JP6051061B2 - Security policy setting device and security policy dynamic setting method - Google Patents

Description

  The present invention relates to a method for dynamically changing settings related to network security.

  A technology called smart grid, which introduces IT technology in the field of power control and promotes efficient use of power, is attracting attention. In the smart grid, network communication technology is used to transmit and receive information between devices constituting the smart grid.

  A characteristic point in the smart grid is that the mobile body moves while connecting to different networks one after another so that the EV moves while passing through several charging stations in the city.

  For example, in the technique described in Patent Document 1, in a mobile communication network including a mobile firewall that filters packets using an access control list, access control that generates an access control list for actually filtering packets in the mobile firewall A list generation device comprising conversion means for converting dynamically settable items in an access control list transferred from an access control list management server into items for actually filtering packets in the mobile firewall. . That is, a technique is described in which a mobile firewall setting in one network is reflected in the mobile firewall when the mobile phone moves to a network under another mobile firewall.

  Patent Document 2 describes a technique in which a mobile communication terminal automatically sets an operating environment setting of a wireless LAN terminal based on received setting data.

JP 2006-67314 A JP 2005-160046 A

  A network connected to a mobile body such as an EV in a smart grid has the following characteristics.

  Since the smart grid is an open network, various devices that do not receive authentication from manufacturers or industry groups may be connected to the network as long as they support the protocol. In such a network, since it is assumed that unexpected infections to malicious programs such as computer viruses frequently occur, it is necessary to flexibly cope with such risks.

  However, although the technique shown in Patent Document 1 provides means for automatically applying a firewall setting based on a preset access control list to a moving destination of a moving object, it depends on the moving path of the moving object. Considering the risk of infection, it is difficult to set up the network.

  Further, in the technique described in Patent Document 2, a means for automatically applying a setting provided when a moving body is connected to a new environment (wireless LAN environment) is provided. As in the known example shown in FIG. 2, it is difficult to set up a network in consideration of risks in the movement route.

In order to solve the above problems, a security policy setting system including a gateway, a charger, and a security policy setting device connected via a network. When the charger is connected to the EV, EV information is acquired and EV information is transmitted to the gateway. The gateway determines infection risk information including the presence or absence of infection risk based on the EV information, and transmits the infection information to the charger. Depending on the information, the risk processing unit that starts charging or removes the risk, the alert transmission unit that transmits the alert or the alert release to the gateway according to the infection risk information, and the gateway based on the alert or the alert release Security level setting section that sets the security level of the network to high or low, and security to other gateways And a transmission unit for transmitting the utility level. .

ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to grasp | ascertain the infection risk according to the moving path | route of a moving body, and to change a network setting dynamically.

1 is a diagram showing an entire system for carrying out the present invention. 2 is a diagram illustrating an example of a configuration of an EV charger 107. FIG. 2 is a diagram illustrating an example of a configuration of a security gateway 102. FIG. 3 is a flowchart of an EV charging program 210. It is a figure which shows the structure of the security level definition database. It is a figure which shows the structure of the security gateway database 309. It is a figure which shows the structure of the connection EV database 310. FIG. It is a flowchart which shows the detail of operation | movement of the infection risk inquiry program 311. FIG. 10 is a flowchart showing details of an operation of EV history information registration processing 312. 10 is a flowchart showing details of an operation of a security level change program 313. It is a flowchart which shows the detail of operation | movement of the infection risk notification program 314. FIG. It is a flowchart which shows the detail of operation | movement of EV connection log | history response program 315. FIG. It is a flowchart which shows the detail of operation | movement of the infection risk registration program 316. FIG. It is a sequence diagram describing one of the flow of processing performed when EV is connected to the EV charger. It is a sequence diagram describing one of the processing flows when an abnormality such as a computer virus infection is found in a certain network. It is the figure which added the security information server 1601 in the example of a change to the whole block diagram shown in FIG.

  One mode for carrying out the present invention is shown below.

  FIG. 1 is a diagram showing the entire system for carrying out the present invention.

