JP7150425B2 - COMMUNICATION SYSTEM, CONTROL DEVICE, COMMUNICATION CONTROL METHOD, AND PROGRAM - Google Patents

Description

The present invention relates to control technology for ensuring security in networks.

The introduction of IoT, which connects all kinds of things with networks, is progressing, and important infrastructure (information communication, finance, aviation, railway, electric power, gas, government/administrative services, medical care, water supply, logistics, chemicals, credit/petroleum) facilities, and important Life equipment (automobiles, housing equipment, smart meters, etc.) are connected to each other via a self-owned network (LAN) or a telecommunications carrier's network (WAN). communicates autonomously in an unattended state.

Under such circumstances, damage from cyber-attacks that exploit security vulnerabilities hidden in various software of devices such as network cameras and home routers and user setting errors has increased. , emergency response in the event of cyber terrorism, securing lifeline IoT communication in the event of a large-scale disaster, and shortening the recovery time from cyber-attacks and large-scale disasters. , IoT service providers, telecommunications carriers, cloud providers, and IoT service users.

However, from the cloud provider's point of view, there is no way to know what devices are connected and in what configuration for the enormous number of various IoT devices connected via LANs and WANs. However, the current situation is that it is difficult to appropriately manage the safety (security vulnerability) of these devices by taking into consideration the damage caused by cyberattacks.

JP 2010-193192 A

The present invention has been made in view of the above points, and an object thereof is to provide a technology that enables control of terminal access to a network based on security vulnerabilities of terminals such as IoT devices. and

According to the disclosed technology, a communication system comprising a gateway between a terminal and a network and a control device,
The control device sets a criterion for vulnerability determination when the number of abnormal occurrence information is equal to or greater than a threshold to be stricter than a criterion for vulnerability determination when the number of abnormal occurrence information is less than the threshold. determining whether the terminal can access the network based on the vulnerability score of
the gateway controls access from the terminal based on the result of the determination;
A communication system is provided, wherein the vulnerability score is a value of a result of a security vulnerability test performed on the terminal by a third party.

According to the disclosed technique, there is provided a technique that enables control of terminal access to a network based on the security vulnerability of a terminal such as an IoT device.

1 is a configuration diagram of a communication system according to an embodiment of the present invention; FIG. 2 is a functional configuration diagram of a secure gateway 100 (terminal-side gateway 100); FIG. 2 is a functional configuration diagram of a secure gateway 200 (cloud-side gateway 200); FIG. 3 is a functional configuration diagram of a secure IoT device 300; FIG. 2 is a functional configuration diagram of a network safety management system 400; FIG. 2 is a functional configuration diagram of a cloud safety management system 500; FIG. It is a figure which shows the hardware structural example. FIG. 4 is a sequence diagram for explaining an operation example of a communication system; FIG. 4 is a sequence diagram for explaining an operation example of a communication system; FIG. 4 is a sequence diagram for explaining an operation example of a communication system;

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described with reference to the drawings. The embodiments described below are merely examples, and embodiments to which the present invention is applied are not limited to the following embodiments.

(Overall system configuration)
FIG. 1 shows an overall configuration example in an embodiment of the present invention. A configuration according to an embodiment of the present invention is an IoT network system that accommodates various IoT devices. FIG. 1 shows a conventional communication system with a normal security level and a communication system with a high security level that can safely connect important infrastructures and important household appliances. is the communication system with the higher security level.

A normal security level communication system consists of, for example, an IoT device 10 that has not undergone a vulnerability test, a conventional network 20 (eg, general Internet), and a conventional cloud 30 .

On the other hand, the communication system according to the embodiment of the present invention includes secure IoT device 300, secure gateway 100, network security management system 400, secure gateway 200, and cloud security management system 500 that have passed the vulnerability test. In the communication system, secure gateway 100, network security management system 400, and secure gateway 200 are connected to secure network 600 (hereinafter referred to as network 600), and secure gateway 200 and cloud security management system 500 are connected to secure It is connected to a cloud 700 (hereinafter referred to as cloud 700). Also, the secure IoT device 300 and the secure gateway 100 are connected by a wired or wireless LAN (Local Area Network).

It should be noted that network 600 is, for example, a secure network such that communications in the network are performed using private communication procedures and/or encryption schemes proprietary to the carrier. However, the network 600 is not limited to this. Also, the cloud 700 is, for example, a cloud such that communications in the cloud are performed using undisclosed communication procedures and/or encryption schemes unique to the carrier. However, the cloud 700 is not limited to this.

An IoT device that can be connected to a communication system (that is, a system network with a high security level) according to an embodiment of the present invention is a secure IoT device 300 with a high security level that has passed a vulnerability test, as shown in FIG. A normal IoT device 10 that does not pass the vulnerability test cannot connect to the communication system. Such connection denial is realized by access control of the secure gateway 100 based on instructions from the network security management system 400. FIG.

FIG. 1 shows providers of each layer (IoT security manager 750, telecommunications carrier 800, cloud provider 900), but this is only an example. may be

In addition, although one secure IoT device 300, one secure gateway 100, one secure gateway 200, and one cloud 700 are shown in FIG. 1, a plurality of each are actually provided. FIG. 1 shows an example of a plurality, and the operations described below are performed in each of a plurality of devices.

