WO2014155650A1 - Information control device, information control system, and information control method - Google Patents
Information control device, information control system, and information control method
- Publication number: WO2014155650A1 (PCT application PCT/JP2013/059448)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- communication pattern
- communication
- information control
- abnormality
- database
- Prior art date
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B23/00—Testing or monitoring of control systems or parts thereof
- G05B23/02—Electric testing or monitoring
- G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
- G05B23/0218—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
- G05B23/0224—Process history based detection method, e.g. whereby history implies the availability of large amounts of data
- G05B23/0227—Qualitative history assessment, whereby the type of data acted upon, e.g. waveforms, images or patterns, is not relevant, e.g. rule based assessment; if-then decisions
- G05B23/0235—Qualitative history assessment, whereby the type of data acted upon, e.g. waveforms, images or patterns, is not relevant, e.g. rule based assessment; if-then decisions based on a comparison with predetermined threshold or range, e.g. "classical methods", carried out during normal operation; threshold adaptation or choice; when or how to compare with the threshold
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/40—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Definitions
- the present invention relates to an information control device, an information control system, and an information control method.
- the present invention relates to an abnormality detection device, an abnormality detection system, and an abnormality detection method for a control network.
- control network used in an automobile production plant or chemical plant
- in the control network, if the network becomes abnormal or stops, production stops and this directly leads to damage.
- the control network is required to have higher availability than an information network used for communication such as a PC, a mail server, a Web server, and a file server in a general office.
- in control networks used for power generation systems, water and sewage systems, and the like, if abnormal communication such as the writing of an unauthorized program to equipment is overlooked, a serious accident may occur. Therefore, the control network is required to have high reliability.
- conventionally, each vendor's proprietary communication protocol was used for the control network, so it was considered difficult to enter the control network and perform unauthorized operations.
- the control network was also conventionally operated separately from the Internet, which made it difficult for outsiders to enter the network.
- open communication protocols such as TCP/IP (Transmission Control Protocol / Internet Protocol) have been applied to control networks.
- TCP/IP: Transmission Control Protocol / Internet Protocol
- a form in which the control network and the Internet are connected and operated is also widespread. With the opening of the communication protocol of the control network and the Internet connection of the control network, unauthorized intrusion into the control network becomes possible, and attacks on control systems are increasing.
- IDS: Intrusion Detection System
- a list of normal communications performed in a network is defined, and it is determined that an abnormality has occurred when communication not corresponding to the list is performed.
- a control system composed of devices connected to the control network transitions between a plurality of system states depending on the stage of operation.
- Examples of the system state of the control system include an operation mode and a maintenance mode.
- the communication pattern in the control network changes according to the system state of the control system.
- the present invention is an invention for solving the above-described problems, and an object of the present invention is to detect unauthorized communication that is incompatible with the system state of the control system as an abnormality, and to increase the availability and reliability of the control network.
- a normal communication pattern between devices is stored for each system state; information indicating the system state is acquired and the system state is determined; information indicating the communication pattern between the devices is acquired and the communication pattern is determined; and based on the determined communication pattern and the communication pattern stored as the normal communication pattern for the determined system state, it is determined whether an abnormality has occurred in the system.
- control network availability and reliability can be improved.
- FIG. 1 shows an overall configuration diagram of a control system according to an embodiment of the present invention.
- the control network 102 is applied to the thermal power plant 101 .
- the application destination may instead be a nuclear power plant, a wind power plant, a hydroelectric power plant, a water and sewage system, a petroleum plant, a chemical plant, an automobile manufacturing plant, a food production plant, a steel production plant, or others.
- a control network 102 is provided in the thermal power plant 101.
- Various devices operating in the thermal power plant 101 are connected to the control network 102.
- the control network 102 is connected to an information network 105 provided in the office 104 via a network connection device 103.
- the information network 105 is a network to which information devices used in OA work are connected.
- a personal computer (PC), a file server, a Web server, a mail server, a printer, and the like are connected to the information network 105.
- the information network 105 is connected to the Internet 107 via a network connection device 106.
- a remote monitoring control center 108 that performs control, maintenance, monitoring, etc. of the thermal power plant from a remote location is connected via the Internet 107.
- the network connection devices 103 and 106 are devices that relay communication between devices connected to the network, and are routers, layer 3 switches, switching hubs, repeater hubs, and the like.
- FIG. 2 shows an example of an overall configuration diagram of the control network 102 according to the embodiment of the present invention.
- the control network 102 in FIG. 2 includes a behavioral abnormality detection device 201, a control terminal 202, a programming terminal 203, a log server 204, a MES (Manufacturing Execution System) terminal 205, a monitoring terminal 206, and PLCs (Programmable Logic Controllers) (207, 208), connected via a network connection device 103.
- the behavior abnormality detection device 201 is indispensable, but one or more of the other devices may be absent.
- the control network 102 is a network configured by wire, wireless, or both wired and wireless.
- the network connection device 103 is a device that connects devices connected to the control network 102, and corresponds to a device such as a router, a layer 3 switch, a switching hub, or a repeater hub.
- the topology of the control network 102 in FIG. 2 may be any of or a combination of a star topology, a bus topology, a ring topology, and other topologies.
- the control terminal 202 is a terminal that performs operations such as firmware update of the PLC (207, 208) via the control network 102.
- the programming terminal 203 is a terminal that writes a control program operating on the PLC (207, 208) to the PLC (207, 208) via the control network 102.
- the log server 204 is a device that collects and records PLC (207, 208) operation logs via the control network 102.
- the log server 204 transmits the recorded operation log to the monitoring terminal 206 via the control network 102 in response to a request from the monitoring terminal 206.
- the MES terminal 205 is a device that transmits information such as a power generation target to the PLC (207, 208) via the control network 102.
- the monitoring terminal 206 is a device that accesses the log server 204 via the control network 102 to acquire log data, and monitors the operating state of the PLC (207, 208).
- PLCs are connected to field devices such as actuators, motors and sensors.
- the field network (209, 210) is a network for a controller such as a PLC (207, 208) to control field devices.
- the field networks (209, 210) are wired, wireless, or a network configured by both wired and wireless.
- Standards for the field network (209, 210) include Profibus, Modbus, HART, WirelessHART, and ISA100.11a.
- the PLC 1 (207) and the PLC 2 (208) are connected to the field device via the field network (209, 210), but may be configured to connect directly without using the network.
- the PLC 1 (207) is connected to the turbine 211 and the rotation speed sensor 212 via the field network 209.
- the PLC 1 (207) acquires the rotation speed information from the rotation speed sensor 212 that measures the rotation speed of the turbine 211 via the field network 209.
- the PLC 1 (207) transmits a control command to the turbine 211 via the field network 209.
- the PLC 2 (208) is connected to the boiler 213, the temperature sensor 214, and the pressure sensor 215 via the field network 210.
- the PLC 2 (208) acquires temperature information from the temperature sensor 214 that measures the temperature of the boiler 213 via the field network 210.
- the PLC 2 (208) acquires pressure information from the pressure sensor 215 that measures the pressure of the boiler 213 via the field network 210.
- the PLC 2 (208) transmits a control command to the boiler 213 via the field network 210.
- FIG. 3 is a table showing the correspondence between the device name 301 and the address 302 of the device connected to the control network 102 of this embodiment.
- the address of the control terminal 202 is A.
- the address of the programming terminal 203 is B.
- the address of the log server 204 is C.
- the address of the MES terminal 205 is D.
- the address of the monitoring terminal 206 is E.
- the address of PLC1 (207) is F.
- the address of PLC2 (208) is G. Examples of the address include an IP address and a MAC address. Any other address may be used as long as it can uniquely identify a device connected to the control network.
- FIG. 4 shows a functional block diagram of the behavioral abnormality detection apparatus 201 in the first embodiment of the present invention.
- the behavior abnormality detection apparatus 201 includes a communication interface 401, a packet classification unit 402, a system state acquisition unit 403, a communication acquisition unit 404, an abnormality determination unit 405, a state communication storage unit 406, a database 407, and a received communication pattern list 408.
- the database 407 shows the correspondence between the system state and the normal communication pattern in the system state.
- FIG. 5 shows an example of the database 407.
- the system state defines the state of the entire device group that constitutes the control system.
- the system state 501 includes a programming mode 503, a power generation target setting mode 504, an operation mode 505, an operation monitoring mode 506, and a maintenance mode 507.
- a programming mode 503 represents a state in which a control program is written from the programming terminal 203 to the PLC 1 (207) and the PLC 2 (208).
- the power generation target setting mode 504 represents a state where power generation targets are set from the MES terminal 205 to the PLC 1 (207) and the PLC 2 (208).
- the operation mode 505 represents a state in which the PLC 1 (207) and the PLC 2 (208) control devices such as the turbine 211 and the boiler 213 based on the set program and the power generation target.
- the operation monitoring mode 506 represents a state in which the PLC 1 (207) and the PLC 2 (208) control devices such as the turbine 211 and the boiler 213 based on the set program and the power generation target, and the monitoring terminal 206 is monitoring the operating state of each device.
- the maintenance mode 507 represents a state in which maintenance work such as firmware writing from the control terminal 202 to the PLC 1 (207) and the PLC 2 (208) is being performed.
- a specific pattern of communication is performed according to the system state 501 of the control system.
- when the control system is in the programming mode 503, the following two normal communication patterns are defined. The first is communication for writing an operation program from the programming terminal 203 having the address B to the PLC 1 (207) having the address F. The second is communication for writing an operation program from the programming terminal 203 having the address B to the PLC 2 (208) having the address G.
- when the control system is in the power generation target setting mode 504, the following two normal communication patterns are defined.
- the first is communication for writing a power generation target from the MES terminal 205 having the address D to the PLC 1 (207) having the address F.
- the second is communication for writing a power generation target from the MES terminal 205 having the address D to the PLC 2 (208) having the address G.
- when the control system is in the operation mode 505, four normal communication patterns are defined. The first is communication for writing an operation log from the PLC 1 (207) having the address F to the log server 204 having the address C.
- the second communication is for writing an operation log from the PLC 2 (208) having the address G to the log server 204 having the address C.
- the third is communication from PLC1 (207) having address F to PLC2 (208) having address G.
- the third communication is a communication for notifying the PLC 2 (208) of the operation states of the turbine 211 and the rotation speed sensor 212 connected to the PLC 1 (207) via the field network 209.
- the fourth communication is from the PLC 2 (208) having the address G to the PLC 1 (207) having the address F.
- the fourth communication is a communication for notifying the operation state of the boiler 213, the temperature sensor 214, and the pressure sensor 215 connected to the PLC 2 (208) via the field network 210 to the PLC 1 (207).
- the third and fourth communications are generally called "success communication" or "memory transfer": communications by which a plurality of PLCs connected to the control network share the operation states of the devices connected to each PLC.
- the control system is in the operation monitoring mode 506, the following five normal communication patterns are defined. Of the five normal communication patterns, four are the same as the normal communication patterns when the system state is the operation mode 505.
- the fifth is communication for transmitting the operation log recorded by the log server 204 to the monitoring terminal 206 from the log server 204 having the address C to the monitoring terminal 206 having the address E.
- a pair of a transmission source address and a transmission destination address is defined as a normal communication pattern, but may be defined using another index. Examples of other indexes that define a normal communication pattern include a port number, a packet size, a communication interval, and a communication frequency.
- the communication interface 401 receives a packet communicated in the control network 102 and inputs it to the packet classification unit 402.
- the packet classification unit 402 refers to the header or content of the packet input from the communication interface 401 and determines whether the packet is a system status notification packet or a communication packet.
- the system status notification packet is a packet for notifying the system status.
- the system status notification packet is transmitted from an administrator of the control system via a device connected to the control network 102, for example.
- the system status notification packet may also be transmitted by the administrator of the control system via a device connected to the information network 105, which is upstream of the control network 102.
- it is transmitted from the administrator of the control system in the remote management center via the Internet 107.
- the system status notification packet may be transmitted by other methods.
- the system status notification packet may be directly input to the behavior abnormality detection device 201 without going through the network.
- the communication packet is an ordinary packet communicated between devices connected to the control network 102. If the packet input from the communication interface 401 is a system status notification packet, the packet classification unit 402 inputs the packet to the system status acquisition unit 403. If the packet input from the communication interface 401 is a communication packet, the packet classification unit 402 inputs the packet to the communication acquisition unit 404.
- the system state acquisition unit 403 extracts the system state and inputs it to the state communication storage unit 406.
- the communication acquisition unit 404 refers to the content of the communication packet input from the packet classification unit 402 and extracts the transmission source address and the transmission destination address of the communication packet.
- the communication acquisition unit 404 inputs the extracted transmission source address and transmission destination address to the abnormality determination unit 405.
- the state communication storage unit 406 records the current system state and records each combination of transmission source address and transmission destination address in the received communication pattern list 408.
- when the abnormality determination unit 405 receives the combination of the transmission source address and the transmission destination address from the communication acquisition unit 404, it first acquires the current system state recorded by the state communication storage unit 406. Next, the abnormality determination unit 405 refers to the database 407 to obtain the list of normal communication patterns 502 corresponding to the current system state 501. If the pair of transmission source address and transmission destination address acquired from the communication acquisition unit 404 is included in that list, it is determined that the control system is operating normally, and the pair is input to the state communication storage unit 406. If the pair is not included in the normal communication patterns 502, it is determined that an abnormality has occurred in the control system.
- the abnormality determination unit 405 has a clock function, and manages the current time, all communication pattern reception confirmation time, and all communication pattern reception confirmation intervals. All communication pattern reception confirmation intervals are set in advance.
- the abnormality determination unit 405 performs the following operation when the value obtained by subtracting the total communication pattern reception confirmation time from the current time is equal to or greater than the total communication pattern reception interval.
- the abnormality determination unit 405 updates the all communication pattern reception confirmation time to the current time.
- the abnormality determination unit 405 acquires the current system state and the received communication pattern list 408 from the state communication storage unit 406. Next, the abnormality determination unit 405 refers to the database 407 and the received communication pattern list 408 and confirms whether or not all the normal communication patterns 502 of the current system state 501 have been received.
- the abnormality determination unit 405 determines that the control system is operating normally when all the normal communication patterns have been received. When one or more normal communication patterns have not been received, it determines whether or not an abnormality has occurred in the control system by the processing based on an elapsed time threshold, which will be described later.
- the abnormality determination method will be described using a specific example. FIGS. 6, 7, and 8 each show a system state, the communication patterns acquired by the behavior abnormality detection device within a certain time (the all communication pattern reception confirmation interval) in that system state, and the received communication pattern list 408 created from them.
- FIG. 6A shows a case where two patterns of communication from address B to address F and communication from address B to G are acquired when the system state is the programming mode.
- each of these two patterns of communication matches a normal communication pattern for the case where the system state 501 is the programming mode 503 in the database 407 of FIG. 5, so both are registered in the received communication pattern list 408 of FIG. 6B. From the received communication pattern list 408 in FIG. 6B, all the normal communication patterns in the database 407 of FIG. 5 for the programming mode 503 have been received within the all communication pattern reception confirmation interval. Therefore, it is determined that the control system is normal.
- FIG. 7 shows an example in which communication from address A to address F is acquired when the system state is the power generation target setting mode.
- since the communication from the address A to the address F does not correspond to any normal communication pattern when the system state 501 is the power generation target setting mode 504, it is determined that the control system is abnormal.
- FIG. 8 shows a case where the communication from the address F to the address C, the communication from the address G to the address C, and the communication from the address G to the address F are acquired when the system state is the operation mode.
- Each of these three patterns of communication matches the normal communication pattern when the system state 501 is the operation mode 505 in the database 407 of FIG. 5, and therefore the control system is determined to be normal.
- since the communication from the address F to the address C, the communication from the address G to the address C, and the communication from the address G to the address F are normal communication patterns when the system state 501 is the operation mode 505 in the database 407 of FIG. 5, they are registered in the received communication pattern list 408 of FIG. 8B. However, the received communication pattern list 408 in FIG. 8B shows that the communication from the address F to the address G, which is also a normal communication pattern for the operation mode 505 in the database 407 of FIG. 5, has not been received within the all communication pattern reception confirmation interval. Therefore, it is determined that the control system is abnormal.
- first, the database is set (901).
- then the system state reception process (902), the communication packet reception process (903), and the all communication pattern reception confirmation process (904) are repeated in order.
- in the database setting (901), the database may be created by the system administrator.
- the database may be automatically generated by the behavioral abnormality detection apparatus 201.
- the database may be updated while the behavior abnormality detection apparatus 201 is operating.
- FIG. 10 shows details of the system status reception process (902). First, it is checked whether a system status has been received (1001). If not, the process ends. If a system status has been received, it is next checked whether the received system status is the same as the current system status (1002). If it is the same, the process ends. If the received system state differs from the current system state, the system state is updated (1003), the all communication pattern reception confirmation time is set to the current time (1004), the received communication pattern list is cleared (1005), and the process ends.
- FIG. 11 shows details of the communication packet reception process (903) of FIG. First, it is confirmed whether a communication packet has been received (1101). If no communication packet has been received, the process ends. If a communication packet has been received, it is checked whether there is a communication pattern in the normal communication pattern in the current system state in the database (1102). If the communication pattern does not exist in the normal communication pattern in the current system state in the database, it is determined that the control system is abnormal (1103), and the process ends. If the communication pattern exists in the normal communication pattern in the current system state in the database, it is confirmed whether the communication pattern is recorded in the received communication pattern list (1104). If the communication pattern is recorded in the received communication pattern list, the process ends. If the communication pattern is not recorded in the received communication pattern list, the communication pattern is added to the received communication pattern list (1105), and the process ends.
- FIG. 12 shows the details of the all communication pattern reception confirmation process (904). First, it is checked whether the value obtained by subtracting the all communication pattern reception confirmation time from the current time is larger than the all communication pattern reception confirmation interval (1201). If it is not larger than this threshold, the process ends. If it is larger than the threshold, the received communication pattern list and the database are referred to in order to check whether all normal communication patterns of the current system state in the database have been received (1202). If all have been received, the all communication pattern reception confirmation time is updated to the current time (1204), the received communication pattern list is cleared (1205), and the process ends. If not all have been received, it is determined that the control system is abnormal (1203); then the all communication pattern reception confirmation time is updated to the current time (1204), the received communication pattern list is cleared (1205), and the process ends.
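The three processes of FIGS. 10, 11 and 12, implemented as an added example (this is not code from the patent or its applicant). The database is the one described for FIG. 5, with the address letters of FIG. 3; the maintenance mode is left out because the page does not enumerate its patterns. Time is passed in explicitly rather than read from a clock, so the run is reproducible, and the packet classification of unit 402 is assumed to have already happened upstream (events arrive tagged as state notifications or communication packets). Both the per-packet whitelist check and the interval-based "missing pattern" check are exercised on a constructed event stream that reproduces the cases of FIGS. 6, 7 and 8.

```python
from dataclasses import dataclass, field
from typing import Optional

# Normal communication pattern database in the form of FIG. 5: for each system state,
# the set of (source address, destination address) pairs that are normal in that state.
# Addresses follow FIG. 3 (A = control terminal, B = programming terminal, C = log server,
# D = MES terminal, E = monitoring terminal, F = PLC1, G = PLC2).
DATABASE = {
    "programming": {("B", "F"), ("B", "G")},
    "power_generation_target_setting": {("D", "F"), ("D", "G")},
    "operation": {("F", "C"), ("G", "C"), ("F", "G"), ("G", "F")},
    "operation_monitoring": {("F", "C"), ("G", "C"), ("F", "G"), ("G", "F"), ("C", "E")},
}


@dataclass
class BehaviorAnomalyDetector:
    """State-aware whitelist detector following the flowcharts of FIGS. 10, 11 and 12."""
    database: dict
    confirm_interval: float                     # all communication pattern reception confirmation interval
    current_state: Optional[str] = None
    confirm_time: float = 0.0                   # all communication pattern reception confirmation time
    received: set = field(default_factory=set)  # received communication pattern list (408)
    alerts: list = field(default_factory=list)

    def on_system_state(self, state, now):
        """System state reception process (FIG. 10, steps 1001-1005)."""
        if state == self.current_state:
            return
        self.current_state = state
        self.confirm_time = now
        self.received.clear()

    def on_packet(self, src, dst, now):
        """Communication packet reception process (FIG. 11). Returns False on abnormality."""
        pattern = (src, dst)
        if pattern not in self.database.get(self.current_state, set()):
            self.alerts.append((now, "unexpected communication", self.current_state, pattern))
            return False
        self.received.add(pattern)
        return True

    def confirm_all_patterns(self, now):
        """All communication pattern reception confirmation process (FIG. 12).

        Returns None while the interval has not elapsed, otherwise the set of normal
        patterns that were NOT seen during the interval (empty set means healthy).
        """
        if now - self.confirm_time <= self.confirm_interval:
            return None
        missing = self.database.get(self.current_state, set()) - self.received
        if missing:
            self.alerts.append((now, "missing communication", self.current_state, tuple(sorted(missing))))
        self.confirm_time = now
        self.received.clear()
        return missing


def run(detector, events):
    """Feed a time-ordered event stream through the processes in the order of the main loop.

    Each event is (time, kind, ...): ("state", name) models a system status notification
    packet, ("packet", src, dst) a communication packet, and ("tick",) a pass through the
    loop in which nothing was received.
    """
    for now, kind, *args in events:
        if kind == "state":
            detector.on_system_state(args[0], now)
        elif kind == "packet":
            detector.on_packet(args[0], args[1], now)
        detector.confirm_all_patterns(now)
    return detector.alerts


# Constructed sample traffic (not captured data) reproducing FIGS. 6, 7 and 8 with a
# confirmation interval of 10 seconds.
SAMPLE_EVENTS = [
    (0, "state", "programming"),
    (1, "packet", "B", "F"), (2, "packet", "B", "G"),   # FIG. 6: both patterns seen -> normal
    (11, "tick"),
    (12, "state", "power_generation_target_setting"),
    (13, "packet", "A", "F"),                           # FIG. 7: A->F is not normal in this state -> abnormal
    (14, "packet", "D", "F"), (15, "packet", "D", "G"),
    (23, "tick"),
    (24, "state", "operation"),
    (25, "packet", "F", "C"), (26, "packet", "G", "C"), (27, "packet", "G", "F"),
    (35, "tick"),                                       # FIG. 8: F->G never arrived -> abnormal
]


def demo():
    """Run the sample stream and return the alerts raised (two are expected)."""
    return run(BehaviorAnomalyDetector(DATABASE, confirm_interval=10), SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two alert kinds correspond to the two determinations in the patent: a pattern that is absent from the whitelist for the current state is flagged immediately, while a whitelisted pattern that fails to appear within the confirmation interval is only flagged when the interval elapses, which is why the sample needs the trailing "tick" events.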
- the behavior abnormality detection device of this embodiment is characterized by automatically creating a database.
- FIG. 13 shows a behavior abnormality detection device 1301 of this embodiment.
- the system state acquisition unit 1302 of the behavior abnormality detection device 1301 illustrated in FIG. 13 extracts the system state and inputs it to both the state communication storage unit 406 and the database creation unit 1303.
- the communication acquisition unit 1304 refers to the content of the communication packet input from the packet classification unit 402 and extracts the transmission source address and the transmission destination address of the communication packet.
- the communication acquisition unit 1304 inputs the extracted transmission address and transmission destination address to the abnormality determination unit 405, the state communication storage unit 406, and the database creation unit 1303.
- the database creation unit 1303 creates the database 406 using the system state input from the system acquisition unit 1302 and the source address and destination address input from the communication acquisition unit.
- the database creation process will be described with reference to the database creation flowchart shown in FIG. First, it is confirmed whether the system state has been acquired (1401). If the system state has not been acquired, it is confirmed whether a communication pattern has been acquired (1405). When the system state is acquired, it is confirmed whether the acquired system state exists in the database (1402). If the acquired system state does not exist in the database, the system state is registered in the database (1403). Next, the current system state is updated to the acquired system state (1404). Next, it is confirmed whether or not a communication pattern has been acquired (1405). If the communication pattern has not been acquired, it is confirmed whether or not the learning period has ended (1408). When the communication pattern is acquired, it is confirmed whether or not the acquired communication pattern is registered as a normal communication pattern of the current system state in the database (1406).
- the acquired communication pattern is registered as a normal communication pattern of the current system state in the database, it is confirmed whether or not the learning period has ended (1408). If the acquired communication pattern is not registered as a normal communication pattern of the current system state in the database, the acquired communication pattern is registered as a normal communication pattern of the current system state in the database (1407). Next, it is confirmed whether or not the learning period has ended (1408). If the learning period has not ended, it is checked again whether the system state has been acquired (1401). If the learning period has ended, the database creation process ends.
- the present embodiment by automatically creating a database, it becomes unnecessary for an administrator or the like to manually create the database, and it becomes possible to easily introduce the behavior abnormality detection device.
- The behavior abnormality detection device of this embodiment is characterized by updating the database.
- FIG. 15 shows the behavioral abnormality detection device of this embodiment.
- Parts in FIG. 15 that perform the same operations as those already described are denoted by the same reference numerals.
- The packet classification unit 1502 of the behavior abnormality detection device illustrated in FIG. 15 refers to the header or content of a packet input from the communication interface 401 and determines whether the packet is a system status notification packet, a communication packet, or a database update notification packet. If the packet input from the communication interface 401 is a system status notification packet, the packet classification unit 1502 inputs it to the system status acquisition unit. If it is a communication packet, the packet classification unit 1502 inputs it to the communication acquisition unit 404. If it is a database update notification packet, the packet classification unit 1502 inputs it to the database update unit 1503.
- The system status notification packet is a packet for notifying the system status.
- The communication packet is an ordinary packet exchanged between devices connected to the control network.
- The database update notification packet is a packet instructing the database update unit 1503 to update the database.
- The database update unit 1503 extracts the database update content from the packet and updates the database 407.
- The behavioral abnormality detection device of this embodiment includes an abnormality notification unit.
- FIG. 16 shows the behavioral abnormality detection device of this embodiment.
- Parts in FIG. 16 that perform the same operations as those already described are denoted by the same reference numerals.
- When the abnormality determination unit 1602 of the behavior abnormality detection device 1601 illustrated in FIG. 16 receives a combination of a transmission source address and a transmission destination address from the communication acquisition unit 404, it acquires the current system state recorded in the state communication storage unit 406.
- The abnormality determination unit 1602 refers to the database 407 to obtain the list of normal communication patterns corresponding to the current system state and confirms whether the combination of transmission source address and transmission destination address acquired from the communication acquisition unit is included in that list.
- The abnormality determination unit 1602 also periodically performs the following operation.
- The abnormality determination unit 1602 acquires the current system state and the received communication pattern list from the state communication storage unit 406.
- The abnormality determination unit 1602 refers to the database 407 and confirms whether all the normal communication patterns of the current system state have been received.
- The abnormality determination unit 1602 determines that the control system is operating normally when all the normal communication patterns have been received, and determines that an abnormality has occurred when one or more normal communication patterns have not been received; the determination result is input to the abnormality notification unit 1603.
- The abnormality notification unit 1603 notifies the administrator, via the communication interface 401, of the determination result indicating the presence or absence of an abnormality received from the abnormality determination unit 1602.
- The administrator may be located on the control network 102, on the information network 105, or at a remote site reached via the Internet 107.
- The administrator can thereby recognize an abnormality that has occurred in the control network.
- The behavior abnormality detection apparatus of the present embodiment is characterized by having a database that records three kinds of information, namely the system state, the normal communication patterns corresponding to the system state, and the abnormality handling method corresponding to the system state, and by carrying out that handling method.
- FIG. 17 shows a behavior abnormality detection device 1701 of the present embodiment.
- The database 1702 of the behavior abnormality detection device shown in FIG. 17 records the correspondence between the system state, the normal communication patterns in that system state, and the method of handling an abnormality detected in that system state.
- When an abnormality is detected, the abnormality determination unit 1703 notifies the abnormality handling unit 1704 of the abnormality handling method recorded in the database.
- The abnormality handling unit 1704 implements the abnormality handling method notified from the abnormality determination unit 1703.
- FIG. 18 shows an example of the database 1702 in the present embodiment.
- Abnormal communication blocking and administrator notification (1803) are performed as the abnormality handling method 1801.
- Administrator notification (1804) is performed as the abnormality handling method 1801.
- Administrator notification (1805) is performed as the abnormality handling method 1801. If an abnormality is detected when the system state 501 is the maintenance mode 507, abnormal communication blocking and administrator notification (1806) are implemented as the abnormality handling method 1801.
- When the system state 501 is the operation mode 505 or the operation monitoring mode 506, equipment such as the turbine 211 in the thermal power plant 101 is operating. If communication that the behavior abnormality detection device 1701 judges abnormal while the equipment is operating is in fact communication necessary for control, blocking it could cause loss of control of the equipment and lead to an accident. Therefore the abnormal communication is not blocked and only the administrator notification is performed.
- When the system state 501 is the programming mode 503, the power generation target setting mode 504, or the maintenance mode 507, equipment such as the turbine 211 in the thermal power plant is not operating. Even if communication that the behavior abnormality detection device 1701 judges abnormal while the equipment is not operating is in fact normal communication, it is considered not to affect the operation of the equipment. Therefore the abnormal communication is blocked in addition to the administrator notification.
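As an added example that is not part of the patent, the following Python sketch combines the database creation procedure of FIG. 14, the per-packet comparison against the database, the all-communication-pattern reception confirmation of FIG. 12, and the per-state abnormality handling table of FIG. 18 in one class. The state labels, addresses and traffic are constructed, and the class and method names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Pattern = Tuple[str, str]  # (transmission source address, transmission destination address)

# Abnormality handling method per system state, following the FIG. 18 table (labels constructed).
HANDLING: Dict[str, Tuple[str, ...]] = {
    "programming": ("block", "notify"),
    "power_target_setting": ("block", "notify"),
    "operation": ("notify",),             # equipment running: never block
    "operation_monitoring": ("notify",),  # equipment running: never block
    "maintenance": ("block", "notify"),
}


@dataclass
class BehaviorAnomalyDetector:
    confirm_interval: float                                    # all-pattern reception confirmation interval
    db: Dict[str, Set[Pattern]] = field(default_factory=dict)  # system state -> normal patterns (407)
    state: Optional[str] = None                                # current system state
    received: Set[Pattern] = field(default_factory=set)        # received communication pattern list (408)
    last_confirm: float = 0.0                                  # all-pattern reception confirmation time
    learning: bool = True                                      # learning period (FIG. 14) still running

    def on_system_state(self, state: str) -> None:
        """System state notification (1402-1404): register an unseen state and make it current."""
        self.db.setdefault(state, set())
        self.state = state

    def on_packet(self, src: str, dst: str) -> List[str]:
        """Communication packet. Returns the handling actions to take; [] when the pattern is normal."""
        if self.state is None:
            raise RuntimeError("system state unknown: nothing to compare the pattern against")
        pattern = (src, dst)
        normal = self.db[self.state]
        if self.learning:
            normal.add(pattern)        # 1406/1407: register as normal for the current state
            return []
        self.received.add(pattern)     # feeds the periodic completeness check below
        if pattern in normal:
            return []
        return list(HANDLING.get(self.state, ("notify",)))  # unregistered pattern: abnormal

    def confirm_all_received(self, now: float) -> Optional[Set[Pattern]]:
        """FIG. 12 periodic check: None while the interval has not elapsed (1201), otherwise the
        normal patterns not seen since the last check (an empty set means all were received)."""
        if now - self.last_confirm <= self.confirm_interval:
            return None
        missing = self.db.get(self.state, set()) - self.received  # 1202/1203
        self.last_confirm = now                                    # 1204
        self.received.clear()                                      # 1205
        return missing


def demo() -> dict:
    """Constructed traffic: learn a baseline in two states, then judge packets against it."""
    det = BehaviorAnomalyDetector(confirm_interval=10.0)
    det.on_system_state("operation")
    for src, dst in [("10.0.0.2", "10.0.0.7"), ("10.0.0.7", "10.0.0.2")]:  # PLC <-> control terminal
        det.on_packet(src, dst)
    det.on_system_state("maintenance")
    det.on_packet("10.0.0.3", "10.0.0.7")  # programming terminal -> PLC: normal only in maintenance
    det.learning = False                   # 1408: learning period over
    det.on_system_state("operation")
    out = {"learned": det.db["operation"]}
    out["known"] = det.on_packet("10.0.0.2", "10.0.0.7")
    out["rogue_operation"] = det.on_packet("10.0.0.9", "10.0.0.7")  # unseen host talks to the PLC
    out["too_early"] = det.confirm_all_received(now=5.0)
    out["missing"] = det.confirm_all_received(now=11.0)  # the PLC's reply direction was never seen
    det.on_system_state("maintenance")
    out["rogue_maintenance"] = det.on_packet("10.0.0.9", "10.0.0.7")
    return out
```

The same unregistered pattern yields only a notification while the plant is in operation mode but blocking plus notification in maintenance mode, and a silent PLC shows up as a missing pattern at the next periodic check rather than as a per-packet alert.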
- The invention made by the present inventor has been specifically described above based on the embodiments.
- The present invention is not limited to these embodiments, and various modifications can be made without departing from its scope.
- Some or all of the functional units constituting the behavior abnormality detection device may be incorporated in a network connection device such as a router, a layer 3 switch, a switching hub, or a repeater hub.
- The functional units constituting the behavior abnormality detection apparatus may also be distributed over two or more apparatuses.
- A behavior abnormality detection device may also be configured using one functional unit, or a combination of several functional units, among those of the behavior abnormality detection devices described in the first to fifth embodiments.
102 Control network
103, 106 Network connection device
104 Office
105 Information network
107 Internet
108 Remote monitoring and control center
201, 1301, 1501, 1601, 1701 Behavior abnormality detection device
202 Control terminal
203 Programming terminal
204 Log server
205 MES terminal
206 Monitoring terminal
207 PLC1
208 PLC2
209, 210 Field network
211 Turbine
212 Rotational speed sensor
213 Boiler
214 Temperature sensor
215 Pressure sensor
301 Device name
302 Address
401 Communication interface
402, 1502 Packet classification unit
403, 1302 System state acquisition unit
404, 1304 Communication acquisition unit
405, 1602, 1703 Abnormality determination unit
406 State communication storage unit
407, 1702 Database
408 Received communication pattern list
501 System state
502 Normal communication pattern
503 Programming mode
504 Power generation target setting mode
505 Operation mode
506 Operation monitoring mode
507 Maintenance mode
1303 Database creation unit
1503 Database update unit
1603 Abnormality notification unit
1704 Abnormality handling unit
1801 Abnormality handling method
1802, 1803, 1806 Abnormal communication blocking and administrator notification
1804, 1805 Administrator notification
Claims (12)
1. An information control device comprising: a database that stores normal communication patterns between devices for each system state; a system state determination unit that acquires information indicating the state of the system and determines the system state; a communication pattern determination unit that acquires information indicating the communication pattern between the devices and determines the communication pattern; and an abnormality determination unit that determines whether an abnormality has occurred in the system based on the communication pattern determined by the communication pattern determination unit and the communication patterns stored in the database as normal communication patterns in the system state determined by the system state acquisition unit.
2. The information control device according to claim 1, wherein the abnormality determination unit determines that an abnormality has occurred in the system when at least part of the communication pattern determined by the communication pattern determination unit does not correspond to a normal communication pattern stored in the database.
3. The information control device according to claim 1, wherein the database defines the communication pattern by a pair of the transmission source address of the device and the transmission destination address of the device.
4. The information control device according to claim 1, wherein the abnormality determination unit determines that an abnormality has occurred in the system when not all of the normal communications in the database corresponding to the system state have been performed within a fixed time.
5. The information control device according to claim 1, further comprising a database creation unit that automatically generates the database.
6. The information control device according to claim 1, wherein the database stores, in association with one another, the system state, the normal communication patterns between the devices, and the abnormality handling method in that system state.
7. An information control system comprising: devices that perform communication; a connection device that connects the devices; and an abnormality determination device that stores normal communication patterns between the devices for each system state, acquires information indicating the state of the system and determines the system state, acquires information indicating the communication pattern between the devices and determines the communication pattern, and determines whether a system abnormality has occurred based on the determined communication pattern and the stored communication patterns that are normal in the determined system state.
8. The information control system according to claim 7, wherein the abnormality determination device determines that a system abnormality has occurred when at least part of the determined communication pattern does not correspond to the stored normal communication patterns.
9. The information control system according to claim 7, wherein the abnormality determination device defines the communication pattern by a pair of the transmission source address of the device and the transmission destination address of the device.
10. The information control system according to claim 7, wherein the abnormality determination device determines that an abnormality has occurred in the system when not all of the normal communications in the database corresponding to the system state have been performed within a fixed time.
11. The information control system according to claim 7, wherein the database stores, in association with one another, the system state, the normal communication patterns between the devices, and the abnormality handling method in that system state.
12. An information control method comprising: storing normal communication patterns between devices for each system state; acquiring information indicating the state of the system and determining the system state; acquiring information indicating the communication pattern between the devices and determining the communication pattern; and determining whether a system abnormality has occurred based on the determined communication pattern and the stored communication patterns that are normal in the determined system state.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/777,609 US9874869B2 (en) | 2013-03-29 | 2013-03-29 | Information controller, information control system, and information control method |
JP2015507857A JP5844944B2 (ja) | 2013-03-29 | 2013-03-29 | Information control device, information control system, and information control method |
PCT/JP2013/059448 WO2014155650A1 (ja) | 2013-03-29 | 2013-03-29 | Information control device, information control system, and information control method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2013/059448 WO2014155650A1 (ja) | 2013-03-29 | 2013-03-29 | Information control device, information control system, and information control method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014155650A1 true WO2014155650A1 (ja) | 2014-10-02 |
Family
ID=51622715
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2013/059448 WO2014155650A1 (ja) | 2013-03-29 | 2013-03-29 | Information control device, information control system, and information control method |
Country Status (3)
Country | Link |
---|---|
US (1) | US9874869B2 (ja) |
JP (1) | JP5844944B2 (ja) |
WO (1) | WO2014155650A1 (ja) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2537457A (en) * | 2015-03-04 | 2016-10-19 | Fisher Rosemount Systems Inc | Anomaly detection in industrial communications networks |
CN107580772A (zh) * | 2015-05-06 | 2018-01-12 | General Electric Technology GmbH | Monitoring assembly for an industrial control system |
WO2018134939A1 (ja) | 2017-01-19 | 2018-07-26 | Mitsubishi Electric Corporation | Attack detection device, attack detection method, and attack detection program |
JP2018129579A (ja) * | 2017-02-06 | 2018-08-16 | Omron Corporation | Network system management device, network system management method, control program, and recording medium |
WO2019004101A1 (ja) * | 2017-06-27 | 2019-01-03 | Mitsubishi Electric Building Techno-Service Co., Ltd. | Intrusion detection device, intrusion detection method, and intrusion detection system |
WO2019142264A1 (ja) | 2018-01-17 | 2019-07-25 | Mitsubishi Electric Corporation | Attack detection device, attack detection method, and attack detection program |
JP2019140578A (ja) * | 2018-02-13 | 2019-08-22 | KDDI Corporation | Priority calculation device, priority calculation method, and priority calculation program |
US10429829B2 (en) | 2015-07-13 | 2019-10-01 | Hitachi, Ltd. | Monitoring system, particle beam therapy system, and method of repairing plant |
WO2019240020A1 (ja) * | 2018-06-13 | 2019-12-19 | Panasonic Intellectual Property Management Co., Ltd. | Unauthorized communication detection device, unauthorized communication detection method, and manufacturing system |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015060675A (ja) * | 2013-09-18 | 2015-03-30 | Sony Corporation | Power storage system |
WO2016113911A1 (ja) * | 2015-01-16 | 2016-07-21 | Mitsubishi Electric Corporation | Data determination device, data determination method, and program |
EP3432184B1 (en) | 2016-04-26 | 2020-04-15 | Mitsubishi Electric Corporation | Intrusion detection device, intrusion detection method, and intrusion detection program |
US10277534B2 (en) * | 2016-06-01 | 2019-04-30 | Juniper Networks, Inc. | Supplemental connection fabric for chassis-based network device |
TWI672605B (zh) * | 2017-11-29 | 2019-09-21 | Institute for Information Industry | Application layer behavior recognition system and method |
US20210026343A1 (en) * | 2018-03-30 | 2021-01-28 | Nec Corporation | Information processing device, information processing method, and program |
WO2019242868A1 (en) * | 2018-12-12 | 2019-12-26 | Mitsubishi Electric Corporation | Software testing device, software testing method, and software testing program |
CN113882908B (zh) * | 2020-07-03 | 2023-07-25 | Dongfang Electric Corporation | Steam turbine network security offline monitoring system and method based on a passive monitoring algorithm |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008181299A (ja) * | 2007-01-24 | 2008-08-07 | Fujitsu Ltd | Communication error information output program, communication error information output method, and communication error information output device |
JP2008278272A (ja) * | 2007-04-27 | 2008-11-13 | Kddi Corp | Electronic system, electronic device, central device, program, and recording medium |
JP2009278293A (ja) * | 2008-05-13 | 2009-11-26 | Nec Corp | Packet source identification system, packet source identification method, and packet source identification program |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004312176A (ja) | 2003-04-03 | 2004-11-04 | Mitsubishi Electric Corp | Message determination processing device |
US8111787B2 (en) * | 2008-11-05 | 2012-02-07 | Telefonaktiebolaget L M Ericsson (Publ) | OFDM channel estimation method and apparatus |
JP5454363B2 (ja) * | 2010-06-02 | 2014-03-26 | Fujitsu Limited | Analysis program, analysis device, and analysis method |
JP2012084994A (ja) | 2010-10-07 | 2012-04-26 | Hitachi Ltd | Malware detection method and malware detection device |
2013
- 2013-03-29 JP JP2015507857A patent/JP5844944B2/ja not_active Expired - Fee Related
- 2013-03-29 US US14/777,609 patent/US9874869B2/en not_active Expired - Fee Related
- 2013-03-29 WO PCT/JP2013/059448 patent/WO2014155650A1/ja active Application Filing
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10291506B2 (en) | 2015-03-04 | 2019-05-14 | Fisher-Rosemount Systems, Inc. | Anomaly detection in industrial communications networks |
GB2537457B (en) * | 2015-03-04 | 2021-12-22 | Fisher Rosemount Systems Inc | Anomaly detection in industrial communications networks |
GB2537457A (en) * | 2015-03-04 | 2016-10-19 | Fisher Rosemount Systems Inc | Anomaly detection in industrial communications networks |
CN107580772A (zh) * | 2015-05-06 | 2018-01-12 | General Electric Technology GmbH | Monitoring assembly for an industrial control system |
EP3091692B1 (en) * | 2015-05-06 | 2020-07-15 | General Electric Technology GmbH | A network connection monitoring assembly for an industrial control system |
US10429829B2 (en) | 2015-07-13 | 2019-10-01 | Hitachi, Ltd. | Monitoring system, particle beam therapy system, and method of repairing plant |
WO2018134939A1 (ja) | 2017-01-19 | 2018-07-26 | Mitsubishi Electric Corporation | Attack detection device, attack detection method, and attack detection program |
JP2018129579A (ja) * | 2017-02-06 | 2018-08-16 | Omron Corporation | Network system management device, network system management method, control program, and recording medium |
JPWO2019004101A1 (ja) * | 2017-06-27 | 2019-12-19 | Mitsubishi Electric Building Techno-Service Co., Ltd. | Intrusion detection device, intrusion detection method, and intrusion detection system |
WO2019004101A1 (ja) * | 2017-06-27 | 2019-01-03 | Mitsubishi Electric Building Techno-Service Co., Ltd. | Intrusion detection device, intrusion detection method, and intrusion detection system |
WO2019003300A1 (ja) * | 2017-06-27 | 2019-01-03 | Mitsubishi Electric Building Techno-Service Co., Ltd. | Intrusion detection device and intrusion detection method |
JPWO2019142264A1 (ja) * | 2018-01-17 | 2020-05-28 | Mitsubishi Electric Corporation | Attack detection device |
CN111566643A (zh) * | 2018-01-17 | 2020-08-21 | Mitsubishi Electric Corporation | Attack detection device, attack detection method, and attack detection program |
WO2019142264A1 (ja) | 2018-01-17 | 2019-07-25 | Mitsubishi Electric Corporation | Attack detection device, attack detection method, and attack detection program |
CN111566643B (zh) * | 2018-01-17 | 2023-08-08 | Mitsubishi Electric Corporation | Attack detection device, attack detection method, and computer-readable recording medium |
JP2019140578A (ja) * | 2018-02-13 | 2019-08-22 | KDDI Corporation | Priority calculation device, priority calculation method, and priority calculation program |
WO2019240020A1 (ja) * | 2018-06-13 | 2019-12-19 | Panasonic Intellectual Property Management Co., Ltd. | Unauthorized communication detection device, unauthorized communication detection method, and manufacturing system |
JP7378089B2 (ja) | 2018-06-13 | 2023-11-13 | Panasonic Intellectual Property Management Co., Ltd. | Unauthorized communication detection device, unauthorized communication detection method, and manufacturing system |
Also Published As
Publication number | Publication date |
---|---|
JP5844944B2 (ja) | 2016-01-20 |
JPWO2014155650A1 (ja) | 2017-02-16 |
US20160085237A1 (en) | 2016-03-24 |
US9874869B2 (en) | 2018-01-23 |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13879954; Country of ref document: EP; Kind code of ref document: A1 |
ENP | Entry into the national phase | Ref document number: 2015507857; Country of ref document: JP; Kind code of ref document: A |
WWE | Wipo information: entry into national phase | Ref document number: 14777609; Country of ref document: US |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 13879954; Country of ref document: EP; Kind code of ref document: A1 |