JP7550975B2 - Air conditioner, security attack countermeasure method and program - Google Patents

Description

The present disclosure relates to air conditioners, methods and programs for dealing with security attacks.

In air conditioning systems that condition the air in buildings such as buildings and stores, it is commonly known that multiple outdoor units and multiple indoor units are connected via a field network within the air conditioning system. In recent years, with the improvement of connection environments to public networks such as the Internet, technology has been developed that allows devices that make up the air conditioning system to be directly or indirectly connected to public networks.

Such air conditioning systems are vulnerable to security attacks via public networks or by directly accessing the field network within the air conditioning system, and measures must be taken to address these issues.

For example, Patent Document 1 discloses an intrusion detection device that detects intrusions into a network connecting a controller that controls air conditioning equipment and a monitoring and control terminal that monitors the air conditioning equipment in a building management system. This intrusion detection device acquires communication data related to the air conditioning equipment flowing through the network, and generates communication judgment data by adding a system state and period to the acquired communication data. The intrusion detection device also generates communication permission rules that permit communication on the network, and compares the rules with the communication judgment data to detect intrusions into the network. Then, when an intrusion into the network is detected, the intrusion detection device outputs an alarm to the network. The output alarm is input to the monitoring and control terminal via the network and displayed on the display of the monitoring and control terminal.

International Publication No. 2019/004101

In the technology disclosed in the above-mentioned Patent Document 1, when an intrusion into a network is detected, an alarm is output by a monitoring and control terminal, so that a manager or the like can then take measures against the intrusion into the network. However, if a manual response is made after the alarm is output, it takes a considerable amount of time to complete appropriate measures against the intrusion into the network, and there is a concern that the intrusion into the network may have a significant impact on the building management system.

This disclosure has been made to solve the above-mentioned problems, and aims to provide an air conditioner, a method and program for dealing with security attacks that can reduce the impact of security attacks.

In order to achieve the above object, the air conditioner according to the present disclosure comprises:
a security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and for determining the type of the security attack if it is determined that a security attack has occurred;
a security attack response means for executing a security attack response process according to a type of the security attack when the security attack detection means determines that a security attack has occurred, the security attack response process being for eliminating an effect of the security attack ;
If the security attack detection means determines that there has been a security attack when receiving a communication frame transmitted from a device equipped with a user interface, the security attack response means transmits a confirmation request frame to the device requesting user confirmation, and then, if a response frame indicating confirmation has been received from the device, treats the received communication frame as a normal communication frame .

This disclosure makes it possible to mitigate the impact of security attacks.

FIG. 1 is a block diagram showing a configuration of an air conditioning system according to an embodiment. FIG. 1 is a block diagram showing a hardware configuration of a centralized management device according to an embodiment. FIG. 2 is a block diagram showing a hardware configuration of an outdoor unit according to an embodiment. FIG. 1 is a block diagram showing a hardware configuration of an indoor unit according to an embodiment. FIG. 1 is a block diagram showing a hardware configuration of a remote control according to an embodiment. FIG. 1 is a block diagram showing a hardware configuration of a communication adapter according to an embodiment. FIG. 1 is a block diagram showing a hardware configuration of a terminal device according to an embodiment. FIG. 2 is a diagram showing a functional configuration of an indoor unit according to an embodiment. FIG. 13 is a diagram showing an example of an attack type determination table according to an embodiment; A flowchart showing a procedure for processing when a communication frame is received according to an embodiment.

Below, the embodiments of the present disclosure are described in detail with reference to the drawings.

Figure 1 is a diagram showing the overall configuration of an air conditioning system 1 in an embodiment of the present disclosure. The air conditioning system 1 is a system that provides air conditioning for a building, such as a building or a store, and includes a server 2, a centralized management device 3, outdoor units 4a-4c, indoor units 5a-5f, a remote control 6, and a communication adapter 7. In addition, during maintenance, a terminal device 8 is temporarily connected to the air conditioning system 1.

<Server 2>
The server 2 is a cloud server that realizes a public cloud such as AWS (Amazon Web Services), and is connected to a network N such as the Internet. The server 2 transmits firmware updates to the air conditioners (outdoor units 4a to 4c, indoor units 5a to 5f) that require firmware updates. The server 2 also collects data related to the operation of each air conditioner (outdoor units 4a to 4c, indoor units 5a to 5f) and provides a service of controlling each air conditioner based on the collected data, or a service of presenting information based on the collected data to those involved in the air conditioning system 1 (the owner of the building, a system administrator, a maintenance technician, etc.).

