WO2018198733A1 - Security monitoring system and security monitoring method - Google Patents


Info

Publication number
WO2018198733A1
Authority
WO
WIPO (PCT)
Prior art keywords
incident
security
control system
monitoring device
alert
Prior art date
Application number
PCT/JP2018/014842
Other languages
French (fr)
Japanese (ja)
Inventor
訓 大久保
宏樹 内山
Original Assignee
株式会社日立製作所
Application filed by 株式会社日立製作所
Publication of WO2018198733A1

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G08 SIGNALLING
    • G08B SIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B25/00 Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems
    • G08B25/01 Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems characterised by the transmission medium
    • G08B25/04 Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems characterised by the transmission medium using a single signalling line, e.g. in a closed loop

Definitions

  • the present invention relates to a security monitoring system and a security monitoring method.
  • control systems that monitor and control equipment such as pumps and valves have been connected to maintenance bases and other systems via a network.
  • a monitoring center provided at a maintenance base is increasingly using O & M (Operation & Maintenance), which remotely monitors the operation of a control system.
  • O & M Operation & Maintenance
  • the control system is constructed by mixing old and new devices.
  • it was difficult to fully protect the control system in advance against increasingly sophisticated viruses, malware, unauthorized access, and the like (hereinafter referred to as “attacks from the outside”) that target control system devices connected to the network.
  • SIEM Security Information and Event Management
  • the SIEM has a function of collecting logs of the devices in the control system and analyzing them for the presence or absence of incidents. Advanced security knowledge is needed for an analyst to detect the occurrence of an incident, analyze whether the incident affects the control system, and take action based on the analysis result (hereinafter referred to as “incident response”). In the control system, incident response using SIEM is assumed to be performed by the field maintenance personnel who are in charge of monitoring and controlling the control system.
  • SIEM deals mainly with incidents caused by external attacks and does not support analysis of internal attacks. For this reason, although SIEM can make it clear that a specific device in the control system is the cause, it was difficult to identify, for example, an incident caused by an unauthorized operation by a field maintenance worker or engineer within the control system.
  • Patent Document 1 discloses, as a technique that enables field maintenance personnel with little security knowledge to deal with incidents in a control system, a method of connecting the control system to a monitoring center in which security specialists are stationed.
  • Patent Document 1 discloses an event analysis system that uses a local prediction model to predict events of a monitored system, detects an abnormal state of the monitored system, analyzes the process leading to the abnormal state, and presents it to an engineer.
  • an object of the present invention is to enable detected incidents to be dealt with by using a control system familiar to field maintenance personnel.
  • a security monitoring system includes a control system that controls the operation of equipment, a physical security system that is connected to the control system via a network and that monitors and controls the entry and exit of the field maintenance personnel who use the control system, and an incident management server that is connected to the control system via a network and manages incidents that occur in the control system.
  • The control system includes a control device that detects alerts generated in the facility, a security device that detects alerts generated in the control system, a system monitoring device that monitors the control system and responds to incidents that occur in the control system, and a security monitoring device that compares the alerts collected from the control device or the security device with an abnormal scenario, detects that an incident has occurred in the control system, and transmits abnormal data including the contents of the incident to the system monitoring device.
  • the physical security system includes an entrance / exit management device, a monitoring camera device, and a physical security server that manages the physical security history data.
  • the system monitoring apparatus analyzes the abnormal data, handles incidents that can be handled by the system monitoring apparatus, and instructs the security monitoring apparatus to handle incidents that cannot be handled by the system monitoring apparatus.
  • the security monitoring apparatus deals with incidents analyzed in accordance with instructions from the system monitoring apparatus.
  • the incident management server analyzes the alerts, abnormal data, and physical security history data collected through the security monitoring device, and instructs the field maintenance personnel to deal with incidents that cannot be handled by the system monitoring device or the security monitoring device.
  • the field maintenance staff can not only deal with incidents using the control system, but can also deal with incidents that could not be handled within the control system in a short time, by following the actions instructed by the incident management server. Problems, configurations, and effects other than those described above will be clarified by the following description of embodiments.
  • FIG. 6 is a flowchart showing a procedure in which a security monitoring apparatus according to an embodiment of the present invention collects alerts from a control device and a security device, collects history data from a physical security server, and notifies the system monitoring apparatus of abnormal data.
  • An explanatory diagram showing an example of the system monitoring screen displayed on the data display / operation unit of the system monitoring apparatus according to one embodiment of the present invention.
  • A flowchart showing the procedure in which the system monitoring apparatus according to one embodiment of the present invention analyzes the abnormal data received from the security monitoring apparatus.
  • FIG. 1 is a block diagram showing an example of the overall configuration of the security monitoring system 1.
  • a control system 10 that is constructed at a local site and controls the operation of the equipment 101 and an incident management server 201 of the monitoring center 20 that is constructed at a maintenance base are connected by a network N such as the Internet, and the control system 10 and a physical security server 401 of the physical security system 40 are connected by a network 108.
  • VPN Virtual Private Network
  • the physical security system 40 is connected to the control system 10 via the network 113, and monitors and controls the entrance and exit of the on-site maintenance staff 109 and the engineer 112 into the control system 10.
  • a physical security server 401 included in the physical security system 40 manages physical security history data (hereinafter referred to as “history data”) acquired from the entrance / exit management device 110 and the monitoring camera 111.
  • the control system 10 includes a facility 101, a control device 102, a system monitoring device 103, a security device 104, a security monitoring device 105, a one-way relay device 106, and a field data management server 107.
  • the equipment 101, the control device 102, the system monitoring device 103, the security device 104, and the security monitoring device 105 are connected via a network 108.
  • the facility 101 is, for example, a water treatment plant pump or valve, or a power plant turbine.
  • the control device 102 is a generic term for a controller, a control server, a maintenance terminal, and the like that monitor the equipment 101 and control its operation.
  • when the control device 102 detects an alert generated in the facility 101, it transmits an alert including an alert log to the security monitoring device 105.
  • the system monitoring device 103 monitors the control system 10 and deals with incidents occurring in the control system 10. For this purpose, the system monitoring apparatus 103 collects the statuses of the control apparatus 102 and the network 108 (abnormal, operating, etc.) and displays them on the system monitoring screen 30 shown in FIG. For example, the field maintenance person 109 who uses the control system 10 maintains the operation of the control system 10 by operating the system monitoring device 103 to monitor and control its state. The field maintenance staff 109 then deals with incidents occurring in the equipment 101 and the like by referring to a manual or the like.
  • the field maintenance person 109 requests the security expert 202 in the monitoring center 20 to deal with the incident, and carries out the countermeasure instructed by the security expert 202.
  • the security device 104 detects security alerts generated in the control system 10 and protects in advance against incidents that may occur in the control system 10. When the security device 104 detects a security alert, it transmits an alert including an alert log to the security monitoring device 105.
  • as the security device 104, for example, a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) is used.
  • the security device 104 can detect and block many unauthorized accesses from outside.
  • the security monitoring device 105 compares the alert collected from the control device 102 or the security device 104 with an abnormal scenario 1053 (refer to FIG. 2 described later) representing the behavior of the incident.
  • when the security monitoring apparatus 105 detects that an incident has occurred in the control system 10, it transmits abnormal data 1055 (see FIG. 2 described later) including the contents of the incident to the system monitoring apparatus 103.
  • the system monitoring apparatus 103 analyzes the abnormal data 1055 and deals with incidents that can be handled by the system monitoring apparatus 103.
  • the system monitoring apparatus 103 displays a system monitoring screen 30 shown in FIG. For this reason, the field maintenance staff 109 can operate the system monitoring apparatus 103 to deal with an incident that has occurred in the control system 10 according to a manual or the like. However, the system monitoring apparatus 103 instructs the security monitoring apparatus 105 to deal with incidents that cannot be handled by the system monitoring apparatus 103.
  • the physical security system 40 includes the physical security server 401 that collects and manages history data from the entrance / exit management device 110 and the monitoring camera 111 installed at the entrance of the control system 10.
  • the entrance / exit management device 110 can control entry / exit of the field maintenance staff 109 and the engineer 112 to / from the control system 10 by a card reader, biometric authentication, or the like.
  • the monitoring camera 111 captures the scenes of the field maintenance staff 109 and the engineer 112 entering and leaving the control system 10.
  • the physical security system 40 may be configured separately from the control system 10 depending on the configuration of the control system 10, or may be included in the control system 10.
  • the security monitoring device 105 deals with the incident analyzed according to the instruction from the system monitoring device 103.
  • the security monitoring apparatus 105 displays an incident list screen 71 and an incident cause analysis screen 72 shown in FIG. For this reason, the field maintenance staff 109 can operate the security monitoring apparatus 105 to deal with a security incident that has occurred in the control system 10 according to a manual or the like.
  • the one-way relay device 106 permits relaying of data transmitted from the control system 10 toward the incident management server 201, and disallows relaying of data transmitted from the incident management server 201 toward the control system 10.
  • the one-way relay device 106 can relay only data transmitted in one direction from the inside of the control system 10 to the outside to the monitoring center 20.
  • a router, a firewall, or the like is used as the one-way relay device 106.
  • the one-way relay device 106 can prevent unauthorized access to the control system 10 through the network N.
  • the field data management server 107 is provided at a location accessible by the incident management server 201, and accumulates alerts, abnormality data 1055 (see FIG. 2 described later), and history data 1060-1 (see FIG. 6 described later).
  • the anomaly data 1055 includes the occurrence time of an incident (alert), the device in which the incident occurred, the incident level, the content of the incident, and the like.
  • the history data 1060-1 includes entry / exit time, exit time, user ID, name, and the like.
  • the field data management server 107 receives field data such as alerts collected by the security monitoring apparatus 105 via the one-way relay apparatus 106 according to the transmission program of the security monitoring apparatus 105.
  • the on-site data managed by the on-site data management server 107 is a generic term for alerts, abnormality data 1055, and history data 1060-1 generated in the control system 10, for example.
  • the control system 10 includes a set of facilities 101, a control device 102, a system monitoring device 103, and a security device 104 (hereinafter referred to as “subsystem”).
  • the security monitoring device 105 may be installed for each subsystem, or the security monitoring device 105 may be installed by integrating a plurality of subsystems.
  • the monitoring center 20 includes an incident management server 201 that manages incidents that occur in the control system 10.
  • the incident management server 201 is operated by a security expert 202 resident in the monitoring center 20.
  • the incident management server 201 collects alerts, abnormality data, and history data 1060-1 accumulated in the field data management server 107 through the security monitoring apparatus 105 by a dedicated program.
  • the incident management server 201 accumulates incidents generated in a control system different from the control system 10 illustrated in FIG. 1 and countermeasures against the incidents.
  • the security expert 202 can analyze the incident based not only on the alerts, abnormal data, and history data 1060-1 collected from the field data management server 107, but also on incidents that have occurred in other control systems and the countermeasures taken against them.
  • the incident countermeasures are set in the incident management server 201.
  • the security specialist 202 instructs the field maintenance staff 109 to deal with the incident that the system monitoring device 103 and the security monitoring device 105 could not handle, based on the analysis result of the incident.
  • Incidents that could not be dealt with include incidents that could not be detected by the system monitoring device 103 and the security monitoring device 105, for example.
  • by operating the incident management server 201, the security expert 202 can detect not only incidents revealed by analyzing alerts and incidents, but also potential incidents, and can tell the field maintenance personnel 109 how to deal with them.
  • the incident management server 201 sends an incident countermeasure report shown in FIG. 13 to be described later to the field maintenance staff 109 to instruct the field maintenance staff 109 to deal with the incident.
  • the incident countermeasure report is sent to the field maintenance staff 109 through a route different from the network N, for example by telephone, FAX, or electronic mail.
  • FIG. 2 is a block diagram showing an example of the internal configuration of each device constituting the control system 10. In FIG. 2, the description of the equipment 101 is omitted.
  • the control device 102 includes a data collection / analysis unit 1021, an alert storage unit 1022, and an alert transmission unit 1023.
  • the data collection / analysis unit 1021 acquires an alert generated in the facility 101.
  • the alert generated in the control device 102 notifies the field maintenance staff 109 that, for example, another device of the control system 10 has tried to log in to the control device 102 many times, or continues to send packets to a specific port.
  • the alert storage unit 1022 stores the alert acquired by the data collection / analysis unit 1021.
  • the alert transmission unit 1023 transmits the alert stored in the alert storage unit 1022 to the security monitoring device 105.
  • the system monitoring apparatus 103 includes a data reception / analysis unit 1031, an abnormality determination unit 1032, an alert storage unit 1033, and a data display / operation unit 1034.
  • the data reception / analysis unit 1031 analyzes the abnormal data 1055 notified from the security monitoring apparatus 105.
  • the abnormality determination unit 1032 determines whether the incident that has occurred in the control system 10 is a system abnormality or a security abnormality based on the analysis result of the abnormality data 1055 notified from the security monitoring apparatus 105.
  • the alert storage unit 1033 stores an alert generated when the abnormality determination unit 1032 detects an abnormality.
  • the data display / operation unit 1034 displays a system monitoring screen 30 shown in FIG.
  • the security device 104 includes a data transmission / reception unit 1041, an abnormality detection unit 1042, an alert storage unit 1043, and a command transmission unit 1044.
  • the data transmission / reception unit 1041 transmits a security alert generated in the control system 10 to the security monitoring apparatus 105.
  • the data transmission / reception unit 1041 receives from the security monitoring device 105 an instruction for dealing with the incident (an instruction to isolate the cause device, an instruction to isolate the attack target network, etc. shown in FIG. 11 described later).
  • the abnormality detection unit 1042 detects a security abnormality that has occurred in the control system 10 and generates an alert.
  • the alert storage unit 1043 stores an alert generated when the abnormality detection unit 1042 detects an abnormality.
  • the alert generated by the security device 104 notifies the on-site maintenance member 109 that, for example, an unauthorized packet has been transmitted or received by a device in the control system 10, or that an unauthorized device (a non-volatile memory or the like) has been connected to the control device 102.
  • the command transmission unit 1044 transmits, for example, a command for disconnecting the cause device or isolating the network to the device or network instructed by the security monitoring device 105.
  • the physical security server 401 includes a data collection unit 4011, a data storage unit 4012, and a data transmission unit 4013.
  • the data collection unit 4011 collects history data from the entrance / exit management device 110 and the monitoring camera 111.
  • the data storage unit 4012 stores the history data acquired by the data collection unit 4011.
  • the data transmission unit 4013 transmits the history data stored in the data storage unit 4012 to the security monitoring device 105.
  • the security monitoring apparatus 105 includes a data transmission / reception unit 1051, an alert storage unit 1052, a history data storage unit 1060, an alert analysis / determination unit 1054, an abnormal scenario 1053, a data display / operation unit 1056, an abnormality notification unit 1057, an alert notification unit 1058, and a handling instruction unit 1059.
  • the data transmission / reception unit 1051 transmits / receives various data to / from the control device 102, the system monitoring device 103, the security device 104, and the physical security server 401.
  • the data transmission / reception unit 1051 receives an alert from the control device 102 and the security device 104.
  • the alert storage unit 1052 stores the alert received by the data transmission / reception unit 1051 from the control device 102.
  • the abnormal scenario 1053 is data indicating the behavior of a device in the control system 10 that is a precursor of an incident. For example, when unauthorized access or an unauthorized attack is performed on a device in the control system 10, or the device is infected with a virus, a specific movement that is a precursor of an incident may occur before the device stops. Such device movements are stored as abnormal scenarios 1053.
  • the alert analysis / determination unit 1054 analyzes the alerts collected by the data transmission / reception unit 1051 and stored in the alert storage unit 1052. At this time, the alert analysis / determination unit 1054 refers to the abnormal scenario 1053 and compares the alert with the abnormal scenario 1053. When the alert and the abnormal scenario 1053 match, the alert analysis / determination unit 1054 can determine that an incident has occurred.
  • the abnormal data 1055 is data indicating the analysis result of the alert analyzed by the alert analysis / determination unit 1054.
  • the abnormal data 1055 includes an alert (incident) occurrence time, a target device, an incident level, and an incident description as shown in FIG.
  • the data display / operation unit 1056 displays the contents of the abnormal data 1055 on the incident list screen 71 and the incident cause analysis screen 72 shown in FIG. 10 to be described later, and, when an incident occurs, sends the security device 104 an instruction to deal with the incident.
  • the abnormality notification unit 1057 sends the abnormality data 1055 to the system monitoring device 103 together with the history data 1060-1 read from the history data storage unit 1060 (described later; see FIG. 6).
  • the alert notification unit 1058 notifies the site data management server 107 of the alert. This alert is accumulated in the site data management server 107.
  • the handling instruction unit 1059 transmits a handling instruction to the security device 104 through the data transmission / reception unit 1051.
  • the history data storage unit 1060 stores the history data 1060-1 described above.
  • the site data management server 107 includes an alert receiving unit 1071 and an alert storage unit 1072.
  • the alert receiving unit 1071 receives the alert relayed from the security monitoring device 105 by the one-way relay device 106.
  • the alert storage unit 1072 stores the alert received by the alert receiving unit 1071.
  • FIG. 3 is a network configuration diagram illustrating a configuration example of the subsystem.
  • the control system 10 may include a subsystem including the equipment 101, the control device 102, and the security device 104 as a set.
  • Subsystems 10a and 10b shown in FIG. 3 are connected to a network 108.
  • the operating time of the subsystems 10a and 10b is from 9:00 to 17:00, and the system monitoring time by the system monitoring device 103 is 24 hours.
  • a control server 101a1, controllers 101b1 and 101b2, and a security device 104a1 are connected to a subnetwork 108a1.
  • the controllers 101b1 and 101b2 are represented as “controller 1” and “controller 2”, respectively, and will be described as “controller 1” and “controller 2” in the following description.
  • in the subsystem 10b, a control server 101a2, controllers 101b3 and 101b4, and a security device 104a2 are connected to the sub network 108a2.
  • controllers 101b3 and 101b4 are referred to as “controller 3” and “controller 4”, respectively, and will be described as “controller 3” and “controller 4” in the following description.
  • the field maintenance staff 109 monitors, through the system monitoring device 103, the status of the devices in the subsystems 10a and 10b and of the sub networks 108a1 and 108a2 connected to the network 108. For example, an incident may occur in controller 1 that attacks a device in the subsystem 10a or a device in the subsystem 10b. At this time, the system monitoring device 103 displays the device that is attacking or performing a suspicious operation and the status of the subsystem that includes the device. The field maintenance staff 109 operating the system monitoring apparatus 103 can then disconnect the apparatus that is the source of the incident from the subsystem.
  • FIG. 4 is a block diagram illustrating a hardware configuration example of the computer C.
  • the computer C is hardware used as a so-called computer.
  • the computer C includes a CPU (Central Processing Unit) C1, a ROM (Read Only Memory) C2, and a RAM (Random-access Memory) C3 connected to the bus C4. Further, the computer C includes a display unit C5, an operation unit C6, a nonvolatile storage C7, and a network interface C8.
  • CPU Central Processing Unit
  • ROM Read Only Memory
  • RAM Random-access Memory
  • the CPU C1 reads the program code of software that realizes each function according to the present embodiment from the ROM C2, and executes it.
  • the display unit C5 is, for example, a liquid crystal display monitor, and displays a result of processing performed by the computer C.
  • a keyboard, a mouse, or the like is used for the operation unit C6, and the field maintenance staff 109 or the security specialist 202 can perform predetermined operation input and instructions.
  • the system monitoring device 103, the security monitoring device 105, and the incident management server 201 are provided with a display unit C5 and an operation unit C6.
  • the control device 102, the security device 104, the one-way relay device 106, the field data management server 107, and the physical security server 401 need not include the display unit C5 and the operation unit C6.
  • for the non-volatile storage C7, for example, an HDD (Hard Disk Drive), an SSD (Solid State Drive), a flexible disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, or a nonvolatile memory is used.
  • OS Operating System
  • a program for causing the computer C to function is recorded in the nonvolatile storage C7.
  • the ROM C2 and the non-volatile storage C7 record the programs and data necessary for the operation of the CPU C1, and are used as an example of a computer-readable non-transitory recording medium that stores the programs executed by the computer C. Therefore, this program is permanently stored in the ROM C2 and the non-volatile storage C7.
  • NIC Network Interface Card
  • various data can be transmitted and received between devices via a LAN (Local-area Network) connected to a terminal, a dedicated line, or the like.
  • FIG. 5 is an explanatory diagram showing a configuration example of the abnormal data 1055 that the security monitoring apparatus 105 has.
  • the abnormal data 1055 shown in the upper part of FIG. 5 includes a time 1055-1, a target device 1055-2, an incident level 1055-3, and an incident description 1055-4.
  • the time 1055-1 stores the alert occurrence time transmitted from the control device 102 and the security device 104, that is, the incident occurrence time.
  • the target device 1055-2 stores the IP (Internet Protocol) address of the incident occurrence source.
  • the incident level 1055-3 stores a level determined by the severity of the incident.
  • the incident description 1055-4 stores the description of the incident.
  • the abnormal data 1055 indicates that, at the alert occurrence time “January 30, 2017 15:30:50”, an incident with incident level “3” occurred at the apparatus assigned “192.168.1.55” as its IP address. The content of the incident indicates that an unauthorized device is connected to the device assigned “192.168.1.55” as its IP address.
  • the incident level definition data shown at the bottom of FIG. 5 stores the contents and definition of incidents for each incident level.
  • the incident level definition data is stored in, for example, the data reception / analysis unit 1031 of the system monitoring apparatus 103.
  • the incident level definition data includes an incident level 1055-3, an incident 1055-3-1, and a system definition 1055-3-2.
  • The incident level 1055-3 is uniquely determined by the incident 1055-3-1, which is obtained by comparing the abnormal scenario 1053 with the alert acquired from the control device 102 or the security device 104 and stored in the alert storage unit 1052. For example, incident level “1” indicates a minor incident (minor failure), and incident levels “2” and “3” indicate more serious incidents (major failures). In the present embodiment, three incident levels, “1” to “3”, are defined, but more levels may be defined.
  • the system definition 1055-3-2 is data for the system monitoring apparatus 103 to recognize the abnormal data 1055 transmitted from the security monitoring apparatus 105 to the system monitoring apparatus 103. For example, “warning”, “abnormal”, and the like are stored in the system definition 1055-3-2.
  • FIG. 6 is an explanatory diagram showing a configuration example of history data 1060-1 included in the security monitoring apparatus 105.
  • the history data 1060-1 includes an entry / exit time 1060-1-1, an exit time 1060-1-2, a user ID 1060-1-3, and a name 1060-1-4.
  • the entry / exit time 1060-1-1 is the time when the on-site maintenance staff 109 or the engineer 112 entered the control system 10, and the exit time 1060-1-2 is the time when the on-site maintenance staff 109 or the engineer 112 exited the control system 10.
  • the user ID 1060-1-3 is the ID of the ID card uniquely lent to the field maintenance staff 109 or the engineer 112, and the name 1060-1-4 is the name of the user associated with that ID card or ID.
  • FIG. 7 is a flowchart showing a procedure in which the security monitoring device 105 collects alerts from the control device 102 and the security device 104, collects history data 1060-1 from the physical security server 401, and notifies the system monitoring device 103 of abnormal data 1055.
  • the control device 102, the security device 104, and the physical security server 401 transmit alerts and history data 1060-1 to the security monitoring device 105 in the same procedure.
  • a process in which the control apparatus 102 transmits an alert and the physical security server 401 transmits history data 1060-1 will be described, and a description of a process in which the security device 104 transmits an alert will be omitted.
  • an alert is acquired in the data collection / analysis unit 1021 of the control device 102, and history data 1060-1 is collected in the data collection unit 4011 of the physical security server 401 (S1).
  • the data collection / analysis unit 1021 of the control device 102 checks whether there is an alert not yet transmitted to the security monitoring device 105, and the data transmission unit 4013 checks whether there is history data 1060-1 not yet transmitted to the security monitoring apparatus 105 (S2). If there is an untransmitted alert (YES in S2), the alert transmitter 1023 transmits the alert to the security monitoring device 105 (S3); likewise, the data transmission unit 4013 transmits untransmitted history data 1060-1 to the security monitoring device 105 (S3). If there is neither an unsent alert nor unsent history data 1060-1 (NO in S2), the data collection / analysis unit 1021 again waits to acquire an alert, and the data collection unit 4011 again waits to acquire history data 1060-1.
  • the alert analysis / determination unit 1054 of the security monitoring apparatus 105 acquires and analyzes the alert transmitted from the control apparatus 102 and the history data 1060-1 transmitted from the physical security server 401 (S4). Then, the alert analysis / determination unit 1054 compares the alert and history data 1060-1 with the abnormal scenario 1053 and checks whether there is an incident (S5). The comparison is made, for example, by checking whether the change in the alert and history data 1060-1 matches the change defined in the abnormal scenario 1053.
  • If the alert analysis / determination unit 1054 determines that there is no incident (NO in S5), it waits for the next alert and history data 1060-1. On the other hand, if the alert analysis / determination unit 1054 determines that there is an incident (YES in S5), the abnormality notification unit 1057 notifies the system monitoring device 103 of the abnormality data 1055 (S6).
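The correlation of steps S4 to S6, as an added example that is not the patent's own code: alerts and entry/exit history data are matched against abnormal scenarios and turned into abnormal data carrying an incident level taken from an incident level definition table (mirroring the fields of 1055, 1060-1 and the definition data described above). The alert kinds, the scenario rules and threshold, the mapping of levels to minor/major failure and the sample alerts are assumptions, not taken from the patent; the example goes slightly beyond the page in that the same "device connected" alert is graded differently depending on whether anyone with a lent ID card is on site.

```python
# Added example, not code from the patent: a correlation step in the spirit of the
# alert analysis/determination unit 1054. Field names, scenario rules, threshold and
# sample data are assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Alert:
    time: datetime
    source_ip: str
    kind: str                      # assumed kinds: "device_connected", "packet_flood"


@dataclass(frozen=True)
class HistoryRecord:               # one entry/exit of a lent ID card (history data 1060-1)
    entry_time: datetime
    exit_time: Optional[datetime]  # None: the holder has not exited yet
    user_id: str
    name: str


@dataclass(frozen=True)
class AbnormalData:                # abnormal data 1055 sent to the system monitoring device
    occurrence_time: datetime
    location: str
    incident_level: int
    description: str
    system_definition: str


# Incident level definition data: incident -> (incident level, system definition)
INCIDENT_LEVELS = {
    "new device on network": (1, "warning"),
    "unauthorized device connected": (3, "abnormal"),
    "large number of packets from device": (3, "abnormal"),
}


def system_status(level: int) -> str:
    """Grading the system monitoring device applies: level 1 minor failure, 2 and 3 major."""
    return "minor failure" if level == 1 else "major failure"


def on_site(history: list[HistoryRecord], t: datetime) -> list[HistoryRecord]:
    """ID cards that were inside the control system at time t."""
    return [h for h in history if h.entry_time <= t and (h.exit_time is None or t <= h.exit_time)]


# Each scenario returns the alerts that, together with the history data, match it.
def unauthorized_device(alerts, history):
    # A device appears while nobody with a lent ID card is on site.
    return [a for a in alerts if a.kind == "device_connected" and not on_site(history, a.time)]


def device_during_maintenance(alerts, history):
    # Same alert with someone inside: reported as a warning rather than dropped.
    return [a for a in alerts if a.kind == "device_connected" and on_site(history, a.time)]


def packet_flood(alerts, history, threshold=10, window=timedelta(seconds=60)):
    # At least `threshold` flood alerts from one source within `window`; report the first.
    by_ip: dict[str, list[Alert]] = {}
    for a in alerts:
        if a.kind == "packet_flood":
            by_ip.setdefault(a.source_ip, []).append(a)
    hits = []
    for group in by_ip.values():
        group.sort(key=lambda a: a.time)
        for i, first in enumerate(group):
            if sum(1 for b in group[i:] if b.time - first.time <= window) >= threshold:
                hits.append(first)
                break
    return hits


@dataclass
class Scenario:
    incident: str                  # key into INCIDENT_LEVELS
    match: Callable[[list[Alert], list[HistoryRecord]], list[Alert]]


SCENARIOS = [
    Scenario("unauthorized device connected", unauthorized_device),
    Scenario("new device on network", device_during_maintenance),
    Scenario("large number of packets from device", packet_flood),
]


def analyze(alerts: list[Alert], history: list[HistoryRecord],
            scenarios: list[Scenario] = SCENARIOS) -> list[AbnormalData]:
    """Steps S4/S5: compare alerts and history data with the scenarios; build abnormal data."""
    out = []
    for sc in scenarios:
        level, sysdef = INCIDENT_LEVELS[sc.incident]
        for a in sc.match(alerts, history):
            out.append(AbnormalData(a.time, a.source_ip, level, sc.incident, sysdef))
    return sorted(out, key=lambda d: d.occurrence_time)


# Constructed sample input (not real data).
DAY = datetime(2017, 1, 30)
SAMPLE_HISTORY = [HistoryRecord(DAY.replace(hour=9), DAY.replace(hour=12), "CARD-0007", "engineer A")]
SAMPLE_ALERTS = (
    [Alert(DAY.replace(hour=10, minute=15), "192.168.1.60", "device_connected"),
     Alert(DAY.replace(hour=15, minute=30, second=50), "192.168.1.55", "device_connected")]
    + [Alert(DAY.replace(hour=15, minute=31) + timedelta(seconds=2 * i), "192.168.1.20", "packet_flood")
       for i in range(12)]
)

if __name__ == "__main__":
    for d in analyze(SAMPLE_ALERTS, SAMPLE_HISTORY):
        print(d.occurrence_time, d.location, d.incident_level, system_status(d.incident_level), d.description)
```

Running the block reports three incidents: a level 1 warning for the device that appeared while engineer A was on site, a level 3 unauthorized device at 192.168.1.55 after everyone had left, and a level 3 packet flood from 192.168.1.20. Because the history data changes the verdict, the physical security feed must itself be trustworthy; a stale or spoofed entry record would downgrade a real intrusion.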
  • FIG. 8 is an explanatory diagram showing a display example of the system monitoring screen 30 displayed on the data display / operation unit 1034 of the system monitoring apparatus 103.
  • the system monitoring screen 30 is implemented as one function of the data display / operation unit 1034 of the system monitoring apparatus 103.
  • the system monitoring screen 30 displays a display time 31, legend information 32, a system monitoring area 33, and the like.
  • the system monitoring area 33 shows a state in which a monitoring / operation terminal, a maintenance terminal, and a system monitoring device are connected to the network 1 (network 108 shown in FIG. 3).
  • the control server, the controller 1, the controller 2, and the security device 104 are shown connected to the network 2 (subnetwork 108a1 shown in FIG. 3).
  • the monitoring / operation terminal, the maintenance terminal, the control server, and the controllers 1 and 2 displayed in the system monitoring area 33 are all examples of the control device 102 shown in FIG.
  • the system monitoring device 103 receives the various alerts generated by the monitoring / operation terminal, the maintenance terminal, the control server, the controllers 1 and 2 and the security device 104, as well as the abnormal data based on the history data generated by the entrance / exit management device 110, and displays the status of each device (major failure, minor failure, network abnormality, other abnormality, etc.) on the system monitoring screen 30.
  • the field maintenance person 109 who operates the system monitoring device 103 looks at the system monitoring screen 30 and confirms what kind of abnormality has occurred in the device in which the alert has occurred. Then, when the field maintenance worker 109 clicks an icon indicating a control server, for example, detailed information 34 shown at the bottom of FIG. 8 is displayed. In the following description, a state in which a screen is displayed when a certain icon is clicked is represented by a dashed arrow.
  • the detailed information 34 displays the type of abnormality, the name of the device in which the abnormality has occurred, and the content of the abnormality. Thereby, the field maintenance staff 109 can know the details of the abnormality and can deal with the abnormality.
  • FIG. 9 is a flowchart illustrating a procedure in which the system monitoring apparatus 103 analyzes the abnormal data 1055 received from the security monitoring apparatus 105.
  • In FIG. 9, the security monitoring apparatus 105 is coupled to the connector B shown in FIG. 7, and the system monitoring apparatus 103 is coupled to the connector C shown in FIG.
  • the data reception / analysis unit 1031 analyzes the abnormal data 1055 notified from the security monitoring apparatus 105. Then, the data reception / analysis unit 1031 refers to the incident level definition data and assigns information indicating an abnormality of the system monitoring apparatus 103 to the abnormality data 1055 according to the incident level 1055-3 of the abnormality data 1055 (S11). Examples of such information are a minor failure and a major failure.
  • the data display / operation unit 1034 updates the display content of the system monitoring screen 30 based on the abnormality data 1055 to which information indicating abnormality is assigned (S12). Thereby, information (for example, legend information 32) indicating an abnormality detected by each device is displayed on the icon of each device.
  • the field maintenance worker 109 determines whether a system abnormality has occurred in the control system 10 based on the display content of the system monitoring screen 30 (S13).
  • an abnormality occurring in the control system 10 is referred to as a “system abnormality”.
  • the system abnormality represents, for example, an incident that has occurred in the facility 101, and is an abnormality that can be dealt with as usual by the field maintenance staff 109 using a manual or the like.
  • If the field maintenance person 109 determines that a system abnormality has occurred (YES in S13), the field maintenance person 109 deals with the system abnormality through the system monitoring screen 30 (S14).
  • Otherwise, the abnormality is a security abnormality and is handled on the security monitoring device 105. A security abnormality is an abnormality that needs to be dealt with by the security monitoring apparatus 105. For this reason, the field maintenance staff 109 takes measures against the security abnormality in the security monitoring apparatus 105 as shown in FIG. 10.
  • FIG. 10 is an explanatory view showing a display example of an incident list screen 71 and an incident cause analysis screen 72, which the field maintenance staff 109 uses to analyze the cause of an incident and deal with it by operating the security monitoring device 105.
  • the incident list screen 71 is displayed when the field maintenance worker 109 starts the execution program of the security monitoring apparatus 105.
  • the incident list screen 71 shown in the upper part of FIG. 10 is a screen that displays the incident source identified by the security monitoring apparatus 105 and the range in which the incident occurred.
  • the incident list screen 71 displays the occurrence time indicating the incident occurrence time, the occurrence location indicating the incident occurrence location, the incident level indicating the level of the incident that has occurred, and the content of the incident that has occurred.
  • the incident occurrence time is normally the same as the occurrence time of the alert generated in the facility 101 or the security device 104, but may be a different time.
  • a cause analysis button 711 is displayed at the upper right of the incident list screen 71.
  • When the field maintenance worker 109 clicks the cause analysis button 711, one of the incident cause analysis screens 72 shown in the lower left or lower right of FIG. 10 is displayed according to the contents of the incident.
  • the incident cause analysis screen 72 is used by the field maintenance staff 109 to perform the cause analysis of the incident.
  • the incident cause analysis screen 72 displays a drop-down list for selecting the device in which the incident occurred (referred to as the “target device”). When the field maintenance worker 109 selects the target device 721-1 from the drop-down list, one of the incident transition areas 721-2 and 722-2 is displayed on the incident cause analysis screen 72. Which of the two is displayed depends on the incident that actually occurred, in this example the attack.
  • the security monitoring device 105 instructs the security device 104 to deal with the incident.
  • the incident transition area 721-2 shows how the target device attacks the same network.
  • An attack on the same network means, for example, that the controller 1 of the subsystem 10a illustrated in FIG. 3 attacks the controller 2 connected to the same subnetwork 108a1.
  • In the example, the incident transition area 721-2 shows that 16 incidents have occurred at the controller 1.
  • a device that is connected to the subnetwork 108a1 to which the controller 1 is connected and is under attack is indicated by the same circle icon as the controller 1.
  • the field maintenance worker 109 takes action by clicking the button 721-3 for disconnecting the cause device. As a result, the device that caused the incident (referred to as the “cause device”) is disconnected from the network, which prevents the cause device from attacking other devices on the same network.
  • the incident transition area 722-2 shows a state in which the target device attacks another network. That the target device attacks another network is, for example, that the controller 1 of the subsystem 10a illustrated in FIG. 3 attacks the controller 4 connected to the subnetwork 108a2 of the other subsystem 10b. A device that is connected to a subnetwork different from the subnetwork 108a1 to which the controller 1 is connected and is under attack is indicated by a square icon different from that of the controller 1.
  • the field maintenance worker 109 takes action by clicking the button 721-4 for isolating the network. As a result, the security device 104 isolates the network targeted by the cause device and prevents the cause device from attacking other networks.
  • FIG. 11 is a flowchart showing the procedures of incident analysis and incident handling of the security monitoring apparatus 105. In FIG. 11, the security device 104 is coupled to the connector A illustrated in FIG. 7, and the security monitoring device 105 is coupled to the connector D illustrated in FIG.
  • the field maintenance worker 109 operates the security monitoring device 105 to start a security monitoring screen (not shown) (S21) and displays the incident list screen 71 (S22).
  • the incident list screen 71 is a screen that is displayed on the security monitoring apparatus 105 after transitioning from the security monitoring screen.
  • the field maintenance worker 109 checks whether or not a serious incident has occurred according to the incident level displayed on the incident list screen 71 (S23).
  • a serious incident is, for example, an incident with a high incident level (“3”).
  • If the site maintenance staff 109 determines that no serious incident has occurred (NO in S23), the site maintenance staff 109 returns to step S22 and continues monitoring the incident list screen 71.
  • If a serious incident has occurred (YES in S23), the cause analysis button 711 is clicked to display the incident cause analysis screen 72 (S24).
  • the field maintenance worker 109 checks on the incident cause analysis screen 72 whether or not the cause of the incident is in the specific device (S25).
  • the specific device is, for example, a device in the control system 10 that is considered to have a high possibility of causing an incident when the security monitoring device 105 detects the occurrence of an incident. At the time of step S25, it is unknown whether the specific device is the cause device.
  • Next, the security monitoring device 105 checks whether or not the attack is within the same network (S26). If it determines that the attack is not within the same network (NO in S26), the process proceeds to step S29. On the other hand, if the attack is within the same network (YES in S26), the field maintenance staff 109 confirms whether disconnecting the specific device that caused the incident, that is, the cause device, from the network would affect the business (S27).
  • For example, the field maintenance worker 109 can decide that the controller 1 may be disconnected if operation is not affected even when the controller 1 is disconnected. On the other hand, if the field maintenance worker 109 judges that disconnecting the controller 1 would affect the business, it can decide not to disconnect the controller 1 from the network 2.
  • If disconnecting the cause device would affect the business (YES in S27), the present process is terminated without disconnecting the cause device.
  • If not (NO in S27), the field maintenance staff 109 instructs the security device 104, from the security monitoring device 105, to disconnect the cause device (S28).
  • the cause device disconnection instruction is performed when the field maintenance staff 109 clicks the button 721-3 for disconnecting the cause device shown in FIG.
  • the security device 104 then disconnects the cause device in accordance with the instruction from the security monitoring device 105 (S33). As a result, the cause device can no longer attack the other devices.
  • If the security monitoring apparatus 105 determines in step S26 that the attack is not within the same network (NO in S26), the field maintenance staff 109 checks whether or not the attack is on another network (S29). If the attack is on another network (YES in S29), the field maintenance staff 109 determines whether or not isolating the other network that is the attack target would affect the business (S30). If isolating the other network would affect the business (YES in S30), this process is terminated without isolating the other network.
  • If not (NO in S30), the field maintenance staff 109 issues an instruction to the security device 104 to isolate the other network attacked by the cause device (S31).
  • the instruction to isolate the other network is made when the field maintenance staff 109 clicks the button 721-4 for isolating the network shown in FIG.
  • the security device 104 isolates the other network in accordance with the instruction from the security monitoring device 105 (S34). Thereby, other networks can be protected from attacks.
  • Finally, the field maintenance worker 109 closes the security monitoring screen (S32).
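The branch structure of FIG. 11 (S26 to S34) as an added example, not the patent's code. It classifies each attacked device by the subnetwork it shares, or does not share, with the cause device and produces the instruction the security monitoring device 105 would pass to the security device 104; the operator's business-impact answers for S27 and S30 are supplied by a callback. It generalizes the flowchart slightly in that a cause device attacking both its own and another network yields both instructions. The subnetwork layout, the addresses and the helper names are assumptions.

```python
# Added example, not code from the patent: the decision of FIG. 11 as a function.
# Subnet layout and sample addresses are assumptions.
import ipaddress

# Assumed site layout modelled on FIG. 3: two subnetworks behind the site network.
SUBNETS = {
    "subnetwork 108a1": ipaddress.ip_network("192.168.1.0/24"),
    "subnetwork 108a2": ipaddress.ip_network("192.168.2.0/24"),
}


def network_of(ip: str) -> str:
    """Name of the subnetwork an address belongs to; unknown addresses are an error."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known subnetwork")


def decide_response(cause_ip: str, target_ips: list, business_impact) -> list:
    """Instructions the security monitoring device would give the security device.

    business_impact(kind, obj) -> bool stands in for the operator's answer to
    S27 (kind "disconnect", obj = cause device) and S30 (kind "isolate", obj = network).
    Each instruction is (action, object, detail).
    """
    cause_net = network_of(cause_ip)
    same_net = [t for t in target_ips if network_of(t) == cause_net]
    other_nets = sorted({network_of(t) for t in target_ips} - {cause_net})
    instructions = []
    if same_net:                                      # S26: attack within the same network
        if business_impact("disconnect", cause_ip):   # S27: operator says operations would suffer
            instructions.append(("no_action", cause_ip, "disconnect would affect operations"))
        else:                                         # S28/S33: button 721-3
            instructions.append(("disconnect_device", cause_ip, cause_net))
    for net in other_nets:                            # S29: attack on another network
        if business_impact("isolate", net):           # S30
            instructions.append(("no_action", net, "isolation would affect operations"))
        else:                                         # S31/S34: button 721-4
            instructions.append(("isolate_network", net, cause_ip))
    return instructions


if __name__ == "__main__":
    def ask(kind, obj):
        # Stand-in for the operator's S27/S30 judgement: no business impact.
        return False
    # Controller 1 (192.168.1.10, assumed) attacking controller 2 on its own subnetwork
    # and controller 4 on the other one.
    for step in decide_response("192.168.1.10", ["192.168.1.11", "192.168.2.10"], ask):
        print(step)
```

Note that a "no_action" record is returned rather than silently dropping the branch: the decision to leave an attacking controller connected for business reasons is itself something the incident record should capture, since the security expert later needs to know why the attack continued.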
  • FIG. 12 is a flowchart illustrating a procedure in which the security monitoring apparatus 105 transmits alert, abnormality data 1055, and history data 1060-1 to the incident management server 201 of the monitoring center 20.
  • In FIG. 12, the alert notification unit 1058 of the security monitoring device 105 acquires an alert from the alert storage unit 1052, and the abnormality notification unit 1057 acquires the abnormality data 1055 and acquires the history data 1060-1 from the history data storage unit 1060 (S41). Then, the alert notification unit 1058 checks whether there is an alert not yet transmitted to the monitoring center 20, and the abnormality notification unit 1057 checks whether there are abnormality data 1055 and history data 1060-1 not yet transmitted to the monitoring center 20 (S42).
  • If there is untransmitted data (YES in S42), the alert notification unit 1058 reads the alert stored in the alert storage unit 1052 and transmits it to the one-way relay device 106, and the abnormality notification unit 1057 transmits the abnormality data 1055 and history data 1060-1 to the one-way relay device 106 (S43). The process then returns to step S41, and the alert notification unit 1058 and the abnormality notification unit 1057 wait for the next data to transmit.
  • the alert, abnormality data 1055, and history data 1060-1 transmitted from the security monitoring device 105 are relayed to the field data management server 107 by the one-way relay device 106 (S44).
  • Alerts, abnormality data 1055 and history data 1060-1 relayed from the one-way relay device 106 are stored in the field data management server 107 (S45).
  • the incident management server 201 of the monitoring center 20 determines whether it is time to acquire the alert, abnormality data 1055, and history data 1060-1 from the site data management server 107 (S46).
  • the time at which the alert, abnormal data 1055 and history data 1060-1 are acquired may be, for example, a fixed time of day or a fixed interval such as every 30 minutes.
  • When it is time to acquire the data (YES in S46), the incident management server 201 queries the site data management server 107 for the presence or absence of alerts, abnormality data 1055 and history data 1060-1, and acquires them from the site data management server 107 (S47). At this time, the incident management server 201 confirms whether any alert, abnormality data 1055 or history data 1060-1 that it has not yet acquired has accumulated in the site data management server 107, and acquires only that unacquired data. Then, the incident management server 201 stores the alert, abnormality data 1055 and history data 1060-1 in a storage unit (not shown) provided in the incident management server 201 (S48).
  • If it is not yet time to acquire the data (NO in S46), the incident management server 201 waits until the next acquisition time.
  • Alternatively, the incident management server 201 may acquire the alert, abnormality data 1055 and history data 1060-1 from the field data management server 107 immediately after they have accumulated there.
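A caveat a practitioner will want here: a one-way relay device has no return channel, so the field data management server can neither acknowledge nor request a retransmission, and the incident management server must be able to tell on its own which records it has not yet acquired and whether anything was lost or altered on the way. The following added example, which is not the patent's code, shows one way to do that: the security monitoring device numbers and authenticates every record with an HMAC, the field data management server keeps what arrives and ignores relay duplicates, and the incident management server acquires only records above its last-seen sequence number and records any gap. The record layout, the shared key and the sample frames are assumptions.

```python
# Added example, not code from the patent: store-and-forward across the one-way relay.
# Record layout, shared key and sample data are assumptions.
import hashlib
import hmac
import json


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class SecurityMonitoringSender:        # security monitoring device 105 side (S43)
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def frame(self, kind: str, payload: dict) -> dict:
        """Number and authenticate one record before handing it to the relay."""
        self.seq += 1
        body = json.dumps({"seq": self.seq, "kind": kind, "payload": payload}, sort_keys=True)
        return {"body": body, "mac": _mac(self.key, body)}


class FieldDataStore:                  # field data management server 107 (S44/S45)
    def __init__(self, key: bytes):
        self.key, self.records = key, {}

    def receive(self, frame: dict) -> bool:
        """Keep an authentic frame; drop one that was corrupted or forged in transit."""
        if not hmac.compare_digest(frame["mac"], _mac(self.key, frame["body"])):
            return False
        rec = json.loads(frame["body"])
        self.records.setdefault(rec["seq"], rec)   # a duplicate from the relay is harmless
        return True

    def since(self, seq: int) -> list:
        """Records newer than a sequence number, in order (the S47 query)."""
        return [self.records[s] for s in sorted(self.records) if s > seq]


class IncidentManagementClient:        # incident management server 201 (S46 to S48)
    def __init__(self):
        self.last_seq, self.store, self.gaps = 0, [], []

    def acquire(self, field_store: FieldDataStore) -> int:
        """Fetch unacquired records and note missing sequence ranges; returns the count fetched."""
        new = field_store.since(self.last_seq)
        for rec in new:
            if rec["seq"] != self.last_seq + 1:      # lost on the one-way path: cannot be re-requested
                self.gaps.append((self.last_seq + 1, rec["seq"] - 1))
            self.store.append(rec)
            self.last_seq = rec["seq"]
        return len(new)


def demo():
    """Five records sent; the relay loses seq 3 and duplicates seq 4 (constructed scenario)."""
    key = b"site-1-shared-key"         # assumed shared secret, provisioned out of band
    sender, store = SecurityMonitoringSender(key), FieldDataStore(key)
    center = IncidentManagementClient()
    frames = [sender.frame("alert", {"ip": f"192.168.1.{i}"}) for i in range(1, 6)]
    relayed = [frames[0], frames[1], frames[3], frames[3], frames[4]]
    for f in relayed:
        store.receive(f)
    fetched = center.acquire(store)
    return fetched, center.last_seq, center.gaps


if __name__ == "__main__":
    print(demo())
```

The HMAC protects against a record being altered between the relay and the monitoring center, but since the key is shared, the center cannot prove to a third party who produced a record; a per-site signing key on the security monitoring device would give that property at the cost of key management on the site side. The gap list is what an operator should review after each acquisition, because on a one-way path a missing sequence number is the only evidence that an alert never left the site.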
  • the security monitoring system 1 not only enables incident analysis and response by the security monitoring device 105, but also enables fundamental analysis and examination of root countermeasures by the security expert 202 using the incident management server 201.
  • the incident management server 201 not only stores alerts, abnormality data 1055, and history data 1060-1 acquired from the security monitoring apparatus 105 over a long period of time, but also stores data of other control systems 10.
  • the security expert 202 can thus use the incident management server 201 to examine the incident that has occurred broadly and in detail, and to examine countermeasures, using the knowledge and know-how of the security expert 202.
  • Next, the incident analysis screen used by the security expert 202 of the monitoring center 20 to perform root cause analysis and to examine root countermeasures is described.
  • FIG. 13 is an explanatory diagram showing a display example of an incident analysis screen displayed on the incident management server 201.
  • the incident analysis screen 1001 is displayed on the incident management server 201 when the security expert 202 activates the execution program in the incident management server 201.
  • the incident analysis screen 1001 is used by the security expert 202 to analyze an incident. First, on the incident analysis screen 1001, only the site name 1002 and the target device 1003 are displayed.
  • In the site name 1002, a site name (customer name) uniquely given to the control system 10 is displayed; in this example, “customer 1” is displayed as the site name.
  • In the target device 1003, information for specifying the device (target device) whose incident the security expert 202 intends to analyze is displayed. Examples of information for specifying the target device are an IP address dynamically assigned to the device and a device name.
  • the incident list 1004 and the incident transition area 1005 are displayed on the incident analysis screen 1001 as information related to the incident that occurred in the target device 1003 selected by the security expert 202 to confirm the contents of the incident.
  • the incident list 1004 displays a list of incidents that have occurred in the control system 10. For example, incidents that have occurred in the control server selected by the target device 1003 are shown.
  • In the incident list 1004, the time at which the incident occurred in the apparatus selected in the target apparatus 1003 by the security expert 202, the incident level, and the contents of the incident are displayed. From the incident list 1004 it can be seen, for example, that the incident with incident level “3” at time “January 10, 2017 12:35:40” has the content “a large number of packets have been transmitted from the specific device”.
  • In the incident transition area 1005, the incident levels displayed in the incident list 1004 and the number of incidents at each level are displayed.
  • The arrows in the figure indicate the origin of the incident and that another incident has occurred under the influence of that origin. The incident transition area 1005 shows that one incident with incident level “1” occurred in the control server, and that 16 incidents with incident level “3” occurred under the influence of that level “1” incident.
  • In addition, an incident transition area 1006 (displayed by origin) that visualizes the transition of the incident is displayed. From the incident transition area 1006 it can be seen that the origin of the incident that occurred in the control server is the maintenance terminal: one maintenance terminal became the origin of one incident with incident level “1” and 10 incidents with incident level “3”.
  • the root countermeasure setting screen 1008 is used to set information on an incident source and a root countermeasure to the incident origin.
  • the root countermeasure setting screen 1008 displays a drop-down list in which information about the target device, root cause, root countermeasure, etc. can be set.
  • the security expert 202 refers to the incident transition area 1005 and the incident transition area (displayed by origin) 1006, and clicks a setting button 1008-1 on the root countermeasure setting screen 1008 to set the target device, root cause and root countermeasure. For example, since the root cause of the incident that occurred in the maintenance terminal is a virus infection, virus removal is set as the root countermeasure.
  • Similar root cause search results 1009-1 are displayed under the incident transition area 1006.
  • the similar root cause search result 1009-1 displays the root causes of past incidents that are similar to the root cause of the incident that occurred this time, together with information indicating which root causes were adopted in the past and set on the root countermeasure setting screen 1008. In the example, the similar root cause search result 1009-1 indicates that “the target device was infected with a virus” was adopted and set as the root cause 10 times in the past.
  • FIG. 14 is an explanatory diagram showing a display example of the history data display result 1009-2.
  • In the history data display result 1009-2, history data 1060-1 near the times of the incidents in the incident list 1004 is displayed, based on the history data 1060-1 acquired from the physical security server 401 of the physical security system 40. That is, the history data display result 1009-2 shows the result of searching the history data 1060-1 by the incident occurrence time displayed in the incident list 1004.
  • This shows, for example, the engineer 112 who was near the device in which the incident occurred.
  • the security expert 202 can determine whether or not there has been an internal attack by analyzing the history data and the incident occurrence history.
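Two of the lookups behind the incident analysis screen, as an added example that is not the patent's code: the history data search of the history data display result 1009-2 (who was on site around the incident time, the input for the internal-attack judgement above) and the similar root cause search of result 1009-1 (how often each root cause was adopted for past incidents with a similar description). The matching rules, the tolerance window, the record layout and the sample records are assumptions.

```python
# Added example, not code from the patent: history data search around an incident time
# and a similar-root-cause count. Matching rules, record layout and sample data are
# assumptions.
import re
from collections import Counter
from datetime import datetime, timedelta

STOPWORDS = {"a", "an", "the", "of", "from", "to", "has", "have", "been", "is", "was", "on"}


def tokenize(text: str) -> set:
    """Lower-cased content words of an incident description."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def who_was_on_site(history: list, incident_time: datetime,
                    tolerance: timedelta = timedelta(minutes=30)) -> list:
    """History data records whose entry..exit stay overlaps incident_time +/- tolerance.

    An exit_time of None means the card holder had not left yet when the data was taken.
    """
    lo, hi = incident_time - tolerance, incident_time + tolerance
    hits = [h for h in history
            if h["entry_time"] <= hi and (h["exit_time"] is None or h["exit_time"] >= lo)]
    return sorted(hits, key=lambda h: h["entry_time"])


def similar_root_causes(past_incidents: list, description: str, min_overlap: int = 2) -> list:
    """(root cause, times adopted) for past incidents sharing >= min_overlap content words."""
    want = tokenize(description)
    counts = Counter()
    for p in past_incidents:
        if len(want & tokenize(p["description"])) >= min_overlap:
            counts[p["root_cause"]] += 1
    return counts.most_common()


# Constructed sample data (not real records).
INCIDENT_TIME = datetime(2017, 1, 10, 12, 35, 40)
SAMPLE_HISTORY = [
    {"entry_time": datetime(2017, 1, 10, 12, 0), "exit_time": datetime(2017, 1, 10, 13, 10),
     "user_id": "CARD-0007", "name": "engineer A"},
    {"entry_time": datetime(2017, 1, 10, 8, 0), "exit_time": datetime(2017, 1, 10, 9, 0),
     "user_id": "CARD-0012", "name": "maintenance staff B"},
    {"entry_time": datetime(2017, 1, 10, 12, 30), "exit_time": None,
     "user_id": "CARD-0003", "name": "maintenance staff C"},
]
PAST_INCIDENTS = [
    {"description": "large number of packets transmitted from controller",
     "root_cause": "the target device was infected with a virus"},
    {"description": "large number of packets sent from maintenance terminal",
     "root_cause": "the target device was infected with a virus"},
    {"description": "unauthorized device connected to network",
     "root_cause": "unauthorized external media used"},
    {"description": "large number of packets from control server",
     "root_cause": "misconfigured broadcast"},
]

if __name__ == "__main__":
    for h in who_was_on_site(SAMPLE_HISTORY, INCIDENT_TIME):
        print(h["name"], h["entry_time"], h["exit_time"])
    print(similar_root_causes(PAST_INCIDENTS,
                              "a large number of packets have been transmitted from the specific device"))
```

The tolerance window matters: an ID card that was swiped out shortly before the alert still belongs in the candidate list, because the alert time is the detection time, not necessarily the time the change was made. The root cause count is only a ranking aid for the expert; a high count says that a cause was adopted often, not that it is correct for this incident.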
  • When the security expert 202 presses the report output button 1008-2, a report output result 1010 is output.
  • the report output result 1010 is not only displayed in the incident analysis screen 1001 but may be printed on paper or the like.
  • the report output result 1010 displays an incident countermeasure report indicating how to deal with the incident.
  • the on-site maintenance staff 109 at the local site can know the root cause and the countermeasure of the incident examined by the security expert 202. Then, the field maintenance worker 109 can take measures to remove the virus from the maintenance terminal, for example, according to the report output result 1010.
  • FIG. 15 is a flowchart showing a procedure of fundamental analysis and examination of fundamental countermeasures performed by the security expert 202. The following processing is performed when the security specialist 202 operates the incident management server 201.
  • the security expert 202 in the monitoring center 20 inputs basic information (S51).
  • the basic information is, for example, information on devices constituting the control system 10.
  • the incident management server 201 displays the incident analysis screen 1001 (FIG. 13) (S52). Then, the security expert 202 uses the incident analysis screen 1001 to examine the cause of the incident and a countermeasure (S53).
  • the security expert 202 inputs the cause of the incident on the incident analysis screen 1001 (S54), and presses the report output button 1008-2 to output a report (S55).
  • The field maintenance staff 109 then actually takes action in the control system 10 at the site based on the output report (S56).
  • the security expert 202 determines whether or not the countermeasure has been completed at the local site (S57). If the security expert 202 determines that the countermeasure has been completed (YES in S57), the process ends. On the other hand, if it is determined that the countermeasure has not been completed (NO in S57), the security expert 202 returns to step S51 and analyzes the incident again.
  • FIG. 16 is a flowchart showing a procedure for fundamental countermeasure examination by fundamental analysis and utilization of countermeasure examples carried out by the security expert 202 of the monitoring center 20. The following processing is also performed by operating the incident management server 201 by the security expert 202. Steps S61 and S62 shown in FIG. 16 are the same processes as S51 and S52 shown in FIG.
  • the incident analysis screen 1001 displayed in step S62 displays incidents that occurred in the past similar to the incident that occurred this time and countermeasures that have been taken in the past (S63). Then, the security expert 202 examines the cause and countermeasure of the incident based on the display content of the incident analysis screen 1001 (S64), and outputs a report (S65). The field maintenance staff 109 actually takes action by the control system 10 provided at the site based on the output report (S66).
  • As in step S57 of FIG. 15, the security expert 202 determines whether or not the countermeasure has been completed at the local site (S67). If the countermeasure has been completed, the process ends. If not, the process returns to step S61 and the incident is analyzed again.
  • the control device 102 and the security device 104 send an alert to the security monitoring device 105.
  • history data 1060-1 is transmitted from the physical security server 401 to the security monitoring apparatus 105.
  • the security monitoring device 105 compares the alert collected from the control device 102 and the security device 104 and the history data 1060-1 collected from the physical security server 401 with the abnormal scenario 1053, and detects the presence or absence of an incident. If the incident is related to the control device 102, the system monitoring device 103 is instructed to deal with the incident. If the incident is related to security, the security device 104 is instructed to deal with the incident.
  • the field maintenance staff 109 can therefore quickly handle an incident using the control system 10 with which they are familiar.
  • Incidents that the field maintenance staff 109 cannot deal with alone are analyzed by the security specialist 202 operating the incident management server 201, drawing on how incidents have been handled in the past.
  • the field maintenance staff 109 and the security expert 202 can share the alert, the abnormality data 1055, and the history data 1060-1.
  • effective countermeasures are instructed from the security specialist 202 to the field maintenance staff 109.
  • the countermeasure instructed by the security specialist 202 is the same as or similar to the existing system monitoring method performed in the control system 10 operated by the field maintenance staff 109. For this reason, the field maintenance worker 109 can quickly deal with the incident by the method instructed by the security expert 202. In this way, the field maintenance staff 109 and the security specialist 202 can cooperate to deal with the incident.
  • the incident management server 201 and the site data management server 107 are connected by a secure network N such as VPN.
  • a one-way relay device 106 provided between the security monitoring device 105 and the field data management server 107 prevents unauthorized access from outside the control system 10. For this reason, it is possible to prevent an unauthorized process from being performed on each device in the control system 10 by a third party.
  • Alternatively, the control system 10 may omit the one-way relay device 106 and the on-site data management server 107. In that case the security monitoring apparatus 105 may transmit the alert, the abnormality data 1055 and the history data 1060-1 to the incident management server 201 every time an alert occurs.

Abstract

A security monitoring device transmits anomaly data to a system monitoring device upon sensing an incident occurrence in a control system. The system monitoring device analyzes the anomaly data, carries out a response to the incident, and instructs the security monitoring device to respond to incidents which the system monitoring device cannot respond to. An incident management server instructs an onsite maintenance worker to respond to incidents which neither the system monitoring device nor the security monitoring device could adequately respond to.

Description

Security monitoring system and security monitoring method
 The present invention relates to a security monitoring system and a security monitoring method.
 In recent years, control systems that monitor and control equipment such as pumps and valves have come to be connected to maintenance bases and other systems via networks, and O&M (Operation & Maintenance), in which a monitoring center located at a maintenance base remotely monitors the operation of the control system, is increasingly used. However, as a result of long-term maintenance, control systems are built from a mixture of old and new devices. Moreover, increasingly sophisticated and elaborate viruses, malware, unauthorized access and the like that target control system devices connected to the network (hereinafter called "external attacks") have made it difficult to fully defend a control system in advance. In addition to external attacks, there are unauthorized operations and the use of virus-infected external media by field maintenance workers and engineers who enter and leave the control system to update the programs of devices or to collect data from a device when it malfunctions (hereinafter called "internal attacks"); to deal with these, physical security systems such as entry/exit management devices and surveillance camera devices are being introduced.
 Nevertheless, as control systems are connected to networks and unauthorized operations by field maintenance workers and engineers occur, the possibility of security incidents is becoming apparent. An event that has an unforeseeable effect on a control system or the like is called an incident, and an incident that is in particular a threat to the security of the control system is called a security incident. In the following description, a security incident is also referred to simply as an "incident".
 One product for responding to incidents is, for example, SIEM (Security Information and Event Management). A SIEM collects the logs of the devices and equipment in a control system and analyzes them for the presence of incidents. Detecting the occurrence of an incident, analyzing whether the incident affects the control system, and taking action based on the analysis result (hereinafter collectively called "incident response") require the analyst to have advanced security knowledge. In a control system, incident response using a SIEM is assumed to be performed by the field maintenance workers in charge of monitoring and controlling the control system.
 However, field maintenance workers do not necessarily have sufficient security knowledge, so understanding the content of an incident that has occurred, distinguishing a system fault from an incident, and judging whether control system operation is affected took them time. In addition, field maintenance workers often could not make full use of a SIEM, which requires operations different from those in the conventional manuals. As a result, incident response by field maintenance workers alone took time and was sometimes performed incorrectly. Furthermore, a SIEM mainly handles only incidents caused by external attacks and does not support analysis of internal attacks. Therefore, although a SIEM can reveal that a specific device or piece of equipment in the control system is the cause, it was difficult to identify, for example, an incident caused by an unauthorized operation by a field maintenance worker or engineer inside the control system.
 As a technique enabling field maintenance workers with little security knowledge to respond to incidents in a control system, Patent Document 1 discloses a method of connecting the control system over a network to a monitoring center where security experts are stationed. Patent Document 1 discloses an event analysis system that uses a local prediction model, which predicts events from the monitored system, to detect an abnormal state of the monitored system, analyzes the process leading to that abnormal state, and presents the analysis result to maintenance workers and engineers.
Patent Document 1: JP 2016-99938 A
 When field maintenance workers handle an incident, they are required to follow the procedures in the manual prepared in advance for each piece of equipment at the local site. On the other hand, the way an engineer at the maintenance base handles an incident often differs from the manual procedure. Consequently, merely presenting the analysis result of the event analysis system disclosed in Patent Document 1 to the field maintenance workers meant that it took time until the field maintenance workers completed their handling of the incident.
 The present invention has been made in view of this situation, and its object is, for example, to enable field maintenance workers to handle detected incidents using the control system they are accustomed to.
 A security monitoring system according to the present invention includes: a control system that controls the operation of equipment; a physical security system that is connected to the control system via a network and monitors and controls the entry and exit of field maintenance workers, who use the control system, into and out of the control system; and an incident management server that is connected to the control system via a network and manages incidents occurring in the control system.
 The control system includes: a control device that detects alerts occurring in the equipment; a security device that detects alerts occurring in the control system; a system monitoring device that monitors the control system and handles incidents that have occurred in the control system; and a security monitoring device that compares alerts collected from the control device or the security device with abnormal scenarios and, upon detecting that an incident has occurred in the control system, transmits anomaly data including the content of the incident to the system monitoring device.
 The physical security system includes an entry/exit management device and a surveillance camera device, and a physical security server that manages their physical security history data.
 The system monitoring device analyzes the anomaly data, handles the incidents that it can handle, and instructs the security monitoring device to handle the incidents that it cannot. The security monitoring device handles the incidents it has analyzed in accordance with the instructions from the system monitoring device.
 The incident management server analyzes the alerts, anomaly data and physical security history data collected through the security monitoring device and instructs the field maintenance workers how to handle incidents that the system monitoring device and the security monitoring device could not fully handle.
 According to the present invention, field maintenance workers can not only handle incidents using the control system but can also handle, in a short time, incidents that the control system could not fully handle, by following the countermeasures instructed by the incident management server.
 Problems, configurations and effects other than those described above will become clear from the following description of the embodiments.
FIG. 1 is a block diagram showing an example of the overall configuration of a security monitoring system according to an embodiment of the present invention.
FIG. 2 is a block diagram showing an example of the internal configuration of each device constituting the control system according to an embodiment of the present invention.
FIG. 3 is a network configuration diagram showing an example of the configuration of a subsystem according to an embodiment of the present invention.
FIG. 4 is a block diagram showing an example of the hardware configuration of a computer according to an embodiment of the present invention.
FIG. 5 is an explanatory diagram showing an example of the structure of the anomaly data held by the security monitoring device according to an embodiment of the present invention.
FIG. 6 is an explanatory diagram showing an example of the structure of the history data held by the security monitoring device according to an embodiment of the present invention.
FIG. 7 is a flowchart showing the procedure by which the security monitoring device according to an embodiment of the present invention collects alerts from the control device and the security device, collects history data from the physical security server, and notifies the system monitoring device of anomaly data.
FIG. 8 is an explanatory diagram showing a display example of the system monitoring screen displayed on the data display/operation unit of the system monitoring device according to an embodiment of the present invention.
FIG. 9 is a flowchart showing the procedure by which the system monitoring device according to an embodiment of the present invention analyzes the anomaly data received from the security monitoring device.
FIG. 10 is an explanatory diagram showing display examples of the incident list screen and the incident cause analysis screen that a field maintenance worker according to an embodiment of the present invention uses, by operating the security monitoring device, to analyze the cause of an incident and handle it.
FIG. 11 is a flowchart showing the incident analysis and incident handling procedure of the security monitoring device according to an embodiment of the present invention.
FIG. 12 is a flowchart showing the procedure by which the security monitoring device according to an embodiment of the present invention transmits alerts, anomaly data and physical security history data to the incident management server of the monitoring center.
FIG. 13 is an explanatory diagram showing a display example of the incident analysis screen displayed on the incident management server according to an embodiment of the present invention.
FIG. 14 is an explanatory diagram showing a display example of a history data display result according to an embodiment of the present invention.
FIG. 15 is a flowchart showing the procedure of the root cause analysis and root countermeasure study carried out by a security expert according to an embodiment of the present invention.
FIG. 16 is a flowchart showing the procedure of the root cause analysis and the root countermeasure study using countermeasure examples carried out by a security expert according to an embodiment of the present invention.
 Embodiments for carrying out the present invention will be described below with reference to the accompanying drawings. In this specification and the drawings, components having substantially the same function or configuration are denoted by the same reference numerals, and duplicate description is omitted.
 FIG. 1 is a block diagram showing an example of the overall configuration of the security monitoring system 1. In this embodiment, the control system 10, which is built at a local site and controls the operation of the equipment 101, and the incident management server 201 of the monitoring center 20, which is built at a maintenance base, are connected via a network N such as the Internet, and the control system 10 and the physical security server 401 of the physical security system 40 are connected via a network 108. When connecting the control system 10 and the monitoring center 20, information leakage can be prevented by using a VPN (Virtual Private Network) device.
 The physical security system 40 is connected to the control system 10 via a network 113 and monitors and controls the entry and exit of the field maintenance worker 109 and the engineer 112 into and out of the control system 10. The physical security server 401 of the physical security system 40 manages the physical security history data (hereinafter called "history data") acquired from the entry/exit management device 110 and the surveillance camera 111.
 The control system 10 includes the equipment 101, a control device 102, a system monitoring device 103, a security device 104, a security monitoring device 105, a one-way relay device 106 and a field data management server 107. The equipment 101, the control device 102, the system monitoring device 103, the security device 104 and the security monitoring device 105 are connected via the network 108.
 The equipment 101 is, for example, the pumps and valves of a water treatment plant or the turbines of a power plant.
 The control device 102 is a generic term for the controllers, control servers, maintenance terminals and the like that monitor the equipment 101 and control its operation. When the control device 102 detects an alert occurring in the equipment 101, it transmits the alert, including the alert log, to the security monitoring device 105.
 The system monitoring device 103 monitors the control system 10 and handles incidents that have occurred in it. To this end, the system monitoring device 103 collects the status of the control device 102 and of the network 108 (fault in progress, operating, and so on) and displays that status on the system monitoring screen 30 shown in FIG. 8, described later. For example, the field maintenance worker 109 who uses the control system 10 keeps the control system 10 running by operating the system monitoring device 103 to monitor and control the state of the control system 10. The field maintenance worker 109 then handles incidents that occur in the equipment 101 and the like by referring to the manual or similar. If, on the other hand, an incident has occurred that the field maintenance worker 109 cannot handle alone, the field maintenance worker 109 asks the security expert 202 in the monitoring center 20 to deal with the incident and carries out the countermeasure instructed by the security expert 202.
 The security device 104 detects security alerts occurring in the control system 10 and defends in advance against incidents that could occur in the control system 10. When the security device 104 detects a security alert, it transmits the alert, including the alert log, to the security monitoring device 105. As the security device 104, for example, a firewall, an intrusion detection system (IDS) or an intrusion prevention system (IPS) is used. The security device 104 can detect and block much of the unauthorized access from outside.
 The security monitoring device 105 compares the alerts collected from the control device 102 or the security device 104 with abnormal scenarios 1053 (see FIG. 2, described later) that represent the behavior of incidents. When the security monitoring device 105 detects that an incident has occurred in the control system 10, it transmits anomaly data 1055 (see FIG. 2, described later) including the content of the incident to the system monitoring device 103.
 The system monitoring device 103 analyzes the anomaly data 1055 and handles the incidents that it can handle. The system monitoring device 103 displays the system monitoring screen 30 shown in FIG. 8, described later. The field maintenance worker 109 can therefore operate the system monitoring device 103 to handle, in accordance with the manual or similar, incidents that have occurred in the control system 10. For incidents that the system monitoring device 103 cannot handle, however, it instructs the security monitoring device 105 to handle them.
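The comparison of collected alerts against abnormal scenarios that the security monitoring device 105 performs is only described in outline above. The following is an added illustration, written for this page and not code from the patent or from Hitachi, of one way such a comparison can work: alerts of the kinds the description mentions (repeated login attempts, packets sent continuously to one port, an unauthorized device connected) are bucketed by device and peer, a scenario matches when a threshold number of alerts falls within a time window, and each match yields an anomaly data record with the fields the description lists for 1055 (occurrence time, device, incident level, content). The alert types, field names, thresholds and sample alerts are all constructed assumptions.

```python
"""Scenario matching for a security monitoring device (added example; not the patent's code).

Alerts collected from a control device (102) and a security device (104) are
compared with abnormal scenarios (1053) and, when a scenario matches, an anomaly
data record (1055) with the fields named in the description (occurrence time,
device, incident level, content) is produced. Alert types, field names and
thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hh, mm, ss):
    """Constructed timestamp on a single day."""
    return datetime(2018, 4, 10, hh, mm, ss)


# Constructed alerts (not real logs): source, affected device, alert type, peer and time.
ALERTS = (
    # six failed logins against PLC-01 from one peer within 40 seconds
    [{"time": _t(9, 0, 5 + 8 * i), "source": "control_device_102", "device": "PLC-01",
      "type": "login_failed", "peer": "10.0.1.25"} for i in range(6)]
    # three failed logins against PLC-02 spread over three minutes (operator typos)
    + [{"time": _t(9, 10 + i, 0), "source": "control_device_102", "device": "PLC-02",
        "type": "login_failed", "peer": "10.0.1.30"} for i in range(3)]
    # 25 packets to one port of PLC-01 in 25 seconds
    + [{"time": _t(9, 20, i), "source": "control_device_102", "device": "PLC-01",
        "type": "port_packet", "peer": "10.0.1.25"} for i in range(25)]
    # the security device saw an unauthorised storage device connected to HMI-01
    + [{"time": _t(9, 31, 0), "source": "security_device_104", "device": "HMI-01",
        "type": "unauthorized_device", "peer": None}]
)

# Abnormal scenarios (constructed): a scenario matches when `count` alerts of `type`
# with the same `group_by` values fall within `window`.
ABNORMAL_SCENARIOS = [
    {"name": "repeated login attempts", "type": "login_failed",
     "group_by": ("device", "peer"), "count": 5, "window": timedelta(seconds=60), "level": "high"},
    {"name": "packets sent continuously to one port", "type": "port_packet",
     "group_by": ("device", "peer"), "count": 20, "window": timedelta(seconds=30), "level": "medium"},
    {"name": "unauthorized device connected", "type": "unauthorized_device",
     "group_by": ("device",), "count": 1, "window": timedelta(0), "level": "high"},
]


def match_scenarios(alerts, scenarios):
    """Return anomaly data records for every scenario that matches the alerts."""
    anomalies = []
    for sc in scenarios:
        buckets = defaultdict(list)          # (device, peer, ...) -> alert times
        for a in alerts:
            if a["type"] == sc["type"]:
                buckets[tuple(a[k] for k in sc["group_by"])].append(a["time"])
        for key, times in buckets.items():
            times.sort()
            n = sc["count"]
            # sliding window: the n-th alert must fall within `window` of the first
            for i in range(len(times) - n + 1):
                if times[i + n - 1] - times[i] <= sc["window"]:
                    peer = f" from {key[1]}" if len(key) > 1 else ""
                    anomalies.append({
                        "occurred_at": times[i + n - 1].isoformat(),   # time the scenario was confirmed
                        "device": key[0],
                        "level": sc["level"],
                        "content": f"{sc['name']}: {n} '{sc['type']}' alerts within "
                                   f"{sc['window'].total_seconds():.0f}s{peer}",
                    })
                    break                     # one record per device/peer per scenario
    anomalies.sort(key=lambda r: r["occurred_at"])
    return anomalies


if __name__ == "__main__":
    for rec in match_scenarios(ALERTS, ABNORMAL_SCENARIOS):
        print(rec["occurred_at"], rec["level"], rec["device"], rec["content"])
```

With the constructed input, three records come out: the burst of failed logins against PLC-01, the port-probing burst against PLC-01, and the unauthorized device on HMI-01; the three slow failed logins against PLC-02 do not meet the scenario threshold and produce nothing, which is the property that keeps the system monitoring device 103 from being flooded with alerts that are not incidents.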
 As described above, the physical security system 40 includes the physical security server 401, which collects and manages history data from the entry/exit management device 110 and the surveillance camera 111 installed at the entrance of the control system 10. The entry/exit management device 110 can control the entry and exit of the field maintenance worker 109 and the engineer 112 into and out of the control system 10 by means of a card reader, biometric authentication or the like. The surveillance camera 111 records the field maintenance worker 109 and the engineer 112 entering and leaving the control system 10. Depending on the configuration of the control system 10, the physical security system 40 may be configured separately from the control system 10 or be included within it.
 The security monitoring device 105 handles the incidents it has analyzed in accordance with instructions from the system monitoring device 103. The security monitoring device 105 displays the incident list screen 71 and the incident cause analysis screen 72 shown in FIG. 10, described later. The field maintenance worker 109 can therefore operate the security monitoring device 105 to handle, in accordance with the manual or similar, security incidents that have occurred in the control system 10.
 The one-way relay device 106 permits the relaying of data transmitted from the control system 10 toward the incident management server 201 and does not permit the relaying of data transmitted from the incident management server 201 toward the control system 10. That is, the one-way relay device 106 relays to the monitoring center 20 only data transmitted in one direction, from inside the control system 10 to outside. As the one-way relay device 106, for example, a router or a firewall is used. The one-way relay device 106 can prevent unauthorized access into the control system 10 over the network N.
 The field data management server 107 is placed at a location accessible to the incident management server 201 and accumulates alerts, anomaly data 1055 (see FIG. 2, described later) and history data 1060-1 (see FIG. 6, described later). The anomaly data 1055 includes the time at which the incident (alert) occurred, the device on which it occurred, the incident level, the content of the incident and so on. The history data 1060-1 includes the entry time, exit time, user ID, name and so on. The field data management server 107 receives the field data, such as the alerts collected by the security monitoring device 105, from the transmission program of the security monitoring device 105 via the one-way relay device 106. The field data managed by the field data management server 107 is a collective term for, for example, the alerts, anomaly data 1055 and history data 1060-1 generated in the control system 10.
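The reason the description pairs the anomaly data 1055 with the physical security history data 1060-1 is that the two together let an analyst tell an internal attack from an external one, which a SIEM working from device logs alone cannot. The following is an added example, written for this page and not code from the patent or from Hitachi, that joins the two record types on time: for each anomaly it looks up who, according to the entry/exit records, was inside the control system at that moment, treating a record with no exit time yet as still on site. The records, field names and the triage wording are constructed assumptions in the shape the description gives for 1055 and 1060-1.

```python
"""Correlating anomaly data with physical-security history data (added example; not the patent's code).

Anomaly data records (1055) carry the occurrence time and device; history data
records (1060-1) carry entry time, exit time, user ID and name. Looking up who
was on site when an anomaly occurred lets an analyst separate incidents that may
be internal (someone was inside the control system) from ones that must have
come over the network. All records below are constructed for this example.
"""
from datetime import datetime


def _p(s):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(s)


ANOMALY_DATA = [
    {"occurred_at": "2018-04-10T09:00:37", "device": "PLC-01", "level": "high",
     "content": "repeated login attempts from 10.0.1.25"},
    {"occurred_at": "2018-04-10T09:31:00", "device": "HMI-01", "level": "high",
     "content": "unauthorized device connected"},
    {"occurred_at": "2018-04-10T11:30:00", "device": "PLC-02", "level": "medium",
     "content": "packets sent continuously to one port from 10.0.1.30"},
    {"occurred_at": "2018-04-10T14:05:12", "device": "PLC-02", "level": "low",
     "content": "configuration changed"},
]

HISTORY_DATA = [
    {"entry_time": "2018-04-10T08:45:00", "exit_time": "2018-04-10T10:15:00",
     "user_id": "U1001", "name": "maintenance worker A"},
    {"entry_time": "2018-04-10T09:20:00", "exit_time": "2018-04-10T09:50:00",
     "user_id": "U2002", "name": "engineer B"},
    # exit not yet recorded: the person is treated as still on site
    {"entry_time": "2018-04-10T13:00:00", "exit_time": None,
     "user_id": "U1001", "name": "maintenance worker A"},
]


def people_on_site(history, at):
    """User IDs of everyone whose entry/exit interval covers `at` (sorted, no duplicates)."""
    present = set()
    for h in history:
        entered = _p(h["entry_time"]) <= at
        still_inside = h["exit_time"] is None or at <= _p(h["exit_time"])
        if entered and still_inside:
            present.add(h["user_id"])
    return sorted(present)


def correlate(anomalies, history):
    """Attach the on-site personnel to each anomaly together with a first-pass triage label.

    The label strings are a constructed triage heuristic for this example, not a
    rule from the patent; the analyst still decides.
    """
    out = []
    for a in anomalies:
        present = people_on_site(history, _p(a["occurred_at"]))
        if present:
            cls = "someone on site: check for internal cause (review camera and operations)"
        else:
            cls = "no one on site: treat as external or remote cause"
        out.append(dict(a, present=present, classification=cls))
    return out


if __name__ == "__main__":
    for rec in correlate(ANOMALY_DATA, HISTORY_DATA):
        print(rec["occurred_at"], rec["device"], rec["present"], rec["classification"])
```

In the constructed data the unauthorized-device anomaly at 09:31 coincides with two people being inside, the 11:30 anomaly with nobody, and the 14:05 anomaly with a worker whose exit has not been recorded yet; that last case is why the lookup must treat a missing exit time as "still inside" rather than as "absent", or an internal cause would be missed.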
 As the number of pieces of equipment 101 to be monitored and controlled increases, the control system 10 may include several sets of equipment 101, control device 102, system monitoring device 103 and security device 104 (hereinafter each called a "subsystem"). In that case, a security monitoring device 105 may be installed for each subsystem, or one security monitoring device 105 may be installed for a plurality of subsystems combined.
 The monitoring center 20 includes the incident management server 201, which manages incidents occurring in the control system 10. The incident management server 201 is operated by the security expert 202 stationed in the monitoring center 20. By means of a dedicated program, the incident management server 201 collects the alerts, anomaly data and history data 1060-1 that have been accumulated in the field data management server 107 through the security monitoring device 105. The incident management server 201 also accumulates incidents that occurred in control systems other than the control system 10 shown in FIG. 1, together with the countermeasures taken against them. The security expert 202 can thus analyze an incident on the basis not only of the alerts, anomaly data and history data 1060-1 collected from the field data management server 107 but also of incidents that occurred in other control systems and the countermeasures against them.
 Root countermeasures for the incident are then set in the incident management server 201 on the basis of the incident analysis result obtained by the security expert 202. On the basis of that analysis result, the security expert 202 instructs the field maintenance worker 109 how to handle the incidents that the system monitoring device 103 and the security monitoring device 105 could not fully handle. Incidents that could not be fully handled include, for example, incidents that the system monitoring device 103 and the security monitoring device 105 could not detect. Hence, by operating the incident management server 201 and analyzing the alerts and incidents, the security expert 202 can detect not only manifest incidents but also latent ones, and instruct the field maintenance worker 109 how to handle them.
 Note that the one-way relay device 106 restricts the direction of data transmission to from the inside of the control system 10 to the outside. For this reason, the incident management server 201 instructs the field maintenance worker 109 how to handle an incident by sending the incident countermeasure report shown in FIG. 13, described later, to the field maintenance worker 109. The incident countermeasure report is sent to the field maintenance worker 109 over a route separate from the network N, for example by telephone, fax or e-mail.
 FIG. 2 is a block diagram showing an example of the internal configuration of each device constituting the control system 10. The equipment 101 is omitted from FIG. 2.
 The control device 102 has a data collection/analysis unit 1021, an alert storage unit 1022 and an alert transmission unit 1023.
 The data collection/analysis unit 1021 acquires alerts that have occurred in the equipment 101. An alert raised on the control device 102 notifies the field maintenance worker 109 that, for example, another device in the control system 10 is repeatedly attempting to log in to the control device 102, or that packets are continuously being sent to a specific port.
 The alert storage unit 1022 stores the alerts acquired by the data collection/analysis unit 1021.
 The alert transmission unit 1023 transmits the alerts stored in the alert storage unit 1022 to the security monitoring device 105.
 The system monitoring device 103 has a data reception/analysis unit 1031, an anomaly determination unit 1032, an alert storage unit 1033 and a data display/operation unit 1034.
 The data reception/analysis unit 1031 analyzes the anomaly data 1055 notified by the security monitoring device 105.
 On the basis of the analysis result of the anomaly data 1055 notified by the security monitoring device 105, the anomaly determination unit 1032 determines whether the incident that has occurred in the control system 10 is a system fault or a security anomaly.
 The alert storage unit 1033 stores the alerts generated when the anomaly determination unit 1032 detects an anomaly.
 The data display/operation unit 1034 displays the system monitoring screen 30 shown in FIG. 8, described later, and accepts operations from the field maintenance worker 109.
 The security device 104 has a data transmission/reception unit 1041, an anomaly detection unit 1042, an alert storage unit 1043 and a command transmission unit 1044.
 The data transmission/reception unit 1041 transmits security alerts that have occurred in the control system 10 to the security monitoring device 105. The data transmission/reception unit 1041 also receives from the security monitoring device 105 instructions for handling an incident (such as the instruction to disconnect the causing device or the instruction to isolate the attacked network shown in FIG. 11, described later).
 The anomaly detection unit 1042 detects security anomalies that have occurred in the control system 10 and raises alerts.
The alert storage unit 1043 stores alerts generated when the abnormality detection unit 1042 detects an abnormality. An alert generated by the security device 104 notifies the field maintenance staff 109 that, for example, unauthorized packets have been transmitted or received by a device in the control system 10, or that an unauthorized device (such as non-volatile memory) has been connected to the control device 102.
The command transmission unit 1044 transmits, for example, a command for disconnecting the cause device or isolating the network to the device or network designated by the security monitoring device 105.
The physical security server 401 includes a data collection unit 4011, a data storage unit 4012, and a data transmission unit 4013.
The data collection unit 4011 collects history data from the entrance / exit management device 110 and the monitoring camera 111.
The data storage unit 4012 stores the history data acquired by the data collection unit 4011.
The data transmission unit 4013 transmits the history data stored in the data storage unit 4012 to the security monitoring device 105.
The security monitoring device 105 includes a data transmission / reception unit 1051, an alert storage unit 1052, a history data storage unit 1060, an alert analysis / determination unit 1054, an abnormal scenario 1053, a data display / operation unit 1056, an abnormality notification unit 1057, an alert notification unit 1058, and a handling instruction unit 1059.
The data transmission / reception unit 1051 transmits and receives various data to and from the control device 102, the system monitoring device 103, the security device 104, and the physical security server 401. The data transmission / reception unit 1051 receives alerts from the control device 102 and the security device 104.
The alert storage unit 1052 stores the alerts that the data transmission / reception unit 1051 received from the control device 102.
The abnormal scenario 1053 is data describing the behavior of a device in the control system 10 that is a precursor of an incident. For example, when a device in the control system 10 is subjected to unauthorized access or an attack, or is infected with a virus, the device may exhibit a specific behavior that is a precursor of an incident before it stops. Such specific device behavior is stored as the abnormal scenario 1053.
The alert analysis / determination unit 1054 analyzes the alerts collected by the data transmission / reception unit 1051 and stored in the alert storage unit 1052. In doing so, the alert analysis / determination unit 1054 refers to the abnormal scenario 1053 and compares the alerts with it. When an alert matches the abnormal scenario 1053, the alert analysis / determination unit 1054 can determine that an incident has occurred.
The abnormal data 1055 is data indicating the result of the alert analysis performed by the alert analysis / determination unit 1054. As shown in FIG. 7 (described later), the abnormal data 1055 consists of the occurrence time of the alert (incident), the target device, the incident level, and the incident description.
The data display / operation unit 1056 displays the contents of the abnormal data 1055 and other information on the incident list screen 71 and the incident cause analysis screen 72 shown in FIG. 10 (described later), and, when an incident occurs, transmits handling instructions to the security device 104.
When the alert analysis / determination unit 1054 determines that an incident has occurred, the abnormality notification unit 1057 notifies the system monitoring device 103 of the abnormal data 1055 and of the history data 1060-1 (see FIG. 6, described later) read from the history data storage unit 1060.
The alert notification unit 1058 notifies the site data management server 107 of alerts. These alerts are accumulated in the site data management server 107.
The handling instruction unit 1059 transmits handling instructions to the security device 104 through the data transmission / reception unit 1051.
The history data storage unit 1060 stores the history data 1060-1 described above.
The site data management server 107 includes an alert receiving unit 1071 and an alert storage unit 1072.
The alert receiving unit 1071 receives alerts relayed from the security monitoring device 105 by the one-way relay device 106.
The alert storage unit 1072 stores the alerts received by the alert receiving unit 1071.
FIG. 3 is a network configuration diagram showing a configuration example of the subsystems.
As described above, the control system 10 may be configured with subsystems, each consisting of a set of equipment 101, a control device 102, and a security device 104. The subsystems 10a and 10b shown in FIG. 3 are connected to the network 108. For example, it is assumed that the operating hours of the subsystems 10a and 10b are from 9:00 to 17:00, and that the system monitoring device 103 monitors the system 24 hours a day.
In the subsystem 10a, a control server 101a1, controllers 101b1 and 101b2, and a security device 104a1 are connected to the subnetwork 108a1. In the figure, the controllers 101b1 and 101b2 are labeled "controller 1" and "controller 2", respectively, and they are referred to as "controller 1" and "controller 2" in the following description as well.
In the subsystem 10b, a control server 101a2, controllers 101b3 and 101b4, and a security device 104a2 are connected to the subnetwork 108a2. In the figure, the controllers 101b3 and 101b4 are labeled "controller 3" and "controller 4", respectively, and they are referred to as "controller 3" and "controller 4" in the following description as well.
The field maintenance staff 109 monitors, through the system monitoring device 103, the status of the devices in the subsystems 10a and 10b connected to the network 108 and of the subnetworks 108a1 and 108a2. For example, an incident may occur in controller 1 and cause it to attack devices in the subsystem 10a or devices in the subsystem 10b. In that case, the system monitoring device 103 displays the device that is attacking or behaving suspiciously and the status of the subsystem that contains it. The field maintenance staff 109 operating the system monitoring device 103 can then disconnect the device from which the incident originated from its subsystem.
Next, the hardware configuration of the computer C that constitutes each device of the security monitoring system 1 will be described.
FIG. 4 is a block diagram showing a hardware configuration example of the computer C.
The computer C is hardware used as a so-called computer. The computer C includes a CPU (Central Processing Unit) C1, a ROM (Read Only Memory) C2, and a RAM (Random-access Memory) C3, each connected to a bus C4. The computer C further includes a display unit C5, an operation unit C6, a nonvolatile storage C7, and a network interface C8.
The CPU C1 reads from the ROM C2 and executes the program code of the software that implements each function of the present embodiment. Variables, parameters and the like generated during arithmetic processing are temporarily written to the RAM C3. The display unit C5 is, for example, a liquid crystal display monitor, and displays the results of processing performed by the computer C. The operation unit C6 is, for example, a keyboard or a mouse, through which the field maintenance staff 109 or the security specialist 202 can enter predetermined operations and instructions. The system monitoring device 103, the security monitoring device 105, and the incident management server 201 are provided with the display unit C5 and the operation unit C6. However, the control device 102, the security device 104, the one-way relay device 106, the site data management server 107, and the physical security server 401 need not be provided with the display unit C5 and the operation unit C6.
As the nonvolatile storage C7, for example, an HDD (Hard Disk Drive), an SSD (Solid State Drive), a flexible disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, nonvolatile memory or the like is used. In addition to the OS (Operating System) and various parameters, the nonvolatile storage C7 records the programs that make the computer C function. The ROM C2 and the nonvolatile storage C7 record the programs and data necessary for the CPU C1 to operate, and are used as examples of a computer-readable, non-transitory recording medium storing the programs executed by the computer C. These programs are therefore stored permanently in the ROM C2 and the nonvolatile storage C7.
As the network interface C8, for example, a NIC (Network Interface Card) is used, and various data can be transmitted and received between devices via a LAN (Local-area Network) connected to its port, a dedicated line, or the like.
FIG. 5 is an explanatory diagram showing a configuration example of the abnormal data 1055 held by the security monitoring device 105.
The abnormal data 1055 shown in the upper part of FIG. 5 consists of a time 1055-1, a target device 1055-2, an incident level 1055-3, and an incident description 1055-4.
The time 1055-1 stores the occurrence time of the alert transmitted from the control device 102 or the security device 104, that is, the occurrence time of the incident. The target device 1055-2 stores the IP (Internet Protocol) address of the device from which the incident originated. The incident level 1055-3 stores a level determined by the severity of the incident. The incident description 1055-4 stores a description of the incident.
For example, the abnormal data 1055 indicates that an incident of incident level "3" occurred at the alert occurrence time "January 30, 2017, 15:30:50" on the device assigned the IP address "192.168.1.55". The content of this incident indicates that an unauthorized device was connected to the device assigned the IP address "192.168.1.55".
The incident level definition data shown in the lower part of FIG. 5 stores the content and definition of the incident for each incident level. The incident level definition data is stored, for example, in the data reception / analysis unit 1031 of the system monitoring device 103. The incident level definition data consists of an incident level 1055-3, an incident 1055-3-1, and a system definition 1055-3-2.
The incident level 1055-3 is uniquely determined by the incident 1055-3-1, which is derived by comparing the abnormal scenario 1053 with the alerts acquired from the control device 102 or the security device 104 and stored in the alert storage unit 1052. For example, incident level "1" indicates a minor incident (minor failure), while incident levels "2" and "3" indicate more serious incidents (major failures). In the present embodiment three incident levels, "1" to "3", are defined, but more incident levels may be defined.
The system definition 1055-3-2 is data that allows the system monitoring device 103 to recognize the abnormal data 1055 transmitted from the security monitoring device 105 to the system monitoring device 103. The system definition 1055-3-2 stores, for example, "warning", "abnormal", and the like.
FIG. 6 is an explanatory diagram showing a configuration example of the history data 1060-1 held by the security monitoring device 105.
The history data 1060-1 consists of an entry / exit time 1060-1-1, an exit time 1060-1-2, a user ID 1060-1-3, and a name 1060-1-4.
The entry / exit time 1060-1-1 is the time at which the field maintenance staff 109 or the engineer 112 entered the control system 10, and the exit time 1060-1-2 is the time at which the field maintenance staff 109 or the engineer 112 left the control system 10. The user ID 1060-1-3 is the ID of the ID card uniquely lent to the field maintenance staff 109 or the engineer 112, and the name 1060-1-4 is the name of the user associated with that ID card or ID.
FIG. 7 is a flowchart showing the procedure by which the security monitoring device 105 collects alerts from the control device 102 and the security device 104, collects the history data 1060-1 from the physical security server 401, and notifies the system monitoring device 103 of the abnormal data 1055. The control device 102, the security device 104, and the physical security server 401 transmit alerts and the history data 1060-1 to the security monitoring device 105 by the same procedure. Here, the process in which the control device 102 transmits alerts and the physical security server 401 transmits the history data 1060-1 is described, and the description of the process in which the security device 104 transmits alerts is omitted.
First, the data collection / analysis unit 1021 of the control device 102 acquires alerts, and the data collection unit 4011 of the physical security server 401 collects the history data 1060-1 (S1). Next, the data collection / analysis unit 1021 of the control device 102 checks whether there are alerts not yet transmitted to the security monitoring device 105. Likewise, in the physical security server 401, the data transmission unit 4013 checks whether there is history data 1060-1 not yet transmitted to the security monitoring device 105 (S2). If there is an untransmitted alert (YES in S2), the alert transmission unit 1023 transmits the alert to the security monitoring device 105 (S3). If there is untransmitted history data 1060-1 (YES in S2), the data transmission unit 4013 transmits the history data 1060-1 to the security monitoring device 105 (S3). If there is neither an untransmitted alert nor untransmitted history data 1060-1 (NO in S2), the data collection / analysis unit 1021 waits for the next alert, and the data collection unit 4011 waits for the next history data 1060-1.
Next, the alert analysis / determination unit 1054 of the security monitoring device 105 acquires and analyzes the alert transmitted from the control device 102 and the history data 1060-1 transmitted from the physical security server 401 (S4). The alert analysis / determination unit 1054 then compares the alert and the history data 1060-1 with the abnormal scenario 1053 and checks whether there is an incident (S5). The alert and the history data 1060-1 are compared with the abnormal scenario 1053, for example, by checking whether the change in the alert and the history data 1060-1 matches the change defined in the abnormal scenario 1053.
When the alert analysis / determination unit 1054 determines that there is no incident (NO in S5), it waits for the next alert and history data 1060-1. When the alert analysis / determination unit 1054 determines that there is an incident (YES in S5), the abnormality notification unit 1057 notifies the system monitoring device 103 of the abnormal data 1055 (S6).
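The following is an added example, not code from the patent, of the analysis steps S4, S5 and S11 described above: per-device alerts are compared with abnormal scenarios given as ordered precursor behaviors, a matching device yields one abnormal data record (time, target device, incident level, description), the incident level definition data maps the level to a system definition and failure class, and the history data 1060-1 is queried for who was on site at the incident time. All scenarios, alert kinds, addresses, names and the highest-level tie-break are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Alert:
    time: datetime
    source_ip: str  # device that raised the alert
    kind: str       # constructed kinds: login_failure, port_scan, unauthorized_device

@dataclass(frozen=True)
class HistoryRecord:      # one row of history data 1060-1 (FIG. 6)
    entry_time: datetime
    exit_time: datetime
    user_id: str
    name: str

@dataclass(frozen=True)
class AbnormalScenario:   # abnormal scenario 1053: ordered precursor behaviour
    precursor: Tuple[str, ...]
    incident_level: int
    description: str

@dataclass(frozen=True)
class AbnormalData:       # abnormal data 1055 (FIG. 5, upper part)
    time: datetime
    target_device: str
    incident_level: int
    incident_description: str

# Constructed scenarios; level "1" is a minor incident, "2" and "3" are serious ones.
SCENARIOS = (
    AbnormalScenario(("login_failure",) * 3, 1, "Repeated login failures"),
    AbnormalScenario(("login_failure", "port_scan"), 2,
                     "Login failures followed by packets to a specific port"),
    AbnormalScenario(("unauthorized_device",), 3, "Unauthorized device connected"),
)

# Incident level definition data (FIG. 5, lower part): level -> system definition.
INCIDENT_LEVEL_DEFINITION: Dict[int, str] = {1: "warning", 2: "abnormal", 3: "abnormal"}

def matches(alerts: List[Alert], scenario: AbnormalScenario) -> bool:
    """True when the scenario's precursor steps occur, in order, in the alerts."""
    kinds = [a.kind for a in sorted(alerts, key=lambda a: a.time)]
    pos = 0
    for k in kinds:
        if pos < len(scenario.precursor) and k == scenario.precursor[pos]:
            pos += 1
    return pos == len(scenario.precursor)

def analyze(alerts: List[Alert]) -> List[AbnormalData]:
    """S4/S5: group alerts per source device; emit one abnormal data record per
    device for the highest-level scenario it matches (an assumed tie-break)."""
    by_device: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_device.setdefault(a.source_ip, []).append(a)
    result: List[AbnormalData] = []
    for ip, dev_alerts in sorted(by_device.items()):
        hits = [s for s in SCENARIOS if matches(dev_alerts, s)]
        if not hits:
            continue  # NO in S5 for this device: keep waiting for alerts
        worst = max(hits, key=lambda s: s.incident_level)
        latest = max(a.time for a in dev_alerts)
        result.append(AbnormalData(latest, ip, worst.incident_level, worst.description))
    return result

def system_status(level: int) -> Tuple[str, str]:
    """S11: map an incident level to (system definition, failure class)."""
    if level not in INCIDENT_LEVEL_DEFINITION:
        return "unknown", "unknown"
    return INCIDENT_LEVEL_DEFINITION[level], "minor failure" if level == 1 else "major failure"

def present_at(history: List[HistoryRecord], t: datetime) -> List[str]:
    """Names of card holders inside the control system at time t (history data 1060-1)."""
    return sorted(h.name for h in history if h.entry_time <= t <= h.exit_time)

def _t(hms: str) -> datetime:
    """Constructed timestamp on the day used in the FIG. 5 example."""
    return datetime(2017, 1, 30, *(int(x) for x in hms.split(":")))

def sample_alerts() -> List[Alert]:
    """Constructed alerts as the control device 102 and security device 104 might send."""
    return [
        Alert(_t("15:30:10"), "192.168.1.20", "login_failure"),
        Alert(_t("15:30:15"), "192.168.1.20", "login_failure"),
        Alert(_t("15:30:40"), "192.168.1.20", "port_scan"),
        Alert(_t("15:30:50"), "192.168.1.55", "unauthorized_device"),
        Alert(_t("15:31:00"), "192.168.1.30", "login_failure"),  # alone: no incident
    ]

def sample_history() -> List[HistoryRecord]:
    """Constructed history data 1060-1 from the entrance / exit management device."""
    return [
        HistoryRecord(_t("09:00:00"), _t("12:00:00"), "ID0002", "B. Maintainer"),
        HistoryRecord(_t("14:00:00"), _t("16:00:00"), "ID0001", "A. Engineer"),
    ]
```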
 図8は、システム監視装置103のデータ表示・操作部1034に表示されるシステム監視画面30の表示例を示す説明図である。システム監視画面30は、システム監視装置103のデータ表示・操作部1034の一機能として実装される。 FIG. 8 is an explanatory diagram showing a display example of the system monitoring screen 30 displayed on the data display / operation unit 1034 of the system monitoring apparatus 103. The system monitoring screen 30 is implemented as one function of the data display / operation unit 1034 of the system monitoring apparatus 103.
 システム監視画面30は、表示時刻31、凡例情報32、システム監視領域33などを表示する。システム監視領域33には、監視・操作端末、保守端末、システム監視装置がネットワーク1(図3に示したネットワーク108)に接続される様子が示される。また、システム監視領域33には、制御サーバとコントローラ1、コントローラ2、セキュリティ機器104がネットワーク2(図3に示したサブネットワーク108a1)に接続される様子が示される。なお、システム監視領域33に表示される、監視・操作端末、保守端末、制御サーバ、コントローラ1,2は、いずれも図1に示した制御装置102の一例である。そして、システム監視装置103は、監視・操作端末、保守端末、制御サーバ、コントローラ1,2、セキュリティ機器104から発生する各種のアラート、入退管理装置110等から発生する履歴データ等に基づく異常データを収集し、各装置の状態(重故障、軽故障、ネットワーク異常、その他異常など)をシステム監視画面30に表示する。 The system monitoring screen 30 displays a display time 31, legend information 32, a system monitoring area 33, and the like. The system monitoring area 33 shows a state in which a monitoring / operation terminal, a maintenance terminal, and a system monitoring device are connected to the network 1 (network 108 shown in FIG. 3). In the system monitoring area 33, the control server, the controller 1, the controller 2, and the security device 104 are shown connected to the network 2 (subnetwork 108a1 shown in FIG. 3). Note that the monitoring / operation terminal, the maintenance terminal, the control server, and the controllers 1 and 2 displayed in the system monitoring area 33 are all examples of the control device 102 shown in FIG. The system monitoring device 103 is a monitoring / operation terminal, maintenance terminal, control server, controllers 1 and 2, various alerts generated from the security device 104, abnormal data based on history data generated from the entrance / exit management device 110, etc. And the status of each device (major failure, minor failure, network abnormality, other abnormality, etc.) is displayed on the system monitoring screen 30.
 システム監視装置103を操作する現場保守員109は、システム監視画面30を見て、アラートが発生した装置にどのような異常が生じているか確認する。そして、現場保守員109が、例えば、制御サーバを示すアイコンをクリックすると、図8の下に示す詳細情報34が表示される。以下の説明において、あるアイコンをクリックしたことにより、画面が表示される様子を破線矢印で表す。詳細情報34には、異常の種類、異常が発生した装置名、異常の内容が表示される。これにより、現場保守員109は、異常の詳細を知ることができ、異常に対処することができる。 The field maintenance person 109 who operates the system monitoring device 103 looks at the system monitoring screen 30 and confirms what kind of abnormality has occurred in the device in which the alert has occurred. Then, when the field maintenance worker 109 clicks an icon indicating a control server, for example, detailed information 34 shown at the bottom of FIG. 8 is displayed. In the following description, a state in which a screen is displayed when a certain icon is clicked is represented by a dashed arrow. The detailed information 34 displays the type of abnormality, the name of the device in which the abnormality has occurred, and the content of the abnormality. Thereby, the field maintenance staff 109 can know the details of the abnormality and can deal with the abnormality.
 図9は、システム監視装置103が、セキュリティ監視装置105から受信した異常データ1055を解析する手順を示すフローチャートである。図9において、セキュリティ監視装置105は、図7に示した結合子Bに結合され、システム監視装置103は、図7に示した結合子Cに結合されている。 FIG. 9 is a flowchart illustrating a procedure in which the system monitoring apparatus 103 analyzes the abnormal data 1055 received from the security monitoring apparatus 105. In FIG. 9, the security monitoring apparatus 105 is coupled to the connector B shown in FIG. 7, and the system monitoring apparatus 103 is coupled to the connector C shown in FIG.
 まず、システム監視装置103において、データ受信・解析部1031は、セキュリティ監視装置105から通知された異常データ1055を解析する。そして、データ受信・解析部1031は、インシデントレベル定義データを参照し、異常データ1055のインシデントレベル1055-3に応じて、異常データ1055に、システム監視装置103の異常を示す情報を割当てる(S11)。システム監視装置103の異常を示す情報として、例えば、軽故障、重故障がある。 First, in the system monitoring apparatus 103, the data reception / analysis unit 1031 analyzes the abnormal data 1055 notified from the security monitoring apparatus 105. Then, the data receiving / analyzing unit 1031 refers to the incident level definition data, and assigns information indicating an abnormality of the system monitoring apparatus 103 to the abnormality data 1055 according to the incident level 1055-3 of the abnormality data 1055 (S11). . Examples of information indicating an abnormality of the system monitoring apparatus 103 include a minor failure and a major failure.
 次に、データ表示・操作部1034は、異常を示す情報が割当てられた異常データ1055に基づいて、システム監視画面30の表示内容を更新する(S12)。これにより、各装置のアイコンに、各装置で検知された異常を示す情報(例えば、凡例情報32)が表示される。 Next, the data display / operation unit 1034 updates the display content of the system monitoring screen 30 based on the abnormality data 1055 to which information indicating abnormality is assigned (S12). Thereby, information (for example, legend information 32) indicating an abnormality detected by each device is displayed on the icon of each device.
 そして、現場保守員109は、システム監視画面30の表示内容に基づいて制御システム10にシステム異常が発生したか否かを判断する(S13)。ここで、制御システム10に発生する異常を「システム異常」と呼ぶ。システム異常は、例えば、設備101で発生したインシデントを表しており、現場保守員109がマニュアル等を用いて従来通りに対処することが可能な異常である。現場保守員109は、システム異常が発生したと判断した場合(S13のYES)、システム監視画面30を通じてシステム異常への対処を行う(S14)。 Then, the field maintenance worker 109 determines whether a system abnormality has occurred in the control system 10 based on the display content of the system monitoring screen 30 (S13). Here, an abnormality occurring in the control system 10 is referred to as a “system abnormality”. The system abnormality represents, for example, an incident that has occurred in the facility 101, and is an abnormality that can be dealt with as usual by the field maintenance staff 109 using a manual or the like. When the field maintenance person 109 determines that a system abnormality has occurred (YES in S13), the field maintenance person 109 deals with the system abnormality through the system monitoring screen 30 (S14).
 一方、現場保守員109は、システム異常以外の異常、すなわちセキュリティ異常が発生したと判断した場合(S13のNO)、セキュリティ監視装置105での対処を行う。セキュリティ異常とは、セキュリティ監視装置105による対処が必要とされる異常である。このため、現場保守員109は、後述する図11に示すようにセキュリティ監視装置105にてセキュリティ異常への対処を行う。 On the other hand, if the field maintenance worker 109 determines that an abnormality other than a system abnormality, that is, a security abnormality has occurred (NO in S13), the security monitoring device 105 takes action. The security abnormality is an abnormality that needs to be dealt with by the security monitoring apparatus 105. For this reason, the field maintenance staff 109 takes measures against the security abnormality in the security monitoring apparatus 105 as shown in FIG.
 図10は、現場保守員109がセキュリティ監視装置105を操作して実施する原因分析とその対処を行うためのインシデント一覧画面71とインシデント原因分析画面72の表示例を示す説明図である。インシデント一覧画面71は、現場保守員109がセキュリティ監視装置105の実行プログラムを起動することで、表示される。 FIG. 10 is an explanatory view showing a display example of an incident list screen 71 and an incident cause analysis screen 72 for performing cause analysis performed by the field maintenance staff 109 by operating the security monitoring device 105 and coping with it. The incident list screen 71 is displayed when the field maintenance worker 109 starts the execution program of the security monitoring apparatus 105.
 図10の上に示すインシデント一覧画面71は、セキュリティ監視装置105が特定したインシデントの発生元と、インシデントが発生した範囲を表示する画面である。インシデント一覧画面71は、インシデント発生時刻を示す発生時刻、インシデント発生箇所を示す発生箇所、発生したインシデントのレベルを示すインシデントレベル、発生したインシデントの内容を表示する。インシデント発生時刻は、設備101又はセキュリティ機器104で発生したアラートの発生時刻に等しいが、異なる時刻としてもよい。 The incident list screen 71 shown in the upper part of FIG. 10 is a screen that displays the incident source identified by the security monitoring apparatus 105 and the range in which the incident occurred. The incident list screen 71 displays the occurrence time indicating the incident occurrence time, the occurrence location indicating the incident occurrence location, the incident level indicating the level of the incident that has occurred, and the content of the incident that has occurred. The incident occurrence time is equal to the alert occurrence time generated in the facility 101 or the security device 104, but may be a different time.
 また、インシデント一覧画面71の右上には、原因分析ボタン711が表示される。現場保守員109が原因分析ボタン711をクリックすると、インシデントの内容に応じて、図10の左下又は右下に示すインシデント原因分析画面72のいずれかが表示される。インシデント原因分析画面72は、現場保守員109がインシデントの原因分析を行うために用いられる。 Also, a cause analysis button 711 is displayed at the upper right of the incident list screen 71. When the field maintenance worker 109 clicks the cause analysis button 711, one of the incident cause analysis screens 72 shown in the lower left or lower right of FIG. 10 is displayed according to the contents of the incident. The incident cause analysis screen 72 is used by the field maintenance staff 109 to perform the cause analysis of the incident.
 インシデント原因分析画面72には、インシデントが発生した装置(「対象装置」と呼ぶ)を選択するためのドロップダウンリストが表示される。現場保守員109がドロップダウンリストから対象装置721-1を選択すると、インシデントの推移領域721-2、722-2のいずれかがインシデント原因分析画面72に表示される。インシデント原因分析画面72にインシデントの推移領域721-2,722-2のいずれが表示されるかは、実際に発生するインシデント、この例では攻撃によって異なる。そして、インシデント原因分析画面72を通じて行われるインシデントの原因分析の結果に基づいて、セキュリティ監視装置105からセキュリティ機器104にインシデントへの対処が指示される。 The incident cause analysis screen 72 displays a drop-down list for selecting a device in which an incident has occurred (referred to as “target device”). When the field maintenance worker 109 selects the target device 721-1 from the drop-down list, one of the incident transition areas 721-2 and 722-2 is displayed on the incident cause analysis screen 72. Which of the incident transition areas 721-2 and 722-2 is displayed on the incident cause analysis screen 72 depends on the actually occurring incident, in this example, the attack. Then, based on the result of the incident cause analysis performed through the incident cause analysis screen 72, the security monitoring device 105 instructs the security device 104 to deal with the incident.
 インシデントの推移領域721-2は、対象装置が同一ネットワークに攻撃する様子を示したものである。対象装置が同一ネットワークに攻撃するとは、例えば、図3に示したサブシステム10aのコントローラ1が、同一のサブネットワーク108a1に接続されたコントローラ2に攻撃することである。コントローラ1では、16件のインシデントが発生していることが示される。そして、コントローラ1が接続されるサブネットワーク108a1に接続され、攻撃されている装置は、コントローラ1と同じ丸アイコンで示される。インシデントの推移領域721-2が表示された場合、現場保守員109が原因装置を切り離すボタン721-3をクリックして対処する。これにより、セキュリティ機器104にて、インシデントが発生した原因となった装置(「原因装置」と呼ぶ)がネットワークから切り離され、原因装置による同一ネットワークの他装置への攻撃を防ぐことができる。 The incident transition area 721-2 shows how the target device attacks the same network. For example, the target device attacks the same network when the controller 1 of the subsystem 10a illustrated in FIG. 3 attacks the controller 2 connected to the same subnetwork 108a1. The controller 1 indicates that 16 incidents have occurred. A device that is connected to the subnetwork 108a1 to which the controller 1 is connected and is under attack is indicated by the same circle icon as the controller 1. When the incident transition area 721-2 is displayed, the field maintenance worker 109 takes action by clicking the button 721-3 for disconnecting the cause device. As a result, in the security device 104, the device that caused the incident (referred to as “cause device”) is disconnected from the network, and the cause device can prevent attacks on other devices in the same network.
The incident transition area 722-2 shows the target device attacking another network. The target device attacking another network means, for example, that controller 1 of the subsystem 10a shown in FIG. 3 attacks controller 4, which is connected to the subnetwork 108a2 of the other subsystem 10b. A device that is connected to a subnetwork different from the subnetwork 108a1 to which controller 1 is connected and is under attack is shown with a square icon, different from the icon of controller 1. When the incident transition area 722-2 is displayed, the field maintenance worker 109 responds by clicking the button 721-4 for isolating the network. As a result, the security device 104 isolates the network that the cause device is attacking, preventing the cause device from attacking other networks.
FIG. 11 is a flowchart showing the incident analysis and incident handling procedure of the security monitoring device 105. In FIG. 11, the security device 104 is connected at connector A shown in FIG. 7, and the security monitoring device 105 is connected at connector D shown in FIG. 9.
First, the field maintenance worker 109 operates the security monitoring device 105 to launch a security monitoring screen (not shown) (S21) and displays the incident list screen 71 (S22). The incident list screen 71 is a screen reached by transition from the security monitoring screen and displayed on the security monitoring device 105.
Next, the field maintenance worker 109 checks, from the incident level displayed on the incident list screen 71, whether a serious incident has occurred (S23). A serious incident is, for example, an incident with a high incident level ("3").
If the field maintenance worker 109 determines that no serious incident has occurred (NO in S23), the process returns to step S22 and monitoring of the incident list screen 71 continues. If, on the other hand, the field maintenance worker 109 determines that a serious incident has occurred (YES in S23), the worker clicks the cause analysis button 711 to display the incident cause analysis screen 72 (S24).
Next, on the incident cause analysis screen 72, the field maintenance worker 109 checks whether the cause of the incident lies in a specific device (S25). A specific device is, for example, a device in the control system 10 that is considered likely to be the cause of the incident when the security monitoring device 105 detects that an incident has occurred. At the point of step S25, it is not yet known whether the specific device is the cause device.
If the specific device is the cause of the incident, the subsequent processing determines whether to disconnect the specific device from the network 108. If, on the other hand, the specific device is not the cause of the incident, for example when only an abnormality in the data flowing through the network 108 has occurred, there is no need to disconnect the specific device from the network 108 in the subsequent processing.
Therefore, if the field maintenance worker 109 determines that the cause of the incident does not lie in the specific device (NO in S25), the process ends. Alternatively, the process may return to step S24 and the field maintenance worker 109 may continue checking the incident cause analysis screen 72.
If, on the other hand, the field maintenance worker 109 determines that the cause of the incident lies in the specific device (YES in S25), the security monitoring device 105 checks whether the attack is within the same network (S26). If it determines that the attack is not within the same network (NO in S26), the process proceeds to step S29. If the attack is within the same network (YES in S26), the field maintenance worker 109 checks whether disconnecting from the network the specific device that caused the incident, that is, the cause device, would affect operations (S27).
For example, as shown in the system monitoring area 33 of FIG. 8, when controllers 1 to 3 are connected to network 2, there are cases in which operations can be continued by controllers 2 and 3 even if controller 1 is disconnected from network 2. Therefore, if disconnecting controller 1 does not affect operations, the field maintenance worker 109 can decide that controller 1 may be disconnected. If, on the other hand, the field maintenance worker 109 judges that disconnecting controller 1 would affect operations, the worker can decide not to disconnect controller 1 from network 2.
If disconnecting the cause device would affect operations (YES in S27), the process ends without disconnecting the cause device. If, on the other hand, disconnecting the cause device does not affect operations (NO in S27), the field maintenance worker 109 instructs the security device 104, from the security monitoring device 105, to disconnect the cause device (S28). The disconnection instruction is issued when the field maintenance worker 109 clicks the button 721-3 for disconnecting the cause device, shown in FIG. 10, on the security monitoring device 105. The security device 104 then disconnects the cause device in accordance with the instruction from the security monitoring device 105 (S33). This makes it impossible for the cause device to attack other devices.
If the security monitoring device 105 determines in step S26 that the attack is not within the same network (NO in S26), the field maintenance worker 109 checks whether it is an attack on another network (S29). If it is an attack on another network (YES in S29), the field maintenance worker 109 judges whether isolating the other network that is the target of the attack would affect operations (S30). If isolating the other network would affect operations (YES in S30), the process ends without isolating the other network.
If isolating the other network does not affect operations (NO in S30), the field maintenance worker 109 instructs the security device 104 to isolate the other network that the cause device is attacking (S31). The isolation instruction is issued when the field maintenance worker 109 clicks the button 721-4 for isolating the network, shown in FIG. 10, on the security monitoring device 105. The security device 104 then isolates the other network in accordance with the instruction from the security monitoring device 105 (S34). This protects the other network from the attack. After step S31, or after NO in step S29, the field maintenance worker 109 closes the security monitoring screen (S32).
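The decision points of FIG. 11 (S23, S25, S26, S27, S29, S30) expressed as a function over a constructed network model, as an added example that is not part of the patent. The `Topology`, `Incident` and `decide_response` names, the "minimum devices per subnet" and "critical subnet" criteria used to answer the operational-impact questions of S27 and S30, and the sample layout are all assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Incident level the text gives as an example of a "serious" incident (S23).
SERIOUS_LEVEL = 3


@dataclass
class Topology:
    """Constructed model of the control system layout (assumption, not the patent's data)."""
    subnets: Dict[str, Set[str]]                     # subnet name -> devices connected to it
    min_devices: Dict[str, int]                      # devices a subnet needs to keep operating
    critical_subnets: FrozenSet[str] = frozenset()   # subnets whose isolation would stop work

    def subnet_of(self, device: str) -> str:
        for name, members in self.subnets.items():
            if device in members:
                return name
        raise KeyError(f"unknown device {device!r}")

    def disconnect_affects_operations(self, device: str) -> bool:
        """S27: after removing `device`, would its subnet have too few devices left?"""
        sn = self.subnet_of(device)
        return len(self.subnets[sn]) - 1 < self.min_devices.get(sn, 1)

    def isolate_affects_operations(self, subnet: str) -> bool:
        """S30: isolating a subnet that operations depend on is not acceptable."""
        return subnet in self.critical_subnets


@dataclass
class Incident:
    level: int
    target_device: str
    cause_device: Optional[str] = None   # None: not attributable to a specific device (S25 NO)


def decide_response(incident: Incident, topo: Topology) -> str:
    """Walk the decision points of FIG. 11.

    Returns one of: "continue_monitoring" (back to S22), "end" (no action taken),
    "disconnect_device" (S28, executed by the security device in S33) or
    "isolate_network" (S31, executed by the security device in S34).
    """
    if incident.level < SERIOUS_LEVEL:                  # S23 NO
        return "continue_monitoring"
    if incident.cause_device is None:                   # S25 NO
        return "end"
    src = topo.subnet_of(incident.cause_device)
    dst = topo.subnet_of(incident.target_device)
    if src == dst:                                      # S26 YES: attack within the same network
        if topo.disconnect_affects_operations(incident.cause_device):   # S27 YES
            return "end"
        return "disconnect_device"                      # S28 -> S33
    # S26 NO -> S29: in this model a different subnet is always "another network"
    if topo.isolate_affects_operations(dst):            # S30 YES
        return "end"
    return "isolate_network"                            # S31 -> S34


def example_topology() -> Topology:
    """Constructed sample in the spirit of FIG. 8: controllers 1 to 3 on network 2, of which
    two are enough to keep operations running; controller 4 alone on network 3."""
    return Topology(
        subnets={"network 2": {"controller 1", "controller 2", "controller 3"},
                 "network 3": {"controller 4"}},
        min_devices={"network 2": 2, "network 3": 1},
    )


if __name__ == "__main__":
    topo = example_topology()
    same_net = Incident(level=3, target_device="controller 2", cause_device="controller 1")
    other_net = Incident(level=3, target_device="controller 4", cause_device="controller 1")
    print(decide_response(same_net, topo))    # disconnect_device
    print(decide_response(other_net, topo))   # isolate_network
```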
FIG. 12 is a flowchart showing the procedure by which the security monitoring device 105 transmits alerts, abnormality data 1055 and history data 1060-1 to the incident management server 201 of the monitoring center 20.
First, the alert notification unit 1058 of the security monitoring device 105 acquires alerts from the alert storage unit 1052. The abnormality notification unit 1057 acquires the abnormality data 1055 and acquires the history data 1060-1 from the history data storage unit 1060 (S41). Then the alert notification unit 1058 checks whether there are alerts not yet sent to the monitoring center 20, and the abnormality notification unit 1057 checks whether there are abnormality data 1055 and history data 1060-1 not yet sent to the monitoring center 20 (S42).
If there are unsent alerts (YES in S42), the alert notification unit 1058 of the security monitoring device 105 reads the alerts stored in the alert storage unit 1052 and transmits them to the one-way relay device 106. Likewise, if there are unsent abnormality data 1055 and history data 1060-1, the abnormality notification unit 1057 transmits the abnormality data 1055 and history data 1060-1 to the one-way relay device 106 (S43). If, on the other hand, there are no unsent alerts, abnormality data 1055 or history data 1060-1 (NO in S42), the process returns to step S41, and the alert notification unit 1058 and the abnormality notification unit 1057 wait for data to transmit.
Next, the alerts, abnormality data 1055 and history data 1060-1 transmitted from the security monitoring device 105 are relayed by the one-way relay device 106 to the field data management server 107 (S44). The alerts, abnormality data 1055 and history data 1060-1 relayed from the one-way relay device 106 are accumulated in the field data management server 107 (S45).
The incident management server 201 of the monitoring center 20 determines whether it is time to acquire alerts, abnormality data 1055 and history data 1060-1 from the field data management server 107 (S46). The time for acquiring alerts, abnormality data 1055 and history data 1060-1 may be, for example, a fixed time of day or every 30 minutes.
If it is time to acquire alerts, abnormality data 1055 and history data 1060-1 from the field data management server 107 (YES in S46), the incident management server 201 queries the field data management server 107 for the presence of alerts, abnormality data 1055 and history data 1060-1. The incident management server 201 then acquires the alerts, abnormality data 1055 and history data 1060-1 from the field data management server 107 (S47). At this time, the incident management server 201 checks whether alerts, abnormality data 1055 and history data 1060-1 that it has not yet acquired are accumulated in the field data management server 107, and acquires only the alerts, abnormality data 1055 and history data 1060-1 not yet acquired. The incident management server 201 then stores the alerts, abnormality data 1055 and history data 1060-1 in its own storage unit (not shown) (S48).
If, on the other hand, it is not time to acquire alerts, abnormality data 1055 and history data 1060-1 (NO in S46), the incident management server 201 waits until the next time for acquiring alerts, abnormality data 1055 and history data 1060-1 arrives. Note that the incident management server 201 may also acquire the alerts, abnormality data 1055 and history data 1060-1 from the field data management server 107 immediately after they are accumulated in the field data management server 107.
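The transfer path of FIG. 12 (S41 to S48) as a small simulation, added here as an example and not taken from the patent: the monitoring side sends only what is unsent, the relay offers no path back into the control system, the field data server numbers what it accumulates, and the center polls on the 30-minute schedule and takes only records it has not acquired. Class names, the sequence-number scheme and the sample payloads are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POLL_INTERVAL_MIN = 30   # the "every 30 minutes" acquisition timing given for S46


@dataclass
class Record:
    kind: str        # "alert", "abnormality" or "history"
    payload: str
    sent: bool = False


class SecurityMonitoringDevice:
    """Stands in for alert notification unit 1058 and abnormality notification unit 1057."""
    def __init__(self) -> None:
        self.store: List[Record] = []      # alert storage 1052, data 1055, history 1060-1

    def add(self, kind: str, payload: str) -> None:
        self.store.append(Record(kind, payload))

    def transmit_unsent(self, relay: "OneWayRelay") -> int:
        """S41/S42: pick up what has not been sent yet; S43: push it to the relay."""
        unsent = [r for r in self.store if not r.sent]
        for r in unsent:
            relay.forward(r)
            r.sent = True                  # never re-sent on a later pass
        return len(unsent)                 # 0 means S42 NO: wait for data


class OneWayRelay:
    """One-way relay device 106: traffic flows only out of the control system."""
    def __init__(self, field_server: "FieldDataServer") -> None:
        self._field_server = field_server

    def forward(self, record: Record) -> None:         # S44
        self._field_server.accumulate(record)

    def send_toward_control_system(self, _data: bytes) -> None:
        raise PermissionError("one-way relay: no path back into the control system")

    def rejects_reverse_traffic(self) -> bool:
        try:
            self.send_toward_control_system(b"command")
        except PermissionError:
            return True
        return False


class FieldDataServer:
    """Field data management server 107: accumulates records under a sequence number."""
    def __init__(self) -> None:
        self.log: List[Tuple[int, Record]] = []
        self._seq = 0

    def accumulate(self, record: Record) -> None:      # S45
        self._seq += 1
        self.log.append((self._seq, record))

    def query_since(self, last_seq: int) -> List[Tuple[int, Record]]:
        """S47: hand over only records the caller has not acquired yet."""
        return [(s, r) for s, r in self.log if s > last_seq]


class IncidentManagementServer:
    """Incident management server 201: polls on a schedule and keeps a high-water mark."""
    def __init__(self, interval_min: int = POLL_INTERVAL_MIN) -> None:
        self.interval_min = interval_min
        self.last_poll_min: Optional[int] = None
        self.last_seq = 0                  # highest sequence number already acquired
        self.storage: List[Record] = []    # the server's own storage unit (S48)

    def is_poll_time(self, now_min: int) -> bool:      # S46
        return self.last_poll_min is None or now_min - self.last_poll_min >= self.interval_min

    def poll(self, field_server: FieldDataServer, now_min: int) -> int:
        if not self.is_poll_time(now_min):
            return 0                       # S46 NO: keep waiting
        self.last_poll_min = now_min
        fetched = field_server.query_since(self.last_seq)
        for seq, rec in fetched:
            self.storage.append(rec)
            self.last_seq = seq
        return len(fetched)


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through with sample payloads; returns the counts observed."""
    field = FieldDataServer()
    relay = OneWayRelay(field)
    monitor = SecurityMonitoringDevice()
    center = IncidentManagementServer()
    out: Dict[str, object] = {}
    monitor.add("alert", "level 3: large number of packets from maintenance terminal")
    monitor.add("alert", "level 1: unexpected login on maintenance terminal")
    monitor.add("history", "engineer entered control room")
    out["first_push"] = monitor.transmit_unsent(relay)      # 3 records forwarded
    out["first_poll"] = center.poll(field, now_min=0)       # 3 acquired
    out["early_poll"] = center.poll(field, now_min=10)      # 0: not yet poll time
    monitor.add("abnormality", "packet rate on subnetwork above threshold")
    out["second_push"] = monitor.transmit_unsent(relay)     # 1: only the new record
    out["idle_push"] = monitor.transmit_unsent(relay)       # 0: nothing left unsent
    out["second_poll"] = center.poll(field, now_min=30)     # 1: only the unacquired record
    out["stored"] = len(center.storage)                     # 4 in total, no duplicates
    out["reverse_blocked"] = relay.rejects_reverse_traffic()
    return out
```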
Here, even if incidents are dealt with each time one occurs by the security monitoring device 105, the system monitoring device 103 and the security device 104, the situations listed in (1) to (5) below may arise.
(1) Incidents have been occurring frequently recently.
(2) Many attacks originate from a specific device.
(3) A specific device is frequently targeted by attacks.
(4) A specific attack is being carried out many times.
(5) The same specific attack is also frequent at other sites.
For this reason, the security monitoring system 1 not only enables incident analysis and handling by the security monitoring device 105, but also enables root cause analysis and examination of root countermeasures by the security expert 202 using the incident management server 201. The incident management server 201 not only accumulates, over a long period, the alerts, abnormality data 1055 and history data 1060-1 acquired from the security monitoring device 105, but also accumulates data from other control systems 10. The security expert 202 can therefore use the incident management server 201, together with the expert's own knowledge and know-how, to carry out a broad and detailed analysis of the incident that occurred and to examine countermeasures. The incident analysis screen used by the security expert 202 of the monitoring center 20 for root cause analysis and examination of root countermeasures is described below.
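The five situations (1) to (5) listed above, evaluated over the long-term, multi-site alert store the incident management server is described as holding, as an added example that is not part of the patent. The `StoredAlert` fields, the seven-day window, the threshold of five and the sample alerts are assumptions made here; (5) is read as "an attack type frequent at this site is also frequent at another site".

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass(frozen=True)
class StoredAlert:
    """One alert as accumulated in the incident management server (assumed fields)."""
    site: str        # site name, e.g. "customer 1"
    time: datetime
    source: str      # device the attack originated from
    target: str      # device that was attacked
    attack: str      # attack type recorded in the alert


def trend_flags(alerts: List[StoredAlert], site: str, now: datetime,
                recent: timedelta = timedelta(days=7), threshold: int = 5) -> Set[int]:
    """Return which of the situations (1) to (5) hold for `site`.

    `recent` and `threshold` are assumed tuning values, not taken from the patent."""
    own = [a for a in alerts if a.site == site]
    flags: Set[int] = set()
    if sum(1 for a in own if now - a.time <= recent) >= threshold:
        flags.add(1)                                   # (1) many incidents recently
    by_source = Counter(a.source for a in own)
    if by_source and max(by_source.values()) >= threshold:
        flags.add(2)                                   # (2) many attacks from one device
    by_target = Counter(a.target for a in own)
    if by_target and max(by_target.values()) >= threshold:
        flags.add(3)                                   # (3) one device frequently targeted
    by_attack = Counter(a.attack for a in own)
    frequent_here = {k for k, c in by_attack.items() if c >= threshold}
    if frequent_here:
        flags.add(4)                                   # (4) one attack type carried out often
    elsewhere = Counter(a.attack for a in alerts if a.site != site)
    if any(elsewhere[k] >= threshold for k in frequent_here):
        flags.add(5)                                   # (5) same attack frequent at other sites
    return flags


def sample_alerts(now: datetime) -> List[StoredAlert]:
    """Constructed data: six recent alerts at customer 1 from one maintenance terminal, and
    five month-old alerts at customer 2 of the same attack type but from different sources."""
    alerts = [
        StoredAlert("customer 1", now - timedelta(days=d), "maintenance terminal",
                    "control server", "mass packet transmission")
        for d in range(6)
    ]
    alerts += [
        StoredAlert("customer 2", now - timedelta(days=30 + d), f"hmi-{d}",
                    "plc-1", "mass packet transmission")
        for d in range(5)
    ]
    return alerts


if __name__ == "__main__":
    now = datetime(2017, 1, 10, 12, 35, 40)
    data = sample_alerts(now)
    print(sorted(trend_flags(data, "customer 1", now)))   # [1, 2, 3, 4, 5]
    print(sorted(trend_flags(data, "customer 2", now)))   # [3, 4, 5]
```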
FIG. 13 is an explanatory diagram showing a display example of the incident analysis screen displayed on the incident management server 201.
The incident analysis screen 1001 is displayed on the incident management server 201 when the security expert 202 launches an executable program in the incident management server 201. The incident analysis screen 1001 is used by the security expert 202 to analyze incidents. Initially, only the site name 1002 and the target device 1003 are displayed on the incident analysis screen 1001.
The site name 1002 displays the site name (customer name) uniquely assigned to the control system 10. In this example, "customer 1" is displayed as the site name.
The target device 1003 displays information identifying the device (target device) whose incidents the security expert 202 intends to analyze. Information identifying the target device includes, for example, the IP address dynamically assigned to the device and the device name.
As information on the incidents that occurred on the target device 1003 selected by the security expert 202 in order to check the incident details, an incident list 1004 and an incident transition area 1005 are displayed on the incident analysis screen 1001. The incident list 1004 lists the incidents that occurred in the control system 10; for example, it shows the incidents that occurred on the control server selected as the target device 1003.
The incident list 1004 displays the time at which each incident occurred on the device selected as the target device 1003, the incident level and the incident details. From the incident list 1004 it can be seen, for example, that at "January 10, 2017, 12:35:40" an incident of incident level "3" occurred whose details were "a large number of packets were transmitted from the specific device".
The incident transition area 1005 displays the incident levels shown in the incident list 1004 and the number of incidents that occurred. The arrows in the figure indicate the origin of an incident and that further incidents occurred as a result of that origin. The incident transition area 1005 shows that one incident of incident level "1" occurred on the control server, and that 16 incidents of incident level "3" occurred as a result of the incident of incident level "1".
When the security expert 202 clicks the "show by origin" button 1005-1 attached to the incident origin in the incident transition area 1005, an incident transition area 1006 (shown by origin), which visualizes the transition of the incidents, is displayed. The incident transition area 1006 shows that the origin of the incidents that occurred on the control server is the maintenance terminal. It also shows that one incident of incident level "1" and 10 incidents of incident level "3" occurred on a single maintenance terminal, and that this maintenance terminal thereby became the origin of the incidents.
The root countermeasure setting screen 1008 is displayed together with the incident transition area 1006. The root countermeasure setting screen 1008 is used to set information on the origin of the incident and the root countermeasure to be applied to that origin. It displays drop-down lists in which the target device, root cause, root countermeasure and other information can be set. The security expert 202 refers to the incident transition area 1005 and the incident transition area (shown by origin) 1006, and sets the target device, root cause and root countermeasure by clicking the set button 1008-1 on the root countermeasure setting screen 1008. For example, because the root cause of the incident that occurred on the maintenance terminal is a virus infection, virus removal is set as the root countermeasure.
When the security expert 202 clicks the case search button 1007-1 at the lower right of the incident transition area 1006, a similar root cause search result 1009-1 is displayed below the incident transition area 1006. The similar root cause search result 1009-1 displays the root causes of past incidents that are similar to the root cause of the current incident, together with information showing which root causes were adopted in the past and set on the root countermeasure setting screen 1008. The similar root cause search result 1009-1 shows that "the target device was infected with a virus" was adopted and set as the root cause 10 times in the past.
When the security expert 202 clicks the history data display button 1007-2 at the lower right of the incident transition area 1006, the history data display result 1009-2 shown in FIG. 14 is displayed.
FIG. 14 is an explanatory diagram showing a display example of the history data display result 1009-2.
The history data display result 1009-2 displays, based on the history data 1060-1 acquired from the physical security server 401 of the physical security system 40, the history data 1060-1 close to the times in the incident list 1004. That is, the history data display result 1009-2 displays the result of searching the history data 1060-1 by the occurrence times of the incidents displayed in the incident list 1004. The history data display result 1009-2 thus shows the engineer 112 who was near the device on which the incident occurred. By analyzing the history data together with the incident occurrence history, the security expert 202 can determine whether an internal attack took place.
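The time-window search behind the history data display result 1009-2, written out as an added example that is not part of the patent: for each incident in the list, the physical-security history is searched for access events recorded in the area housing the affected device within a window around the incident time. The record fields (`area`, `event`), the device-to-area mapping, the 15-minute window and the sample entries are assumptions made here; the level 3 incident reuses the time and wording quoted in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IncidentEntry:
    """One row of the incident list 1004."""
    time: datetime
    level: int
    device: str
    content: str


@dataclass(frozen=True)
class HistoryEntry:
    """One row of history data 1060-1 as recorded by a physical security server (assumed fields)."""
    time: datetime
    engineer: str
    area: str       # area in which the access-control event was recorded
    event: str      # "enter" or "leave"


def engineers_near_incidents(incidents: List[IncidentEntry], history: List[HistoryEntry],
                             device_area: Dict[str, str],
                             window: timedelta = timedelta(minutes=15)) -> Dict[datetime, List[str]]:
    """For each incident time, return the engineers whose access events were recorded in
    the area housing the incident's device within +/- `window` of the incident time."""
    result: Dict[datetime, List[str]] = {}
    for inc in incidents:
        area = device_area.get(inc.device)
        if area is None:
            result[inc.time] = []         # device location unknown: nothing to correlate
            continue
        nearby = {h.engineer for h in history
                  if h.area == area and abs(h.time - inc.time) <= window}
        result[inc.time] = sorted(nearby)  # sorted so the output is stable
    return result


def sample_data() -> Tuple[List[IncidentEntry], List[HistoryEntry], Dict[str, str]]:
    """Constructed sample: the level 3 incident quoted in the text plus an earlier level 1
    one, and access events of three engineers (all values invented for illustration)."""
    def t(s: str) -> datetime:
        return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

    incidents = [
        IncidentEntry(t("2017-01-10 12:05:00"), 1, "control server", "unexpected login"),
        IncidentEntry(t("2017-01-10 12:35:40"), 3, "control server",
                      "a large number of packets were transmitted from the specific device"),
    ]
    history = [
        HistoryEntry(t("2017-01-10 12:25:00"), "engineer A", "control room", "enter"),
        HistoryEntry(t("2017-01-10 12:30:00"), "engineer B", "office", "enter"),
        HistoryEntry(t("2017-01-10 12:34:10"), "engineer C", "control room", "enter"),
        HistoryEntry(t("2017-01-10 12:55:00"), "engineer A", "control room", "leave"),
    ]
    device_area = {"control server": "control room"}
    return incidents, history, device_area


if __name__ == "__main__":
    incidents, history, areas = sample_data()
    for when, who in engineers_near_incidents(incidents, history, areas).items():
        print(when, who)   # 12:05:00 -> [] ; 12:35:40 -> ['engineer A', 'engineer C']
```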
When the security expert 202 sets the root countermeasure on the root countermeasure setting screen 1008 and clicks the report output button 1008-2, a report output result 1010 is output. The report output result 1010 is not only displayed within the incident analysis screen 1001 but may also be printed on paper or the like. The report output result 1010 displays an incident countermeasure report indicating how the incident should be handled. This allows the field maintenance worker 109 at the local site to learn the root cause of the incident and the root countermeasure examined by the security expert 202. The field maintenance worker 109 can then, following the report output result 1010, take action such as removing the virus from the maintenance terminal.
(Root cause analysis and creation of countermeasure cases)
FIG. 15 is a flowchart showing the procedure of root cause analysis and examination of root countermeasures performed by the security expert 202. The following processing is performed by the security expert 202 operating the incident management server 201.
First, the security expert 202 in the monitoring center 20 inputs basic information (S51). The basic information is, for example, information on the devices that make up the control system 10.
Next, the incident management server 201 displays the incident analysis screen 1001 (FIG. 13) (S52). The security expert 202 then uses the incident analysis screen 1001 to examine the cause of the incident and countermeasures (S53).
Next, the security expert 202 inputs the cause of the incident on the incident analysis screen 1001 (S54) and presses the report output button 1008-2 to output a report (S55). Based on the output report, the field maintenance worker 109 actually takes action on the control system 10 installed at the local site (S56).
The security expert 202 then determines whether the countermeasure has been completed at the local site (S57). If the security expert 202 determines that the countermeasure has been completed (YES in S57), the process ends. If, on the other hand, the security expert 202 determines that the countermeasure has not been completed (NO in S57), the process returns to step S51 and the incident is analyzed again.
FIG. 16 is a flowchart showing the procedure of root cause analysis and examination of root countermeasures using countermeasure cases, performed by the security expert 202 of the monitoring center 20. This processing is likewise performed by the security expert 202 operating the incident management server 201. Steps S61 and S62 shown in FIG. 16 are the same as steps S51 and S52 shown in FIG. 15 described above, so their detailed description is omitted.
The incident analysis screen 1001 displayed in step S62 shows past incidents similar to the current incident and the countermeasures taken in the past (S63). The security expert 202 then examines the cause of the incident and countermeasures based on the content displayed on the incident analysis screen 1001 (S64) and outputs a report (S65). Based on the output report, the field maintenance worker 109 actually takes action on the control system 10 installed at the local site (S66).
Thereafter, as in step S57 of FIG. 15, the security expert 202 determines whether the countermeasure has been completed at the local site (S67). If the countermeasure has been completed, the process ends; if not, the process returns to step S61 and the incident is analyzed again.
In the security monitoring system 1 according to the embodiment described above, when an incident occurs in the control system 10, the control device 102 and the security device 104 transmit alerts to the security monitoring device 105. The physical security server 401 also transmits history data 1060-1 to the security monitoring device 105. The security monitoring device 105 compares the alerts collected from the control device 102 and the security device 104, and the history data 1060-1 collected from the physical security server 401, against the abnormality scenarios 1053 and detects whether an incident has occurred. If the incident concerns the control device 102, it instructs the system monitoring device 103 to handle the incident; if the incident concerns security, it instructs the security device 104 to handle it. Incidents can thus be detected by the same procedure as the other abnormality detection in the control system 10 with which the field maintenance worker 109 is familiar, and the field maintenance worker 109 can promptly deal with incidents occurring in the control system 10. Furthermore, since it is known which device or equipment should handle the incident, the field maintenance worker 109 can deal with the incident promptly using the familiar control system 10.
Incidents that the field maintenance worker 109 alone could not fully handle are analyzed by the security expert 202 operating the incident management server 201, based on how incidents were handled in the past. In this way the field maintenance worker 109 and the security expert 202 can share the alerts, abnormality data 1055 and history data 1060-1. The security expert 202 then instructs the field maintenance worker 109 in an effective countermeasure. The countermeasure instructed by the security expert 202 is the same as, or similar to, the existing system monitoring methods used in the control system 10 operated by the field maintenance worker 109. The field maintenance worker 109 can therefore deal promptly with the incident by the method instructed by the security expert 202. In this way the field maintenance worker 109 and the security expert 202 can cooperate in dealing with incidents.
 The incident management server 201 and the field data management server 107 are connected over a secured network N such as a VPN, and the one-way relay device 106 placed between the security monitoring device 105 and the field data management server 107 blocks unauthorized access from outside the control system 10: it relays data only from the control system toward the incident management server, never in the reverse direction (claim 3). This prevents a third party from executing unauthorized operations on any device inside the control system 10, since nothing reachable over the network N has a path back into the security monitoring device 105.
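What crossing the one-way relay device 106 implies for the data itself, as an added example that is not part of the patent: because the relay forwards only from the control-system side, the receiving side can never acknowledge a frame or ask for a retransmission, so the sender numbers every record and authenticates it with an HMAC, and the receiver must on its own detect lost frames, drop replays and reject tampered frames. The pre-shared key, the frame layout and the wire trace are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
import struct

# Assumption (not from the patent): a key provisioned on both sides of the relay by hand,
# since the receiving side can never negotiate anything back across a one-way link.
SHARED_KEY = b"demo-key-replace-with-provisioned-secret"
TAG_LEN = 32  # HMAC-SHA256


def frame(seq: int, record: dict, key: bytes = SHARED_KEY) -> bytes:
    """Control-system side: 8-byte big-endian sequence number, JSON record, HMAC over both."""
    header = struct.pack(">Q", seq)
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class DiodeReceiver:
    """Field-data side: verifies the tag, notes lost frames and drops replays.

    There is no return path, so a gap can only be recorded, never repaired by retransmission.
    """

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.expected = 0      # next sequence number we should see
        self.records = []      # accepted records, in arrival order
        self.gaps = []         # (first_missing, last_missing) ranges
        self.rejected = 0      # bad tag, truncated, duplicate or replayed

    def accept(self, data: bytes) -> bool:
        if len(data) < 8 + TAG_LEN:
            self.rejected += 1
            return False
        header, payload, tag = data[:8], data[8:-TAG_LEN], data[-TAG_LEN:]
        good = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            self.rejected += 1      # forged, or corrupted in transit
            return False
        seq = struct.unpack(">Q", header)[0]
        if seq < self.expected:
            self.rejected += 1      # duplicate or replay of an already-seen frame
            return False
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))  # frames lost on the one-way link
        self.expected = seq + 1
        self.records.append(json.loads(payload))
        return True


def run_demo():
    """Constructed wire trace: frame 2 lost, frame 1 replayed, frame 4 tampered with."""
    records = [{"n": i, "type": "alert", "asset": "PLC-1"} for i in range(5)]
    frames = [frame(i, r) for i, r in enumerate(records)]
    tampered = frames[4][:-1] + bytes([frames[4][-1] ^ 0x01])  # flip one bit of the tag
    delivered = [frames[0], frames[1], frames[3], frames[1], tampered]
    rx = DiodeReceiver()
    results = [rx.accept(f) for f in delivered]
    return rx, results


if __name__ == "__main__":
    rx, results = run_demo()
    print(results, rx.gaps, rx.rejected, [r["n"] for r in rx.records])
```

The gap list is what the field data management server 107 can expose for the incident management server 201 to pick up at its next scheduled fetch (claim 4); the loss itself is not recoverable from that side, so the sender should keep its own copy until an out-of-band confirmation arrives. The key has to be provisioned manually precisely because no handshake can run across the relay.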
 The control system 10 need not include the one-way relay device 106 and the field data management server 107. In that case the security monitoring device 105 sends the alert, the abnormality data 1055 and the history data 1060-1 to the incident management server 201 each time an alert is raised; the protection the one-way relay provides is then absent, and the link from the security monitoring device 105 to the incident management server 201 has to be secured on its own.
 The invention is not limited to the embodiment described above; various other applications and modifications are of course possible without departing from the gist of the invention set out in the claims.
 For example, the embodiment above describes the configuration of the devices and the system in detail and concretely in order to explain the invention clearly, and the invention is not necessarily limited to a system having every configuration described. Part of the configuration of the embodiment described here may be replaced with the configuration of another embodiment, the configuration of another embodiment may be added to that of a given embodiment, and parts of the configuration of each embodiment may have other configurations added, deleted or substituted.
 The control lines and information lines shown are those considered necessary for the explanation; not all control lines and information lines of a product are necessarily shown. In practice almost all components may be regarded as interconnected.
 Description of symbols: 1 ... security monitoring system, 10 ... control system, 20 ... monitoring centre, 30 ... system monitoring screen, 40 ... physical security system, 71 ... incident list screen, 72 ... incident cause analysis screen, 101 ... equipment, 102 ... control device, 103 ... system monitoring device, 104 ... security device, 105 ... security monitoring device, 106 ... one-way relay device, 107 ... field data management server, 108 ... network, 109 ... field maintenance staff, 201 ... incident management server, 202 ... security specialist, 401 ... physical security server, 1001 ... incident analysis screen

Claims (7)

  1.  A security monitoring system comprising: a control system that controls the operation of equipment; a physical security system that is connected to the control system and that monitors and controls entry into and exit from the control system by field maintenance personnel who use the control system; and an incident management server that is connected to the control system over a network and manages incidents occurring in the control system,
     wherein the control system comprises:
     a control device that detects alerts occurring at the equipment;
     a security device that detects alerts occurring in the control system;
     a system monitoring device that monitors the control system and responds to incidents occurring in the control system; and
     a security monitoring device that compares the alerts collected from the control device or the security device with an abnormal scenario representing the behaviour of an incident and, on detecting that an incident has occurred in the control system, sends abnormality data containing the content of the incident to the system monitoring device,
     the physical security system comprises:
     a physical security server that manages physical security history data obtained from an entry/exit management device or a surveillance camera device,
     the system monitoring device analyses the abnormality data, responds to the incidents that the system monitoring device can handle, and instructs the security monitoring device to respond to the incidents that the system monitoring device cannot handle,
     the security monitoring device responds to the incident it has analysed in accordance with the instruction from the system monitoring device, and
     the incident management server analyses the alerts, the abnormality data and the physical security history data collected through the security monitoring device and instructs the field maintenance personnel on how to respond to the incidents that the system monitoring device and the security monitoring device could not fully handle.
  2.  The security monitoring system according to claim 1, wherein the incident management server accumulates incidents that occurred in control systems other than said control system, together with the countermeasures taken against them, and sets the response to the incident on the basis of the result of an analysis of the incident performed by a security specialist who operates the incident management server.
  3.  The security monitoring system according to claim 2, further comprising a one-way relay device that permits the relaying of data sent from the control system toward the incident management server and denies the relaying of data sent from the incident management server toward the control system.
  4.  The security monitoring system according to claim 3, wherein the control system further comprises a field data management server that is located where the incident management server can access it and that stores the alerts and the abnormality data, and
     the incident management server acquires the alerts and the abnormality data from the field data management server at a predetermined timing.
  5.  The security monitoring system according to claim 4, wherein the incident management server displays an incident analysis screen on which a security specialist analyses the incident, and the incident analysis screen includes, together with a list of the incidents that occurred in the control system, a screen showing the transition of the incident, information on the origin of the incident, and a screen for setting a root-cause response against the origin of the incident.
  6.  The security monitoring system according to claim 4, wherein the security monitoring device identifies the origin of the incident and the range in which the incident occurred, displays the origin of the incident and the range in which the incident occurred on an incident list screen, and displays an incident cause analysis screen on which the cause of the incident is analysed, and
     on the basis of the result of the cause analysis of the incident carried out through the incident cause analysis screen, the security monitoring device instructs the security device to respond to the incident.
  7.  A security monitoring method performed by a security monitoring system comprising: a control system that controls the operation of equipment; a physical security system that is connected to the control system and that monitors and controls entry into and exit from the control system by field maintenance personnel who use the control system; and an incident management server that is connected to the control system over a network and manages incidents occurring in the control system,
     wherein the control system comprises:
     a control device that detects alerts occurring at the equipment, a security device that detects alerts occurring in the control system, a system monitoring device that monitors incidents occurring in the control system and responds to the incidents, and a security monitoring device,
     and the method comprises:
     a step in which the security monitoring device compares the alerts collected from the control device or the security device with an abnormal scenario representing the behaviour of an incident and, on detecting that an incident has occurred in the control system, sends abnormality data containing the content of the incident to the system monitoring device;
     a step in which the physical security system manages physical security history data obtained from an entry/exit management device or a surveillance camera device;
     a step in which the system monitoring device analyses the abnormality data, responds to the incidents that the system monitoring device can handle, and instructs the security monitoring device to respond to the incidents that the system monitoring device cannot handle;
     a step in which the security monitoring device responds to the incident it has analysed in accordance with the instruction from the system monitoring device; and
     a step in which the incident management server analyses the alerts, the abnormality data and the physical security history data collected through the security monitoring device and instructs the field maintenance personnel on how to respond to the incidents that the system monitoring device and the security monitoring device could not fully handle.
PCT/JP2018/014842 2017-04-27 2018-04-09 Security monitoring system and security monitoring method WO2018198733A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017088099A JP2018185712A (en) 2017-04-27 2017-04-27 Security monitoring system and security monitoring method
JP2017-088099 2017-04-27

Publications (1)

Publication Number Publication Date
WO2018198733A1 true WO2018198733A1 (en) 2018-11-01

Family

ID=63918340

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/014842 WO2018198733A1 (en) 2017-04-27 2018-04-09 Security monitoring system and security monitoring method

Country Status (2)

Country Link
JP (1) JP2018185712A (en)
WO (1) WO2018198733A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109460835A (en) * 2018-11-12 2019-03-12 广州市雅天网络科技有限公司 Situ hardware managing and control system and method
CN113330381A (en) * 2019-02-14 2021-08-31 欧姆龙株式会社 Control system
JP2022529220A (en) * 2019-04-18 2022-06-20 キンドリル・インク Detection of exposure of sensitive data by logging

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7243326B2 (en) * 2019-03-15 2023-03-22 オムロン株式会社 controller system
JP7074104B2 (en) * 2019-03-29 2022-05-24 オムロン株式会社 Controller system
KR102062338B1 (en) * 2019-10-10 2020-01-03 김흥중 Closed home IoT service system with authentication and authorization tool for external control
JP7232205B2 (en) * 2020-01-07 2023-03-02 株式会社日立製作所 SECURITY MONITORING SYSTEM AND SECURITY MONITORING METHOD
JP7230146B1 (en) 2021-09-24 2023-02-28 エヌ・ティ・ティ・コミュニケーションズ株式会社 Vehicle security analysis device, method and program thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002118672A (en) * 2000-10-11 2002-04-19 Takenaka Komuten Co Ltd Fault monitoring system
JP2004326372A (en) * 2003-04-24 2004-11-18 Mitsubishi Electric Corp Maintenance system and maintenance method of plant control device
JP2014179074A (en) * 2013-03-13 2014-09-25 General Electric Co <Ge> Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems
WO2015001594A1 (en) * 2013-07-01 2015-01-08 株式会社日立製作所 Control system, control method, and controller
JP2016149131A (en) * 2015-02-13 2016-08-18 フィッシャー−ローズマウント システムズ,インコーポレイテッド Method, apparatus and tangible computer readable storage medium for security event detection through virtual machine introspection

Also Published As

Publication number Publication date
JP2018185712A (en) 2018-11-22

Similar Documents

Publication Publication Date Title
WO2018198733A1 (en) Security monitoring system and security monitoring method
US10637888B2 (en) Automated lifecycle system operations for threat mitigation
WO2018218537A1 (en) Industrial control system and network security monitoring method therefor
US9197652B2 (en) Method for detecting anomalies in a control network
EP3151152B1 (en) Non-intrusive software agent for monitoring and detection of cyber security events and cyber-attacks in an industrial control system
AU2014205737A1 (en) Method, device and computer program for monitoring an industrial control system
CN214306527U (en) Gas pipe network scheduling monitoring network safety system
CN111193738A (en) Intrusion detection method of industrial control system
CN107809321B (en) Method for realizing safety risk evaluation and alarm generation
JP6831763B2 (en) Incident analyzer and its analysis method
US20170026341A1 (en) Automation network and method for monitoring the security of the transfer of data packets
KR101871406B1 (en) Method for securiting control system using whitelist and system for the same
RU2630415C2 (en) Method for detecting anomalous work of network server (options)
JP2006268167A (en) Security system, security method, and its program
CN111338297B (en) Industrial control safety framework system based on industrial cloud
CN114172881A (en) Network security verification method, device and system based on prediction
KR102145421B1 (en) Digital substation with smart gateway
CN114374528A (en) Data security detection method and device, electronic equipment and medium
CN113904920A (en) Network security defense method, device and system based on lost equipment
EP2911362B1 (en) Method and system for detecting intrusion in networks and systems based on business-process specification
TWI662436B (en) Method and system for managing computer sequences
Findrik et al. Trustworthy computer security incident response for nuclear facilities
US20230009270A1 (en) OPC UA-Based Anomaly Detection and Recovery System and Method
WO2019225232A1 (en) Monitoring device, monitoring system, and monitoring method
KR102160537B1 (en) Digital substation with smart gateway

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18790911

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18790911

Country of ref document: EP

Kind code of ref document: A1