KR101878707B1 - Security system for industrial cloud connector and method thereof - Google Patents

Abstract

The present invention relates to a security system for an industrial cloud connector, and to a method thereof. The security system for an industrial cloud connector comprises: a process data acquiring device which transmits process data acquired from at least one manufacturing facility inside a factory through a plurality of sensors, along with unique identification information of each manufacturing facility; a cloud connector device which receives the unique identification information along with the process data on each manufacturing facility transmitted from the process data acquiring device, assigns metadata based on the unique identification information through a plurality of channels encoded by a different bitrate from one another according to a type and a size of the process data on each manufacturing facility, converts the metadata into facility state data of each manufacturing facility corresponding to a cloud compatible protocol and transmits the same; a cloud connector security device which receives and encodes the facility state data of each manufacturing facility converted and transmitted from the cloud connector device, and transmits a decoding key for decoding the encoded facility state data of each manufacturing facility; and a cloud server which is connected with the cloud connector security device through a communication network, receives the decoding key along with the encoded facility state data of each manufacturing facility from the cloud connector security device, decodes the encoded facility state data of each manufacturing facility based on the decoding key, stores the decoded facility state data of each manufacturing facility as a database in an additional facility state data DB and manages the same. Therefore, the security system for an industrial cloud connector and the method thereof are able to increase a data processing speed by classifying the same into channels with a different bit rate according to the type and size of processing data acquired from at least one manufacturing facility inside a factory, and are able to effectively convert and transmit data transmitted from each of the channels by assigning metadata.

Description

TECHNICAL FIELD [0001] The present invention relates to a security system for an industrial cloud connector,

The present invention relates to a security system for an industrial cloud connector, a method thereof, and a computer-readable recording medium on which a program for executing the security system is recorded.

In general, industrial development has been driven by exports led by IT, semiconductor, shipbuilding, automobile, and other industries, and by the manufacturing sector as a driving force for economic growth and exports.

In spite of these industrial developments, competitiveness is weakening due to lack of new product development ability due to weak technology base of SMEs, deepening of manufacturing disadvantages of high-end human resources, and rising labor costs.

And, in the past, the paradigm of the mass-production manufacturing industry has recently been demanding the manufacturers to reflect the market requirements more rapidly, quick delivery, and produce high-quality products, with the conversion to multi-product production.

In addition, recently, technology development is being carried out to build a high-efficiency eco-friendly system at the manufacturing site of SMEs. This is to improve productivity and green competitiveness by reducing energy resources through the development of manufacturing processes of SMEs and by converting them into a highly efficient eco-friendly system that stores greenhouse gas waste.

In building such a highly efficient eco-friendly system, environmental and social perspectives such as energy, humanity, eco-friendliness, and safety are emphasized, but competitiveness should be supported from an economic standpoint such as productivity and quality.

From an economic point of view as well as an environmental and social point of view, the following items should be considered in the high efficiency eco-system.

First, excessive manpower required in the manufacturing process increases manpower, risk factors, and costs.

Second, safety accidents caused by facilities, sites, and dust are frequent as workers are put into equipment requiring manual operation.

Third, there is a high possibility of quality deterioration and failure due to measurement error and carelessness of the operator during inspection.

Fourth, it is difficult to systematically manage the production status as it collects the results through the preparation of the work diary in the manufacturing process.

Fifth, it is difficult to check the status of the facilities disposed in the manufacturing process, and it is difficult to confirm the results of the respective processes and the final product production in real time.

In other words, the industrial management through the network is limited to a part, and the overall management of the industrial facilities can not be performed. Therefore, the human resources are wasted in the overall system management of the industrial facilities.

In addition, due to the comprehensive control of industrial facilities through manpower, real-time control is difficult, so it is not possible to prevent the occurrence of anomalous signs of industrial facilities in advance, and accordingly, an immediate response to disasters, There is a difficult problem.

On the other hand, in the prior art, production management was limited to the management of the production process and the production machines so as to purchase necessary materials according to the estimated sales quantity created in the sales department and produce the desired quantity of products within a predetermined time.

Due to recent developments in communication systems, production management systems using servers have been developed. Much of the production management related activities and procedures are carried out online with the development of computer networks. However, their role is transferred to the offline documents in the conventional way and the aggregated ones are passed on to online and collected by computer programs have.

Therefore, there is a problem in that there is a time difference between the kinds of products actually produced in the production site and the products to be shipped according to the demands of the actual market, so that they can not properly cope with the changes of the market. There is a problem in that there is inconsistency between the quantity and the contents due to input errors that can occur in the process of manually inputting quantity, stock status, production status, and the like.

Meanwhile, various systems have been emerging to acquire business information (BI) through collecting and utilizing various kinds of information in the information communication age. In the base of such system, a database management system (DBMS) Advances in related technologies have been the foundation.

The database management system (DBMS) stores and manages various and enormous data including business related information, customer information, product information, content information, and the like, and a relational database management Various database management systems (DBMS) such as Oracle, Sybase, MySQL, and MS SQL Server are used as the system.

Meanwhile, the configuration of a security system for enhancing the security of a database management system (DBMS) that manages important information is also generally applied at a certain scale or more in order to prevent various security incidents such as frequent occurrence of information leakage or information manipulation And has been developed to manage usage history for all users accessing a database management system (DBMS) in order to prevent a security accident caused by an insider emerging as the biggest problem in recent years.

In this way, various access rights of various users such as users of general database management system (DBMS), administrators of database management system (DBMS), security administrator and management can be managed, System is required.

Korean Patent No. 10-0313001 Korean Patent Publication No. 10-2016-0034023

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above-mentioned problems, and it is an object of the present invention to improve the data processing speed by classifying channels having different bit rates according to the type and size of process data acquired from at least one manufacturing facility in a factory, The present invention provides a security system and method for an industrial cloud connector in which meta data is provided to data transmitted from each channel and can be effectively converted and transmitted.

It is another object of the present invention to acquire process data from at least one manufacturing facility on the basis of unique identification information for legacy system compatibility with a cloud server, analyze legacy protocols and cloud protocols of each manufacturing facility, And to provide a security system and method for an industrial cloud connector that can transmit and receive data.

It is still another object of the present invention to provide a data access method of a facility state data DB managed by a cloud server by giving a specific access key corresponding to a user access right level based on user unique identification information previously stored in an external user terminal The present invention provides a security system and method for an industrial cloud connector that can prevent user information from being stolen and effectively prevent re-access of data of a facility state data DB by user information having an illegal access history .

In order to achieve the above object, a first aspect of the present invention is a process data acquiring device for transmitting process data acquired from at least one manufacturing facility in a factory through a plurality of sensors together with unique identification information of each manufacturing facility; The process data acquisition device receives the unique identification information together with the process data for each manufacturing facility and receives the unique identification information from the process data acquisition device. Based on the type and size of the process data for each manufacturing facility, A cloud connector device for providing data and converting it into equipment status data of each manufacturing facility corresponding to a cloud compatible protocol; A security device for a cloud connector that receives facility state data of each manufacturing facility converted and transmitted from the cloud connector device and encrypts the encrypted facility state data and transmits a decryption key for decrypting facility state data of each encrypted manufacturing facility; And a security key for the cloud connector, which is connected to the security device for the cloud connector, receives the decryption key together with the facility status data of each manufacturing facility encrypted from the security device for the cloud connector, And a cloud server that decodes and decodes the decrypted facility state data of each manufacturing facility into a database (DB) in a separate facility state data DB, and stores and manages the facility state data.

The DB server may further include a DB access control device for monitoring a query for accessing the facility status data DB of the cloud server in cooperation with the cloud server, and controlling the query to block illegal DB access.

Preferably, the DB access control device comprises: a DB access monitoring module for monitoring query information for accessing the facility status data DB of the cloud server in cooperation with the cloud server; The DB access monitoring module analyzes the query information monitored by the DB access monitoring module to check the data access commands and checks whether or not the data access commands corresponding to the corresponding query are matched with the illegal access commands stored in advance in the black list DB A DB access blocking module for allowing or blocking data access of the facility status data DB; And a DB access control module for controlling operations of the DB access monitoring module and the DB access blocking module.

Preferably, the DB access blocking module, when an unauthorized data access command matching the identified data access command exists in the blacklist DB, searches for a query corresponding to the data access command according to the control of the DB access control module A specific code set in advance, a query to which the specific code is assigned, and access user information and access IP address information are stored in the blacklist database, so that the blacklist information is updated.

Preferably, the illegal data access command stored in advance in the blacklist DB may be a command corresponding to at least one of an illegal data creation command, an illegal data modification command, and an illegal data deletion command.

Preferably, the DB access control module receives a message for requesting access to the facility status data DB of the cloud server together with user unique identification information transmitted from an external user terminal, analyzes the received message, extracts user unique identification information, A specific access key corresponding to a user access right level of the corresponding user unique identification information stored in advance in a separate license DB according to whether the extracted user unique identification information is identical to the user unique identification information previously stored in a separate user information DB To the corresponding user terminal.

Preferably, a message for data access stored in the facility state data DB of the cloud server together with a specific access key transmitted from the user terminal is received and analyzed to extract a specific access key, It is possible to control the operation of the DB access blocking module such that data access of the facility status data DB of the cloud server is permitted or blocked according to whether a specific access key previously stored in the DB for use right is matched.

Preferably, the DB access control module, when there is a specific access key corresponding to the extracted specific access key in the usage right DB, searches the facility status of the cloud server according to a user access right level assigned to the specific access key The operation of the DB access blocking module may be controlled such that data stored in the data DB is allowed to be accessed.

Preferably, the DB access control module permits data access stored in the facility state data DB of the cloud server according to a level of a user access right given to the specific access key, and then confirms data access result information in real time, The data access result information of the DB is accessed or blocked so that re-access of the data of the corresponding equipment state data DB by the specific access key is permitted or blocked according to whether the identified data access result information and illegal data access result information stored in advance in a separate security policy database The operation of the module can be controlled.

Preferably, the DB access control module, when there is illegal data access result information matching the confirmed data access result information in the security policy DB, stores the facility status data DB corresponding to the confirmed data access result information The data of the deleted facility state data DB is restored to the data before the illegal data access by using the separate backup process data DB and the data of the corresponding facility state data DB by the specific access key It is possible to delete a user access right level of the user unique identification information corresponding to the specific access key stored in the separate user information DB so that re-access is blocked.

The illegal data access result information stored in advance in the security policy DB may be data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion.

Preferably, the DB access control module receives the corresponding user unique identification information registered at the time of membership registration of the user in the cloud server through the user terminal, receives the equipment status data DB of the cloud server provided by the administrator, (DB) for each user's unique identification information in the user information DB together with one level of the user's access right for the user.

Preferably, the DB access control module includes at least one specific access key accessible to the facility status data DB of the cloud server according to one level of user access right to the facility status data DB of the cloud server, (DB) and stored.