<Centralized management device 3>
The centralized control device 3 is a device for centrally managing each air conditioner (outdoor units 4a to 4c, indoor units 5a to 5f) in the air conditioning system 1, and is installed in a place where only related parties can enter, such as a management room in the building. As shown in Fig. 2, the centralized control device 3 includes, as its hardware configuration, a first communication interface 30, a second communication interface 31, an operation reception unit 32, a display 33, a control circuit 34, and an auxiliary storage device 35.

The first communication interface 30 is an interface for connecting to the network N and communicating with the server 2, and is, for example, an interface based on Ethernet (registered trademark). The second communication interface 31 is an interface for communicating with the outdoor units 4a to 4c via the transmission line 9, which is a centralized transmission line, for example, using a communication method in which an AMI waveform is superimposed on a DC power supply.

The operation reception unit 32 includes one or more input devices, such as a keyboard, a mouse, a keypad, a push button, a touch panel, a touchpad, etc., receives input operations from a user, and outputs a signal related to the received input operation to the control circuit 34. The display 33 includes a display device, such as a liquid crystal display or an organic EL (Electro Luminescence) display. Under the control of the control circuit 34, the display 33 displays a screen or the like for managing the air conditioning system 1.

The control circuit 34 is configured to include a CPU (Central Processing Unit), ROM (Read Only Memory), RAM (Random Access Memory), etc., and performs overall control of the centralized management device 3. The auxiliary storage device 35 is configured to include a readable/writable non-volatile semiconductor memory, a HDD (Hard Disk Drive), etc. The readable/writable non-volatile semiconductor memory is, for example, an EEPROM (Electrically Erasable Programmable Read-Only Memory), a flash memory, etc. The auxiliary storage device 35 stores a management program for managing the air conditioning system and data used when the management program is executed.

<Outdoor units 4a to 4c, indoor units 5a to 5f>
The outdoor unit 4a, the indoor unit 5a, and the indoor unit 5b are bus-connected to a transmission line 10a, which is an indoor/outdoor transmission line, and are also connected via a first refrigerant pipe (not shown) for circulating the refrigerant. The outdoor unit 4a, the indoor unit 5a, and the indoor unit 5b constitute one refrigerant system.

The outdoor unit 4b, the indoor unit 5c, and the indoor unit 5d are bus-connected to the transmission line 10b, which is an internal/external transmission line, and are connected via a second refrigerant pipe (not shown) that is different from the first refrigerant pipe. In other words, the outdoor unit 4b, the indoor unit 5c, and the indoor unit 5d constitute a single refrigerant system.

The outdoor unit 4c and the indoor units 5e and 5f are bus-connected to the transmission line 10c, which is an internal/external transmission line, and are connected via a third refrigerant pipe (not shown) that is different from both the first refrigerant pipe and the second refrigerant pipe. In other words, the outdoor unit 4c and the indoor units 5e and 5f constitute a single refrigerant system.

In the following, descriptions common to outdoor units 4a to 4c will be referred to as outdoor unit 4 without any specific designation of the individual units, descriptions common to indoor units 5a to 5f will be referred to as indoor unit 5 without any specific designation of the individual units, and descriptions common to transmission lines 10a to 10c will be referred to as transmission line 10 without any specific designation of the individual units.

The outdoor unit 4 is an example of an air conditioner according to the present disclosure. As shown in FIG. 3, the outdoor unit 4 includes, as a hardware configuration, a first communication interface 40, a second communication interface 41, a main unit 42, a control circuit 43, and an auxiliary storage device 44. The first communication interface 40 is an interface for communicating with the centralized control device 3, the remote control 6, and other outdoor units 4 via the transmission line 9. The second communication interface 41 is an interface for communicating with each indoor unit 5 connected to the outdoor unit via the transmission line 10, which is an internal/external transmission line. In this embodiment, the communication method of the transmission line 9, which is a centralized transmission line, and the communication method of the transmission line 10, which is an internal/external transmission line, are the same (for example, a communication method in which an AMI waveform is superimposed on a DC power source).

The main unit 42 is a component for realizing the original functions of a general outdoor unit, and includes, for example, a compressor, a heat exchanger, an expansion valve, a four-way valve, a fan, and various sensors (current sensor, temperature sensor, pressure sensor, frequency sensor, acceleration sensor, etc.). The control circuit 43 is a microcontroller that performs overall control of the outdoor unit 4.

The auxiliary storage device 44 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM or a flash memory. The auxiliary storage device 44 stores firmware, which is a software program for the control circuit 43 to control the outdoor unit 4 to realize functions related to air conditioning, and data used when the firmware is executed. Furthermore, the auxiliary storage device 44 stores a security attack countermeasure program, which is a program for realizing functions related to the present disclosure and is a program for dealing with external security attacks, and data used when the security attack countermeasure program is executed.