  The network 101 is a wide area network such as the Internet. As another example, the network 101 may be a network called an M2M network. The M2M network is a network provided by, for example, a mobile phone carrier, and enables communication between devices connected to the network. In contrast to an open network such as the Internet, an M2M network may be a closed network in which devices connected by a SIM card or the like are limited.

  The security gateway (SGW) 102 is a device that is located at a location where the wide area network 101 and the local network 103 are connected, and controls the flow of packets transmitted and received between the networks.

  The network 103 is a local network such as an intranet or a home network.

  The KIOSK 104 is a terminal that is installed in a pay parking lot or the like and controls the EV charger 107.

  A HEMS (Home Energy Management System) 105 is a device that is installed in a home and transmits / receives information such as power consumption related to home power devices. Various devices such as a power device installed in the home and a terminal for monitoring the device can be connected to the HEMS 105. The information terminal 108 is an example thereof, and an application for visualizing power consumption is installed on a terminal such as a personal computer or a tablet PC.

  A BEMS (Building Energy Management System) 106 is a device that is installed in an office building or a commercial facility, and transmits and receives information such as power consumption related to power devices in the building. Various devices can be installed in the BEMS. The facility device 109 is such a device, and an example is an air conditioning management system that centrally manages air conditioning in a building.

  The EV charger 107 is a device that performs charging for the EV. In the present invention, the EV charger 107 also checks the security state of the EV connected to the charger.

FIG. 2 is a diagram illustrating an example of the configuration of the EV charger 107.
The EV charger 107 is a computer including a CPU 201, a memory 202, a storage device 203, a network interface 204 (interface is indicated as IF in the figure), and an input / output device 205, which are connected via a communication path 208. It is connected. The charger is connected to the charging device 206, and the EV 207 is connected to the charging device to perform charging.

  The storage device 202 is a storage medium such as a hard disk device that contains data to be processed by the CPU 203.

  The memory 203 is a storage medium that includes a program processed by the CPU 201, and includes an EV charging program 210. There may be an embodiment in which the program is temporarily recorded in the storage device 203 and read into the memory 202 and executed when the CPU 201 executes the program.

  An interface 204 is a communication interface for performing external communication with the data center. The interface 204 is connected to the external network 209.

  The input / output device 205 is a device for inputting / outputting data to / from the EV charger 107. Examples of the input / output device 205 include a device such as a touch panel and an input device, and an input device such as a numeric keypad. .

  The charging device 206 is a device connected to each functional unit of the EV charger via the communication path 208, and has a function of charging the EV by connecting to the EV.

  The function of the EV charging program 210 of the EV charger 107 is the same as that of the EV charger. The embodiment is executed in the KIOSK terminal 104 having a CPU, a storage device, a memory, an interface, an input / output device, and a communication path. possible. In this case, the EV charger 107 has only a charging device, and functions as a device that charges the EV in response to a charge execution or stop command from the KIOSK terminal.

  FIG. 3 is a diagram illustrating an example of the configuration of the security gateway 102.

  The security gateway 102 is a computer including a CPU 301, a memory 302, a storage device 303, a packet processing device 304, and an input / output device 305, which are connected via a communication path 307. The packet processing device 304 is connected to a plurality of network interfaces 306, and each network interface is connected to an external network. Here, the external network is a wide area network 101 such as the Internet and a local network 103.

  The memory 302 is a storage medium that includes a program processed by the CPU 201, and includes the following programs. An infection inquiry program 311, an EV connection information registration program 312, a security level change program 313, an alert information registration program 314, an EV connection history response program 315, and an infection risk registration program 316. There may be an embodiment in which the program is temporarily recorded in the storage device 303 and read into the memory 302 and executed when the CPU 201 executes the program.

  The storage device 303 is a storage medium such as a hard disk device or flash memory that contains data to be processed by the CPU 301. The storage device includes the following data. Security level definition database 308, security gateway database 309, EV connection database 310. The database is described as DB in the figure.