In the embodiment of the present invention, the determination and registration of the security level (vulnerability score) of each IoT device can only be performed by a third-party organization (safety standard test operator) certified by the telecommunications carrier. It is assumed that only telecommunications carriers approved by the third party can directly refer to the information.

Hereinafter, functional configuration examples and operation outlines of each device constituting the communication system according to the embodiment of the present invention will be described. The operation of each functional unit described below is an example, and details of the operation of each functional unit will be described later with reference to sequence diagrams.

In addition, in order to make it easier to understand whether the "secure gateway" is on the IoT device side or on the cloud side, in the following explanation, the secure gateway 100 on the IoT device side is referred to as the terminal side gateway 100, and the cloud side is called a cloud-side gateway 200 . However, when it is not specified whether it is the terminal side or the cloud side, it is called a secure gateway. Moreover, when generically referring to normal (non-secure) IoT devices and secure IoT devices, they will be referred to as "IoT devices."

(Terminal-side gateway 100)
The terminal-side gateway 100 is a device that communicates with the secure IoT device 300 by wire or wirelessly, and also with the network security management system 400 via the network 600 . The terminal-side gateway 100 also relays packets transmitted and received between the secure IoT device 300 and the network 600 . The terminal-side gateway 100 also controls access from the secure IoT devices 300 under its control.

FIG. 2 shows a functional configuration diagram of the terminal-side gateway 100. As shown in FIG. As shown in FIG. 2 , the terminal-side gateway 100 has a communication section 110 , an information storage section 120 , a product information acquisition section 130 , an abnormality detection section 140 and a control section 150 .

The communication unit 110 performs communication (specifically, transmission and reception of packets) on the secure IoT device 100 side and the network 600 side. The communication unit 110 includes both a wireless communication function and a wired communication function, and can execute both wireless communication and wired communication. The information storage unit 120 stores various kinds of information.

The product information acquisition unit 130 automatically recognizes IoT devices connected to the LAN, acquires product information from the recognized IoT devices, and notifies the network safety management system 400 of the acquired product information via the communication unit 110. do.

The anomaly detection unit 140 analyzes packets transmitted from the secure IoT device 300 connected to the terminal-side gateway 100 and/or packets addressed to the secure IoT device 300 received from the network 600, performs anomaly detection, When an abnormality is detected, it notifies the network safety management system 400 of information about the abnormality via the communication unit 110 . The control unit 150 receives various commands from the network safety management system 400 via the communication unit 110 and executes processing according to the commands.

(Cloud side gateway 200)
The cloud-side gateway 200 is a device that relays packets between the network 600 and the cloud 700 .

FIG. 3 shows a functional configuration diagram of the cloud-side gateway 200. As shown in FIG. As shown in FIG. 3 , the cloud-side gateway 200 has a communication section 210 , an information storage section 220 and a control section 230 .

The communication unit 210 performs communication (specifically, transmission and reception of packets) on the network 600 side and the cloud 700 side. The communication unit 210 includes both a wireless communication function and a wired communication function, and can execute both wireless communication and wired communication.

In addition, the communication unit 210 executes communication with the network security management system 400 using the communication procedure and data format specified by the carrier, and uses the communication procedure and data format specified by the carrier. It includes a function to execute communication with the pre-registered cloud safety management system 500 . The information storage unit 220 stores various information. The communication procedures and data formats specified by telecommunications carriers are not fixed and unchanging. For example, in case the encryption is broken by a hacker, It is possible to change.

The control unit 230 identifies non-secure communication (eg, communication that does not go through the terminal-side gateway 100 and whose source cannot be specified) by examining the header of the packet received by the communication unit 210, and terminates the communication. The communication unit 210 is caused to cut off.

(Secure IoT device 300)
The secure IoT device 300 is an IoT device that communicates data, such as a sensor or actuator. In the embodiment of the present invention, it is assumed that the secure IoT device 300 is a device that may be attacked by exploiting security vulnerabilities (for example, a device that operates by executing a program). Yes, but not limited to this.

In addition, the secure IoT device 300 is not limited to a single IoT device, and may be a device such as an automobile in which a plurality of sensors, actuators, and devices are connected in parallel or hierarchically and mounted. In this case, each of a plurality of sensors, actuators, and devices that are automobile parts also corresponds to the secure IoT device 300 .

FIG. 4 shows a functional configuration diagram of the secure IoT device 300. As shown in FIG. As shown in FIG. 4 , the secure IoT device 300 has a communication section 310 , an attribute information storage section 320 , a log storage section 330 , an anomaly detection section 340 , a state management section 350 and a control section 360 . Note that FIG. 4 shows only functions related to the embodiment of the present invention in the secure IoT device 300, and does not show sensor functions and the like.

The communication unit 310 communicates (specifically, transmits and receives packets) with the terminal-side gateway 100 .

The attribute information storage unit 320 stores attribute information including its own security vulnerability test determination result. Note that, in the embodiment of the present invention, the security vulnerability test determination result is a vulnerability score. The attribute information storage unit 320 is realized by, for example, a memory in the secure IoT device 300, but the memory area corresponding to the attribute information storage unit 320 can be protected so that it cannot be read or written by the user. and has tamper resistance.

The log storage unit 330 stores the processing operation log and the communication log of the secure IoT device 300 itself.

The anomaly detection unit 340 constantly monitors the processing operation and communication state of the secure IoT device 300 itself, and when an anomaly is detected, the detection Sends information about anomalies that have occurred (source of anomaly, type, time of occurrence, etc.). The anomaly detection unit 340 is implemented by a resident program such as cron, for example.