The security attack countermeasure program can be downloaded to the outdoor unit 4 from another device such as the server 2 via the network N. The outdoor unit 4 can also receive the security attack countermeasure program from the terminal device 8 by communication via the remote control 6. The security attack countermeasure program can also be stored and distributed on a computer-readable recording medium such as a CD-ROM (Compact Disc Read Only Memory), a DVD (Digital Versatile Disc), a magneto-optical disk, a USB (Universal Serial Bus) memory, a HDD, an SSD (Solid State Drive), or a memory card. When such a recording medium is attached to the outdoor unit 4, the outdoor unit 4 can read and import the security attack countermeasure program from the recording medium.

The indoor unit 5 is an example of an air conditioner according to the present disclosure. As shown in FIG. 4, the indoor unit 5 includes, as a hardware configuration, a first communication interface 50, a second communication interface 51, a main unit 52, a control circuit 53, and an auxiliary storage device 54. The first communication interface 50 is an interface for communicating with the outdoor unit 4 and other indoor units 5 via the transmission line 10. The second communication interface 51 is an interface for electrically connecting to the communication adapter 7 so as to be able to communicate with each other. In this embodiment, the second communication interface 51 is a serial interface such as a Universal Asynchronous Receiver/Transmitter (UART).

The main unit 52 is a component for realizing the original functions of a general indoor unit, and includes, for example, a fan, a heat exchanger, a temperature sensor, a humidity sensor, etc. The control circuit 53 is a microcontroller that performs overall control of the indoor unit 5.

The auxiliary storage device 54 is composed of, for example, a readable/writable non-volatile semiconductor memory such as an EEPROM or a flash memory. The auxiliary storage device 54 stores firmware, which is a software program for the control circuit 53 to control the indoor unit 5 to realize functions related to air conditioning, and data used when the firmware is executed. In addition, like the outdoor unit 4, the auxiliary storage device 54 stores a security attack countermeasure program and data used when the security attack countermeasure program is executed.

The above-mentioned security attack countermeasure program can be downloaded to the indoor unit 5 from another device such as the server 2 via the network N. The indoor unit 5 can also receive the security attack countermeasure program from the terminal device 8 by communication via the remote control 6. When the above-mentioned recording medium on which the security attack countermeasure program is stored is attached to the indoor unit 5, the indoor unit 5 can also read and import the security attack countermeasure program from the recording medium.

<Remote control 6>
The remote control 6 is a remote controller for the air conditioning, is connected to the transmission line 9, and receives operations related to the air conditioning from a user. As shown in Fig. 5, the remote control 6 includes, as its hardware configuration, a first communication interface 60, a second communication interface 61, an operation receiving unit 62, a display 63, a control circuit 64, and an auxiliary storage device 65.

The first communication interface 60 is an interface for communicating with each outdoor unit 4 and the centralized management device 3 via the transmission line 9. The second communication interface 61 is an interface for performing short-range wireless communication with the terminal device 8, such as NFC (Near Field Communication), BLE (Bluetooth (registered trademark) Low Energy) communication, visible light communication, and infrared communication.

The operation reception unit 62 is configured to include one or more input devices, such as a push button, a touch panel, a touch pad, etc., and receives input operations from a user and outputs a signal related to the received input operation to the control circuit 64.

The display 63 includes a display device such as a liquid crystal display or an organic electroluminescence display. The display 63 displays various screens under the control of the control circuit 64. For example, the display 63 displays an air conditioning operation screen for accepting operations related to air conditioning from the user, such as switching between starting and stopping the operation, switching between operation modes such as cooling, heating, dehumidification, and fan operation, and changing the set temperature, set humidity, and air speed.

The control circuit 64 includes a CPU, ROM, RAM, etc., and controls the remote control 6. The auxiliary storage device 65 includes, for example, an EEPROM, a flash memory, or other readable/writable non-volatile semiconductor memory. The auxiliary storage device 65 stores a program for functioning as a user interface, a program related to communication with the terminal device 8, and data used when these programs are executed.

<Communication adapter 7>
The communication adapter 7 is a device for communicatively connecting the indoor unit 5 to the network N. As shown in Fig. 6, the communication adapter 7 includes, as its hardware configuration, a first communication interface 70, a second communication interface 71, a control circuit 72, and an auxiliary storage device 73.

The first communication interface 70 is an interface for electrically connecting to the indoor unit 5 so as to be able to communicate with it. In this embodiment, the first communication interface 70 is a serial interface such as a UART. The second communication interface 71 is a wireless LAN (Local Area Network) interface for connecting to the network N and communicating with the server 2, or hardware for mobile data communication.