Preferably, the DB access control module may manage the data stored in the facility status data DB of the cloud server to be backed up periodically in a separate backup process data DB.

Preferably, the plurality of sensors provided in the process data obtaining apparatus may be composed of Internet of Things (IOT) sensors.

Preferably, the cloud connector device comprises: a facility DB storing the facility information data for each manufacturing facility corresponding to the unique identification information of each manufacturing facility; The unique identification information is received together with the process data for each manufacturing facility transmitted from the process data obtaining device, and compared with the unique identification information of each manufacturing facility stored in the manufacturing facility DB and the facility information data for each corresponding manufacturing facility The process data for each manufacturing facility transmitted from the process data acquiring device is divided for each channel according to the type and size of the data and then transmitted through each channel encoded in parallel so as to have different bit rates module; And metadata for each data type of process data for each manufacturing facility transmitted from the data processing module, and confirms an industrial protocol of each manufacturing facility and a protocol of the cloud server, And a data conversion module for converting the data into facility status data and transmitting the data to the security device for the cloud connector.

Preferably, the security device for the cloud connector includes: an encryption module that receives facility status data of each manufacturing facility converted and transmitted from the cloud connector device and encrypts the facility status data by symmetric or asymmetric encryption; And a decryption key assigning module for assigning a decryption key for decrypting equipment state data of each manufacturing facility encrypted by the encryption module to the cloud server.

Preferably, the cloud server classifies the accessibility data for each level of the user's access right given in advance for each specific access key so that the data access paths are separated from each other when data of the facility status data DB is accessed by an external user terminal, It can be managed so as to be stored in the facility status data DB of the cloud server.

Preferably, the cloud server includes a decryption module that receives a decryption key together with facility state data of each manufacturing facility encrypted from the security device for the cloud connector and decrypts facility state data of each encrypted manufacturing facility based on the decryption key, A data analysis module for receiving equipment state data of each manufacturing facility decoded from the decoding module and classifying the equipment state data of each manufacturing facility according to the received metadata; A facility state data DB for storing and managing facility state data of each manufacturing facility in a database (DB); And a server control unit for controlling the equipment status data of each manufacturing facility classified by the data analysis module to be stored in the equipment status data DB.

Preferably, the server control device further includes a backup process data DB for backing up and storing data corresponding to the facility status data DB, wherein the server control device includes: The status data may be periodically backed up and stored in the backup process data DB.

Preferably, the cloud server provides a cloud computing service in response to a request from an external client terminal, and the client terminal uses the client member login cloud web service of the cloud server to transmit the facility status data of the cloud server The facility status data of each manufacturing facility stored in the DB can be searched in real time and displayed on the display screen.

Preferably, when the facility state data of each manufacturing facility is stored in the facility state data DB as a database (DB), the cloud server encrypts and stores the facility state data of each manufacturing facility using a symmetric or asymmetric encryption method And a decryption key capable of decrypting the facility state data of each encrypted manufacturing facility is transmitted to the client terminal.

Preferably, the client terminal decrypts facility state data of each manufacturing facility encrypted and stored in the facility state data DB of the cloud server using the decryption key transmitted from the cloud server together with the corresponding client member login information, And can be displayed on the display screen.

Preferably, the cloud server may provide a cloud web service so that facility state data of each manufacturing facility stored in the facility state data DB can be downloaded through the client terminal.

Preferably, the client terminal may display facility status data of each manufacturing facility stored in the facility status data DB of the cloud server on a real time search and display screen through a cloud application related to the manufacturing facility downloaded from the cloud server.

Preferably, the unique identification information of each manufacturing facility includes a name of the manufacturing facility, a password of the manufacturing facility, a serial number of the manufacturing facility, a type of the manufacturing facility, a manufacturer of the manufacturing facility, a MAC (Media Access Control) A unique IP (Internet Protocol) address of the manufacturing facility, a model of the manufacturing facility and a version of the manufacturing facility, authentication information of the device generated by the secret key of the manufacturing facility, or a PKI-based private key have.

A second aspect of the present invention is a security method for an industrial cloud connector using a system including a process data acquisition device, a cloud connector device, a security device for a cloud connector, and a cloud server, the security method comprising: (a) Transmitting process data obtained from at least one manufacturing facility in a factory through a plurality of sensors with unique identification information of each manufacturing facility; (b) encoding, at a different bit rate according to the type and size of the process data for each manufacturing facility, based on the unique identification information, together with the process data for each manufacturing facility transmitted in the step (a) through the cloud connector device And converting the metadata to equipment state data of each manufacturing facility corresponding to the cloud compatible protocol and transmitting the metadata; (c) encrypting the facility status data of each manufacturing facility converted and transmitted in the step (b) through the security device for the cloud connector, and decrypting the facility status data of each encrypted manufacturing facility ; And (d) decrypting facility state data of each encrypted manufacturing facility on the basis of the decryption key together with the facility state data of each manufacturing facility encrypted in the step (c) through the cloud server, And storing and managing facility status data of the manufacturing facility in a database (DB) in a separate facility status data DB.

Here, after step (d), (e) monitoring a query for accessing the facility state data DB of the cloud server through a DB access control apparatus interlocked with the cloud server, and blocking an illegal DB access The steps are more inclusive.

Preferably, the step (e) includes the steps of: (e-1) monitoring query information for accessing the facility status data DB of the cloud server through a DB access monitoring module provided in the DB access control device; (e-2) analyzing the query information monitored in the step (e-1) through the DB access blocking module provided in the DB access control device and confirming data access commands; And (e-3) determining whether or not an illegal access command stored in advance in the black list DB is in agreement with the data access commands identified in the step (e-2) through the DB access blocking module provided in the DB access control apparatus And allowing or disabling data access of the corresponding equipment state data DB for the query according to the query.

Preferably, in the step (e-3), if there is an illegal data access command matching the identified data access command in the black list DB, the DB access control module provided in the DB access control apparatus A specific code preset in the query corresponding to the data access command is deleted and then the query with the specific code is deleted and the access user information and the access IP address information are stored in the black list DB so that the black list information is updated And a step of controlling the display device.

Preferably, in the step (e-3), an illegal data access instruction stored in advance in the blacklist DB includes at least one of an illegal data creation instruction, an illegal data modification instruction, and an illegal data deletion instruction Command.

Preferably, after the step (e-3), (e-4) the DB access control module provided in the DB access control device, together with the user unique identification information transmitted from the external user terminal, Analyzing a message for the status data DB access request and extracting user unique identification information; (e-5) checking whether the user's unique identification information extracted in the step (e-4) through the DB access control module provided in the DB access control device matches the user's unique identification information previously stored in the separate user information DB Transmitting to the corresponding user terminal a specific access key corresponding to one level of the user's access right of the corresponding user unique identification information stored in advance in a separate license DB; (e-6) analyzes a message for data access stored in the facility state data DB of the cloud server together with a specific access key transmitted from the user terminal through a DB access control module provided in the DB access control device, Extracting a key; And (e-7) determining whether or not the specific access key extracted in the step (e-6) through the DB access control module provided in the DB access control device matches the specific access key previously stored in the usage right DB, And controlling the operation of the DB access blocking module such that data access of the facility status data DB of the cloud server is permitted or blocked.

Preferably, in the step (e-7), when a specific access key matching the extracted specific access key exists in the usage right DB, the user access right assigned to the specific access key through the DB access control module It is possible to control the operation of the DB access blocking module so that data stored in the facility status data DB of the cloud server is allowed to be allowed according to the level.

Preferably, the DB access control module permits access to data stored in the facility state data DB of the cloud server according to a level of a user access right granted to the specific access key, and then checks data access result information in real time, The data access result information of the DB is accessed or blocked so that re-access of the data of the corresponding equipment state data DB by the specific access key is permitted or blocked according to whether the identified data access result information and illegal data access result information stored in advance in a separate security policy database And controlling the operation of the module.

Preferably, if illegal data access result information matching the confirmed data access result information exists in the security policy database, the DB access control module may update the facility state data DB corresponding to the confirmed data access result information The data of the deleted facility state data DB is restored to the data before the illegal data access by using the separate backup process data DB and the data of the corresponding facility state data DB by the specific access key It is possible to delete a user access right level of the user unique identification information corresponding to the specific access key stored in the separate user information DB so that re-access is blocked.

The illegal data access result information stored in advance in the security policy DB may be data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion.

Preferably, before the step (e-4) or the step (e-5), the DB access control module transmits corresponding user unique identification information registered at the time of membership of the user to the cloud server through the user terminal (DB) for each user unique identification information in the user information DB together with one level of user access right to the facility status data DB of the cloud server provided by the administrator on the basis of the level information .

Preferably, before the step (e-4) or the step (e-5), the facility state data DB of the cloud server is accessed through the DB access control module, And controlling at least one specific access key accessible to the data DB to be stored in a database (DB) for each user access level.

Preferably, the data stored in the facility state data DB of the cloud server is transmitted to the DB server through the DB access control module provided in the DB access control device before the step (e-1) or after the step (e-3) And managing the data to be backed up periodically in the backup process data DB.

Preferably, in the step (a), the plurality of sensors provided in the process data obtaining apparatus may be composed of Internet of Things (IOT) sensors.

Preferably, the step (b) includes the steps of: (b-1) storing facility information data for each manufacturing facility corresponding to unique identification information of each manufacturing facility through the cloud connector device in a separate manufacturing facility DB; (b-2) receiving unique identification information together with process data for each manufacturing facility transmitted in the step (a) through a data processing module provided in the cloud connector device, (A), the process data for each manufacturing facility transmitted in the step (a) is separated according to the type and size of the data when the unique identification information of the manufacturing facility is compared with the facility information data for each corresponding manufacturing facility And transmitting through each channel encoded in parallel so as to have different bit rates; And (b-3) assigning metadata to each data type of process data for each manufacturing facility transmitted in the step (b-2) through a data conversion module included in the cloud connector device, Protocol and the protocol of the cloud server to convert the data into equipment status data of each manufacturing facility corresponding to the cloud compatible protocol and transmitting the data to the security device for the cloud connector.

Preferably, the step (c) includes the steps of: (c-1) transmitting facility state data of each manufacturing facility converted and transmitted in the step (b) through a cryptographic module provided in the security device for the cloud connector, Encrypting; And (c-2) providing a decryption key capable of decrypting facility state data of each manufacturing facility encrypted at the step (c-1) through a decryption key granting module provided in the security device for a cloud connector, To the server.

Preferably, in the step (d), when data access of the facility status data DB is performed using an external user terminal through the cloud server, data access paths are separated by user access right levels The accessibility data can be classified and managed to be stored in the facility state data DB of the cloud server.

