second non-volatile memory in which a plurality of second authentication information for authenticating a plurality of engineers, a plurality of second fingerprint authentication information, and software are stored. The second CPU provided in the CPU circuit unit that receives the first authentication information read by the first CPU provided in the write mounting unit when the write mounting unit is mounted on the card substrate is The second authentication information that matches the first authentication information is read from the plurality of second authentication information stored in the second non-volatile memory, and the consistency is confirmed. From the result, the first CPU reads out first fingerprint authentication information of a technician who handles the update software authenticated by the fingerprint authentication circuit unit provided in the writing mounting unit, and the second CPU The second fingerprint authentication information that matches the first fingerprint authentication information is read from the plurality of second fingerprint authentication information to confirm the matching, and the update software is received from the first CPU. The software stored in the second non-volatile memory is updated with the update software, and when the writing mounting unit is detached from the card board, the controlled unit is operated on the display unit. A software rewriting device characterized by being displayed as possible. Updating software stored in a non-volatile memory provided on a card board with update software using the software rewriting device described in the first or second claim. Software rewriting method that features.

Images