The control circuit 72 includes a CPU, ROM, RAM, etc., and controls the communication adapter 7. The auxiliary storage device 73 includes a readable/writable non-volatile semiconductor memory such as an EEPROM or flash memory. The auxiliary storage device 73 stores a program for communicating with the indoor unit 5, a program for communicating with the server 2, and data used when these programs are executed.

<Terminal Device 8>
The terminal device 8 is a portable electronic device such as a smartphone or a tablet terminal carried by a maintenance technician of the air conditioning system 1. As shown in Fig. 7, the terminal device 8 includes, as hardware configuration, a communication interface 80, an operation reception unit 81, a display 82, a control circuit 83, and an auxiliary storage device 84.

The communication interface 80 is an interface for performing the above-mentioned short-range wireless communication with the remote control 6. The operation reception unit 81 is configured to include one or more input devices such as a push button, a touch panel, a touch pad, etc., and receives operation input from a user and outputs a signal related to the received operation to the control circuit 83.

The display 82 is configured to include a display device such as a liquid crystal display, an organic electroluminescence display, etc. Under the control of the control circuit 83, the display 82 displays various screens etc. in response to user operations.

The control circuit 83 includes a CPU, ROM, RAM, etc., and performs overall control of the terminal device 8. The auxiliary storage device 84 includes, for example, an EEPROM, a flash memory, or other readable/writable non-volatile semiconductor memory. The auxiliary storage device 84 stores programs to be executed during maintenance of the air conditioning system 1 and data to be used when the programs are executed.

<Functional configuration of outdoor unit 4 and indoor unit 5>
Next, the functional configurations of the outdoor unit 4 and the indoor unit 5, both of which are examples of air conditioners according to the present disclosure, will be described. Note that since the functional configurations of the outdoor unit 4 and the indoor unit 5 share characteristic configurations according to the present disclosure in common, the functional configuration of the indoor unit 5 will be described in detail below as a representative of both.

8, the indoor unit 5 includes a security attack detection unit 500, a communication anomaly detection unit 501, a normal response unit 502, a communication anomaly response unit 503, and a security attack response unit 504. These functional units are realized by the control circuit 53 executing the above-mentioned security attack response program stored in the auxiliary storage device 54.

The security attack detection unit 500 is an example of a security attack detection means according to the present disclosure. The security attack detection unit 500 determines whether or not there is a security attack when a communication frame is received, and if it determines that there is a security attack, determines the type of the security attack. In detail, the security attack detection unit 500 includes an attack presence/absence determination unit 510 and an attack type determination unit 511, where the attack presence/absence determination unit 510 determines whether or not there is a security attack, and the attack type determination unit 511 determines the type of security attack.

Specifically, the attack presence/absence determination unit 510 determines whether or not the received communication frame satisfies each of the following conditions A to C. If the received communication frame satisfies any of conditions A to C, the attack presence/absence determination unit 510 determines that there is a security attack, and if none of the conditions are met, the attack presence/absence determination unit 510 determines that there is no security attack.

(Condition A) The sender address is the same as the device's own address. (Condition B) The same communication frame is received from the same sender a certain number of times within a certain period of time. (Condition C) The combination of sender and command does not match.

In the above condition B, the fixed time is, for example, 1 minute, and the fixed number of times is, for example, 15 times. The same communication frame means that the command, data value, and sequence number are the same. The above condition C means that the type of device from which the command is sent does not match the content of the command, and this applies, for example, when the indoor unit 5 receives a start command or stop command from the outdoor unit 4 (normally, the centralized control device 3, remote control 6, and representative unit of the indoor unit 5 send start command/stop command to other indoor units 5 and outdoor units 4). A table (not shown) showing combinations of device types and commands is stored in the auxiliary storage device 54 in advance.

When the attack determination unit 510 determines that there is no security attack, it notifies the normal response unit 502 that no security attack has been detected. On the other hand, when the attack determination unit 510 determines that there is a security attack, it notifies the attack type discrimination unit 511 that a security attack has been detected and the determination results for each of conditions A to C (i.e., whether or not they are met).

When a security attack is detected by the attack presence/absence determination unit 510, the attack type determination unit 511 determines the type of the security attack. In this embodiment, three types of security attacks are assumed: "replay attack," "spoofing," and "hijacking." The attack type determination unit 511 determines the type of the security attack based on information notified by the attack presence/absence determination unit 510 as to whether each of conditions A to C is met, and an attack type determination table stored in advance in the auxiliary storage device 54.