The state management unit 350 constantly monitors the power ON/OFF, reboot, operation mode, communication mode, software version, setting parameters, vulnerability test result score, etc. of the secure IoT device 300 itself, and changes any of them. is detected, the information (changed item and its value) is transmitted to the terminal-side gateway 100 by, for example, a communication procedure defined by the carrier. The state management unit 350 is implemented by, for example, a resident program such as cron.

The control unit 360 reads the attribute information stored in the attribute information storage unit 320 when receiving a request from the terminal-side gateway 100 according to the communication procedure defined by the telecommunications carrier, and stores the attribute information in the communication procedure defined by the telecommunications carrier. Send with Further, when the control unit 360 receives a request from the terminal-side gateway 100 according to the communication procedure specified by the carrier, it reads the log stored in the log storage unit 330, and stores the log according to the communication procedure specified by the carrier. Send.

(Network safety management system 400)
The network security management system 400 collects information from the terminal-side gateway 100, the network devices that make up the network 600, the cloud-side gateway 200, and the like, and performs various determinations and controls for security management based on the collected information. It is a device. The network security management system 400 may be one device (computer) or may be a collection of multiple devices. Also, the network security management system 400 may be called a "control device".

FIG. 5 shows a functional block diagram of the network safety management system 400. As shown in FIG. As shown in FIG. 5 , the network security management system 400 has a communication section 410 , an authentication section 420 , an information storage section 430 , an information acquisition section 440 , a vulnerability determination section 450 , an abnormality processing section 460 and a control section 470 .

The communication unit 410 transmits and receives packets to and from the network 600 . The authentication unit 420 authenticates the secure gateway.

The information storage unit 430 stores information collected from the terminal-side gateway 100, the cloud-side gateway 200, the secure IoT device 300, the network 600, and the like. The information acquisition unit 440 collects information from the terminal-side gateway 100, the cloud-side gateway 200, the secure IoT device 300, the network 600, and the like.

Vulnerability determination unit 450 determines whether each device of terminal-side gateway 100, cloud-side gateway 200, and secure IoT device 300 has a security vulnerability test determination result value (vulnerability score) based on each device. It is determined whether or not the security level predetermined by the telecommunications carrier has been reached in accordance with the purpose of use of the system, the conditions of provision, the request of the user, and the like. In addition, the vulnerability determination unit 450 determines the risk level of the device based on abnormality detection information collected from the terminal-side gateway 100, the cloud-side gateway 200, the secure IoT device 300, the network 600, and the like. It also includes a function that allows the criteria for determining whether a device has reached a security level predetermined by a telecommunications carrier (eg, the value of a parameter representing the risk level of the device) and the determination result to be changed at any time.

When an abnormality is detected, the abnormality processing unit 460 executes processing (data analysis, abnormality cause elimination processing, etc.) according to the abnormality. The abnormality processing unit 460 can also detect an abnormality by monitoring packets flowing through the network 600 . Also, the control unit 470 performs various command transmissions, information transmissions to other systems, and the like.

(Cloud safety management system 500)
The cloud security management system 500 is a device that performs various determinations and controls for security management on the cloud side, based on information received from the network security management system 400 and the like. The cloud safety management system 500 may be one device (computer) or may be a collection of multiple devices.

FIG. 6 shows a functional configuration diagram of the cloud safety management system 500. As shown in FIG. As shown in FIG. 6 , the cloud safety management system 500 has a communication section 510 , an information storage section 520 and a control section 530 .

The communication unit 510 transmits and receives packets to and from the network forming the cloud 700 . In particular, the communication unit 510 receives the information of the abnormality occurrence notification from the network safety management system 400 according to the communication procedure defined by the communication carrier. The information storage unit 520 stores information received from the network security management system 400 and the like.

The security level required for the IoT network system is set in the control unit 530 according to the type of application, purpose of use of the IoT system, provision conditions, user's request, and the like. The control unit 530 cuts off communication of IoT data with the network in which an abnormality has occurred, depending on the set security level and the content of the abnormality notification (security risk level, target range, etc.), hardware on the cloud (VM) and software operation mode change, hardware (VM) and software operation stop/restart on the cloud, and the like.

The control unit 530 also has a function of detecting anomalies in the cloud 700 (e.g., malware infection, abnormal communication due to setting errors or malfunctions). The network security management system 400 of the communication carrier is notified of the scheduled recovery time and the like.

As described above, there are multiple clouds, and each cloud provides its own application. The cloud safety management system 500 manages these clouds and executes control based on security levels according to the types of applications of each cloud, the purpose of use of the IoT system, provision conditions, user requests, and the like.

(Hardware configuration example)
Each of the devices described above (terminal-side gateway 100, cloud-side gateway 200, secure IoT device 300, network safety management system 400, cloud safety management system 500) is a computer, and the processing content described in the embodiments of the present invention can be realized by executing a program describing That is, the functions of the device can be realized by executing a program corresponding to the processing performed by the device using hardware resources such as a CPU and memory built into the computer. The above program can be recorded in a computer-readable recording medium (portable memory, etc.), saved, or distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.

FIG. 7 is a diagram showing a hardware configuration example of the above device. 7 includes a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, etc., which are connected to each other via a bus B. FIG. Note that the terminal-side gateway 100, the cloud-side gateway 200, and the secure IoT device 300 may not include the display device 1006 and the input device 1007. FIG.