Preferably, the step (d) includes the steps of: (d-1) transmitting the facility state data of each manufacturing facility encrypted in the step (c) through the decryption module provided in the cloud server, Decoding equipment state data of each manufacturing facility; (d-2) the facility status data of each manufacturing facility according to the provided metadata on the basis of the facility status data of each manufacturing facility decrypted in the step (d-1) through the data analysis module provided in the cloud server ; And (d-3) converting the facility status data of each manufacturing facility classified in the step (d-2) into a database (DB) in the facility status data DB through the server control device provided in the cloud server, So that it can be controlled.

Preferably, after the step (d-3), the facility state data of each manufacturing facility stored in the step (d-3) is periodically updated so that only a predetermined administrator can access the server through the server control device provided in the cloud server And controlling the data to be stored and managed in a separate backup process data DB.

Preferably, after the step (d-3), (d-4) providing a cloud computing service in response to a request of an external client terminal through the cloud server; And (d-5) using the client member login cloud web service of the cloud server through the client terminal to search facility status data of each manufacturing facility stored in the facility status data DB of the cloud server in real time, And a step of displaying an image.

Preferably, in step (d-4), a cloud web service is provided so that facility state data of each manufacturing facility stored in the facility state data DB of the cloud server can be downloaded using the client terminal through the cloud server can do.

Preferably, in the step (d-5), facility status data of each manufacturing facility stored in the facility status data DB of the cloud server is stored in real time using the manufacturing facility-related cloud application downloaded from the cloud server through the client terminal, Can be displayed on the search and display screen.

Preferably, in the step (d-3), when facility state data of each manufacturing facility is stored in the facility state data DB through a database, the symmetric or asymmetric encryption method is used for each manufacture It is possible to provide the service such that the decryption key for encrypting and storing the facility state data of the facility and decrypting the facility state data of each encrypted manufacturing facility is transmitted to the external client terminal.

Preferably, the client terminal decrypts facility state data of each manufacturing facility encrypted and stored in the facility state data DB of the cloud server using the decryption key transmitted from the cloud server together with the corresponding client member login information, And can be displayed on the display screen.

Preferably, in step (a), the unique identification information of each manufacturing facility includes at least one of a name of the manufacturing facility, a password of the manufacturing facility, a serial number of the manufacturing facility, a type of the manufacturing facility, a manufacturer of the manufacturing facility, At least one of authentication information of a device generated by a Media Access Control (MAC) address, a unique IP (Internet Protocol) address of the manufacturing facility, a model of the manufacturing facility and a version of the manufacturing facility, And may include one piece of information.

A third aspect of the present invention provides a computer-readable recording medium on which a program capable of executing the security method for the above-described industrial cloud connector is recorded.

The security method for an industrial cloud connector according to the present invention can be implemented as a computer readable code on a computer readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.

For example, the computer-readable recording medium includes a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, a removable storage device, a nonvolatile memory, , And optical data storage devices.

According to the security system and method for an industrial cloud connector of the present invention as described above, it is possible to classify a data rate into a channel having a different bit rate according to the type and size of process data acquired from at least one manufacturing facility in the factory, There is an advantage that meta data can be given to data transmitted from each channel and can be effectively converted and transmitted.

In addition, according to the present invention, for compatibility between a legacy system and a cloud server, process data is acquired from at least one specific manufacturing facility based on unique identification information, and legacy protocols and cloud protocols of each manufacturing facility are analyzed There is an advantage that it can be effectively converted and transmitted.

According to the present invention, a specific access key corresponding to a user access right level is assigned based on user unique identification information stored in advance in an external user terminal, and data access of the facility status data DB managed by the cloud server is performed It is possible not only to prevent the user information from being stolen but also to effectively prevent re-access of the data of the equipment status data DB by the user information having the illegal access history.

Also, according to the present invention, it is possible to control the monitoring level through the change of the security policy DB, and to effectively prevent access to user information and access IP address information with illegal access history.

FIG. 1 is a block diagram illustrating a security system for an industrial cloud connector according to an embodiment of the present invention. Referring to FIG.
2 is a block diagram illustrating a cloud connector device according to an embodiment of the present invention.
3 is a block diagram illustrating a security device for a cloud connector according to an embodiment of the present invention.
4 is a block diagram illustrating a cloud server according to an embodiment of the present invention.
FIG. 5 is a block diagram illustrating a DB access control apparatus according to an embodiment of the present invention. Referring to FIG.
FIG. 6 is a block diagram illustrating a user terminal or a client terminal according to an exemplary embodiment of the present invention. Referring to FIG.
7 to 12 are overall flowcharts illustrating a security method for an industrial cloud connector according to an embodiment of the present invention.

The above and other objects, features, and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, which are not intended to limit the scope of the present invention. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

Terms including ordinals, such as first, second, etc., may be used to describe various elements, but the elements are not limited to these terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise.

While the present invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments. Also, in certain cases, there may be a term selected arbitrarily by the applicant, in which case the meaning thereof will be described in detail in the description of the corresponding invention. Therefore, the term used in the present invention should be defined based on the meaning of the term, not on the name of a simple term, but on the entire contents of the present invention.

When an element is referred to as "including" an element throughout the specification, it is to be understood that the element may include other elements as well, without departing from the spirit or scope of the present invention. Also, the terms "part," " module, "and the like described in the specification mean units for processing at least one function or operation, which may be implemented in hardware or software or a combination of hardware and software .

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the following embodiments of the present invention may be modified into various other forms, and the scope of the present invention is not limited to the embodiments described below. The embodiments of the present invention are provided to enable those skilled in the art to more fully understand the present invention.

Each block of the accompanying block diagrams and combinations of steps of the flowcharts may be performed by computer program instructions (execution engines), which may be stored in a general-purpose computer, special purpose computer, or other processor of a programmable data processing apparatus The instructions that are executed through the processor of the computer or other programmable data processing equipment will generate means for performing the functions described in each block or flowchart of the block diagram. These computer program instructions may also be stored in a computer usable or computer readable memory capable of directing a computer or other programmable data processing apparatus to implement the functionality in a particular manner so that the computer usable or computer readable memory It is also possible for the instructions stored in the block diagram to produce an article of manufacture containing instruction means for performing the functions described in each block or flowchart of the flowchart.

Computer program instructions may also be loaded onto a computer or other programmable data processing equipment so that a series of operating steps may be performed on a computer or other programmable data processing equipment to create a computer- It is also possible that the instructions that perform the data processing equipment are capable of providing the steps for executing the functions described in each block of the block diagram and at each step of the flowchart.

Also, each block or step may represent a portion of a module, segment, or code that includes one or more executable instructions for executing the specified logical functions, and in some alternative embodiments, It should be noted that functions may occur out of order. For example, two successive blocks or steps may actually be performed substantially concurrently, and it is also possible that the blocks or steps are performed in the reverse order of the function as needed.

FIG. 1 is a block diagram illustrating a security system for an industrial cloud connector according to an embodiment of the present invention. FIG. 2 is a block diagram of a cloud connector device according to an embodiment of the present invention. FIG. 3 is a block diagram illustrating a security device for a cloud connector according to an embodiment of the present invention. FIG. 4 is a block diagram illustrating a cloud server according to an embodiment of the present invention. FIG. 5 is a block diagram illustrating a DB access control apparatus according to an embodiment of the present invention. FIG. 6 is a block diagram illustrating a DB access control apparatus according to an exemplary embodiment of the present invention. Fig.

1 to 6, a security system for an industrial cloud connector according to an embodiment of the present invention includes a process data acquisition device 100, a cloud connector device 200, a security device 300 for a cloud connector, , And a cloud server (400). Meanwhile, the components shown in FIG. 1 are not essential, and a manufacturing facility process operation system based on a cloud connector according to an embodiment of the present invention may have more or fewer components. For example, the security system for an industrial cloud connector according to an embodiment of the present invention may further include a DB access control device 500.

Hereinafter, components of a security system for an industrial cloud connector according to an embodiment of the present invention will be described in detail.

The process data acquisition apparatus 100 includes a plurality of sensors 110-1 to 110-N and is connected to at least one manufacturing facility 10- 1 to 10-N) to the cloud connector device 200 together with the unique identification information of each manufacturing facility.

At this time, it is preferable that the plurality of sensors 110-1 to 110-N provided in the process data obtaining apparatus 100 are composed of Internet of Things (IOT) sensors.

In other words, the Internet (IoT) is an evolutionary level of Internet than the existing wired Internet and mobile Internet. It combines objects used in everyday life and sensing technology to obtain information from the surrounding environment, Is an intelligent technology and service that communicates information between the two.

In the early wired communication age, however, data interchange occurred only through the connection between objects such as PCs, and thus human intervention was required as an intermediary. However, due to progress in wireless communication technology, people, people, objects and objects , The range of communication is expanded by objects and objects, and furthermore, it has developed into M2M, which can communicate autonomously between objects.

As the Internet (IoT) evolves, various devices are converted into IoT devices, and the Internet (IoT) is connected to each other by various network methods to construct an Internet network.

The plurality of sensors 110-1 to 110-N provided in the process data obtaining apparatus 100 are installed in a monitored area or a specific object to detect data in response to an event occurrence, Or wirelessly.

The plurality of sensors 110-1 to 110-N provided in the apparatus 100 for acquiring process data may be a three-dimensional image sensor, an infrared thermal image sensor, a temperature sensor, a humidity sensor, a dust sensor, a smoke sensor, (10-1 to 10-N) including at least one selected from various sensors such as a carbon monoxide sensor, a carbon dioxide sensor, an ozone sensor, an ultrasonic sensor, a motion sensor, a lighting sensor, a household appliance, a door lock, Two or more of them may be mounted.

On the other hand, the unique identification information of each manufacturing facility 10-1 to 10-N includes, for example, the name of the manufacturing facility, the password of the manufacturing facility, the serial number of the manufacturing facility, the type of the manufacturing facility, Of the authentication information of the device generated by the MAC (Media Access Control) address of the manufacturing facility, the unique IP (Internet Protocol) address of the manufacturing facility, the model of the manufacturing facility and the version of the manufacturing facility, It is preferable to include at least any one piece of information.

The cloud connector device 200 receives the unique identification information together with the process data for each manufacturing facility 10-1 to 10-N transmitted from the process data obtaining device 100, 10-1 to 10-N), and supplies the meta data to each of the manufacturing facilities 10-1 to 10-N corresponding to the cloud compatible protocol -N) to the security device 300 for the cloud connector.

2, the cloud connector device 200 may include a manufacturing facility DB 210, a data processing module 220, a data conversion module 230, and the like. Meanwhile, the components shown in FIG. 2 are not essential, so that the cloud connector device 200 applied to an embodiment of the present invention may have more or fewer components.

Here, the manufacturing facility DB 210 stores equipment information data for each manufacturing facility 10-1 to 10-N corresponding to the unique identification information of each manufacturing facility 10-1 to 10-N, And stores and manages them.