The attack type discrimination table is a table that defines rules for discriminating the type of security attack. Specifically, as shown in Figure 9, it is a table that associates the type of attack with a combination of whether or not each discrimination condition is met. In Figure 9, "○" means that the discrimination condition is met, and "×" means that the discrimination condition is not met. The discrimination conditions include the above conditions A to C, and the following condition D.

(Condition D) No periodic communication frame is received correctly from the sender, or no correct response is received.

In the above condition D, a periodic communication frame is a communication frame received periodically from the sender, for example a communication frame indicating an inquiry (i.e., a request) for the status of the air conditioner (operating mode, air speed, suction temperature, etc.). Furthermore, "normal reception of a periodic communication frame" means reception of the periodic communication frame at the correct period. A table (not shown) that associates the device (server 2, centralized control device 3, outdoor unit 4, other indoor units 5 or remote control 6) that is the sender of the air conditioner (here, indoor unit 5), the contents of the periodic communication frame, and the reception period is stored in advance in the auxiliary storage device 54.

In addition, in condition D, "no normal response" means that no response to a communication frame previously sent from the air conditioner (here, indoor unit 5) to the sender is returned from the sender within a predetermined timeout period.

If the received communication frame does not meet conditions A and C but meets condition B, the attack type determination unit 511 determines that the type of security attack is a "replay attack" regardless of the result of the determination of condition D. Furthermore, if the received communication frame does not meet condition A but meets condition C, the attack type determination unit 511 further determines whether the sender meets condition D regardless of the result of the determination of condition B, and determines the type of security attack based on the result. Specifically, if the sender does not meet condition D, the attack type determination unit 511 determines that the type of security attack is "spoofing," and if the sender meets condition D, the attack type determination unit 511 determines that the type of security attack is "hijacking."

Furthermore, when the received communication frame satisfies condition A, the attack type determination unit 511 determines that the type of security attack is "spoofing" regardless of the results of conditions B to D. The attack type determination unit 511 notifies the security attack response unit 504 of the determined type of security attack.

Returning to FIG. 8, the communication error detection unit 501 detects a communication error. Specifically, the communication error detection unit 501 periodically determines whether or not there is a communication destination that satisfies the above-mentioned condition D. If there is a communication destination that satisfies condition D, the communication error detection unit 501 notifies the communication error response unit 503 that a communication error has been detected.

The normal response unit 502 executes normal processing based on the contents of the received communication frame. For example, if the received communication frame contains a command to change the operation, the normal response unit 502 executes processing to change the operation of the own unit (here, the indoor unit 5) in accordance with the command. Also, if the received communication frame contains a command to inquire about the status, the normal response unit 502 executes processing to send the status of the own unit to the sender in accordance with the command.

The communication anomaly response unit 503 executes processing corresponding to the occurrence of a communication anomaly. For example, the communication anomaly response unit 503 notifies the centralized management device 3, the remote control 6, or the terminal device 8 that an anomaly has occurred in communication with the communication destination. Upon receiving such a notification, the centralized management device 3, the remote control 6, or the terminal device 8 displays information about the anomaly on the display 33, the display 63, or the display 82 to notify the user. In addition, if the device is equipped with an LED (Light Emitting Diode), the communication anomaly response unit 503 may notify the user of the communication anomaly by making the LED emit light in a predetermined manner, or if the device is equipped with a speaker, may notify the user of the communication anomaly by making the speaker output an electronic sound.

The security attack response unit 504 is an example of a security attack response means according to the present disclosure. When the security attack detection unit 500 determines that a security attack has occurred, the security attack response unit 504 executes a security attack response process to eliminate the effects of the security attack. Specifically, the security attack response unit 504 executes a security attack response process according to the type of the security attack determined by the attack type determination unit 511, as follows:

(Replay Attack)
If the security attack is determined to be a "replay attack," the security attack response unit 504 will discard all communication frames that meet condition B, i.e., the same communication frames that have been sent in large quantities from the same source within a certain period of time, without taking any action. However, communication frames that do not meet condition B will be handled normally even if they are from the same source, and the same processing as that of the normal response unit 502 will be executed.

(Impersonation)
If the security attack is determined to be "spoofing", the security attack response unit 504 will silently discard all communication frames that meet condition B or condition C, i.e., the same communication frames sent in large quantities from the same sender within a certain period of time, or communication frames with mismatched combinations of sender and command. However, communication frames that do not meet either condition B or condition C will be handled normally even if they are from the same sender, and the same processing as the normal response unit 502 will be executed.

(Takeover)
If the security attack is determined to be a "takeover", the security attack response unit 504 discards all communication frames from the source without taking any action. Also, the security attack response unit 504 prohibits the transmission of communication frames addressed to the source.