The details of the operation of the EV charger 107 will be described below with reference to FIG.
FIG. 4 is a flowchart of the EV charging program 210. The EV charging program 210 is executed with the EV 207 connected to the EV charger 107 as a trigger.

  In the process 401, the EV charger 107 sets the connected EV 207 in a temporary connection state, and acquires EV_ID that is an ID number of the EV 207. The ID number of the EV 207 is a number assigned to uniquely identify the EV. Here, the temporary connection state is a connection in a state where packets exchanged between the EV 207 and the EV charger 107 are limited to a minimum. In the present embodiment, EV_ID is acquired in the temporary connection state, and communication other than the security check is not permitted.

  In the process 402, EV_ID that is an identifier of the EV is transmitted to the security gateway 102 in order to acquire the risk state of the connected EV. Here, the risk state is a value for determining the degree of risk that the connected EV is infected with a malicious program such as a virus, and the value is determined and given by the security gateway 102.

  In process 403, the risk state of the EV connected from the security gateway 102 is acquired. The risk state is acquired as one of “with infection risk” and “without infection risk”. The risk determination method of the security gateway 102 will be described later with reference to FIG.

  In the branch 404, the branch is performed depending on the risk state. If “infectious risk” is acquired as a return value, the process branches to step 405, and if “infectious risk” is acquired, the process branches to step 411.

  In the process 405, the EV connection is retained in the temporary connection state, and the connection is temporarily interrupted.

  In process 406, alert information is transmitted to the security gateway 102.

  In process 407, an EV security check is performed. The security check is, for example, processing such as virus scanning on an EV system and removal of a virus found thereby.

  In branch 408, the result of the security check in process 407 is checked. If no risk such as infection with a virus is found, or if a risk is found but its removal is completed, the process branches to process 410. Otherwise, the process branches to process 409.

  In the process 409, since the EV risk removal has not been completed, the EV is disconnected from the network.

  In process 410, alert cancellation information is transmitted to the security gateway.

  In the process 411, when it is determined that there is no risk, or when the removal of the risk is completed, the connection with the EV is changed from the temporary connection state to the normal connection state, and the charging operation is performed. Here, the normal connection state is a state in which information such as a charge command can be exchanged between the EV and the EV charger.

  In process 412, the history information is registered in the security gateway 102, and the process ends. Here, EV history information is EV_ID, which is an EV identifier, EV connection start time, and EV connection end time. These pieces of information correspond to the items in the EV connection database of the security gateway 102.

  The operation of the security gateway 102 will be described in detail with reference to FIGS.

  FIG. 5 is a diagram showing the configuration of the security level definition database 308. The first line of the security level definition database 308 describes the level name of the security level. In this embodiment, there are two levels of security levels, “low” and “high”, and security items and set values to be set for each are described in the second and subsequent lines.

  A security policy item 501 is an item name of a setting item regarding security set for the security gateway 102.

  The security policy setting value 502 is a setting value of a security item when the security level shown in the first line is “low”.

  The security policy setting value 503 is a setting value of a security item when the security level shown in the first line is “high”.

  FIG. 6 is a diagram showing the configuration of the security gateway database 309.

  The security gateway ID 601 is an ID for uniquely identifying the security gateway.

  An IP address 602 is an IP address of the security gateway.

  The network status 603 is an item indicating the status of the network under the security gateway. The network state 603 takes a state of “with infection risk” or “without infection risk”.

  In addition to these pieces of information, the security gateway database 309 may separately record the time when “with infection risk” and “without infection risk” are registered.

  FIG. 7 is a diagram showing the configuration of the connection EV database 310. The connected EV database is a database that holds a list of EVs connected to EV chargers on the network under the security gateway.

  EV_ID 701 is an ID assigned to uniquely identify an EV.

  EV connection start time 702 is a time when the EV starts connection.

  The EV connection end time 703 is the time when the EV ends the connection.

  FIG. 8 is a flowchart showing details of the operation of the infection risk inquiry program 311. The infection risk inquiry program 311 starts with an EV_ID inquiry from the EV charger as a trigger.