The data processing module 220 receives the unique identification information together with the process data for each manufacturing facility 10-1 to 10-N transmitted from the process data obtaining device 100, When the unique identification information of the manufacturing equipments 10-1 to 10-N is compared with the corresponding equipment information data for each of the manufacturing equipments 10-1 to 10-N, The process data for each of the manufacturing facilities 10-1 to 10-N transmitted is separated according to the type and size of data according to the channel, and then transmitted through each channel encoded in parallel so as to have different bit rates do.

The data conversion module 230 assigns metadata to the data types of process data for each manufacturing facility 10-1 to 10-N transmitted from the data processing module 220, 10-N) and the protocol of the cloud server 400 and converts them into the facility state data of each manufacturing facility 10-1 to 10-N corresponding to the cloud compatible protocol, ). ≪ / RTI >

The security device 300 for the cloud connector receives the facility status data of each of the manufacturing facilities 10-1 to 10-N converted and transmitted from the cloud connector device 200 and encrypts the facility status data, And transmits a decryption key capable of decrypting the facility state data of the manufacturing facilities 10-1 to 10-N.

The security device 300 for a cloud connector monitors a query for accessing the facility status data DB 430 of the cloud server 400 in cooperation with the cloud server 400 and provides a blocking function for illegal access Can be performed.

As shown in FIG. 3, the security device 300 for a cloud connector includes an encryption module 310 and a decryption key granting module 320. 3 are not essential, a security device 300 for a cloud connector applied to an embodiment of the present invention may have more or fewer components.

Here, the encryption module 310 receives facility status data of each manufacturing facility 10-1 to 10-N converted and transmitted from the cloud connector device 200, and encrypts the facility status data by a symmetric or asymmetric encryption method do.

The decryption key granting module 320 applies an authentication key or decryption key for decrypting the facility state data of each manufacturing facility 10-1 to 10-N encrypted by the encryption module 310 to the cloud server 400 ). ≪ / RTI >

The cloud server 400 is connected to the security device 300 for the cloud connector through the communication network 20 and is connected to each manufacturing facility 10-1 to 10- And decrypts the facility state data of each of the encrypted manufacturing equipments 10-1 to 10-N based on the received decryption key, and decrypts the equipment state data of each of the decrypted manufacturing equipments 10-1 to 10- N in a separate facility state data DB 430, and stores and manages the facility state data.

In addition, the cloud server 400 can access the accessibility data for each level of the user's access right given in advance for each specific access key so that the data access paths are separated from each other when data is accessed by the external user terminal 600 To be stored in the equipment status data DB 430. [0064] FIG.

4, the cloud server 400 includes a decryption module 410, a data analysis module 420, a facility status data DB 430, and a server control unit 440. Meanwhile, the components shown in FIG. 4 are not essential, so that the cloud server 400 applied to an embodiment of the present invention may have more or fewer components. For example, the cloud server 400 applied to an embodiment of the present invention may further include a backup process data DB 450.

Here, the decryption module 410 receives the decryption key together with the facility status data of each manufacturing facility 10-1 to 10-N encrypted by the security device 300 for the cloud connector, And decodes the facility status data of the facilities 10-1 to 10-N.

The data analysis module 420 receives the facility status data of each manufacturing facility 10-1 to 10-N decoded from the decryption module 410 and receives the facility status data of each manufacturing facility 10- 1 to 10-N).

The facility status data DB 430 functions to store and manage the facility status data of each of the manufacturing facilities 10-1 to 10-N as a database (DB) under the control of the server control unit 440. [

The server control unit 440 performs overall control of the cloud server 400. In particular, the server control unit 440 transmits equipment status data of each of the manufacturing equipments 10-1 to 10-N classified by the data analysis module 420, DB 430 in accordance with the control information.

The server control unit 440 periodically backs up the equipment status data of each of the manufacturing facilities 10-1 to 10-N stored in the equipment status data DB 430 so that only a predetermined administrator can access the data, The control unit 450 may perform the function of controlling to be stored.

The backup process data DB 450 performs a function of backing up and managing data corresponding to the equipment status data DB 430 under the control of the server control unit 440.

The cloud server 400 configured as described above may perform a function of providing a cloud computing service in response to a request from an external client terminal 700. [

At this time, the client terminal 700 uses the client member login cloud web service of the cloud server 400 to access each of the manufacturing facilities 10-1 to 10-N (not shown) stored in the facility status data DB 430 of the cloud server 400 ) Can be searched in real time and displayed on the display screen.

When the cloud server 400 stores the facility state data of each manufacturing facility 10-1 to 10-N as a database (DB), the cloud server 400 transmits the facility state data of each of the manufacturing facilities 10-1 to 10-N using a symmetric or asymmetric encryption method. 10-N are encrypted and stored in the facility state data DB 430, and a decryption key capable of decrypting the facility state data of each of the encrypted manufacturing facilities 10-1 to 10-N is stored in the facility state data DB 430, And perform a function of providing a service to be transmitted to the terminal 700.

At this time, the client terminal 700, using the decryption key transmitted from the cloud server 400 together with the corresponding client member login information, transmits the encryption key to each manufacturing facility 10 (FIG. 1) encrypted and stored in the facility status data DB 430 of the cloud server 400 -1 to 10-N) can be decoded and displayed on the display screen in real time.

The cloud server 400 also receives facility status data of each of the manufacturing facilities 10-1 to 10-N stored in the facility status data DB 430 of the cloud server 400 through the client terminal 700 You can also perform the function of providing a cloud web service.

At this time, the client terminal 700 is connected to each of the manufacturing facilities 10-1 to 10-N (not shown) stored in the facility state data DB 430 of the cloud server 400 through the cloud application 400 related to the manufacturing facility, which is downloaded from the cloud server 400 -N) can be displayed on the real time search and display screen.

The client terminal 700 and / or the user terminal 600 are connected to the cloud server 400 through the communication network 20, and the communication network 20 is a large-sized communication network capable of providing large capacity, long- (Wi-Fi), WiGig, Wireless Broadband Internet, Wibro, and World Interoperability for Microwave Access (WiMAX) to provide Internet or high-speed multimedia service. Wimax), and the like.

The Internet includes a plurality of services such as HTTP (Hyper Text Transfer Protocol), Telnet, File Transfer Protocol (FTP), Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) Refers to a worldwide open computer network structure providing a Simple Network Management Protocol (SNMP), a Network File Service (NFS), and a Network Information Service (NIS), and the user terminal 600 and / And provides an environment in which the server 400 can be connected. Meanwhile, the Internet may be a wired or wireless Internet, or may be a core network integrated with a wired public network, a wireless mobile communication network, or a portable Internet.

If the communication network 20 is a mobile communication network, it may be a synchronous mobile communication network or an asynchronous mobile communication network. As an example of the asynchronous mobile communication network, a WCDMA (Wideband Code Division Multiple Access) communication network is exemplified. In this case, although not shown in the drawing, the mobile communication network may include, for example, a radio network controller (RNC). Meanwhile, although the WCDMA network is described as an example, it may be a next generation communication network such as a 3G LTE network, a 4G network, and a 5G network, or an IP network based on other IPs. The communication network 20 transmits signals and data between the user terminal 600 and / or the client terminal 700 and the cloud server 400.

The user terminal 600 and / or the client terminal 700 may be a smart phone, a smart pad, or a smart note communicating through a wireless Internet or a portable Internet. A portable PC, a mobile PC, a mobile PC, a mobile PC, a mobile game device, a DMB (Digital Multimedia Broadcasting) phone having a communication function, a tablet PC, an iPad And the like, and a wired / wireless home appliance / communication device having a user interface for accessing the cloud server 400, for example.

6, the user terminal 600 and / or the client terminal 700 may include a wireless communication module 610, an audio / video input module 620, a user input module 630, A sensing module 640, an output module 650, a storage module 660, an interface module 670, a terminal control module 680, and a power module 690. On the other hand, the components shown in FIG. 6 are not essential, so that the user terminal 600 and / or the client terminal 700 may have more or fewer components.

Hereinafter, the components of the user terminal 600 and / or the client terminal 700 will be described in detail.

The wireless communication module 610 may include one or more modules that enable wireless communication between the user terminal 600 and / or the client terminal 700 and the cloud server 400. For example, the wireless communication module 610 may include a broadcast receiving module 611, a mobile communication module 612, a wireless Internet module 613, a short distance communication module 614, and a location information module 615.

The broadcast receiving module 611 receives a broadcast signal (e.g., a TV broadcast signal, a radio broadcast signal, a data broadcast signal, etc.) from an external broadcast management server through various broadcast channels (e.g., a satellite channel and a terrestrial channel) And receives the related information.

The mobile communication module 612 transmits and receives a radio signal to at least one of a base station, an external terminal, and a server on a mobile communication network. The wireless signal may include various types of data in response to a voice call signal, a video call call signal, or a text / multimedia message transmission / reception.

The wireless Internet module 613 is a module for wireless Internet access, and may be embedded in or embedded in the user terminal 600 and / or the client terminal 700. [ As the wireless Internet technology, for example, WLAN (Wi-Fi), Wibro, Wimax, HSDPA, LTE and the like can be used.

The short-range communication module 614 is a module for short-range communication and may be a Bluetooth communication module, a ZigBee communication module, an UWB (Ultra Wideband) communication module, an RFID (Radio Frequency Identification) ) Communication can be used.

The location information module 615 is a module for confirming or obtaining the location of the user terminal 600 and / or the client terminal 700, It is possible to obtain the current position information of the mobile terminal 700.

In accordance with the control of the terminal control module 680, the production facility-related cloud application program stored in the storage module 660 via the wireless communication module 610 and / or the wired communication module (not shown) And can perform data transmission / reception with the mobile station 400.

The A / V input module 620 is a module for inputting an audio signal or a video signal. Basically, the A / V input module 620 may include a camera unit 621 and a microphone unit 622. The camera unit 621 processes an image frame such as a still image or a moving image obtained by the image sensor in the video communication mode or the photographing mode. The microphone unit 622 receives an external sound signal by a microphone in a communication mode, a recording mode, a voice recognition mode, or the like, and processes it as electrical voice data.

The user input module 630 is a module for generating input data for controlling the operation of the user terminal 600 and / or the client terminal 700, (Static pressure / static) type input by a user's touch or a separate input device (for example, a key pad dome switch, a jog dial, etc.) Wheel, jog switch, etc.).

The sensing module 640 may determine whether the user touches the open / close state of the user terminal 600 and / or the client terminal 700, the position of the user terminal 600 and / or the client terminal 700, The user terminal 600 and / or the client terminal 700, such as the orientation of the user terminal 600 and / or the client terminal 700, the acceleration / deceleration of the user terminal 600 and / And generates a sensing signal for controlling the operations of the user terminal 600 and / or the client terminal 700. [ The sensing signal is transmitted to the terminal control module 680, and the terminal control module 680 can be a basis for performing a specific function.

The output module 650 is a module for generating an output related to visual, auditory or tactile sense and basically includes a display portion 651, an acoustic output portion 652, an alarm portion 653, a haptic portion 654, .