Figure 10 is a flowchart showing the steps of the processing performed by the air conditioner (outdoor unit 4 and indoor unit 5) when receiving a communication frame.

(Step S101)
The air conditioner determines whether or not a new communication frame has been received from any device in the air conditioning system 1. If a communication frame has been received from any device (step S101; YES), the processing of the air conditioner transitions to step S102.

(Step S102)
The air conditioner determines whether or not there is a security attack. Specifically, the air conditioner determines whether or not the received communication frame satisfies each of the above-mentioned conditions A to C. If the received communication frame satisfies any of conditions A to C, the air conditioner determines that there is a security attack, and if the received communication frame satisfies none of the conditions, the air conditioner determines that there is no security attack. If it is determined that there is no security attack (step S102; NO), the air conditioner's processing transitions to step S103. On the other hand, if it is determined that there is a security attack (step S102; YES), the air conditioner's processing transitions to step S104.

(Step S103)
The air conditioner executes normal processing based on the contents of the received communication frame, after which the processing of the air conditioner returns to step S101.

(Step S104)
The air conditioner determines the type of the security attack. Specifically, the air conditioner uses the attack type determination table shown in Fig. 9 to determine whether the type of security attack is a "replay attack,""spoofing," or "takeover." After that, the processing of the air conditioner proceeds to step S105.

(Step S105)
The air conditioner executes a security attack response process according to the type of security attack that has been determined, and then the process of the air conditioner returns to step S101.

As described above, according to the air conditioning system 1 of this embodiment, when each air conditioner (each outdoor unit 4 and each indoor unit 5) detects a security attack, it determines the type of the security attack and immediately executes security attack response processing according to the determined type. This makes it possible to quickly eliminate the effects of the security attack and suppress the effects of the security attack.

In addition, during security attack response processing, each air conditioner restricts certain processes based on communication with a sender that has been determined to have caused a security attack as highly risky processes, but executes other processes as normal processes, thereby minimizing the impact on the air conditioning system 1 and enabling user comfort to be maintained.

This disclosure is not limited to the above-described embodiments, and various modifications are of course possible without departing from the spirit and scope of this disclosure.

(Variation 1)
For example, the conditions under which the security attack detection unit 500 determines whether or not there is a security attack (for example, the condition in condition B that a certain period of time and a certain number of times are considered to be the same communication frame), the rules for determining the type of security attack (contents of the attack type determination table in FIG. 9 ), etc. may be changed as appropriate via the server 2, the centralized control device 3, the remote control 6, the terminal device 8, etc. Also, the air conditioner may be able to learn and update the contents of conditions such as condition B during operation.

(Variation 2)
The air conditioner (outdoor unit 4 and indoor unit 5) may further include a user notification unit (one example of a user notification means according to the present disclosure) that notifies a user that a security attack has been detected when the security attack detection unit 500 determines that there has been a security attack. For example, when the security attack detection unit 500 determines that there has been a security attack, the user notification unit issues a notification (security attack detection notification) including the time when the security attack was detected (i.e., the current time) and information indicating the type of the security attack to the centralized management device 3, the server 2, the remote control 6, or the terminal device 8 (hereinafter referred to as the centralized management device 3, etc.).

The security attack detection notification may further include a combination of discrimination conditions used when determining the type of security attack, and the contents of the security attack response process. The centralized management device 3 or the like that receives the security attack detection notification notifies users such as the system administrator and maintenance personnel by displaying the information indicated by the security attack detection notification on the display 33 or outputting it as audio. The security attack detection unit 500 may also send the security attack detection notification to a pre-registered address by email, SMS (Short Message Service), or the like.

Alternatively, or in combination with the above, the user notification unit may notify the user that a security attack has been detected by causing an LED provided on the device to light up in a predetermined manner, or may notify the user that a security attack has been detected by outputting sound from a speaker provided on the device.

(Variation 3)
If the security attack detection unit 500 determines that there has been a security attack when receiving a communication frame transmitted from a device equipped with a user interface (the centralized management device 3, the remote control 6, and the terminal device 8), the security attack response unit 504 will transmit a confirmation request frame to the device requesting user confirmation, and if it subsequently receives a response frame from the device indicating that confirmation has been confirmed, it will treat the previously received communication frame as a normal communication frame and may execute normal processing based on the contents of the communication frame.