A program for realizing processing in the device is provided by a recording medium 1001 such as a CD-ROM or a memory card, for example. When the recording medium 1001 storing the program is set in the drive device 1000 , the program is installed from the recording medium 1001 to the auxiliary storage device 1002 via the drive device 1000 . However, the program does not necessarily need to be installed from the recording medium 1001, and may be downloaded from another computer via the network. The auxiliary storage device 1002 stores installed programs, as well as necessary files and data.

The memory device 1003 reads and stores the program from the auxiliary storage device 1002 when a program activation instruction is received. The CPU 1004 implements functions related to the device according to programs stored in the memory device 1003 . The interface device 1005 is used as an interface for connecting to the network.

A display device 1006 displays a program-based GUI (Graphical User Interface) or the like. An input device 1007 is composed of a keyboard, a mouse, buttons, a touch panel, or the like, and is used to input various operational instructions.

(Example of communication system operation)
An operation example of the communication system having the above configuration will be described below with reference to sequence diagrams (FIGS. 8 to 10). In the following description, the names of the functional units of each device described with reference to FIGS. 2 to 6 are appropriately used.

An operation example at the time of initial connection will be described with reference to FIG. Here, the operation in FIG. 8 is described as the operation at the time of initial connection, but the operation in FIG. 8 (for example, acquisition of vulnerability score and access determination, access control) may be performed.

For example, when the terminal-side gateway 100 is connected to the network 600, the communication unit 110 of the terminal-side gateway 100 transmits its own authentication information (eg, attribute information such as ID, password, and model number) to the network security management system 400. (S101).

The information storage unit 430 of the network security management system 400 stores contractor information or gateway information including the authentication information. The authentication unit 420 of the network security management system 400 authenticates the terminal-side gateway 100 by comparing the authentication information received from the terminal-side gateway 100 with the information stored in the information storage unit 430. 100 to the network 600 is determined (S102). Here, it is assumed that the authentication is successful and the connection is permitted.

A secure IoT device 300 is connected to the terminal-side gateway 100 via a wired or wireless LAN.

The secure IoT device 300 stores its own attribute information (e.g., manufacturer, product name, model number, version, manufacturing lot number, setting parameter value, operation mode, operation state, security vulnerability test judgment result, security vulnerability test execution person, examinee, etc.) are stored in the attribute information storage unit 320, which is an area in which the user cannot write.

Note that the terminal-side gateway 100 (similar to the cloud-side gateway 200) also stores its own attribute information (e.g., manufacturing manager, product name, model number, version, manufacturing lot number, setting parameter value, operation mode, operation state, security vulnerability test judgment results, security vulnerability testers, examinees, etc.) are stored in an area (a part of the information storage unit 120) that cannot be read and written by the user.

The above security vulnerability test judgment result will be explained. In the embodiment of the present invention, each secure IoT device (the terminal side gateway 100 and the cloud side gateway 200 are the same) is certified by a third party (eg, a safety certification body such as TÜV in Germany and UL in the United States). It is assumed that vulnerability (security vulnerability, safety) testing will be performed. For example, there are a plurality of test items regarding vulnerability for each of software and hardware, and each test item is tested by a third party, and a vulnerability score is assigned to each test item. Also, based on the test results of each test item, a comprehensive vulnerability score of the secure IoT device may be determined. Hereinafter, the term "vulnerability score" is a generic term that includes both multiple vulnerability scores corresponding to each test item and an overall vulnerability score, unless otherwise specified. In addition, the "vulnerability score" may be a numerical value, information representing a pass/fail judgment result (eg, NG, OK), or other forms of information.

The vulnerability score of the secure IoT device 300 determined by the third party is encrypted, for example, in the attribute information storage unit 320, which is an area that cannot be written by the user, by the third party according to the procedure determined by the third party. written in a modified state.

Vulnerability score, for example, by taking a secure IoT device (physical device) to the location of a third-party organization, the vulnerability test is performed, the results may be written, A secure IoT device may be in situ, remotely (via a network), and written to by a third party. In the remote case, for example, the secure IoT device's software configuration information, hardware configuration information, etc. is sent to a third party, where a vulnerability score is determined and written to the secure IoT device.

The product information acquisition unit 120 of the terminal-side gateway 100 acquires the product information of the secure IoT device 300 connected to the terminal-side gateway 100. setting parameter values, operation modes, operation states, security vulnerability test judgment results, security vulnerability testers and examinees, etc.) are automatically obtained from the secure IoT device 300 via the LAN, and stored in the information storage unit 120. Hold (S103). Here, in the acquisition process, a request is sent from the product information acquisition unit 120 of the terminal-side gateway 100 to the secure IoT device 300 according to a communication procedure determined by the carrier. Send the product information according to the established communication procedure.

The information acquisition unit 440 (or the control unit 470) of the network security management system 400 transmits an information request command to the terminal-side gateway 100 according to the procedure determined by the carrier (S104). In the terminal-side gateway 100 that has received the command, the control unit 150 reads information of the terminal-side gateway 100 itself (manufacturer, product name, model number, version, production lot number, setting parameter value, operation, etc.) based on the command. mode, operating state, security vulnerability test determination result, etc.) and information of the secure IoT device 300 connected to the terminal-side gateway 100 (manufacturer, product name, model number, version, production lot number, setting parameter value, operation mode, operation state, security vulnerability test determination result, etc.) are transmitted to the network security management system 400 according to the communication procedure and encryption method determined by the carrier (S105).