The display unit 651 is for displaying and outputting information processed by the user terminal 600 and / or the client terminal 700. For example, when the user terminal 600 and / or the client terminal 700 are in a call mode (UI) or GUI (Graphical User Interface) related to the call. In the video communication mode or the photographing mode, the captured and / or received image, UI, and GUI are displayed.

The audio output unit 652 may output audio data received from the wireless communication module 610 or stored in the storage module 660 in, for example, a call signal reception, a call mode or a recording mode, a voice recognition mode, a broadcast reception mode, .

The alarm unit 653 may output a signal for notifying the user terminal 600 and / or the client terminal 700 of an event occurrence. Examples of events generated in the user terminal 600 and / or the client terminal 700 include a call signal reception, a message reception, a key signal input, a touch input, and the like.

The haptic portion 654 generates various tactile effects that the user can feel. A typical example of the haptic effect generated by the haptic portion 654 is vibration. The intensity and pattern of the vibration generated by the haptic part 654 can be controlled.

The storage module 660 may store a program for operation of the user terminal 600 and / or the terminal control module 680 and may store input / output data (e.g., phonebook, message, ) May be temporarily stored.

In addition, the storage module 660 can store data related to vibrations and sounds of various patterns output when a touch is input on the touch screen, and can store a cloud application program related to the manufacturing facility.

In addition, the storage module 660 can store source data for the formation of manufacturing facility-related information, and the manufacturing facility-related data can be formed in the form of video and sound. The manufacturing facilities 10-1 to 10- -N) can also be stored together.

The storage module 660 may be a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (for example, SD or XD memory), a RAM, an SRAM, a ROM, an EEPROM, , A magnetic memory, a magnetic disk, or an optical disk.

The interface module 670 serves as a communication path between the user terminal 600 and all external devices connected to the client terminal 700. The interface module 670 receives data from an external device or receives power from the external device to transfer the data to the respective components in the user terminal 600 and / or the client terminal 700, or transmits the data to the user terminal 600 and / ) To be transmitted to an external device.

The terminal control module 680 typically controls the overall operation of the user terminal 600 and / or the client terminal 700 and may be used to control and / Processing is performed.

That is, the terminal control module 680 controls the manufacturing facility-related cloud application program stored in the storage module 660 to be executed, requests the generation of the manufacturing facility-related data through execution of the cloud application program related to the manufacturing facility, And controls to receive data related to the manufacturing facility.

In addition, the terminal control module 680 may display auxiliary components including at least one of video, audio, or sound in the process of generating the manufacturing facility related data desired by the user through the execution of the manufacturing facility related application program, The sound output unit 652, the alarm unit 653, the haptic unit 654, and the like).

The terminal control module 680 may regularly monitor the charging current and the charging voltage of the battery unit 695 and may temporarily store the monitoring value in the storage module 660. [ At this time, it is preferable that the storage module 660 not only stores the battery charge status information such as the monitored charge current and the charge voltage, but also battery specification information (product code, rating, etc.).

The power supply module 690 receives external power and internal power under the control of the terminal control module 680 and supplies power necessary for operation of the respective components. The power module 690 supplies the power of the built-in battery unit 695 to each of the components and operates the battery, and the battery can be charged using a charging terminal (not shown).

The various embodiments described herein may be embodied in a recording medium readable by a computer or similar device using, for example, software, hardware, or a combination thereof.

According to a hardware implementation, the embodiments described herein may be implemented as application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays Microprocessors, microprocessors, and electrical units for performing functions, as will be described in more detail below. In some cases, such embodiments may be implemented by the terminal control module 680.

According to a software implementation, embodiments such as procedures or functions may be implemented with separate software modules that perform at least one function or operation. The software code may be implemented by a software application written in a suitable programming language. The software code may also be stored in the storage module 660 and executed by the terminal control module 680. [

In contrast, when the user terminal 600 and / or the client terminal 700 is a smart phone, the smart phone may provide various application programs desired by the user, unlike a general mobile phone (a feature phone) It is a phone based on an open operating system that can be downloaded and used freely and can be used for all mobile phones or voice calls with mobile office functions as well as functions such as voice / , But it is desirable to be understood as a communication device including all Internet phones or Tablet PCs capable of accessing the Internet.

Such a smart phone can be implemented as a smartphone equipped with various open operating systems. Examples of the open operating system include Nokia, Nokia, Symbian, RIMS, BlackBerry, Apple, Microsoft's Windows Mobile, Google's Android, and Samsung's ocean.

As such, since the smartphone uses an open operating system, a user can arbitrarily install and manage various application programs, unlike a mobile phone having a closed operating system.

That is, the smartphone basically includes a control unit, a memory unit, a screen output unit, a key input unit, a sound output unit, a sound input unit, a camera unit, a wireless network communication module, a short- do.

The controller is a generic term for controlling the operation of the smartphone, and includes at least one processor and an execution memory, and is connected to each functional unit provided in the smart phone through a bus.

The controller controls the operation of the smartphone by loading at least one program code included in the smart phone into the execution memory through the processor and calculating the result by transmitting the result to the at least one functional unit through the bus .

The memory unit is a general term of a nonvolatile memory included in a smartphone, and stores and maintains at least one program code executed through the control unit and at least one data set used by the program code. The memory unit basically stores a system program code and a system data set corresponding to an operating system of a smartphone, a communication program code and a communication data set for processing a wireless communication connection of the smartphone, at least one application program code and an application data set , And the program code and data set for implementing the present invention are also stored in the memory unit.

The screen output unit includes a screen output device (e.g., an LCD (Liquid Crystal Display) device) and an output module for driving the screen output device. The screen output unit is connected to the control unit through a bus, And outputs it to the screen output device.

The key input unit is composed of a key input device having at least one key button (or a touch screen device interlocked with the screen output unit) and an input module for driving the key input unit. The control unit is connected to the control unit via a bus, Or inputs data necessary for the operation of the control unit.

The sound output unit includes a speaker for outputting a sound signal and a sound module for driving the speaker. The sound output unit is connected to the control unit through a bus, and outputs a result of operation corresponding to the sound output from the various operation results of the control unit through the speaker . The sound module decodes sound data to be output through the speaker and converts the sound data into a sound signal.

The sound input unit includes a microphone for receiving a sound signal and a sound module for driving the microphone, and transmits the sound data input through the microphone to the control unit. The sound module encodes and encodes a sound signal input through the microphone.

The camera unit includes an optical unit, a CCD (Charge Coupled Device) and a camera module for driving the CCD unit, and obtains bitmap data input to the CCD through the optical unit. The bitmap data may include both still image data and moving image data.

The wireless network communication module is a collective term for communicating wireless communication and includes at least one antenna, an RF module, a baseband module, and a signal processing module for transmitting and receiving a radio frequency signal of a specific frequency band. And transmits the calculation result corresponding to the wireless communication among the various calculation results of the control unit through the wireless communication or receives the data through the wireless communication and transmits the data to the control unit, , Communication, and handoff procedures.

Also, the wireless network communication module includes a mobile communication structure for performing at least one of connection, location registration, call processing, call connection, data communication, and handoff to a mobile communication network according to the CDMA / WCDMA standard. Meanwhile, according to the intention of those skilled in the art, the wireless network communication module may further include a portable Internet communication structure for performing at least one of connection to the portable Internet, location registration, data communication, and handoff according to the IEEE 802.16 standard, It is evident that the present invention is not limited by the wireless communication configuration provided by the communication module.

The short-range wireless communication module is composed of a short-range wireless communication module that connects a communication session using a radio frequency signal as a communication medium within a predetermined distance. Preferably, the short-range wireless communication module includes RFID communication, Bluetooth communication, Wi- And wireless communication. The short-range wireless communication module may be integrated with the wireless network communication module.

The thus configured smartphone means a terminal capable of wireless communication, and any device capable of transmitting and receiving data through a network including the Internet may be applicable as well as a smart phone. That is, the smart phone may include at least one of a notebook PC, a tablet PC, and a mobile terminal capable of carrying and moving a mobile phone having a short message transmission function and a network connection function.

The DB access control apparatus 500 monitors the query to access the facility status data DB 430 of the cloud server 400 in cooperation with the cloud server 400 and controls the access to the illegal DB access .

5, the DB access control apparatus 500 includes a user information DB 510, a usage right DB 520, a security policy DB 530, a blacklist DB 540, a DB access monitoring module 550, a DB access blocking module 560, a DB access control module 570, and the like. Meanwhile, the components shown in FIG. 5 are not essential, and the DB access control apparatus 500 applied to an embodiment of the present invention may have more or fewer components. For example, the DB access control apparatus 500 applied to an embodiment of the present invention may further include a backup process data DB 580. [

Here, the user information DB 510 functions as a database (DB) for storing and managing user unique identification information and IP address information accessible to the facility status data DB 430 of the cloud server 400.

The user's unique identification information includes, for example, a user ID / password (ID / PW) of a user registered at the time of joining the user to the cloud server 400 through the user terminal 600, a resident number, Information, at least one of public key infrastructure (PKI), one time password (OTP), and authorized certificate information.

The DB 520 for use right may access at least one specific access key that can access the equipment status data DB 430 of the cloud server 400 according to one level of user access right to the equipment status data DB 430 of the cloud server 400 (DB) for each level of user access rights, and stores and manages the database.

At this time, the specific access key may be, for example, a provisional access key that can be used as a disposable, but it is not limited thereto, and may be a fixed unique access key that can be used each time.

The security policy DB 530 stores data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion into a database (DB) And performs management functions.

The blacklist DB 540 stores a database (DB) and stores and manages an instruction corresponding to at least one of an illegal data access instruction, for example, an illegal data generation instruction, an illegal data modification instruction, and an illegal data deletion instruction Function.

The blacklist DB 540 is a database (DB) for storing user information and IP address information that have performed illegal data access to the equipment status data DB 430 managed by the cloud server 400, Can be performed.

The DB access monitoring module 550 performs a function of monitoring query information for accessing the equipment status data DB 430 of the cloud server 400 in cooperation with the cloud server 400.

The DB access blocking module 560 analyzes the query information monitored by the DB access monitoring module 550 and confirms the data access commands and transmits the data access commands and the illegal access information stored in advance in the blacklist DB 540 And permits or blocks data access to the corresponding facility status data DB 430 for the query according to whether or not the command is matched.

The DB access control module 570 performs overall control of the DB access control apparatus 500 and in particular controls the operations of the DB access monitoring module 550 and the DB access blocking module 560. [

That is, when there is an illegal data access command in the blacklist DB 540 through the DB access blocking module 560, the DB access control module 570 responds to the data access command And a function of deleting the query to which the specific code is assigned and storing the access user information and the access IP address information in the blacklist DB 540 so that the blacklist information is updated Can be performed.