(Variation 4)
In the air conditioners (outdoor unit 4 and indoor unit 5), when a communication frame with the same content (meaning the same command, data value, etc.) as a communication frame determined to be a "replay attack" must be transmitted to another device, the security attack response unit 504 may change the content of the communication frame to the extent that it does not affect the operation of the air conditioner, the user's comfort, etc. For example, if the communication frame determined to be a "replay attack" indicates a notification of a change in the set temperature and the set temperature is "26°C", when it becomes necessary to transmit a communication frame with the same content, the security attack response unit 504 transmits a communication frame in which the set temperature value has been changed to "25.5°C".

In addition, the security attack response unit 504 may issue a notification (hereinafter referred to as a replay attack detection notification) including the contents of the communication frame that has been determined to be a "replay attack" to each device in the air conditioning system 1. In this case, each outdoor unit 4 and each indoor unit 5 that receives the replay attack detection notification may take measures such as changing the contents of the communication frame to be transmitted, as described above.

(Variation 5)
The security attack response unit 504 may issue a notification (hereinafter referred to as a spoofing detection notification) including the address of the sender of the communication frame determined to be "spoofed" to each device of the air conditioning system 1. In this case, a legitimate device having the same address as the address indicated in the spoofing detection notification may change its own address to another legitimate address and send a notification indicating the address change to each device of the air conditioning system 1. Alternatively, the centralized control device 3, outdoor unit 4, etc. may reassign another legitimate address to the legitimate device having the address indicated in the spoofing detection notification and issue a notification indicating the address change of the device to each device of the air conditioning system 1.

(Variation 6)
The security attack response unit 504 may issue a notification (hereinafter referred to as a hijacking detection notification) including the address of the sender of the communication frame determined to be "hijacked" to each device of the air conditioning system 1. In this case, each device that receives the hijacking detection notification may thereafter discard all communication frames from the address indicated in the hijacking detection notification without doing anything, and may also be prevented from transmitting communication frames addressed to that address.

Furthermore, a legitimate device with the same address as the address indicated in the hijacking detection notification may change its own address to another legitimate address and send a notification indicating the address change to each device in the air conditioning system 1. Alternatively, the centralized management device 3, outdoor unit 4, etc. may reassign another legitimate address to the legitimate device with the address indicated in the hijacking detection notification and send a notification indicating the address change to each device in the air conditioning system 1.

(Variation 7)
When the security attack detection unit 500 determines that there has been a security attack, the security attack response unit 504 changes the order of a set of communication frames that are regularly transmitted in a predetermined order, in addition to performing the security attack response process according to the security attack described above. For example, in a set of communication frames for inquiring about the state of an air conditioner (operation mode, air speed, intake temperature, etc.), if the inquiry communication frames were previously transmitted in the order of state A, state B, and state C, the security attack response unit 504 changes the order so that the communication frames are transmitted in the order of state B, state A, and state C. In addition, the security attack response unit 504 issues a notification indicating the change (hereinafter referred to as a transmission order change notification) to the inquirer of the state.

Once a device has received the above-mentioned transmission order change notification, it will treat any communication frames related to status inquiries as normal communication frames only if they are received in the order indicated in the transmission order change notification.

(Variation 8)
When the security attack detection unit 500 determines that a security attack has occurred, the security attack response unit 504 may restrict the transmission and reception of communication frames related to predetermined information of high importance, in addition to the security attack response process according to the security attack described above. For example, the security attack response unit 504 may restrict the transmission and reception of information used for advanced control, such as information indicating whether or not a person has been detected by a thermal image sensor provided in the indoor unit 5, or restrict the downloading of firmware when updating firmware for the outdoor unit 4 and the indoor unit 5.

(Variation 9)
The attack presence/absence determination unit 510 may further determine whether a warning is necessary, and a warning unit may be added to the functional configuration of the air conditioner (see FIG. 8). In this case, the condition for determining that a warning is necessary is less strict than the condition for determining that there is a security attack. For example, in condition B, if the same communication frame is received 15 or more times within a certain period of time, it is determined that there is a security attack, but if the same communication frame is received 8 or more times but less than 15 times within the certain period of time, it is determined that there is a warning.

If the conditions for determining that a security attack has occurred are not met, but the conditions for determining that a warning is necessary are met, the warning unit warns the user by issuing a notification to that effect to the centralized management device 3, server 2, remote control 6, terminal device 8, etc., by lighting up the device's LED, by outputting voice or electronic sounds from the device, etc. However, in this case, the security attack response unit 504 does not execute security attack response processing.

(Variation 10)
Furthermore, the centralized control device 3 and the remote controller 6 may have the same functional configuration (see FIG. 8) as the air conditioner in the above embodiment.