The information acquisition unit 440 of the network safety management system 400 receives the above information from the terminal-side gateway 100, and stores (registers) the received information in the information storage unit 430 (S106).

In the embodiment of the present invention, the communication procedure between the secure gateway and the network security management system 400 is standardized in all layers for the security of communication in each country in the event of a cyber war. Instead of disclosing it to the public, each country / region or each communication by placing its own method (encryption method, command parameter value, etc.) specified by each country / region or each communication carrier on top of the international standard framework It is envisioned that this will be an operator's own private communication protocol. In addition, by making the communication module in the secure gateway different specifications for each country and region and keeping it private, it is possible to prevent interference and intervention from telecommunications carriers and cloud providers in other countries. However, defining the communication procedure and the like in this way is an example.

Subsequently, the vulnerability determination unit 450 of the network security management system 400 reads the vulnerability score of the secure IoT device 300 acquired from the terminal-side gateway 100 and the vulnerability score of the terminal-side gateway 100 from the information storage unit 430. . Based on the vulnerability score, the vulnerability determination unit 450 determines whether the terminal-side gateway 100 and the secure IoT device 300 have reached the security level set by the carrier (S107). . When making that determination, in order to be able to review and reset the risk levels of the terminal-side gateway 100 and the secure IoT device 300 according to the occurrence of cyber-attacks on the IoT system, the terminal-side Abnormality occurrence information or the like notified from the abnormality detection unit 140 of the gateway 100 may be used as a criterion parameter. For example, if the total number of anomaly occurrence information notified from the anomaly detection unit 140 of the terminal-side gateway 100 within the most recent predetermined time period is greater than or equal to a certain threshold, it is conceivable to tighten the vulnerability determination criteria. For example, when indicating that the higher the vulnerability score is, the more vulnerable it is, when there are few abnormalities, it is determined that communication is OK when the vulnerability score is X or less, and when there are many abnormalities, the vulnerability score is Y. (Y is smaller than X) It is determined that communication is OK as follows. Note that determination may be made for both the terminal-side gateway 100 and the secure IoT device 300 , or for one of the terminal-side gateway 100 and the secure IoT device 300 .

For each of the terminal-side gateway 100 and the secure IoT device 300, if the result of the determination is pass, a determination flag of communication OK is set, and if disqualified, a determination flag of communication NG is set. It is written in the storage unit 430 and the information storage unit 120 in the terminal-side gateway 10 (S108). Note that this determination flag writing process cannot be performed only once. It is also possible to modify the determination flag and retain the modification history.

As an example, in a case where a larger vulnerability score indicates a higher vulnerability, if the overall vulnerability score of a specific secure IoT device 300 is equal to or greater than a predetermined threshold, the vulnerability determination unit 450 It determines that the IoT device 300 is not allowed to access the network 600 , and transmits a communication NG determination flag (access control instruction) for the secure IoT device 300 to the terminal-side gateway 100 . Upon receiving this instruction, the control unit 150 of the terminal-side gateway 100 executes access control such as rejecting packets transmitted from the secure IoT device 300 .

In addition, in the case of a device such as an automobile that includes a plurality of secure IoT devices, for example, the total vulnerability score of the entire automobile and the total vulnerability score of each secure IoT device that constitutes the automobile are combined. , are hierarchically managed in the information storage unit 430 of the network security management system 400 . Then, for example, even if the vulnerability determination unit 450 determines that the overall vulnerability score of the entire automobile is less than the threshold and is safe, the overall vulnerability score of a specific secure IoT device that constitutes the automobile is If it is equal to or greater than the threshold, it is determined that there is a possibility of an attack on the control system of the entire vehicle exploiting the vulnerability of the secure IoT device, and the terminal issues an instruction to prohibit access to the network 600 by the vehicle. Send to side gateway 100 .

It should be noted that performing access control by the above method is merely an example. For example, access control may be performed by the following method. Modifications 1 and 2 of access control will be described below.

In Modified Example 1, for example, on the network 600, a server that holds correspondence between product information and vulnerability scores is provided. Alternatively, a server may be provided that holds a correspondence relationship between product information and vulnerability scores for each secure IoT device type and manufacturer. These servers are called information servers. The product information here includes, for example, the person in charge of manufacture, product name, model number, version, manufacturing lot number, setting parameter value, operation mode, operation state, software configuration information, hardware configuration information, etc. one or more. Further, in Modification 1, it is assumed that product information that does not include a vulnerability score is stored in the secure IoT device 300 .

In Modified Example 1, the product information acquisition unit 130 of the terminal-side gateway 100 acquires product information from the secure IoT device 300, as in S103 of FIG. Then, the product information is transmitted to the network safety management system 400 in the same manner as S104 and S105 in FIG.

Then, the vulnerability determination unit 450 of the network security management system 400 transmits the product information received from the terminal-side gateway 100 to the information server, thereby inquiring about the vulnerability score of the secure IoT device 300 having the product information. The vulnerability determination unit 450 receives the vulnerability score from the information server, determines the security level of the secure IoT device 300 based on the vulnerability score, and executes access control. The determination and access control are as already explained in S107 and S108 of FIG.