  In process 801, EV_ID from the EV charger is acquired.

  In the process 802, the security gateway database 309 is referred to, EV_ID is transmitted to the IP addresses of all the security gateways whose network status is “infectious risk”, and the EV connection is made to the network. Ask if there was any.

  In process 803, the result of process 802 is received.

  In branch 804, if the corresponding EV_ID has been connected to at least one “infectious risk” network in the past based on the information received in process 803, the process branches to process 805 and otherwise to process 806.

  In process 802, process 803, and branch 804, an inquiry is made to a security gateway that has become “infectious risk” within a certain period of time in process 802, and EV is connected to the network in process 803. There is also an implementation that branches to the processing 805 when the EV connection is established within a certain time in the past from the time when the branch time 804 was “infectious risk” in the branch 804 obtain.

  In process 805, the result of infection risk is returned to the inquiry source, and the process ends.

  In process 806, a result with no infection risk is returned to the inquiry source, and the process ends.

  FIG. 9 is a flowchart showing details of the operation of the EV history information registration process 312. The EV history information registration process is executed with an EV history registration request (process 412) as a trigger.

  In process 901, history information related to EV connection is registered in the connected EV database 310, and the process ends.

  FIG. 10 is a flowchart showing details of the operation of the security level changing program 313. The security level change program 313 is triggered by reception of alert information from the EV charger (process 406) or reception of alert release information (process 410).

  In branch 1001, when the security gateway 102 receives alert information and sets the security level to “high”, processing 1002 receives alert release information and sets the security level to “low”. Branch to 1003.

  In process 1002, the security level in the security gateway 102 is raised to “high” and the program is terminated.

  In process 1003, the security level in the security gateway 102 is lowered to "low" and the program is terminated.

  FIG. 11 is a flowchart showing details of the operation of the infection risk notification program 314. The infection risk notification program 314 is a program that is executed when an unauthorized program such as a computer virus is found in the network under the security gateway 102 or when the safety of the network under the security gateway is confirmed.

  The discovery of an unauthorized program in a device in the network is received using an alert function such as anti-virus software, for example. As for confirmation of network safety, for example, a network administrator performs a virus scan on each device and inputs that the security level is manually lowered in response to the result.

  The branch 1101 branches to a process 1102 when the infection risk in the security gateway 102 is set to “high”, and to a process 1104 when set to “low”.

  In process 1102, the security level of the security gateway 102 is set to “high”.

  In the processing 1103, “there is an infection risk” is notified to the other security gateways regarding the infection risk of the network, and the processing is terminated.

  In process 1104, the security level of the security gateway 102 is set to “low”.

  In process 1105, “no infection risk” is notified to the other security gateways regarding the infection risk of the network, and the process is terminated.

  FIG. 12 is a flowchart showing details of the operation of the EV connection history response program 315. The EV connection history response program 315 starts the operation with an EV connection history inquiry from another security gateway as a trigger.

  In process 1201, EV_ID is received from the inquiring security gateway.

  In the process 1202, the EV connection database 310 is searched for whether or not there is a history of connection of the corresponding EV to the security gateway in the past for the received EV_ID.

  In a process 1203, a search result is returned according to the result of the process 1202. In the process 1203, not only EV_ID but also a time zone in which the EV is connected to the charger may be transmitted as a response.

  FIG. 13 is a flowchart showing details of the operation of the infection risk registration program 316. The infection risk registration program 316 starts the operation with a notification about the infection risk from another security gateway as a trigger.

  In the branch 1301, regarding the infection risk registration, if the notification content is “infectious risk”, the process branches to a process 1302, and if “not infected risk”, the process branches to a process 1303.

  In process 1302, the content of “infectious risk” is registered for the security gateway that is the notification source.

  In process 1303, the content of “no infection risk” is registered for the security gateway of the notification source.

  In the processing 1302 and processing 1303, there may be an embodiment in which the time when the content is registered is recorded.