(Modification 11)
In addition, all or part of the functional units (see FIG. 8 ) of the air conditioner (the outdoor unit 4 and the indoor unit 5) may be realized by dedicated hardware, such as a single circuit, a composite circuit, a programmed processor, an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array), or a combination of these.

The technical ideas relating to each of the above modified examples may be realized individually or in appropriate combination.

Various embodiments and modifications of the present disclosure are possible without departing from the broad spirit and scope of the present disclosure. Furthermore, the above-described embodiments are intended to explain the present disclosure and do not limit the scope of the present disclosure. In other words, the scope of the present disclosure is indicated by the claims, not the embodiments. Various modifications made within the scope of the claims and within the scope of the meaning of the disclosure equivalent thereto are deemed to be within the scope of the present disclosure.

The present disclosure can be suitably adopted in air conditioning systems consisting of multiple air conditioners.

1 Air conditioning system, 2 Server, 3 Centralized management device, 4, 4a to 4c Outdoor unit, 5, 5a to 5f Indoor unit, 6 Remote control, 7 Communication adapter, 8 Terminal device, 9, 10, 10a to 10c Transmission line, 30, 40, 50, 60, 70 First communication interface, 31, 41, 51, 61, 71 Second communication interface, 32, 62, 81 Operation reception unit, 33, 63, 82 Display, 34, 43, 53, 64, 72, 83 Control circuit, 35, 44, 54, 65, 73, 84 Auxiliary storage device, 42, 52 Main unit, 80 Communication interface, 500 Security attack detection unit, 501 Communication anomaly detection unit, 502 Normal response unit, 503 Communication anomaly response unit, 504 Security attack response unit, 510 Attack presence/absence determination unit, 511 Attack type discrimination unit, N network

Claims (7)

a security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and for determining the type of the security attack if it is determined that a security attack has occurred;
a security attack response means for executing a security attack response process according to a type of the security attack when the security attack detection means determines that a security attack has occurred, the security attack response process being for eliminating an effect of the security attack ;
an air conditioner in which, when a communication frame transmitted from a device equipped with a user interface is received and the security attack detection means determines that there has been a security attack, the security attack response means transmits a confirmation request frame to the device requesting user confirmation, and then, when a response frame indicating confirmation has been received from the device, treats the received communication frame as a normal communication frame . a security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and for determining the type of the security attack if it is determined that a security attack has occurred;
a security attack response means for executing a security attack response process according to a type of the security attack when the security attack detection means determines that a security attack has occurred, the security attack response process being for eliminating an effect of the security attack;
When the security attack detection means determines that a security attack has occurred, the security attack response means further restricts the transmission and reception of predetermined information of high importance . The air conditioner according to claim 1 or 2 , further comprising a user notification unit that notifies a user when the security attack detection unit determines that a security attack has occurred. When receiving a communication frame, the presence or absence of a security attack is determined, and if it is determined that a security attack has occurred, the type of the security attack is identified;
A security attack response method , comprising: when it is determined that a security attack has occurred, executing a security attack response process corresponding to a type of the security attack, the security attack response process eliminating an effect of the security attack,
A method for dealing with security attacks, which, when it is determined that there is a security attack upon receiving a communication frame transmitted from a device equipped with a user interface, transmits a confirmation request frame to the device requesting user confirmation, and then, when a response frame indicating confirmation has been received from the device, treats the received communication frame as a normal communication frame . When receiving a communication frame, the presence or absence of a security attack is determined, and if it is determined that a security attack has occurred, the type of the security attack is identified;
A security attack countermeasure method, which, when it is determined that a security attack has occurred, executes a security attack response process according to the type of security attack, which eliminates the effects of the security attack, and restricts the transmission and reception of predetermined information of high importance. Air conditioners,
a security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and for determining the type of the security attack if it is determined that a security attack has occurred;
when the security attack detection means determines that a security attack has occurred, the security attack response means executes a security attack response process corresponding to the type of the security attack, thereby eliminating the influence of the security attack ;
A program in which, when a security attack is determined by the security attack detection means upon receiving a communication frame transmitted from a device equipped with a user interface, the security attack response means transmits a confirmation request frame to the device requesting user confirmation, and then, when a response frame indicating confirmation has been received from the device, treats the received communication frame as a normal communication frame . Air conditioners,
a security attack detection means for determining whether or not a security attack has occurred when a communication frame is received, and for determining the type of the security attack if it is determined that a security attack has occurred;
when the security attack detection means determines that a security attack has occurred, the security attack response means executes a security attack response process corresponding to the type of the security attack, thereby eliminating the influence of the security attack;
When the security attack detection means determines that a security attack has occurred, the security attack response means further restricts the transmission and reception of predetermined information of high importance.

Images