Next, modification 2 will be described. In Modification 2, the information storage unit 430 of the network safety management system 400 holds the correspondence relationship between the product information and the vulnerability score. The product information here is the same as in Modification 1, and includes, for example, manufacturer, product name, model number, version, manufacturing lot number, setting parameter values, operation mode, operation state, software configuration information, and hardware configuration. Any one or any plural of information and the like. Also, in Modification 2, it is assumed that the secure IoT device 300 stores product information that does not include a vulnerability score.

In Modified Example 2, the product information acquisition unit 130 of the terminal-side gateway 100 acquires product information from the secure IoT device 300, as in S103 of FIG. Then, the product information is transmitted to the network safety management system 400 in the same manner as S104 and S105 in FIG.

Then, the vulnerability determination unit 450 of the network security management system 400 determines the vulnerability score of the secure IoT device 300 based on the product information received from the terminal-side gateway 100 and the correspondence stored in the information storage unit 430. to get The vulnerability determination unit 450 determines the security level of the secure IoT device 300 based on the vulnerability score, and executes access control. The determination and access control are as already explained in S107 and S108 of FIG.

Next, an operation example of the communication system in the communication state will be described with reference to the sequence diagram of FIG.

The secure IoT device 300 sequentially transmits packets (S201). The anomaly detection unit 140 in the terminal-side gateway 100 analyzes the packet received from the secure IoT device 300 and performs anomaly detection using techniques such as whitelisting, machine learning, and anomaly detection (S202). When an anomaly is detected, the anomaly detection unit 140 notifies the network security management system 400 of information about the anomaly (e.g., type, time of occurrence, etc.) using the communication procedure and encryption method specified by the carrier ( S203). Along with the notification operation or separately from the notification operation, the abnormality detection unit 140 acquires from the secure IoT device 300 information on an abnormality detected by the secure IoT device 300 itself, and transmits the abnormality detection information in S203. The network safety management system 400 may be notified.

The abnormality processing unit 460 of the network safety management system 400 receives the abnormality detection information transmitted from the terminal-side gateway 100 and writes the abnormality detection information into the information storage unit 430 . Then, the abnormality processing unit 460 determines the risk level of the terminal-side gateway 100 based on the abnormality detection information. For example, the abnormality processing unit 460 determines the risk level based on, for example, the type of abnormality, the total number of abnormal occurrences, the date and time when the abnormality occurred (S204).

More specifically, for example, when the abnormality processing unit 460 detects that the number of occurrences of a specific type of abnormality in a specific secure IoT device 300 is equal to or greater than a predetermined threshold, Set the risk level to a high value. Also, for example, when the number of abnormal occurrences of all secure IoT devices under the terminal-side gateway 100 is equal to or greater than a predetermined threshold value, the risk level of the terminal-side gateway 100 is set to a high value.

The abnormality processing unit 460 (which may be the control unit 470) instructs the terminal-side gateway 100 according to the determined risk level (eg, when the value of the risk level is equal to or greater than a certain threshold value) to send the specific secure IoT device 300 Send a command to suspend communication (transmission/reception) with or with all secure IoT devices (transmission/reception) according to the communication procedure specified by the carrier, and the network security management of the carrier The information is notified to the person (S205).

In the terminal-side gateway 100 that has received the above command, the control unit 150 executes access control such as suspension (temporary blocking) of communication with the specific secure IoT device 300 or the like based on the command.

The abnormality processing unit 460 of the network safety management system 400 also has a function of monitoring packets flowing through the network 600 and determining network abnormality (S204 in FIG. 9).

For example, the abnormality processing unit 460 detects, as abnormal communication, a DDoS attack, communication to a malicious site, communication attempting unauthorized access to the terminal-side gateway 100 (or cloud-side gateway 200), and the like. For example, upon detecting an abnormality in the terminal-side gateway 100, the abnormality processing unit 460 rewrites the communication OK flag of the terminal-side gateway 100 in the information storage unit 430 of the network safety management system 400 to NG. Then, the abnormality processing unit 460 transmits a command to suspend the communication of IoT data to the terminal-side gateway 100, and notifies the network safety manager of the communication carrier of the information (eg, S205 in FIG. 9). . However, in this case, the encrypted communication channel between the secure gateway and network security management system 400 is not blocked.

When the control unit 470 of the network safety management system 400 detects (is notified of) an abnormality in the secure IoT device 300 or the like, the terminal-side gateway 100 receives logs of the secure IoT device 300 and the terminal-side gateway 100 under its control. (eg, communication log, operation log), and a command requesting transmission of setting information (S206).

Based on the command, the control unit 150 of the terminal-side gateway 100 transmits a request for a log or the like to the secure IoT device 300 according to the communication procedure defined by the carrier (S207).

The control unit 360 in the secure IoT device 300 logs its own actions and communications in a format defined by the telecommunications carrier for an arbitrary period set by the user (e.g. system security manager). is recorded in the area (log storage unit 330). Then, when the above request is received from the terminal-side gateway 100, the control unit 360 transmits the recorded log, setting information, etc. to the terminal-side gateway 100 (S208).

Also, the control unit 150 of the terminal-side gateway 100 records a log of its own operations and communications in the information storage unit 120 . The control unit 150 of the terminal-side gateway 100 transmits the information (log, setting information, etc.) received from the secure IoT device 300 in S208 and its own information (log, setting information, etc.) to the network safety management system 400 (S209 ). Also, the control unit 150 of the terminal-side gateway 100 may collect the latest information on the repaired/replaced secure IoT devices and transmit the information to the network security management system 400 .

