KR101880162B1 - Method for Control Signals Verifying Integrity Using Control Signals Analysis in Automatic Control System - Google Patents
- Publication number
- KR101880162B1
- Authority
- KR
- South Korea
- Prior art keywords
- signal
- control
- control signal
- unit
- abnormal
- Prior art date
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/05—Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
- G05B19/058—Safety, monitoring
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/10—Plc systems
- G05B2219/14—Plc safety
- G05B2219/14114—Integrity, error detector, switch off controller, fail safe
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Testing And Monitoring For Control Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention verifies the integrity of control signals against the various cyber attacks that cause control signals to malfunction in a control system operating in an industrial facility. The control unit includes a collecting unit for collecting the control signals transmitted to operate the control device, a signal processing unit for analyzing and processing the information, and a detection unit for detecting an abnormal signal by analyzing the association relation with a previously stored abnormality signal.
Description
The present invention relates to a system for verifying the integrity of a control signal of an industrial facility, and more particularly to a system that collects control signals transmitted from an operation server or a user computer of a control system, and to a method for preventing abnormal operation of the control system.
Existing information protection technology for automatic control systems has been developed as methods, such as network-based firewalls, that perform filtering and anomaly detection targeting only a communication protocol for industrial automatic control such as MODBUS.
Korean Patent No. 10-1538927 discloses a method in which a sub key is automatically generated in a PLC and an internal encryptor encrypts control signal variable values with that sub key, thereby blocking exposure of variable values related to a control signal to the outside. However, it cannot respond to an attack of the recent type, in which a user computer inside the automatic control system is infected and sends a signal that causes an automatic control device to malfunction under the same conditions as a normal signal.
Korean Patent Laid-Open Publication No. 10-2013-0071138 describes a technique for preventing unauthorized access with an access control filter that uses the source address and port number and the destination address and port number included in the MODBUS protocol used for transmitting automatic control signals. However, such an apparatus and method cannot be applied to a system using a protocol other than the one it was built for, and it is inconvenient to apply a new access control method for each protocol.
In addition, intrusion detection and analysis technologies targeting control systems are mainly based on TCP/IP, the MODBUS protocol and the DNP3 protocol, and research on control system security is mainly conducted against specific communication protocols such as Ethernet/IP, BACnet (building control systems) and IEC 61850 (power control systems). Such technology is also not suitable as a way of applying a new security system to an existing control system that is operated without one, and development of security technology for newly installed control systems is limited.
Therefore, there is a need for a technology capable of safely protecting an automatic control system by installing or using a general protocol instead of a security system that is applicable only to a specific protocol or a newly installed automatic control system.
SUMMARY OF THE INVENTION The present invention has been made in view of the above problems. Its object is to solve the difficulty of preventing, with security tied to a specific automatic-control protocol, attacks by illegal manipulation that occur internally, and to overcome the limitation that a wrong control signal caused by malfunction of the internal system is difficult to detect at the protocol level.
Furthermore, the present invention aims to solve the economic difficulty of requiring a variety of protocol-based security systems in order to detect and recognize internal signal malfunction caused by operating system damage in the control system, to prevent attacks arising from internal system damage by viruses, and to detect anomalous indications.
According to an aspect of the present invention, there is provided a method of detecting an erroneous control signal in an integrity verification apparatus having at least one processor in a network, the method comprising: a step (200) of collecting control signals and registering them in a white list; a step (300) of collecting control signals transmitted and received in the network and measuring their similarity by comparing and analyzing the collected control signals against the control signals registered in the whitelist DB (510); and a step (400) of determining whether a control signal is abnormal by applying, to the measured similarity, a threshold value set for each control signal.
The step (200) of registering the normal control signal in the white list includes a collecting unit (100) for collecting a control signal normally operated while operating the system during a predetermined use period in the steady state; An electrical
The
When the feature values of the new control signals not registered in the whitelist are found in
The step of determining the
The control signal integrity verification method for an automatic control system of the present invention analyzes the control signals transmitted to operate the control devices constituting an automatic control system, extracts their feature values and registers them in advance. It then extracts the analog and digital characteristic values of all control signals transmitted in the general operating environment and compares them with the registered values. This detects abnormal signals caused by malicious attack from the outside as well as abnormal signals originating from insiders as a result of an attack on the system, so that a control system that is safe against abnormal behavior can be built and safety and reliability can be secured against attack by abnormal signals.
FIG. 1 is a flowchart illustrating a method for a verification apparatus having at least one processor in a network to verify the integrity of a control signal of the network according to an embodiment of the present invention.
Hereinafter, preferred embodiments of the present invention will be described in more detail.
The features and advantages of the present invention will become more apparent from the following detailed description of preferred embodiments with reference to the accompanying drawings.
Prior to this, terms and words used in the present specification and claims must be interpreted with the meaning and concept that accord with the technical idea of the present invention, based on the principle that the inventor can properly define the concept of a term in order to explain his invention in the best way.
In addition, it will be apparent to those skilled in the art that the present invention may be practiced without specific details, such as specific software methods, in the following description.
FIG. 1 is a functional block diagram illustrating a method for verifying integrity of a control signal on a network constituting an automatic control system according to an embodiment of the present invention.
A control signal integrity verification method using control signal analysis in an automatic control system of the present invention includes an electrical
In the following, the organic functions of each configuration and the principle of the system will be described in detail based on the overall system configuration of the present invention described above.
The electric
The operation
The electric
The electric
The
The white
When the new signal received in the operating state is received, the
The
The abnormal
The control signal integrity verification method and apparatus using control signal analysis in an automatic control system is a technology for detecting irregular signals in the control system in order to ensure the availability of industrial communication facilities. It provides control system control and malicious signal detection as a way to effectively detect possible cyber attacks.
The control system protection device collects operation signal types based on the control signal circuit diagram constituting the PLC system, forms a white list from them, and detects unauthorized signals in the operating environment based on the configured usage pattern, so that the control system can be safely protected.
In addition, for real-time traffic analysis, an open-source large-scale data analysis platform is used to analyze and check the control signals transmitted from the automatic control system and to detect anomalous signals among them, and the control variables extracted from the transmitted signals are used as information for detecting abnormal behavior.
The foregoing description has set forth, somewhat broadly, the features and technical advantages of the present invention in order to better understand the claims of the invention to be described below. It should be appreciated by those skilled in the art that the concepts and specific embodiments of the invention described above may be readily used as a basis for designing or modifying other features to accomplish the invention and similar purposes.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. Therefore, the disclosed embodiments are to be considered in an illustrative rather than a restrictive sense, and all differences within the scope of the invention as defined in the appended claims and their equivalents should be construed as being included in the present invention.
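The flow described above (register normal signals in the steady state, then check operating-state signals against the whitelist within each device's error range and alarm on the rest) as an added Python sketch; it is not code from the patent. The whitelist key, the nearest-value deviation used as the similarity measure, the exact-match rule for digital signals, and all names and sample values are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Mode(Enum):
    STEADY = "steady"        # pilot run, external connections blocked
    OPERATING = "operating"  # live operation, normal and abnormal mixed


class Verdict(Enum):
    REGISTERED = "registered"          # learned in the steady state
    NORMAL = "normal"                  # within error range, forwarded
    NEW_REGISTERED = "new_registered"  # unknown signal approved by operator
    ABNORMAL = "abnormal"              # blocked, alarmed and logged


@dataclass(frozen=True)
class Signal:
    sender: str     # user ID or IP that issued the command
    device_id: str  # target control device
    kind: str       # "analog" or "digital"
    value: float    # voltage/current if analog, 0 or 1 if digital
    time: str       # collection time


@dataclass
class Verifier:
    tolerance: dict[str, float]        # per-device error range (analog)
    confirm: Callable[[Signal], bool]  # operator decision on a new signal
    whitelist: dict[tuple, list[dict]] = field(default_factory=dict)
    abnormal_log: list[dict] = field(default_factory=list)

    @staticmethod
    def _key(sig: Signal) -> tuple:
        # Assumption: sender, device and signal type identify a whitelist entry.
        return (sig.sender, sig.device_id, sig.kind)

    def _register(self, sig: Signal, in_operation: bool) -> None:
        self.whitelist.setdefault(self._key(sig), []).append(
            {"value": sig.value, "added_in_operation": in_operation})

    def _alarm(self, sig: Signal, reason: str) -> Verdict:
        # Record the fields the claims list for the abnormal-signal DB.
        self.abnormal_log.append({"sender": sig.sender, "device": sig.device_id,
                                  "kind": sig.kind, "value": sig.value,
                                  "time": sig.time, "reason": reason})
        return Verdict.ABNORMAL

    def process(self, sig: Signal, mode: Mode) -> Verdict:
        if mode is Mode.STEADY:                      # step 200: learn
            self._register(sig, in_operation=False)
            return Verdict.REGISTERED
        entries = self.whitelist.get(self._key(sig))
        if entries is None:                          # new signal: ask operator
            if self.confirm(sig):
                self._register(sig, in_operation=True)
                return Verdict.NEW_REGISTERED
            return self._alarm(sig, "unregistered signal not confirmed")
        # Steps 300/400: distance to the nearest registered value against the
        # device's error range (digital signals must match exactly).
        tol = self.tolerance.get(sig.device_id, 0.0) if sig.kind == "analog" else 0.0
        deviation = min(abs(sig.value - e["value"]) for e in entries)
        if deviation <= tol:
            return Verdict.NORMAL
        return self._alarm(sig, f"deviation {deviation:.2f} > tolerance {tol:.2f}")


def demo() -> tuple[list[Verdict], Verifier]:
    # Constructed sample data; addresses are from the documentation range.
    v = Verifier(tolerance={"valve-1": 0.2},
                 confirm=lambda s: s.sender == "192.0.2.20")
    for s in [Signal("192.0.2.10", "valve-1", "analog", 5.0, "t0"),
              Signal("192.0.2.10", "pump-2", "digital", 1.0, "t1")]:
        v.process(s, Mode.STEADY)
    live = [Signal("192.0.2.10", "valve-1", "analog", 5.1, "t2"),  # in range
            Signal("192.0.2.10", "valve-1", "analog", 9.5, "t3"),  # known sender, bad value
            Signal("192.0.2.99", "pump-2", "digital", 0.0, "t4"),  # unknown, rejected
            Signal("192.0.2.20", "valve-1", "analog", 5.0, "t5")]  # unknown, approved
    return [v.process(s, Mode.OPERATING) for s in live], v


if __name__ == "__main__":
    verdicts, verifier = demo()
    for verdict in verdicts:
        print(verdict.value)
    print(verifier.abnormal_log)
```

The second live signal is the case the background section singles out: a registered sender issuing a command under the same conditions as a normal one, caught only because its value falls outside the device's error range.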
Claims (4)
An electric signal collector for collecting an electric control signal for operating the control device in the control system;
An operation mode checking unit for checking whether the collected control signal is a collection of control signals in a steady state or a control signal collection in an operating state and delivering a control signal to a corresponding processing routine;
An electric signal verifying unit for analyzing characteristic values of a control signal according to each control operation mode when the control signal is a steady state control signal;
An electric signal registration unit for registering the characteristic values of the control signal analyzed in the above-mentioned white list;
A feature extraction unit for analyzing a control signal that may include an attack of any type acquired by the electrical signal collection unit and extracting the feature value if the operation mode confirmation unit collects the control signal of the operational state;
A white list checking unit for comparing the extracted feature values with feature values in a pre-registered white list to check whether they are signals within a tolerance range of a normal signal and an operation error of each control device;
If the feature value of the control signal in the white list checking unit is a feature value of a new control signal that has a value within the error range and is not stored in the initial whitelist, it is confirmed by the operation system or the operator that the new control signal is a new normal control signal, A registration confirmation unit for storing the registered information;
An integrity discrimination unit for discriminating a control signal out of an error range or a control signal judged as a new attack as an abnormal control signal due to an attack by the white list checking unit and verifying the integrity of a control signal;
And an abnormal signal alarm unit for informing an operation system or an operator of the control system of the abnormal control signal discriminated by the integrity discrimination unit and recording an abnormal signal log,
The abnormal signal alarm unit 420 verifies whether the control signal value extracted from the electrical signal collecting unit and the control signal value recorded in the white list have a defect, that is, a signal value within an error range, Is forged or modulated,
The collected control signal is a control signal including a command value for directly operating the control device, either analogously or digitally, and has a signal value related to ON / OFF of the control device, not data packaged by a specific protocol,
The information on the characteristic value of the control signal includes information on a unique identifier (User ID, IP) assigned to the user and the operating system for giving an operation command to the control device, operation event information on the control device (signal type, analog signal value, An identifier (unique ID)), an error range for the control device,
The operation mode checking unit 120 performs an operation for generating a whitelist to be used for verifying the integrity of the received control signal,
The operation mode is divided into a normal state and an operation state; the normal state is performed during the pilot operation of the control system in a state where abnormal external connection is blocked, and all the control signals acquired by the electric signal collection unit 110 are confirmed as normal signals by the operation system or the operator and added to the whitelist DB 510,
The operation state is an environment for operating the control device and includes abnormal signals due to abnormal external connection, viruses, or the like, so that the control signals obtained by the electric signal collecting unit 110 are a mixture of normal signals and abnormal signals,
In order to verify the integrity of the control signal, the integrity checking unit 410 always checks and processes the integrity of the control signal,
When a signal not registered in the whitelist DB 510 is generated, the transmission of a new signal is notified to the operating system or the operator, and if the signal is determined to be a safe signal after the confirmation procedure, it is registered as a normal signal,
The electric signal verifying unit 210 operates in the normal operation mode in the operation mode checking unit 120 and registers the control signal obtained by the electric signal collecting unit 110 in the whitelist,
The normal signal collected for operating the control device may be received as a digital signal or an analog signal according to the characteristics of the control device; when the signal is received as a digital signal, the digital signal value is extracted, and when it is transmitted as an analog signal, the voltage or current values of the analog signal are extracted, and these are used as characteristic values of the corresponding signal,
The feature value analyzed by the electrical signal verifying unit 210 is used in the white list as a normal signal of the control device that receives it and is operated by it, and has error range information of the operation signal of the control device; the error range information of the operation signal is a criterion for determining a normal signal among the control signals received in the operating state,
The electric signal registration unit 220 registers the characteristic values of the control signal received from the electrical signal verification unit 210 in the whitelist DB 510; the registered information is all information on the normal signal, including the type of the signal, the identifier or address (IP) of the control device, and the feature value extracted from the control signal,
The feature extraction unit 310 is operated when the operation mode confirmation unit 120 is in the operation state operation mode, and extracts, from the operation state control signal collected by the electrical signal collection unit 110, the characteristic values used for comparison and analysis with the normal signal,
The white list checking unit 320 compares the feature values of the control signal extracted by the feature extracting unit 310 with the feature values of the normal signals registered in the whitelist DB 510; if the signal is a new signal not registered in the whitelist, the registration confirmation unit 330 is operated to confirm the signal, and if it is a signal registered in the whitelist, the integrity discriminator 410 determines whether the signal is normal or abnormal,
When a new signal is received in the operating state, the registration confirmation unit 330 is operated to determine whether the signal is a normal signal or an abnormal signal; if it is determined that the signal is a normal signal, it registers an identifier or address (IP) of the control signal, a feature value extracted from the control signal, and an identifier indicating that the signal was added in the operating state, in the white list DB 510,
The integrity discriminator 410 is operated to verify the integrity of the control signal; it receives the control signal transmitted from the whitelist inspector 320 and the characteristic values of the normal signal from the white list DB 510, and checks the degree of similarity of the control signal within the error range, using the tolerance range of the hardware operation signal, which differs for each control device. A signal included in the error range is transmitted as a normal signal to the control device, while a signal that is out of the error range is determined to be an abnormal signal that would abnormally operate the control device and is not transmitted to the control device but is passed to the abnormal signal alarm part 420 of the next stage for processing,
The abnormal signal alarm unit 420 informs the operating system or the operator of the information of the control signal discriminated as an abnormal signal through the whitelist-based integrity verification, and the information identifying the abnormal signal, such as the address information of the command sender, the control device information, the communication type (analog or digital), the control signal characteristic value, and the time information, is displayed on the screen and recorded in the abnormal signal DB 520. (Method for verifying the integrity of a control signal.)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150190868A KR101880162B1 (en) | 2015-12-31 | 2015-12-31 | Method for Control Signals Verifying Integrity Using Control Signals Analysis in Automatic Control System |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170079858A (en) | 2017-07-10 |
KR101880162B1 (en) | 2018-08-16 |
Family
ID=59356278
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150190868A KR101880162B1 (en) | 2015-12-31 | 2015-12-31 | Method for Control Signals Verifying Integrity Using Control Signals Analysis in Automatic Control System |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101880162B1 (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102069954B1 (en) * | 2017-12-28 | 2020-01-23 | 주식회사 포스코아이씨티 | System and Method for Generating Normal Sequence Pattern of Control Data |
KR102027044B1 (en) * | 2017-12-28 | 2019-09-30 | 주식회사 포스코아이씨티 | System for Detecting Abnormal Control Data |
KR102131689B1 (en) | 2018-01-30 | 2020-08-06 | 고려대학교 산학협력단 | An efficient control-flow integrity vefifing method based on unpredictability |
WO2020241959A1 (en) * | 2019-05-31 | 2020-12-03 | 주식회사 포스코아이씨티 | System for detecting abnormal control data |
KR102282843B1 (en) * | 2019-05-31 | 2021-07-27 | 주식회사 포스코아이씨티 | Abnormal Control Data Detection System Using Swiching Device |
KR102282847B1 (en) * | 2019-05-31 | 2021-07-27 | 주식회사 포스코아이씨티 | System for Detecting Abnormal Control Data |
WO2021107259A1 (en) * | 2019-11-29 | 2021-06-03 | (주) 앤앤에스피 | Method and system for iacs packet flow security monitoring in association with network packet whitelist |
CN112543123B (en) * | 2020-12-17 | 2023-07-28 | 云南昆钢电子信息科技有限公司 | Safety protection and early warning system of industrial automatic control system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101538709B1 (en) * | 2014-06-25 | 2015-07-29 | 아주대학교산학협력단 | Anomaly detection system and method for industrial control network |
JP2015172945A (en) * | 2009-08-28 | 2015-10-01 | 株式会社日立製作所 | Facility state monitoring method and apparatus for the same |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH08221117A (en) * | 1995-02-09 | 1996-08-30 | Mitsubishi Electric Corp | Analyzing device for supporting abnormality diagnosis |
KR101360591B1 (en) | 2011-09-29 | 2014-02-11 | 한국전력공사 | Apparatus and method for monitoring network using whitelist |
KR20130071138A (en) | 2011-12-20 | 2013-06-28 | 삼성전자주식회사 | Method for performing image forming operation using user information and image forming apparatus performing the same |
KR101889502B1 (en) | 2013-03-26 | 2018-08-20 | 한국전자통신연구원 | Abnormal traffic detection method on control system protocol |
KR101977731B1 (en) | 2013-03-29 | 2019-05-14 | 한국전자통신연구원 | Apparatus and method for detecting anomaly in a controller system |
KR101538927B1 (en) | 2013-10-25 | 2015-07-23 | 대우조선해양 주식회사 | PLC data management system for preemptive and method thereof |
2015-12-31: KR application KR1020150190868A, patent KR101880162B1 (en), active IP Right Grant
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111813096A (en) * | 2020-08-11 | 2020-10-23 | 北京航空航天大学 | Unmanned aerial vehicle safety control method under attack of expected track signal |
CN111813096B (en) * | 2020-08-11 | 2021-11-19 | 北京航空航天大学 | Unmanned aerial vehicle safety control method under attack of expected track signal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
AMND | Amendment | ||
E601 | Decision to refuse application | ||
AMND | Amendment | ||
E902 | Notification of reason for refusal | ||
AMND | Amendment | ||
X701 | Decision to grant (after re-examination) |