In addition, the DB access control module 570 receives a message for requesting access to the facility status data DB of the cloud server 400 together with the user unique identification information transmitted from the external user terminal 600, analyzes the received message, The user access right level of the user unique identification information stored in advance in the DB 520 in accordance with whether the extracted user unique identification information is identical to the user unique identification information previously stored in the user information DB 510 And transmits the specific access key corresponding to the specific access key to the corresponding user terminal 600.

The DB access control module 570 receives a message for accessing data stored in the equipment status data DB 430 of the cloud server 400 together with the specific access key transmitted from the user terminal 600, The data access of the facility state data DB 430 of the cloud server 400 is permitted or blocked according to whether the extracted specific access key is matched with a specific access key stored in advance in the DB 520 So as to control the operation of the DB access blocking module 560.

When there is a specific access key corresponding to the extracted specific access key in the DB 520 for access right, the DB access control module 570 controls the access right of the cloud server 400 The DB access blocking module 560 may be configured to control the operation of the DB access blocking module 560 such that data access stored in the facility status data DB 430 of the DB access blocking module 560 is permitted.

In addition, the DB access control module 570 allows data access stored in the facility status data DB 430 of the cloud server 400 according to one level of user access right given to the specific access key, And determines whether or not the data access result information of the corresponding equipment state data DB 430 is re-accessed based on whether the identified data access result information matches the illegal data access result information previously stored in the security policy DB 530 The DB access blocking module 560 may control the operation of the DB access blocking module 560 such that the DB access blocking module 560 is allowed or blocked.

If the illegal data access result information matching the confirmed data access result information exists in the security policy DB 530, the DB access control module 570 updates the facility status data corresponding to the confirmed data access result information The data of the deleted facility state data DB 430 is transferred to the data before the illegal data access by using the backup process data DB 580 or the backup process data DB 450 after deleting the data of the DB 430 The user access right level of the user unique identification information corresponding to the specific access key stored in the user information DB 510 is stored in the user information DB 510 so that the data access to the equipment status data DB 430 by the specific access key is blocked And the like.

In addition, the DB access control module 570 receives corresponding user unique identification information registered at the time of membership registration of the user in the cloud server 400 through the user terminal 600, and receives the user unique identification information registered in the cloud server 400 (DB) for each user's unique identification information in the user information DB 510 together with one level of the user's access right to the facility status data DB 430 of the facility status DB 430.

The DB access control module 570 may access at least one facility state data DB 430 of the cloud server 400 according to one level of user access right to the facility state data DB 430 of the cloud server 400 A function of converting a specific access key into a database (DB) for each user access right level and controlling the DB to be stored in the usage right DB 520 can be performed.

The DB access control module 570 may also be configured to periodically back up and manage the data stored in the equipment status data DB 430 of the cloud server 400 in the backup process data DB 580 or the backup process data DB 450 And the like.

Hereinafter, a security method for an industrial cloud connector according to an embodiment of the present invention will be described in detail.

7 to 12 are overall flowcharts illustrating a security method for an industrial cloud connector according to an embodiment of the present invention.

1 to 12, a security method for an industrial cloud connector according to an embodiment of the present invention includes: first, a plurality of sensors 110-1 to 110-N via a process data acquisition device 100, And transmits the process data acquired from at least one manufacturing facility 10-1 to 10-N in the factory together with the unique identification information of each manufacturing facility 10-1 to 10-N (S100).

At this time, in step S100, the plurality of sensors 110-1 to 110-N included in the process data obtaining apparatus 100 may be, for example, Internet of Things (IOT) sensors.

On the other hand, in step S100, the unique identification information of each manufacturing facility 10-1 to 10-N includes, for example, the name of the manufacturing facility, the password of the manufacturing facility, the serial number of the manufacturing facility, (MAC) address of a manufacturer, a manufacturing facility, a unique IP address of a manufacturing facility, a model of a manufacturing facility and a version of a manufacturing facility, a private key of the manufacturing facility, or a PKI-based private key And information on at least one of authentication information of the apparatus.

Thereafter, based on the unique identification information together with the process data for each of the manufacturing facilities (10-1 to 10-N) transmitted in the step S100 through the cloud connector device 200, N), metadata is provided through multiple channels encoded at different bit rates according to the type and size of the process data for each manufacturing facility 10-1 to 10-N corresponding to the cloud compatible protocol, And converts it into state data (S200).

That is, as shown in FIG. 8, the step S200 is performed through the cloud connector device 200 to connect the manufacturing equipments 10-1 to 10-N corresponding to the unique identification information of each of the manufacturing equipments 10-1 to 10- (S210) of storing and managing facility information data on the manufacturing facility DB 210 in a separate manufacturing facility DB 210 and a step S210 of transmitting and receiving facility information data on the manufacturing facility DB 210 via the data processing module 220 provided in the cloud connector device 200 N unique identification information together with the process data for each of the manufacturing facilities 10-1 to 10-N, and stores the unique identification information of each manufacturing facility 10-1 to 10-N The process data for each of the manufacturing equipments 10-1 to 10-N transmitted in the step S100 is compared with the type of the data for the manufacturing equipments 10-1 to 10-N, After separating each channel according to the size, each channel encoded in parallel so as to have different bit rates And the data conversion module 230 provided in the cloud connector device 200. The process data for each manufacturing facility 10-1 to 10-N transmitted at the step S220 And then confirms the industrial protocol of each manufacturing facility 10-1 to 10-N and the protocol of the cloud server 400 so that each of the manufacturing facilities 10-1 to 10-N corresponding to the cloud compatible protocol To the security device 300 for the cloud connector (S230).

Then, the facility state data of each manufacturing facility 10-1 to 10-N converted and transmitted at the step S200 is encrypted through the security device 300 for the cloud connector, and each of the encrypted manufacturing facilities 10 -1 to 10-N) is transmitted (S300).

That is, in step S300, as shown in FIG. 9, the manufacturing facilities 10-1 through 10-N converted and transmitted in the step S200 through the encryption module 310 provided in the security device 300 for the cloud connector 300, N is encrypted in a symmetric or asymmetric encryption method in step S310 and a decryption key assigning module 320 provided in the security device for a cloud connector 300 in step S310, (S320), to the cloud server 400, a decryption key for decrypting the facility status data of the facility status data (10-1 to 10-N).

Next, with the facility state data of each of the manufacturing facilities 10-1 to 10-N encrypted at the above-described step S300 via the cloud server 400, the respective encrypted manufacturing facilities 10-1 to 10- And decodes the facility state data of each of the decrypted manufacturing equipments 10-1 to 10-N into a database (DB) in a separate facility state data DB 430 (S400).

At this time, in step S400, a user who is given in advance for each specific access key so that data access paths are separated from each other when accessing the facility state data DB 430 using the external user terminal 600 through the cloud server 400 It is preferable that the accessibility data for each level of access rights is classified and managed to be stored in the facility status data DB 430 of the cloud server 400. [

10, the facility state data of each of the manufacturing facilities 10-1 to 10-N encrypted in the step S300 through the decryption module 410 provided in the cloud server 400, (S410) of decrypting facility state data of each of the encrypted manufacturing equipments (10-1 to 10-N) based on the decryption key, and a data analysis module (420) provided in the cloud server (400) Based on the equipment state data of each manufacturing facility 10-1 to 10-N decoded in the above step S410, the facility state data of each manufacturing facility 10-1 to 10-N is determined according to the provided metadata The facility state data of each of the manufacturing facilities 10-1 to 10-N classified in the step S420 through the server control device 440 provided in the cloud server 400, (DB) in the DB 430 to be stored and managed (S430) . ≪ / RTI >

If the equipment status data of each of the manufacturing facilities 10-1 to 10-N is stored in the equipment status data DB 430 via the cloud server 400 as a database (DB) in step S430, The facility state data of each manufacturing facility 10-1 to 10-N is encrypted and stored using the asymmetric encryption method, and the facility state data of each of the encrypted manufacturing facilities 10-1 to 10-N is decrypted It is desirable to provide a service such that the decryption key is transmitted to the external client terminal 700.

The client terminal 700 is connected to each of the manufacturing facilities 10 (FIG. 1) encrypted and stored in the facility state data DB 430 of the cloud server 400, using the decryption key transmitted from the cloud server 400, -1 to 10-N) are decoded and displayed on a display screen in real time.

In addition, after the step S430, a step S440 of providing a cloud computing service in response to a request of an external client terminal 700 through the cloud server 400, a step S440 of providing a cloud computing service through the client terminal 700 through the cloud server 400 The facility status data of each of the manufacturing facilities 10-1 to 10-N stored in the facility status data DB 430 of the cloud server 400 is retrieved and displayed in real time using the client member login cloud web service of the cloud server 400, (S450). ≪ / RTI >

At this time, in step S440, it is determined whether or not each of the manufacturing equipments 10-1 to 10-N stored in the equipment status data DB 430 of the cloud server 400 using the client terminal 700 through the cloud server 400 It is desirable to provide a cloud web service to download facility status data.

In step S450, the manufacturing facility-related cloud application downloaded from the cloud server 400 through the client terminal 700 is used to manage each manufacturing facility 10 (FIG. 10) stored in the facility status data DB 430 of the cloud server 400 -1 to 10-N) is displayed on the real time search and display screen.

Although it is not shown in the drawing, it is also possible that, after the step S430 or after the step S450, the server control unit 440 provided in the cloud server 400 accesses only the predetermined manager (10-1 to 10-N) are periodically backed up and controlled to be stored and managed in a separate backup process data DB (450).

After the step S400, a query for accessing the equipment status data DB 430 of the cloud server 400 is monitored through the DB access control device 500 interlocked with the cloud server 400, and then an illegal DB (S500) for blocking the access.

That is, as shown in FIG. 11, the step S500 is a query for accessing the facility status data DB 430 of the cloud server 400 through the DB access monitoring module 550 provided in the DB access control apparatus 500 (S520) of analyzing the query information monitored in the step S510 through the DB access blocking module 560 included in the DB access control apparatus 500 and confirming the data access commands (S520) And the DB access control module 560 provided in the DB access control device 500, the data access commands identified in step S520 are compared with the illegal access instructions previously stored in the blacklist DB 540 (S530) of allowing or blocking data access of the corresponding equipment condition data DB 430 for the query according to the query.

If an unauthorized data access command corresponding to the data access command identified in step S520 exists in the black list DB 540 in step S530, the DB access control module 570 to the query corresponding to the data access command and then deletes the query to which the specific code is assigned and stores the corresponding access user information and access IP address information in the blacklist DB 540 And controlling the blacklist information to be updated (S540).

Meanwhile, in step S530, an illegal data access instruction stored in advance in the blacklist DB 540 may be a command corresponding to at least one of an illegal data generation instruction, an illegal data modification instruction, and an illegal data deletion instruction .