  FIGS. 14 and 15 describe the flow of processing between the EV charger and the security gateway in the sequence diagram with respect to the processing described in FIGS. 8 to 13.

  FIG. 14 describes a process executed when an EV is connected to the EV charger. In this figure, the sequence is particularly described when there is a risk of infection in the connected EV.

  FIG. 15 describes the flow of processing when an abnormality such as a computer virus infection is found in a certain network.

  This embodiment can also be implemented with some changes as follows.

  This embodiment can be implemented by providing a security information server connected to the wide area network 101 and changing the security gateway database and the connection EV database to be managed by the security information server.

  Moreover, the whole block diagram in this case is shown in FIG. FIG. 16 is obtained by adding a security information server 1601 to the overall configuration diagram shown in FIG. In this case, the process of registering and inquiring regarding the EV connection history and the status of the network under the security gateway requests the security information server for processing instead of requesting the security gateway.

  According to this modification, the information is collectively managed by the server 1601, so that communication destinations can be easily managed.

DESCRIPTION OF SYMBOLS 101 ... Wide area network 102 ... Security gateway 103 ... Local network 104 ... KIOSK terminal 105 ... HEMS (Home Energy Management System)
106 ... BEMS (Building Energy Management System)
107 ... EV charger 108 ... information terminal 109 ... equipment 201 ... CPU
202 ... Memory 203 ... Storage device 204 ... Interface 205 ... Input / output device 206 ... Charging device 207 ... EV (electric vehicle)
208 ... Communication path 301 ... CPU
302 ... Memory 303 ... Storage device 304 ... Packet processing device 305 ... I / O device 306 ... Interface 307 ... Communication path

Claims (6)

And the gateway, and the charger, but a connected security policy setting system via the network,
When the charger is connected to an EV, the charger acquires EV information from the EV, and transmits the EV information to the gateway.
The gateway includes an infection determination unit that determines infection risk information including presence / absence of infection risk of a network to which the EV is connected based on the EV information, and transmits the infection risk information to the charger.
The charger, in accordance with the infection risk information, and risk processing unit for removing the start or risk to charge in response to the infection risk information, and alert transmitting unit for transmitting the alert or alert releasing the gateway, the Prepared,
The gateway, wherein a security level setting unit for setting the security level of the gateway to the high or low based on the released the alert or alert, a transmission unit that transmits the security level to other gateways, further comprising a Security policy setting system. In the security policy setting system according to claim 1,
The gateway further includes a gateway storage unit that stores a network state including other gateways,
The infection determination unit of the gateway requests history information of the EV in another gateway based on the EV information,
The other gateway sends the EV history information to the gateway,
The gateway, security policy setting system characterized in determining, that the presence of the risk of infection on the basis of the history information of the state of the network stored in the gateway storage unit EV. In the security policy setting system according to claim 2,
The said other gateway memorize | stores the presence or absence of the said infection risk information based on the received said security level, The security policy setting system characterized by the above-mentioned. And the gateway, and the charger, but a security policy setting method definitive security policy setting system connected via a network,
When the charger is connected to an EV, the charger acquires EV information from the EV, and transmits the EV information to the gateway.
The gateway determines infection risk information including presence / absence of infection risk of the network to which the EV is connected based on the EV information, and transmits to the charger.
The charger starts charging or removes the risk according to the infection risk information, and sends an alert or alert release to the gateway according to the infection risk information.
The gateway, the alert or based on an alert is cleared and set the security level of the gateway to the high or low, and transmits the security level to other gateways, security policy setting wherein the. In the security policy setting method according to claim 4,
The gateway includes a gateway storage unit that stores a network state including other gateways,
The gateway requests the EV history information in another gateway based on the EV information,
The other gateway sends the EV history information to the gateway,
The gateway determines whether the risk of infection on the basis of the history information of the state of the network stored in the gateway storage unit EV, security policy setting wherein the. In the security policy setting method according to claim 5,
The said other gateway memorize | stores the presence or absence of the said infection risk information based on the received said security level, The security policy setting method characterized by the above-mentioned.

Images