In the network safety management system 400 that has received the above information, the abnormality processing unit 460 analyzes the received information, estimates the location and cause of the abnormality, and notifies the network safety manager of the telecommunications carrier ( S210).

After that, for example, the network security management system 400 receives an instruction regarding abnormality resolution from the network security manager of the communication carrier. The abnormality processing unit 460 of the network security management system 400, based on instructions from the network security manager of the telecommunications carrier, implements means for resolving the cause of the abnormality (e.g., upgrading the software of secure IoT devices, changing setting parameters, (S211).

By executing the received command, the control unit 150 of the terminal-side gateway 100 executes the above-described means (S212), acquires the execution result (S213), and transmits it to the network safety management system 400 (S214). ). The abnormality processing unit 460 of the network safety management system 400 confirms the execution result (S215). For example, the control unit 150 of the terminal-side gateway 100 receives information indicating that the cause of the abnormality has been resolved (for example, by upgrading to the latest version of software whose safety has been confirmed by a vulnerability test by a third party). , information indicating that the vulnerability score has been improved) is received from the terminal-side gateway 100, the latest information is added to the information storage unit 430 in the network security management system 400, and the corresponding device (eg, secure The communication NG flag of the IoT device 300) is changed to communication OK.

In addition, in order to prevent the above-mentioned functions of the network security management system 400 from being abused by persons inside or outside the telecommunications carrier, each function is controlled by a network equipment operation system (e.g., SD - WAN/SD-LAN traffic control, communication path change, security function placement, etc.) may be provided in the form of a communication carrier dedicated API that can be operated only from the orchestrator, etc.).

Next, an operation example related to the cloud safety management system 500 will be described with reference to FIG. The Clyde safety management system 500 receives the information of the abnormality occurrence notification from the network safety management system 400 according to the communication procedure defined by the communication carrier, and stores it in the information storage unit 520 (S301).

The information storage unit 520 stores the security level required in the IoT network system for each cloud according to the type of application of the cloud, the purpose of use of the IoT system, the provision conditions, the user's request, etc. .

The control unit 530 of the cloud safety management system 500, based on the information of the abnormality occurrence notification received from the network safety management system 400, according to the content (security risk level, target range, etc.), cuts off IoT data communication, Change the operation mode of hardware (VM) and software on the cloud, stop the operation (restart when the abnormality ends), etc.

For example, the control unit 530 of the cloud safety management system 500 determines that the security level of the IoT network system has fallen below the security level required by a specific cloud (eg cloud 700 in FIG. 1) due to the content of the abnormality notification. When this is detected, a communication control command for blocking communication between the cloud 700 and the network 600 is transmitted to the cloud side gateway 200 to block communication (S302 in FIG. 10). This process of blocking communication may be performed completely automatically, or a communication control command may be manually transmitted after judgment by a person (eg, a cloud security manager, etc.).

In addition, the control unit 530 has a function of detecting anomalies in the cloud (malware infection, abnormal communication due to setting errors or malfunctions, etc.). The scheduled recovery time and the like are notified to the network safety management system 400 of the communication carrier (S303).

(Effects of the embodiment, etc.)
With the technology according to the embodiment of the present invention, the communication carrier managing the IoT network can check the type of connected device, software version, pass/fail of security vulnerability test (vulnerability score), presence or absence of tampering or replacement, abnormality It is possible to centrally manage the occurrence status etc. on the network and minimize the damage in the event of an abnormality or failure due to a cyber attack. In addition, by sharing this information between telecommunications carriers and cloud service providers in each country, it is possible to identify high-security "stray IoT terminals" (which have not undergone security vulnerability tests and whose software version is unknown). A secure IoT network and cloud service for important infrastructure/important life equipment that excludes devices with unknown administrators) and consists of hardware and software certified for a certain level of safety by a third-party organization. can be provided.

As a result, for example, it is possible to reduce the social cost of IoT security management that connects important facilities related to lifelines, and to prevent damage from international cyber terrorism and disasters such as serious disasters. Businesses can quickly share information on the location, cause, and countermeasures of abnormalities, shorten the time required for emergency measures and restoration, and reduce the loss of business opportunities in the industrial world and the deterioration of living standards of consumers due to the suspension of IoT systems. It is possible to suppress the influence.

In addition, the level of safety (security vulnerability) of the hardware and software that make up the IoT system (pass/fail results and scores of certification tests by third-party organizations) can be measured by vendors, SI operators, cloud operators, users, and terrorists. It can be managed and shared only by third parties and telecommunications carriers who have been granted special authority by each country's government, without being overwritten or tampered with by be able to.

In addition, the manufacturing manager, product name, model number, version, manufacturing lot number, setting parameter values, etc. of the hardware and software that make up the IoT are incorporated into the non-overwritable secure area on the IC chip of various devices and software modules. Disturbance due to falsification, spoofing, etc. can be centrally managed by reading and writing in encrypted data storage areas, etc., using private communication procedures and encryption methods (known only to security certification bodies and telecommunications carriers). can minimize the risk of

That is, according to the embodiment of the present invention, it is possible to reduce the cost of security management for the IoT system connected to important infrastructures and important life appliances for society as a whole. In addition, in the event of cyber terrorism, the governments (police and military) of each country will ask their telecommunications carriers to take emergency emergency measures (such as blocking communication from hardware/software whose safety cannot be confirmed), and to identify damage points. , analysis of the cause, tracking of criminals, recovery, etc., it is possible to quickly respond to them, so it is possible to minimize social damage caused by cyberattacks. In general, telecommunications carriers are managed and regulated by the laws of each country and their business activities are disclosed to the public from the viewpoint of national defense and social stability. By being managed by telecommunications carriers, the risk of the mechanism of the present invention falling into the hands of specific commercial enterprises or criminal groups without the public's knowledge and jeopardizing the safety of important infrastructure and important life equipment is suppressed. can do.