12, after the step S530 or after the step S540, the DB access control module 570 of the DB access control device 500 transmits the data transmitted from the external user terminal 600 through the DB access control module 570 (S550) of analyzing a message for requesting access to the facility state data DB of the cloud server 400 together with the user's unique identification information and extracting the user's unique identification information; a DB access control Stored in the separate license DB 520 in accordance with whether the user unique identification information extracted in step S550 is identical to the user unique identification information previously stored in the user information DB 510 through the module 570, (S560) of transmitting a specific access key corresponding to one level of the user access right of the unique identification information to the corresponding user terminal 600 and a DB access control module 570 of the DB access control device 500 (S570) of extracting a specific access key by analyzing a message for data access stored in the facility status data DB 430 of the cloud server 400 together with the specific access key transmitted from the own terminal 600, The DB access control module 570 of the control device 500 determines whether the specific access key extracted in step S570 matches the specific access key stored in advance in the DB 530 (S580) controlling the operation of the DB access blocking module 560 such that data access of the facility status data DB 430 is permitted or blocked.

At this time, if there is a specific access key matching the specific access key extracted in step S570 in the usage right DB 520 in step S580, the DB access control module 570 notifies the user It is preferable to control the operation of the DB access blocking module 560 such that data access stored in the facility status data DB 430 of the cloud server 400 is allowed according to one level of the access right.

After the step S580, the DB access control module 570 permits access to data stored in the equipment status data DB 430 of the cloud server 400 according to a level of the user access right granted to the specific access key After confirming the data access result information in real time, whether or not the data access result information is identical to the illegal data access result information stored in advance in the security policy DB 530, (S590) the operation of the DB access blocking module 560 such that data re-access of the data DB 430 is permitted or blocked.

If illegal data access result information matching the confirmed data access result information exists in the security policy DB 530 in step S590, the DB access control module 570 transmits the determined data access result information The data of the facility state data DB 430 is deleted using the separate backup process data DB 580 as data before the illegal data access The user access right level of the user unique identification information corresponding to the specific access key stored in the user information DB 510 is stored in the user information DB 510 so that the data access to the equipment status data DB 430 by the specific access key is blocked The deletion is preferable.

Meanwhile, illegal data access result information stored in advance in the security policy DB 530 is preferably composed of data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion .

On the other hand, although not shown in the figure, before the step S550 or S560, the DB access control module 570 notifies the cloud server 400 via the DB 600 of the corresponding user (DB) for each user unique identification information in the user information DB 520 together with one level of user access right to the facility status data DB 430 of the cloud server 400 given by the administrator based on the unique identification information To be stored.

Also, before the step S550 or S560, the facility status data of the cloud server 400 according to one level of user access right to the facility status data DB 430 of the cloud server 400 through the DB access control module 570 The method may further include controlling at least one specific access key accessible to the data DB 430 to be stored in a database (DB) for each user access level.

The data stored in the equipment status data DB 430 of the cloud server 400 may be separately stored in the DB server 400 through the DB access control module 570 provided in the DB access control device 500 before or after the step S510. The backup process data DB 580 of FIG.

Meanwhile, the security method for an industrial cloud connector according to an embodiment of the present invention can also be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.

For example, the computer-readable recording medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, a removable storage device, a nonvolatile memory, , And optical data storage devices.

In addition, the computer readable recording medium may be distributed and executed in a computer system connected to a computer communication network, and may be stored and executed as a code readable in a distributed manner.

Although the preferred embodiments of the security system and method for an industrial cloud connector according to the present invention have been described above, the present invention is not limited thereto. It is possible to carry out the modification by branching, and this also belongs to the present invention.

100: process data acquisition device,
200: a cloud connector device,
210: Manufacturing facility DB,
220: Data processing module,
230: Data conversion module,
300: Security device for the cloud connector,
310: encryption module,
320: Decryption key grant module,
400: Cloud server,
410: Decryption module,
420: data analysis module,
430: Equipment status data DB,
440: server control device,
450: backup process data DB,
500: DB access control device,
510: user information DB,
520: License DB,
530: security policy DB,
540: Blacklist DB,
550: DB access monitoring module,
560: DB access blocking module,
570: DB access control module,
580: backup process data DB,
600: user terminal,
700: client terminal

Claims (28)

A process data acquisition device that transmits process data acquired from at least one manufacturing facility in a factory through a plurality of Internet of Things (IoT) sensors together with unique identification information of each manufacturing facility;
The process data acquisition device receives the unique identification information together with the process data for each manufacturing facility and receives the unique identification information from the process data acquisition device. Based on the type and size of the process data for each manufacturing facility, A cloud connector device for providing data and converting it into equipment status data of each manufacturing facility corresponding to a cloud compatible protocol;
A security device for a cloud connector that receives facility state data of each manufacturing facility converted and transmitted from the cloud connector device and encrypts the encrypted facility state data and transmits a decryption key for decrypting facility state data of each encrypted manufacturing facility; And
And a decryption key, which is connected to the security device for the cloud connector through a communication network, together with the facility status data of each manufacturing facility encrypted by the security device for the cloud connector, receives facility status data of each encrypted manufacturing facility based on the decryption key, And a cloud server for storing and managing the facility state data of each of the decrypted manufacturing facilities in a database (DB) of a separate facility state data DB,
The cloud server classifies accessible data for each level of user access rights assigned in advance for each specific access key so that the data access paths are separated from each other when data is accessed by the external user terminal, And to be stored in the equipment status data DB.
The method according to claim 1,
Further comprising a DB access control device interlocked with the cloud server to monitor a query for accessing the facility status data DB of the cloud server and to block illegal DB access,
The DB access control apparatus includes:
A DB access monitoring module for monitoring query information accessing the facility status data DB of the cloud server in cooperation with the cloud server;
The DB access monitoring module analyzes the query information monitored by the DB access monitoring module to check the data access commands and checks whether or not the data access commands corresponding to the corresponding query are matched with the illegal access commands stored in advance in the black list DB A DB access blocking module for allowing or blocking data access of the facility status data DB; And
And a DB access control module for controlling operations of the DB access monitoring module and the DB access blocking module,
Wherein the DB access blocking module is configured to set a black access DB in response to the control of the DB access control module when an unauthorized data access command corresponding to the confirmed data access command exists in the black list DB Assigns a specific code, deletes the query to which the specific code is assigned, stores the access user information and the access IP address information in the black list DB, and controls the black list information to be updated,
Wherein the illegal data access instruction stored in advance in the blacklist DB comprises at least one of an illegal data generation instruction, an illegal data modification instruction, and an illegal data erase instruction. Security system.
3. The method of claim 2,
The DB access control module receives a message for requesting access to the facility status data DB of the cloud server together with the user unique identification information transmitted from an external user terminal, analyzes the received message to extract user unique identification information, A specific access key corresponding to a user access right level of corresponding user unique identification information stored in advance in a separate license DB in accordance with whether the user unique identification information is stored in a separate user information DB, Lt; / RTI >
A message for accessing data stored in the facility state data DB of the cloud server together with a specific access key transmitted from the user terminal is received and analyzed to extract a specific access key, The DB access control module controls the operation of the DB access blocking module so that data access of the facility state data DB of the cloud server is permitted or blocked according to whether or not specific access keys stored in advance in the DB are matched,
When the extracted access specific key is identical to the extracted specific access key in the usage right DB, the data access in the facility status data DB of the cloud server is permitted according to the level of the user access right given to the specific access key Controls the operation of DB access blocking module,
Accessing the data stored in the facility state data DB of the cloud server according to one level of the user access right granted to the specific access key, checking the data access result information in real time, The operation of the DB access blocking module is controlled so that re-access of data of the corresponding equipment state data DB by the specific access key is permitted or blocked according to whether or not the illegal data access result information stored in the policy DB is stored in advance,
If the illegal data access result information matching the confirmed data access result information exists in the security policy DB, the data of the equipment status data DB corresponding to the confirmed data access result information is deleted, The data of the deleted facility state data DB is restored to the data before the illegal data access using the data DB and the data of the facility state data DB of the corresponding facility state data DB is blocked by the specific access key Deletes one user access right level of the user unique identification information corresponding to the specific access key stored in the storage unit,
Wherein the illegal data access result information stored in advance in the security policy DB comprises data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion. Security system for.
The method of claim 3,
The DB access control module receives corresponding user unique identification information registered at the time of membership registration of the user in the cloud server through the user terminal, (DB) for each user unique identification information in the user information DB together with one access right level,
At least one specific access key capable of accessing the facility status data DB of the cloud server according to one level of user access right to the facility status data DB of the cloud server,
And the data stored in the facility state data DB of the cloud server is periodically backed up and stored in a separate backup process data DB.
The method according to claim 1,
The cloud connector device includes:
A manufacturing equipment DB for storing facility information data for each manufacturing facility corresponding to the unique identification information of each manufacturing facility;
The unique identification information is received together with the process data for each manufacturing facility transmitted from the process data obtaining device, and compared with the unique identification information of each manufacturing facility stored in the manufacturing facility DB and the facility information data for each corresponding manufacturing facility The process data for each manufacturing facility transmitted from the process data acquiring device is divided for each channel according to the type and size of the data and then transmitted through each channel encoded in parallel so as to have different bit rates module; And
Metadata is provided for each type of process data for each manufacturing facility transmitted from the data processing module, and the industrial protocol of each manufacturing facility and the protocol of the cloud server are confirmed, and the equipment of each manufacturing facility corresponding to the cloud compatible protocol And a data conversion module for converting the state data to the security data for the cloud connector.
The method according to claim 1,
The security device for the cloud connector includes:
An encryption module for receiving facility status data of each manufacturing facility converted and transmitted from the cloud connector device and encrypting the facility status data using symmetric or asymmetric encryption; And
And a decryption key assigning module for assigning a decryption key for decrypting the facility state data of each manufacturing facility encrypted by the encryption module to the cloud server, and transmitting the decryption key to the cloud server.
delete The method according to claim 1,
The cloud server includes:
A decryption module for receiving the decryption key together with the facility state data of each manufacturing facility encrypted from the security device for the cloud connector and decrypting the facility state data of each encrypted manufacturing facility based on the decryption key;
A data analysis module for receiving equipment state data of each manufacturing facility decoded from the decoding module and classifying the equipment state data of each manufacturing facility according to the received metadata;
A facility state data DB for storing and managing facility state data of each manufacturing facility in a database (DB);
And a server control unit for controlling the facility state data of each manufacturing facility classified by the data analysis module to be stored in the facility state data DB.
9. The method of claim 8,
And a backup process data DB for backing up and storing data corresponding to the facility status data DB,
Wherein the server control device periodically backs up the equipment status data of each manufacturing facility stored in the equipment status data DB so that only a predetermined administrator can access it and controls the equipment status data to be stored in the backup process data DB. Security system for.
The method according to claim 1,
The cloud server provides a cloud computing service in response to a request from an external client terminal,
The client terminal displays real-time facility status data of each manufacturing facility stored in the facility status data DB of the cloud server on the display screen using the client member login cloud web service of the cloud server Security system for industrial cloud connectors.
11. The method of claim 10,
When the facility state data of each manufacturing facility is stored in the facility state data DB as a database (DB), the cloud server encrypts and stores facility state data of each manufacturing facility using a symmetric or asymmetric encryption method, Providing a service such that a decryption key capable of decrypting facility state data of each encrypted manufacturing facility is transmitted to the client terminal,
The client terminal decrypts the facility state data of each manufacturing facility encrypted and stored in the facility state data DB of the cloud server using the decryption key transmitted from the cloud server together with the corresponding client member login information, And displays it on a display screen.
11. The method of claim 10,
Wherein the cloud server provides a cloud web service to download facility state data of each manufacturing facility stored in the facility state data DB through the client terminal.
11. The method of claim 10,
Wherein the client terminal displays the facility status data of each manufacturing facility stored in the facility status data DB of the cloud server on a real time search and display screen through the cloud app related to the manufacturing facility downloaded from the cloud server. Security system for connectors.
The method according to claim 1,
The unique identification information of each manufacturing facility includes the name of the manufacturing facility, the password of the manufacturing facility, the serial number of the manufacturing facility, the type of manufacturing facility, the manufacturer of the manufacturing facility, the MAC address of the manufacturing facility, A unique IP (Internet Protocol) address, a model of a manufacturing facility and a version of a manufacturing facility, a secret key of a manufacturing facility, or authentication information of a device generated by a PKI-based private key Security system for industrial cloud connectors.
A security method for an industrial cloud connector using a system including a process data acquisition device, a cloud connector device, a security device for a cloud connector, and a cloud server,
(a) transmitting process data acquired from at least one manufacturing facility in a factory through a plurality of Internet of Things (IoT) sensors through the process data acquisition device together with unique identification information of each manufacturing facility;
(b) encoding, at a different bit rate according to the type and size of the process data for each manufacturing facility, based on the unique identification information, together with the process data for each manufacturing facility transmitted in the step (a) through the cloud connector device And converting the metadata to equipment state data of each manufacturing facility corresponding to the cloud compatible protocol and transmitting the metadata;
(c) encrypting the facility status data of each manufacturing facility converted and transmitted in the step (b) through the security device for the cloud connector, and decrypting the facility status data of each encrypted manufacturing facility ; And
(d) decrypting facility state data of each encrypted manufacturing facility on the basis of the decryption key together with the facility state data of each manufacturing facility encrypted in the step (c) through the cloud server, And storing and managing facility status data of the facility into a database (DB) in a separate facility status data DB,
In the step (d), the data access paths are separated from each other when the data of the facility state data DB is accessed using an external user terminal through the cloud server, Are managed and stored in the facility state data DB of the cloud server. ≪ RTI ID = 0.0 > [10] < / RTI >
16. The method of claim 15,
After the step (d)
(e) monitoring an access to the facility status data DB of the cloud server through a DB access control apparatus interlocked with the cloud server, and blocking an illegal DB access,
The step (e)
(e-1) monitoring query information for accessing the facility status data DB of the cloud server through a DB access monitoring module provided in the DB access control device;
(e-2) analyzing the query information monitored in the step (e-1) through the DB access blocking module provided in the DB access control device and confirming data access commands; And
(e-3) whether or not the illegal access command stored in advance in the black list DB is compared with the data access commands confirmed in the step (e-2) through the DB access blocking module provided in the DB access control device And allowing or blocking data access to the facility status data DB for the query,
If an unauthorized data access command corresponding to the confirmed data access command exists in the black list DB in the step (e-3), the data access command through the DB access control module included in the DB access control apparatus And a step of deleting the query to which the specific code is assigned and storing the access user information and the access IP address information in the black list DB so that the black list information is updated Further comprising:
Wherein the illegal data access instruction stored in advance in the blacklist DB comprises at least one of an illegal data generation instruction, an illegal data modification instruction, and an illegal data erase instruction. Security method.
17. The method of claim 16,
After step (e-3) above,
(e-4) a DB access control module included in the DB access control device analyzes the message for requesting access to the facility status data DB of the cloud server together with the user unique identification information transmitted from an external user terminal, Extracting identification information;
(e-5) checking whether the user's unique identification information extracted in the step (e-4) through the DB access control module provided in the DB access control device matches the user's unique identification information previously stored in the separate user information DB Transmitting to the corresponding user terminal a specific access key corresponding to one level of the user's access right of the corresponding user unique identification information stored in advance in a separate license DB;
(e-6) analyzes a message for data access stored in the facility state data DB of the cloud server together with a specific access key transmitted from the user terminal through a DB access control module provided in the DB access control device, Extracting a key; And
(e-7) a DB access control module provided in the DB access control device, the DB access control module compares the specific access key extracted in the step (e-6) with a specific access key stored in advance in the DB, Further comprising controlling the operation of the DB access blocking module such that data access to the facility status data DB of the server is permitted or blocked,
If the specific access key corresponding to the extracted specific access key exists in the usage right DB at the step (e-7), the DB access control module Controlling operations of the DB access blocking module such that data accesses stored in the facility state data DB of the cloud server are allowed; and controlling the operation of the cloud access control module based on the level of the user access right granted to the specific access key through the DB access control module. The data access result information is checked in real time after the data access stored in the equipment status data DB of the server is permitted and then the data access result information is compared with the illegal data access result information stored in advance in the separate security policy DB Therefore, it is allowed to re-access the data of the corresponding equipment status data DB by the specific access key Or controlling the operation of the DB access blocking module so as to be blocked,
If the illegal data access result information matching the confirmed data access result information exists in the security policy DB, the data of the equipment status data DB corresponding to the confirmed data access result information is deleted through the DB access control module The data of the deleted facility state data DB is restored to the data before the illegal data access by using the separate backup process data DB and the data access of the corresponding facility state data DB by the specific access key is restored The level of the user's access right of the user unique identification information corresponding to the specific access key stored in the separate user information DB is deleted,
Wherein the illegal data access result information stored in advance in the security policy DB comprises data access result information corresponding to at least one of illegal data generation, illegal data modification, and illegal data deletion. Security method for.
18. The method of claim 17,
Prior to the step (e-4) or the step (e-5)
A user access right level for the facility status data DB of the cloud server provided by the administrator on the basis of corresponding user unique identification information registered at the time of membership registration of the user to the cloud server through the DB through the DB access control module (DB) for each user unique identification information in the user information DB,
And a database access control module for accessing at least one specific access key to the facility status data DB of the cloud server according to one level of user access right to the facility status data DB of the cloud server, The method further comprising the step of controlling the storage device to be stored in the storage device.
18. The method of claim 17,
The data stored in the facility state data DB of the cloud server is stored in separate backup process data (DB) through the DB access control module provided in the DB access control device before the step (e-1) or after the step DB to be periodically backed up and stored in the DB. ≪ RTI ID = 0.0 > 11. < / RTI >
16. The method of claim 15,
The step (b)
(b-1) storing facility information data for each manufacturing facility corresponding to the unique identification information of each manufacturing facility through the cloud connector device in a separate manufacturing facility DB;
(b-2) receiving unique identification information together with process data for each manufacturing facility transmitted in the step (a) through a data processing module provided in the cloud connector device, (A), the process data for each manufacturing facility transmitted in the step (a) is separated according to the type and size of the data when the unique identification information of the manufacturing facility is compared with the facility information data for each corresponding manufacturing facility And transmitting through each channel encoded in parallel so as to have different bit rates; And
(b-3) assigning metadata to each data type of process data for each manufacturing facility transmitted in the step (b-2) through a data conversion module included in the cloud connector device, And a protocol of the cloud server to convert the data into equipment status data of each manufacturing facility corresponding to the cloud compatible protocol and transmitting the data to the security device for the cloud connector.
16. The method of claim 15,
The step (c)
(c-1) encrypting facility state data of each manufacturing facility converted and transmitted in the step (b) through a symmetric or asymmetric encryption scheme through an encryption module included in the security device for a cloud connector; And
(c-2) a decryption key capable of decrypting equipment state data of each manufacturing facility encrypted in the step (c-1) through a decryption key granting module provided in the security device for a cloud connector, The method comprising the steps of: (a)
delete 16. The method of claim 15,
The step (d)
(d-1) decrypting facility state data of each encrypted manufacturing facility on the basis of the decryption key together with the facility state data of each manufacturing facility encrypted in the step (c) through a decryption module provided in the cloud server step;
(d-2) the facility status data of each manufacturing facility according to the provided metadata on the basis of the facility status data of each manufacturing facility decrypted in the step (d-1) through the data analysis module provided in the cloud server ; And
(d-3) the facility state data of each manufacturing facility classified in the step (d-2) through a server control device provided in the cloud server, into a database (DB) Wherein the method further comprises the step of:
24. The method of claim 23,
After the step (d-3)
The facility status data of each manufacturing facility stored in the step (d-3) is periodically backed up so that only a predetermined administrator can access the server through the server control device provided in the cloud server, so that it is stored and managed in a separate backup process data DB Wherein the method further comprises the step of:
24. The method of claim 23,
After the step (d-3)
(d-4) providing a cloud computing service in response to a request from an external client terminal through the cloud server; And
(d-5) Facility status data of each manufacturing facility stored in the facility status data DB of the cloud server is searched in real time and displayed on a display screen using the client member login cloud web service of the cloud server through the client terminal Further comprising the steps of:
The method of claim 1, wherein in step (d-4), a cloud web service is provided so that facility state data of each manufacturing facility stored in the facility state data DB of the cloud server can be downloaded using the client terminal through the cloud server,
In the step (d-5), facility status data of each manufacturing facility stored in the facility status data DB of the cloud server is retrieved and displayed in real time by using the manufacturing facility-related cloud application downloaded from the cloud server through the client terminal And displaying the image on the screen.
24. The method of claim 23,
In the step (d-3), when the facility status data of each manufacturing facility is stored in the facility status data DB in the form of a database (DB) through the cloud server, the facilities of each manufacturing facility are managed using a symmetric or asymmetric encryption method. And a decryption key capable of decrypting the facility state data of each encrypted manufacturing facility is transmitted to an external client terminal,
The client terminal decrypts the facility state data of each manufacturing facility encrypted and stored in the facility state data DB of the cloud server using the decryption key transmitted from the cloud server together with the corresponding client member login information, And displaying the information on the display screen.
16. The method of claim 15,
In the step (a), the unique identification information of each manufacturing facility includes the name of the manufacturing facility, the password of the manufacturing facility, the serial number of the manufacturing facility, the type of the manufacturing facility, the manufacturer of the manufacturing facility, At least any one of authentication information of a device generated by a private key of a manufacturing facility, a unique IP (Internet Protocol) address of a manufacturing facility, a model of a manufacturing facility and a version of a manufacturing facility, The method comprising the steps of:
A computer-readable recording medium having recorded thereon a computer program for executing the method according to any one of claims 15 to 21, 23 to 27.

Images