(Summary of embodiment)
As described above, according to the embodiments of the present invention, there is provided a communication system comprising a gateway between a terminal and a network, and a control device, wherein the control device determines the vulnerability score of the terminal. The gateway determines whether or not the terminal can access the network based on the result of the determination, and the gateway controls access from the terminal based on the result of the determination.

The vulnerability score is, for example, information acquired from the terminal, or information acquired based on a correspondence relationship between the product information of the terminal and the vulnerability score. Further, the gateway notifies the control device of information regarding an abnormality in the terminal, and the control device causes the gateway to control access from the terminal based on the information regarding the abnormality. good too.

Further, according to an embodiment of the present invention, there is provided a communication control method executed in a communication system comprising a gateway between a terminal and a network, and a control device, wherein the control device detects vulnerability of the terminal determining whether or not the terminal can access the network based on the score; and performing control of access from the terminal by the gateway based on the result of the determination. A communication control method is provided.

Further, according to an embodiment of the present invention, the control device in a communication system comprising a gateway between a terminal and a network, and a control device, wherein the vulnerability score obtained from the terminal, or the means for determining whether or not the terminal can access the network based on the vulnerability score acquired based on the corresponding relationship between the product information of the terminal and the vulnerability score; In contrast, there is provided a control device characterized by comprising means for instructing control of access from the terminal.

Further, according to an embodiment of the present invention, the gateway in a communication system comprising a gateway between a terminal and a network, and a control device, acquires product information from the terminal, and sends the product information to the a means for transmitting to a control device; receiving an access control instruction from the terminal from the control device based on an access permission judgment executed in the control device using the product information; and means for performing control of access from said terminal.

Further, according to an embodiment of the present invention, there is provided a program for causing a computer to function as each means in the control device, and a program for causing a computer to function as each means in the gateway.

Although the present embodiment has been described above, the present invention is not limited to such a specific embodiment, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims. It is possible.

10 IoT device 20 Conventional network 30 Conventional cloud 100 Secure gateway 200 Secure gateway 300 Secure IoT device 400 Network safety management system 500 Cloud safety management system 600 Secure network 700 Secure cloud 750 IoT safety manager 800 Carrier 900 Cloud Business operator 110 Communication unit 120 Information storage unit 130 Product information acquisition unit 140 Abnormality detection unit 150 Control unit 210 Communication unit 220 Information storage unit 230 Control unit 310 Communication unit 320 Attribute information storage unit 330 Log storage unit 340 Abnormality detection unit 350 State management Unit 360 Control unit 410 Communication unit 420 Authentication unit 430 Information storage unit 440 Information acquisition unit 450 Vulnerability determination unit 460 Abnormality processing unit 470 Control unit 510 Communication unit 520 Information storage unit 530 Control unit

Claims (6)

A communication system comprising a gateway between a terminal and a network and a control device,
The control device sets a criterion for vulnerability determination when the number of abnormal occurrence information is equal to or greater than a threshold to be stricter than a criterion for vulnerability determination when the number of abnormal occurrence information is less than the threshold. determining whether the terminal can access the network based on the vulnerability score of
the gateway controls access from the terminal based on the result of the determination;
A communication system, wherein the vulnerability score is a value of a security vulnerability test determination result executed by a third party on the terminal. The communication system according to claim 1, wherein the vulnerability score is information acquired from the terminal, or information acquired based on a correspondence relationship between product information of the terminal and the vulnerability score. . The gateway notifies the control device of information regarding an abnormality in the terminal, and the control device causes the gateway to control access from the terminal based on the information regarding the abnormality. The communication system according to claim 1 or 2. A communication control method executed in a communication system comprising a gateway between a terminal and a network and a control device,
The control device makes a criterion for vulnerability determination when the number of abnormal occurrence information is equal to or greater than a threshold stricter than a criterion for vulnerability determination when the number of abnormal occurrence information is less than the threshold, and the terminal determining whether the terminal can access the network based on the vulnerability score of
the gateway performing access control from the terminal based on the result of the determination;
The communication control method, wherein the vulnerability score is a value of a result of a security vulnerability test performed on the terminal by a third party. A control device in a communication system comprising a gateway between a terminal and a network, and a control device,
Vulnerability determination criteria obtained from the terminal are made stricter than criteria for vulnerability determination when the number of abnormal occurrence information is equal to or greater than the threshold than the criteria for vulnerability determination when the number of abnormal occurrence information is less than the threshold. means for determining whether the terminal can access the network based on a vulnerability score or a vulnerability score obtained based on a correspondence relationship between the product information of the terminal and the vulnerability score;
means for instructing the gateway to control access from the terminal based on the result of the determination;
The control device, wherein the vulnerability score is a value of a result of a security vulnerability test performed on the terminal by a third party. A program for causing a computer to function as each means in the control device according to claim 5.

Images