WO2021084567A1 - Information processing device, display method, and non-transitory computer-readable medium - Google Patents
Information processing device, display method, and non-transitory computer-readable medium
- Publication number
- WO2021084567A1 (PCT/JP2019/042097)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- event
- abnormality
- condition
- attack
- determination
- Prior art date
Classifications
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action (G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING › G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/55—Detecting local intrusion or implementing counter-measures)
- G06F21/55—Detecting local intrusion or implementing counter-measures (G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING › G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- G06F2221/034—Test or assess a computer or a system (G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING › G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
Definitions
- the present invention relates to an information processing device and a display method for maintaining the safety of a control system, and further to a program for executing these.
- Such a control system generally includes a PLC (Programmable Logic Controller), an engineering workstation (management device) that manages and maintains the PLC, and a terminal device that provides an HMI (Human Machine Interface) to the operator.
- PLC Programmable Logic Controller
- HMI Human Machine Interface
- the PLC operates the actuator and the like based on the sensor data from the sensors arranged in each part of the equipment.
- the PLC operates according to the control program provided by the engineering workstation. Further, since the value of the sensor data, the operating state of the actuator, and the like are displayed on the HMI, the operator can monitor the operating status of the equipment through the HMI.
- Patent Document 1 discloses a technique for solving the problem that it takes time to find the cause when a process abnormality occurs (especially when the cause of the trouble lies at a place slightly away from the process data collection point). This technique displays time-series screens such as a trend display, an alarm history display, an operation history display, and an operator diary display on the process flow screen, and a playback function links all of these display screens to the playback time.
- Patent Document 2 discloses a technique for providing a data analysis support device, a data analysis support method, a computer program, and a recording medium that can easily obtain appropriate analysis data without omission in the event of an operation abnormality.
- the operation record data that is considered to be related to the operation abnormality is selected in advance, and the operation abnormality item and one or more related data items (designations of the related operation record data items) are recorded as a set.
- monitoring devices for monitoring various abnormalities.
- Examples of monitoring devices include devices that monitor tampering with software installed in devices such as sensors and actuators, devices that monitor abnormalities in messages flowing through the network, and devices that monitor process abnormalities based on the readings of sensors and the operating status of actuators.
- the only information given to the operation manager first is this abnormality.
- the operation manager must estimate (A) the circumstances leading to the occurrence of the abnormality and (B) the expected course after the occurrence of the abnormality based on the knowledge and experience of the operation manager himself / herself. Furthermore, the operation manager must comprehensively judge the degree of risk that is actually occurring in the control system based on (A) and (B) above. If the risk is determined to be more than acceptable, the manager should immediately take action to avoid or mitigate the risk.
- Patent Documents 1 and 2 efficiently present to the person in charge of operation the process data acquired in the past from the control system targeted for abnormality monitoring, and the circumstances leading to the occurrence of the abnormality.
- The expected course after the occurrence of an abnormality, however, must still be estimated by the operation manager based on his or her own knowledge and experience.
- An example of an object of an embodiment disclosed herein is to provide an information processing device, a display method, and a program for solving the above problems and maintaining the safety of a control system.
- the information processing device has: abnormality receiving means for receiving an abnormality detected by a monitoring device installed in the control system; collation means that, upon receiving the abnormality from the abnormality receiving means, makes a first determination of whether each predetermined collation condition for collating an event included in an attack procedure with an abnormality matches the received abnormality,
- and, when the first determination finds a match, makes a second determination of whether an event included in each of the predefined attack procedures matches the collation condition determined to match, and, when the second determination finds a match, identifies the attack procedure including that event; and extraction means for extracting an event that matches a predetermined extraction condition from the identified attack procedure.
- a first determination is made of whether each predetermined collation condition for collating an event included in an attack procedure with an abnormality matches the received abnormality; when the first determination finds a match, a second determination is made of whether an event included in each of the predefined attack procedures matches the collation condition determined to match; when the second determination finds a match, the attack procedure including that event is identified; and (C) an event that matches a predetermined extraction condition is extracted from the identified attack procedure.
- the non-transitory computer-readable medium contains a program that contains instructions causing a computer to execute: (A) a step of receiving an abnormality detected by a monitoring device installed in the control system; (B) a step of, upon receiving the abnormality, making a first determination of whether each predetermined collation condition for collating an event included in an attack procedure with an abnormality matches the received abnormality, when the first determination finds a match, making a second determination of whether an event included in each of the predefined attack procedures matches the collation condition determined to match, and, when the second determination finds a match, identifying the attack procedure including that event; and (C) a step of extracting an event that matches a predetermined extraction condition from the identified attack procedure.
- the background to the occurrence of the abnormality (A) or the expected progress after the occurrence of the abnormality (B) can thus be automatically presented to the operation manager.
- FIG. 1 is a block diagram showing a schematic configuration of an information processing apparatus according to an embodiment of the present invention.
- FIG. 2 is a configuration diagram showing an example of the configuration of a plant that is the target of abnormality monitoring and risk display in the embodiment of the present invention.
- FIG. 3 is a block diagram showing a relationship between the information processing apparatus according to the embodiment of the present invention and the control system of the plant shown in FIG.
- FIG. 4 is a block diagram showing a more specific configuration of the information processing apparatus according to the embodiment of the present invention.
- FIG. 5A is a diagram showing an example of an abnormality received from the monitoring device by the abnormality receiving means according to the embodiment of the present invention.
- FIG. 5B is a diagram showing an example of an abnormality received from the monitoring device by the abnormality receiving means according to the embodiment of the present invention.
- FIG. 6A is a diagram showing an example of an attack path stored in the risk storage means according to the embodiment of the present invention.
- FIG. 6B is a diagram showing an example of an attack path stored in the risk storage means according to the embodiment of the present invention.
- FIG. 6C is a diagram showing an example of an attack path stored in the risk storage means according to the embodiment of the present invention.
- FIG. 6D is a diagram showing an example of an attack path stored in the risk storage means according to the embodiment of the present invention.
- FIG. 7 is a diagram showing an example of collation conditions stored in the collation condition storage means according to the embodiment of the present invention.
- FIG. 8 is a diagram showing an example of extraction conditions stored in the extraction condition storage means according to the embodiment of the present invention.
- FIG. 9 is a diagram showing an example of information regarding an event presented to the user by the display means according to the embodiment of the present invention.
- FIG. 10 is a diagram showing an example of information regarding an event presented to the user by the display means according to the embodiment of the present invention.
- FIG. 11 is a diagram showing an example of information regarding an event presented to the user by the display means according to the embodiment of the present invention.
- FIG. 12 is a diagram showing an example of information regarding an event presented to the user by the display means according to the embodiment of the present invention.
- FIG. 13 is a diagram showing an example of information regarding an event presented to the user by the display means according to the embodiment of the present invention.
- FIG. 14 is a diagram showing an example of information regarding an event presented to the user by the display means according to the embodiment of the present invention.
- FIG. 15 is a flow chart showing the operation of the information processing apparatus 10 according to the present embodiment.
- FIG. 16 is a block diagram showing an example of a computer that realizes the information processing apparatus 10 according to the embodiment of the present invention.
- FIG. 1 is a block diagram showing a schematic configuration of an information processing apparatus according to an embodiment of the present invention.
- the information processing device 10 in the present embodiment shown in FIG. 1 is a device that, for an abnormality detected by a monitoring device installed in a control system, automatically extracts (A) the background of the occurrence of the abnormality or (B) the predicted progress after its occurrence, and thereby assists in determining the degree of risk that is actually occurring in the control system.
- the information processing apparatus 10 includes an abnormality receiving means 11, a collating means 12, and an extracting means 13.
- the abnormality receiving means 11 receives the abnormality detected by the monitoring device.
- the collating means 12 receives an abnormality from the abnormality receiving means 11 and makes a first determination of whether each predetermined collation condition for collating an event included in an attack procedure with an abnormality matches the abnormality. When the first determination finds a match, the collating means 12 further makes a second determination of whether an event included in each of the predefined attack procedures matches the collation condition determined to match. When the second determination finds a match, the collating means 12 identifies the attack procedure including that event and passes it to the extracting means 13. The extracting means 13 receives from the collating means 12 the identified attack procedure including the event that matches the collation condition, and extracts from that attack procedure the events that match a predetermined extraction condition.
- the information processing device 10 in the present embodiment can therefore automatically extract, for an abnormality detected by the monitoring device, (A) the process leading to the occurrence of the abnormality and (B) the expected process after its occurrence.
- FIG. 2 is a configuration diagram showing an example of the configuration of a plant that is the target of abnormality monitoring and risk display in the embodiment of the present invention.
- FIG. 3 is a block diagram showing a relationship between the information processing apparatus according to the embodiment of the present invention and the control system of the plant shown in FIG.
- FIG. 4 is a block diagram showing a more specific configuration of the information processing apparatus according to the embodiment of the present invention.
- the plant 20 includes a water storage tank 21, a water level sensor (LIT101) 22, a supply line 23, a drainage line 24, a pump (PMP101) 25, and a valve (MV101) 26. Further, the plant 20 includes a PLC (PLC1) 30 that executes a control program as a control device.
- LIT101 water level sensor
- PMP101 pump
- MV101 valve
- PLC PLC
- the water level sensor 22 measures the water level of the water stored in the water storage tank 21 in four stages (HH, H, L, LL) and outputs sensor data indicating the measured water level.
- the supply line 23 is a line for supplying water to the water storage tank 21.
- the pump 25 is provided on the supply line 23.
- the drainage line 24 is a line for draining the water of the water storage tank 21.
- the valve 26 is provided on the drainage line 24.
- the PLC 30 adjusts the water level by operating the pump 25 or opening and closing the valve 26 according to the sensor data output from the water level sensor 22.
- the PLC 30 is connected, via the network switch 32 and the control network (NW_c1), to the engineering workstation 33 and to the terminal device 31 used by the operator, so that data communication between them is possible. Further, the PLC 30 is also connected to the information processing device 10 via the network switch 32 and the control network (NW_c1).
- a monitoring device 40 capable of detecting tampering with software mounted on each of the water level sensor 22, the pump 25, and the valve 26 is connected.
- a monitoring device 40 capable of detecting an abnormality in a message flowing through the network is connected to the network switch 32.
- the terminal device 31 provides the HMI to the operator.
- the operator operates on the HMI of the terminal device 31.
- the engineering workstation 33 manages the operating state of each PLC and further holds a control program thereof. Further, the engineering workstation 33 updates the control program in response to an instruction from the operator or the like.
- the PLC 30 is connected to the water level sensor 22, the pump 25, and the valve 26 via the field network (NW_f1).
- the plant 20 that is the target of abnormality monitoring and risk display in the present embodiment includes a PLC that executes a control program, and a network that connects the PLC and other devices.
- a signal for transmitting the state of the manufacturing process or the like received from the sensor or the like by the PLC 30 is written in a place corresponding to the signal in the storage device included in the PLC. Further, the signal for operating or stopping the actuator or the like transmitted to the actuator or the like by the PLC is read out from a place corresponding to the signal in the storage device provided in the PLC. Further, the place in the storage device is generally called a variable, a tag, a register, or the like, and in the present embodiment, it is called a tag.
- the information processing apparatus 10 includes the abnormality receiving means 11, the collating means 12, the extracting means 13, the collating condition storage means 14, and the risk storage means 15 shown in FIG.
- the extraction condition storage means 16 and the display means 17 are provided.
- the abnormality receiving means 11 receives, from the monitoring device 40, the abnormalities detected by that device. FIGS. 5A and 5B show examples of an abnormality received by the abnormality receiving means 11 from the monitoring device 40 in the embodiment of the present invention.
- Anomalies consist of one or more key / value pairs.
- the abnormality (1) in FIG. 5A is an example of an abnormality transmitted when the monitoring device 40 detects tampering with the software mounted on the valve 26 to be monitored.
- the key "Anomaly-Type” indicates the type of abnormality, and the value “TAPPER_DETECDATE” indicates that the software installed in the monitored device has been tampered with. Further, the value "MV101" of the key “Equipment-Name” indicates that the software mounted on the valve (MV101) 26 has been tampered with.
- the abnormality (2) in FIG. 5B is an example of an abnormality transmitted when the monitoring device 40 detects a suspicious message flowing through the control network (NW_c1) to be monitored.
- the key "Anomaly-Type” indicates the type of abnormality, and the value “UNUSUAL_MESSAGE” indicates that a suspicious message has been detected in the monitored network.
- the value "Write-Tag-Value” of the key "Message-Class” indicates that this suspicious message is a message requesting rewriting of the tag value.
- the value "LIT101" of the key “Equipment-Name” and the value "L” of the key “Value” indicate that the value of the tag related to the water level sensor (LIT101) 22 is rewritten to "L".
- the risk storage means 15 stores risks that may occur in the plant 20.
- the risk in this embodiment is described as an attack path. That is, in the present embodiment, the attack procedure is described as an attack path.
- the attack path is information in which events that can occur when the plant 20 receives a cyber attack are arranged in chronological order.
- the attack path is created by a security and control system expert who investigates the vulnerabilities of each device in the plant 20 and examines every possibility of exploiting those vulnerabilities to cause damage to the plant 20.
- 6A to 6D show an example of the attack path stored in the risk storage means 15.
- the attack path contains events arranged in chronological order.
- An event consists of one or more key / value pairs.
- the value of the key "Event-Number” indicates the number of the event that occurs in the attack path.
- the value of the key “Event-Type” indicates the type of the event.
- the value of the key "Label” stores a sentence explaining the event.
- the event type "COMPROMISED” indicates an event in which an attacker can freely control the device, and the details of the event can be described by the following keys.
- the value of the key "Target” includes the identifying name of the device that the attacker can freely control.
- the event type "PASSWORD_STORLEN” indicates an event in which an attacker steals user authentication information such as a password from a device, and the details of the event can be described by the following key.
- the value of the key "Target" includes the identification name of the device from which the attacker stole user authentication information such as a password.
- the event type "LOGIN_BY_ATTACKER” indicates the event in which the attacker logged in to the device, and the details of the event can be described by the following key.
- the value of the key "Target” includes the identifying name of the device that the attacker logged in to.
- the event type "TAG_CHANGE_BY_ATTACKER” indicates an event in which the attacker changed the tag value, and the details of the event can be described by the following key.
- the value of the key "Target” includes the identification name of the device corresponding to the tag whose value was changed by the attacker. That is, the value of the key "Target” means for which device the attacker changed the value of the tag.
- the tag may also have multiple values, and the value of the key "Reporting-State” includes the sensor read report value written by the attacker.
- the event type "SEND_COMMAND” indicates an event in which one device sends a command to another device, and the details of the event can be described by the following key.
- the value of the key "Subject” includes the identification name of the device that sent the instruction.
- the value of the key “Target” includes the identification name of the device that received the command.
- the value of the key "Command" includes the identification name of the transmitted instruction.
- the event type "FUNCTIONED” indicates an event in which a certain device normally functions by a command, and the details of the event can be described by the following key.
- the value of the key “Subject” includes the identification name of the device that has functioned normally by the instruction.
- the value of the key "Command" includes the identification name of the instruction.
- the value of the key “Physical-State” includes the identification name of the physical state of the device that has functioned normally by the instruction.
- the value of the key “Reporting-State” includes the sensor reading report value of the device that functioned normally by the command.
- the event type "PHYSICALLY_CHANGE” indicates an event in which the physical state of the equipment has changed, and the details of the event can be described by the following keys.
- the value of the key “Subject” includes the identifying name of the equipment whose physical state has changed.
- the value of the key “Physical-State” includes the physical state value of the equipment.
- the event type "PHYSICALLY_ACCESSED” indicates an event in which an attacker can physically access the device, and the details of the event can be described by the following key.
- the value of the key "Target” includes the identifying name of the device that the attacker has gained physical access to.
- the event type "MALFUNCTIONED” indicates an event in which the device does not function normally, and the details of the event can be described by the following keys.
- the value of the key “Subject” includes the identifying name of the device that is not functioning properly.
- the value of the key “Physical-State” includes the physical state value of the device that does not operate normally.
- the value of the key “Reporting-State” includes the sensor reading report value of the device that does not operate normally.
- the event type "MALICOUS_HOST_JOINED” indicates an event in which a malicious device is connected to the network.
- the attack path "AP1" shown in FIG. 6A is information indicating that the following events can occur in the plant 20.
- a first event occurs that allows an attacker to freely control the engineering workstation (EWS) 33.
- a second event occurs in which an attacker steals user authentication information from the engineering workstation (EWS) 33.
- a third event occurs in which the attacker logs in to the terminal device (HMI) 31.
- a fourth event occurs in which the attacker changes the sensor reading report value of the water level sensor (LIT101) 22 to “L”.
- a fifth event occurs in which the PLC 30 transmits the instruction "START" to the pump (PMP101) 25.
- the instruction "START” causes a sixth event in which the physical state of the pump (PMP101) 25 becomes “RUNNING” and the sensor read report value also becomes “RUNNING".
- a seventh event occurs in which the physical state of the water storage tank 21 changes to "HH”.
- an eighth event occurs in which the physical state of the water storage tank 21 changes to "OVERFLOW".
- the attack path "AP2" shown in FIG. 6B is information indicating that the following events can occur in the plant 20.
- a first event occurs that allows the attacker to physically access the valve (MV101) 26.
- a second event occurs that allows the attacker to freely control the valve (MV101) 26.
- a third event occurs in which the valve (MV101) 26 does not function normally and the physical state of the valve is "OPEN", while the sensor read report value of the valve is "CLOSED”.
- a fourth event occurs in which the physical state of the water storage tank 21 changes to "LL”.
- a fifth event occurs in which the physical state of the water storage tank 21 changes to "EMPTY".
- the attack path "AP3" shown in FIG. 6C is information indicating that the following events can occur in the plant 20.
- a first event occurs in which a malicious device is connected to the control network (NW_c1).
- a second event occurs in which the attacker changes the sensor reading report value of the water level sensor (LIT101) 22 to "H”.
- a third event occurs in which the PLC 30 transmits a command "OPEN” to the valve (MV101) 26.
- the instruction "OPEN” causes a fourth event in which the physical state of the valve (MV101) 26 becomes “OPEN” and the sensor read report value also becomes “OPEN”.
- a fifth event occurs in which the physical state of the water storage tank 21 changes to "LL”.
- a sixth event occurs in which the physical state of the water storage tank 21 changes to "EMPTY".
- the attack path "AP4" shown in FIG. 6D is information indicating that the following events can occur in the plant 20.
- a first event occurs that allows an attacker to freely control the engineering workstation (EWS) 33.
- a second event occurs in which an attacker steals user authentication information from the engineering workstation (EWS) 33.
- a third event occurs in which the attacker logs in to the terminal device (HMI) 31.
- a fourth event occurs in which the attacker changes the sensor reading report value of the water level sensor (LIT101) 22 to "H”.
- a fifth event occurs in which the PLC 30 transmits a command "OPEN" to the valve (MV101) 26.
- the instruction "OPEN” causes a sixth event in which the physical state of the valve (MV101) 26 becomes “OPEN” and the sensor read report value also becomes “OPEN”.
- a seventh event occurs in which the physical state of the water storage tank 21 changes to "LL”.
- an eighth event occurs in which the physical state of the water storage tank 21 changes to "EMPTY”.
- the collation condition storage means 14 stores collation conditions that define the relationship between an abnormality received by the abnormality receiving means 11 and the events included in each attack path stored in the risk storage means 15. That is, a collation condition is a condition for collating an event included in an attack procedure with an abnormality.
- FIG. 7 shows an example of the collation condition stored in the collation condition storage means 14.
- the collation condition in the present embodiment includes a collation condition ID, an abnormality collation condition expression, and an event collation condition expression.
- the collation condition ID is an identifier for identifying the collation condition.
- the abnormality collation conditional expression includes a conditional expression related to the abnormality received by the abnormality receiving means 11.
- the event matching conditional expression includes a conditional expression related to the risk stored in the risk storage means 15.
- the collation condition "CC1" includes an abnormality collation conditional expression that matches an abnormality in which the value of the key "Anomaly-Type" is "UNUSUAL_MESSAGE" and the value of the key "Target" is "$X". Further, the collation condition "CC1" includes an event collation conditional expression that matches an event in which the value of the key "Event-Type" is "TAG_CHANGE_BY_ATTACKER" and the value of the key "Target" is "$X". "$X" indicates an arbitrary value, but this value must be the same for the abnormality and the event.
- the collation condition "CC2" includes an abnormality collation conditional expression that matches an abnormality in which the value of the key "Anomaly-Type" is "UNUSUAL_LOGIN" and the value of the key "Target" is "$X". Further, the collation condition "CC2" includes an event collation conditional expression that matches an event in which the value of the key "Event-Type" is "LOGIN_BY_ATTACKER" and the value of the key "Target" is "$X".
- the collation condition "CC3" includes an abnormality collation conditional expression that matches an abnormality in which the value of the key "Anomaly-Type" is "TAPPER_DECTED" and the value of the key "Equipment-Name" is "$X". Further, the collation condition "CC3" includes an event collation conditional expression that matches an event in which the value of the key "Event-Type" is "COMPROMISED" and the value of the key "Target" is "$X".
- the collation means 12 receives an abnormality from the abnormality receiving means 11.
- the collation means 12 determines whether or not the abnormality collation condition expression included in each collation condition stored in the collation condition storage means 14 matches the abnormality. If they match, it is further determined whether or not the event included in each attack path stored in the risk storage means 15 matches the event matching conditional expression included in the matching condition. If they match, the attack path including the matched event is passed to the extraction means 13.
- the abnormality collation conditional expression is compared with the abnormality (1), and it is determined that they match.
- the matching means 12 further determines whether or not the events included in each attack path stored in the risk storage means 15 match the event matching conditional expression included in the matching condition determined to match.
- the risk storage means 15 stores the four attack paths shown in FIGS. 6A to 6D.
- the first term in the event matching conditional expression matches the above-mentioned event.
- the value of "$ X" is fixed to "MV101" in the above. Therefore, the second term in the event matching conditional expression does not match the above-mentioned event.
- the first term and the second term in the event matching conditional expression are combined by "and", but since the second term does not match the event, it is determined that the event matching conditional expression does not match the event.
- the values of the key "Event-Type" included in the second to eighth events in the attack path are each one of "PASSWORD_STORLEN", "LOGIN_BY_ATTACKER", "TAG_CHANGE_BY_ATTACKER", "SEND_COMMAND", "FUNCTIONED", and "PHYSICALLY_CHANGED", so the first term in the event matching conditional expression does not match those events.
- the first term and the second term in the event matching conditional expression are combined by "and", but since the first term does not match the event, it is determined that the event matching conditional expression does not match the event.
- the first term in the event matching conditional expression does not match the above-mentioned event.
- the first term and the second term in the event matching conditional expression are combined by "and", but since the first term does not match the event, it is determined that the event matching conditional expression does not match the event.
- the first term in the event matching conditional expression matches the above-mentioned event.
- the value of "$ X" is fixed to "MV101" in the above. Therefore, the second term in the event matching conditional expression also matches the above-mentioned event.
- the first term and the second term in the event matching conditional expression are combined by "and", and since both of them match the event, it is determined that the event matching conditional expression matches the event.
- the values of the key "Event-Type" included in the third to fifth events in the attack path are each one of "MALFUNCTIONED" and "PHYSICALLY_CHANGE", so the first term in the event matching conditional expression does not match those events.
- the first term and the second term in the event matching conditional expression are combined by "and", but since the first term does not match the event, it is determined that the event matching conditional expression does not match the event.
- the values of the key "Event-Type" included in the first to sixth events in the attack path are each one of "MALICOUS_HOST_JOINED", "TAG_CHANGE_BY_ATTACKER", "SEND_COMMAND", "FUNCTIONED", and "PHYSICALLY_CHANGED", so the first term in the event matching conditional expression does not match those events.
- the first term and the second term in the event matching conditional expression are combined by "and", but since the first term does not match the event, it is determined that the event matching conditional expression does not match the event.
- the first term in the event matching conditional expression matches the above-mentioned event.
- the value of "$ X" is fixed to "MV101" in the above. Therefore, the second term in the event matching conditional expression does not match the above-mentioned event.
- the first term and the second term in the event matching conditional expression are combined by "and", but since the second term does not match the event, it is determined that the event matching conditional expression does not match the event.
- the values of the key "Event-Type" included in the second to eighth events in the attack path are each one of "PASSWORD_STORLEN", "LOGIN_BY_ATTACKER", "TAG_CHANGE_BY_ATTACKER", "SEND_COMMAND", "FUNCTIONED", and "PHYSICALLY_CHANGED", so the first term in the event matching conditional expression does not match those events.
- the first term and the second term in the event matching conditional expression are combined by "and", but since the first term does not match the event, it is determined that the event matching conditional expression does not match the event.
- the collation means 12 passes the attack path “AP2” including the matched event to the extraction means 13.
- Extraction conditions are stored in the extraction condition storage means 16.
- FIG. 8 shows an example of the extraction conditions stored in the extraction condition storage means 16.
- the extraction condition in the present embodiment includes an extraction condition ID, an event extraction condition expression, and a label.
- the extraction condition ID is an identifier for identifying the extraction condition.
- the event extraction conditional expression includes a conditional expression related to the event extracted from the attack path.
- the label contains a sentence explaining what kind of event is extracted by this extraction condition.
- the extraction condition "EC1" includes an event extraction conditional expression for extracting an event in which the value of the key “Event-Number” in the event is less than "@MATCHED_EVENT_NUMBER".
- the "@MATCHED_EVENT_NUMBER” is the value of the key "Event-Number” of the event for which the collation conditions are matched. That is, the event extraction conditional expression matches all the events that occur before the event for which the matching condition is matched in the attack path.
- the extraction condition "EC2" includes an event extraction conditional expression for extracting an event in which the value of the key "Event-Number” in the event exceeds "@MATCHED_EVENT_NUMBER". That is, the event extraction conditional expression matches all the events that occur after the event for which the matching condition is matched in the attack path.
- the extraction means 13 receives an attack path including an event that matches the collation condition from the collation means 12. Further, the extraction means 13 receives the extraction condition ID specified by the user from an input means (not shown) such as a mouse or a keyboard. Further, the extraction means 13 acquires the extraction condition identified by the extraction condition ID from the extraction condition storage means 16. Further, the extraction means 13 extracts an event that matches the acquired extraction condition from the received attack path, and passes the extracted event to the display means 17.
- it is assumed that the extraction means 13 receives, from the matching means 12, the attack path "AP2" shown in FIG. 6B as an attack path including an event that matches the matching condition, together with the value "2" of the key "Event-Number" of the event that matches the matching condition in that attack path. Further, it is assumed that the extraction condition ID "EC1" is received from the input means (not shown). In this case, the extraction means 13 first stores the value "2" of the key "Event-Number" of the event that matches the collation condition in the attack path in an internal storage area (not shown). Next, the extraction condition “EC1” shown in FIG.
- it is assumed that the extraction means 13 receives, from the matching means 12, the attack path "AP2" shown in FIG. 6B as an attack path including an event that matches the matching condition, together with the value "2" of the key "Event-Number" of the event that matches the matching condition in that attack path. Further, it is assumed that the extraction condition ID "EC2" is received from the input means (not shown). In this case, the extraction means 13 first stores the value "2" of the key "Event-Number" of the event that matches the collation condition in the attack path in an internal storage area (not shown). Next, the extraction condition "EC2" shown in FIG. 8, which is identified by the extraction condition ID "EC2", is acquired from the extraction condition storage means 16.
- the display means 17 receives an event that matches the collation condition and an event that matches the extraction condition from the extraction means 13, and presents the received event to the user via a display device such as an organic EL display or a liquid crystal display.
- the display means 17 can present the screen shown in FIG. 9 to the user as an example.
- the abnormality 50 can be displayed based on the abnormality information acquired by the display means 17 from the abnormality receiving means 11.
- for the event 51 that matches the abnormality based on the collation condition and the event 52 extracted based on the extraction condition, the character string stored as the value of the key "Label" included in each event can be displayed.
- the explanatory label 53 can be displayed by using the explanatory label included in the extraction conditions.
- the display means 17 can present the screen shown in FIG. 10 to the user as an example.
- the expected progress after the occurrence of the abnormality can be automatically presented to the operation manager.
- it is assumed that the abnormality (2) is received by the abnormality receiving means 11, and that the matching means 12 determines, according to the matching condition "CC1", that the abnormality matches the fourth event in the attack path "AP1", the second event in the attack path "AP3", and the fourth event in the attack path "AP4".
- it is assumed that the extraction means 13, according to the extraction condition "EC1" specified by the user, extracts the first to third events of the attack path "AP1", the first event of the attack path "AP3", and the first to third events of the attack path "AP4".
- the display means 17 can present the screen shown in FIG. 11 to the user as an example.
- it is assumed that the abnormality (2) is received by the abnormality receiving means 11, and that the matching means 12 determines, according to the matching condition "CC1", that the abnormality matches the fourth event in the attack path "AP1", the second event in the attack path "AP3", and the fourth event in the attack path "AP4". Further, it is assumed that the extraction means 13, according to the extraction condition "EC2" specified by the user, extracts the fifth to eighth events of the attack path "AP1", the third to sixth events of the attack path "AP3", and the fifth to eighth events of the attack path "AP4". In this case, the display means 17 can present the screen shown in FIG. 12 to the user as an example. As a result, for the abnormality detected by the monitoring device, (B) the expected progress after the occurrence of the abnormality can be automatically presented to the operation manager.
- it is assumed that the abnormality (2) is received by the abnormality receiving means 11, and that the matching means 12 determines, according to the matching condition "CC1", that the abnormality matches the fourth event in the attack path "AP1", the second event in the attack path "AP3", and the fourth event in the attack path "AP4". Further, it is assumed that the extraction means 13, according to the extraction condition "EC1" specified by the user, extracts the first to third events of the attack path "AP1", the first event of the attack path "AP3", and the first to third events of the attack path "AP4". In this case, the display means 17 can present the screen shown in FIG. 13 to the user as an example.
- the display means 17 displays a configuration diagram of each device and network in the plant 20. For each event received by the display means 17 from the extraction means 13, the identification name of the device in which the event occurred in the plant 20 is indicated as the value of the key “Where”.
- the display means 17 draws, in the configuration diagram, a symbol (for example, an arrow) indicating the order from the device in which the nth (n is a positive integer) event occurs to the device in which the (n + 1)th event occurs.
- the circumstances leading to the occurrence of the abnormality can be automatically presented to the operation manager, and how the effect of the attack by the attacker propagates from device to device can be visually presented to the operation manager.
- it is assumed that the abnormality (2) is received by the abnormality receiving means 11, and that the matching means 12 determines, according to the matching condition "CC1", that the abnormality matches the fourth event in the attack path "AP1", the second event in the attack path "AP3", and the fourth event in the attack path "AP4". Further, it is assumed that the extraction means 13, according to the extraction condition "EC2" specified by the user, extracts the fifth to eighth events of the attack path "AP1", the third to sixth events of the attack path "AP3", and the fifth to eighth events of the attack path "AP4". In this case, the display means 17 can present the screen shown in FIG. 14 to the user as an example.
- the display means 17 displays a configuration diagram of each device and network in the plant 20. For each event received by the display means 17 from the extraction means 13, the identification name of the device in which the event occurred in the plant 20 is indicated as the value of the key “Where”.
- the display means 17 draws, in the configuration diagram, a symbol (for example, an arrow) indicating the order from the device in which the nth event occurs to the device in which the (n + 1)th event occurs.
- as shown in the upper part of FIGS. 13 and 14, the display means 17 can also display the number of abnormalities received by the abnormality receiving means 11, the number of attack paths to which the events passed by the extraction means 13 belong (to the left of "abnormality" for the extraction condition EC1 and to the right of "abnormality" for the extraction condition EC2), the number of first events (entrances) in those attack paths, and the number of last events (damages) in those attack paths.
- FIG. 15 is a flowchart showing the operation of the information processing apparatus according to the embodiment of the present invention.
- FIGS. 1 to 14 will be referred to as appropriate.
- the display method is implemented by operating the information processing device 10. Therefore, the description of the display method in the present embodiment is replaced with the following description of the operation of the information processing device 10.
- the abnormality receiving means 11 receives the abnormality detected by the monitoring device 40, and passes the received abnormality to the collating means. (Step A1)
- the collation means 12 determines whether or not the passed abnormality and each collation condition acquired from the collation condition storage means 14 match. (Step A2)
- the collation means 12 determines whether or not there is a collation condition determined to match the abnormality in the previous step A2. If there is a collation condition determined to match the abnormality as a result of the determination, the next step A4 is executed. If there is no collation condition determined to match the abnormality, step A1 is executed. (Step A3)
- the collation means 12 determines whether or not the collation condition determined to match the abnormality and each event in each attack path acquired from the risk storage means 15 match. (Step A4)
- the collation means 12 determines whether or not there is an attack path including an event determined to match the collation condition in the previous step A4. If there is an attack path including an event determined to match the collation condition as a result of the determination, the attack path including the matching event is passed to the extraction means 13, and the next step A6 is executed. If there is no attack path including the event determined to match the collation condition, step A1 is executed. (Step A5)
- the extraction means 13 receives an attack path including an event that matches the matching conditions. Further, the extraction condition ID specified by the user is received from an input means (not shown) such as a mouse or a keyboard. Further, the extraction condition identified by the extraction condition ID is acquired from the extraction condition storage means 16. Then, an event that matches the acquired extraction condition is extracted from the received attack path, and the extracted event is passed to the display means 17. (Step A6)
- the display means 17 receives from the extraction means 13 an event that matches the collation condition and an event that matches the extraction condition, and sends the received event to the user via a display device such as an organic EL display or a liquid crystal display. Present. (Step A7)
- it is determined whether or not another extraction condition has been selected by the user. If another extraction condition is selected as a result of the determination, step A6 is executed. If no other extraction condition is selected, the next step A9 is executed. (Step A8)
- the abnormality receiving means 11 determines whether or not a new abnormality has been received from the monitoring device 40. If a new abnormality is received from the monitoring device 40 as a result of the determination, step A1 is executed. If no new abnormality has been received from the monitoring device 40, the next step A10 is executed. (Step A9)
- the display means 17 determines whether or not termination has been requested by the user. If termination is requested as a result of the determination, this operation flow ends. If termination is not requested, step A8 is executed. (Step A10)
- the operation manager can determine the degree of risk that is actually occurring in the control system in a shorter time than before, and the chance of an erroneous judgment can also be reduced.
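The collation and extraction flow of steps A1 to A6, and the worked matching of abnormality (1) against the attack paths described earlier, can be written as a short program. The following is an added example, not code from the patent: collation conditions CC1 to CC3 and extraction conditions EC1 and EC2 follow FIGS. 7 and 8 as described above, while the attack paths, event numbers, device names (PLC1, HMI1, P101, T101, MV101 as a target) and labels are constructed sample data, since FIGS. 6A to 6D are not reproduced on the page.

```python
"""Added example, not the patent's own code: a minimal implementation of the
collation and extraction flow (steps A1 to A6).  Collation conditions CC1 to
CC3 and extraction conditions EC1 and EC2 follow the description; the attack
paths, event numbers, device names and labels are constructed sample data."""

# Collation conditions (FIG. 7): an abnormality pattern and an event pattern.
# A value beginning with "$" is a variable; it must bind to the same concrete
# value in the abnormality and in the event ("$ X" in the description).
COLLATION_CONDITIONS = {
    "CC1": ({"Anomaly-Type": "UNUSUAL_MESSAGE", "Target": "$X"},
            {"Event-Type": "TAG_CHANGE_BY_ATTACKER", "Target": "$X"}),
    "CC2": ({"Anomaly-Type": "UNUSUAL_LOGIN", "Target": "$X"},
            {"Event-Type": "LOGIN_BY_ATTACKER", "Target": "$X"}),
    "CC3": ({"Anomaly-Type": "TAPPER_DECTED", "Equipment-Name": "$X"},
            {"Event-Type": "COMPROMISED", "Target": "$X"}),
}

# Extraction conditions (FIG. 8) as (label, predicate on Event-Number versus
# @MATCHED_EVENT_NUMBER): EC1 keeps earlier events, EC2 keeps later events.
EXTRACTION_CONDITIONS = {
    "EC1": ("Circumstances leading to the abnormality", lambda n, m: n < m),
    "EC2": ("Expected progress after the abnormality", lambda n, m: n > m),
}


def match_pattern(pattern, record, bindings):
    """Match every key of `pattern` against `record`.

    Returns the (possibly extended) variable bindings on success, or None on
    mismatch.  A "$" variable already bound to a different value is a mismatch,
    which is what ties the abnormality's Target to the event's Target.
    """
    bound = dict(bindings)
    for key, want in pattern.items():
        if key not in record:
            return None
        got = record[key]
        if want.startswith("$"):
            if bound.get(want, got) != got:
                return None
            bound[want] = got
        elif got != want:
            return None
    return bound


def collate(abnormality, attack_paths, conditions=COLLATION_CONDITIONS):
    """Steps A2 to A5: (condition id, path id, matched Event-Number) for every
    event of every attack path that matches a condition whose abnormality
    pattern matched the received abnormality (first, then second determination)."""
    hits = []
    for cc_id, (abn_pattern, ev_pattern) in conditions.items():
        bound = match_pattern(abn_pattern, abnormality, {})
        if bound is None:
            continue  # first determination failed; try the next condition
        for ap_id, events in attack_paths.items():
            for ev in events:
                if match_pattern(ev_pattern, ev, bound) is not None:
                    hits.append((cc_id, ap_id, ev["Event-Number"]))
    return hits


def extract(events, matched_number, ec_id, conditions=EXTRACTION_CONDITIONS):
    """Step A6: (label, events) selected relative to @MATCHED_EVENT_NUMBER."""
    label, keep = conditions[ec_id]
    return label, [ev for ev in events if keep(ev["Event-Number"], matched_number)]


def _event(number, event_type, target, where, label):
    return {"Event-Number": number, "Event-Type": event_type,
            "Target": target, "Where": where, "Label": label}


# Constructed sample attack paths (hypothetical device names).
ATTACK_PATHS = {
    "AP1": [
        _event(1, "COMPROMISED", "PLC1", "PLC1", "PLC1 is compromised"),
        _event(2, "SEND_COMMAND", "P101", "PLC1", "Malicious command sent to P101"),
        _event(3, "MALFUNCTIONED", "P101", "P101", "P101 malfunctions"),
        _event(4, "PHYSICALLY_CHANGED", "T101", "T101", "Tank T101 overflows"),
    ],
    "AP2": [
        _event(1, "LOGIN_BY_ATTACKER", "HMI1", "HMI1", "Attacker logs in to HMI1"),
        _event(2, "TAG_CHANGE_BY_ATTACKER", "MV101", "HMI1", "Attacker changes tag MV101"),
        _event(3, "SEND_COMMAND", "MV101", "PLC1", "Open command sent to MV101"),
        _event(4, "PHYSICALLY_CHANGED", "MV101", "MV101", "Valve MV101 opens"),
    ],
}


def analyse(abnormality, ec_id, attack_paths=ATTACK_PATHS):
    """Steps A2 to A6 for one abnormality and one user-selected extraction
    condition; returns the rows the display means would present."""
    result = []
    for cc_id, ap_id, matched in collate(abnormality, attack_paths):
        label, extracted = extract(attack_paths[ap_id], matched, ec_id)
        result.append({"condition": cc_id, "path": ap_id, "matched": matched,
                       "label": label, "events": [ev["Label"] for ev in extracted]})
    return result


if __name__ == "__main__":
    abnormality_1 = {"Anomaly-Type": "UNUSUAL_MESSAGE", "Target": "MV101"}
    for row in analyse(abnormality_1, "EC2"):
        print(row)
```

With abnormality (1) (UNUSUAL_MESSAGE on MV101) only CC1 passes the first determination, and only the second event of AP2 passes the second, because "$X" is bound to "MV101" by the abnormality before the event patterns are tried; EC1 then yields the login event before it and EC2 the command and valve events after it. For CC3 the variable is bound from the abnormality's "Equipment-Name" and compared with the event's "Target", which the key-by-key matcher handles without special-casing.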
- the program in this embodiment may be any program that causes a computer to execute steps A1 to A10 shown in FIG. By installing this program on a computer and executing it, the information processing device and the display method according to the present embodiment can be realized.
- the processor of the computer functions as the abnormal receiving means 11, the collating means 12, the extracting means 13, and the display means 17, and performs processing.
- the collation condition storage means 14, the risk storage means 15, and the extraction condition storage means 16 are realized by storing data files of the collation conditions, the attack paths, and the extraction conditions, respectively, in a storage device such as a hard disk provided in the computer.
- the program in the present embodiment may be executed by a computer system constructed by a plurality of computers.
- each computer may function as any of the abnormal receiving means 11, the collating means 12, the extracting means 13, and the displaying means 17, respectively.
- the collation condition storage means 14, the risk storage means 15, and the extraction condition storage means 16 may be constructed on a computer different from the computer that executes the program in the present embodiment.
- FIG. 16 is a block diagram showing an example of a computer that realizes the information processing apparatus 10 according to the embodiment of the present invention.
- the computer 110 includes a CPU (Central Processing Unit) 111, a main memory 112, a storage device 113, an input interface 114, a display controller 115, a data reader / writer 116, and a communication interface 117. Each of these parts is connected to the others via a bus 121 so as to be capable of data communication.
- the computer 110 may include a GPU (Graphics Processing Unit) or an FPGA (Field-Programmable Gate Array) in addition to the CPU 111 or in place of the CPU 111.
- the CPU 111 expands the programs (codes) of the present embodiment stored in the storage device 113 into the main memory 112 and executes them in a predetermined order to perform various operations.
- the main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory).
- the program according to the present embodiment is provided in a state of being stored in a computer-readable recording medium 120.
- the program in the present embodiment may be distributed on the Internet connected via the communication interface 117.
- non-transitory computer-readable media include various types of tangible storage media.
- examples of non-transitory computer-readable media include magnetic recording media (e.g., flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g., magneto-optical disks), CD-ROM (Compact Disc Read Only Memory), CD-R, CD-R/W, and semiconductor memory (e.g., mask ROM, Programmable ROM (PROM), Erasable PROM (EPROM), flash ROM, Random Access Memory (RAM)).
- the program may also be supplied to the computer by various types of transitory computer-readable media.
- examples of transitory computer-readable media include electrical signals, optical signals, and electromagnetic waves.
- the transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fiber, or via a wireless communication path.
- examples of the storage device 113 include a semiconductor storage device such as a flash memory in addition to a hard disk drive.
- the input interface 114 mediates data transmission between the CPU 111 and an input device 118 such as a keyboard and mouse.
- the display controller 115 is connected to the display device 119 and controls the display on the display device 119.
- the data reader / writer 116 mediates the data transmission between the CPU 111 and the recording medium 120, reads the program from the recording medium 120, and writes the processing result in the computer 110 to the recording medium 120.
- the communication interface 117 mediates data transmission between the CPU 111 and another computer.
- examples of the recording medium 120 include a general-purpose semiconductor storage device such as CF (CompactFlash (registered trademark)) and SD (Secure Digital), a magnetic recording medium such as a flexible disk, or an optical recording medium such as a CD-ROM (Compact Disk Read Only Memory).
- the information processing device 10 in the present embodiment can also be realized by using hardware corresponding to each part instead of the computer in which the program is installed. Further, the information processing apparatus 10 may be partially realized by a program and the rest may be realized by hardware.
- the risk storage means 15 stores risks that may occur in the plant 20.
- the risks in this embodiment are described as a fault tree. That is, in the present embodiment, the attack procedure is described as a fault tree.
- the fault tree is information arranged according to the relationship between cause and effect of events that can occur when the plant 20 is subjected to a cyber attack.
- the fault tree is created by having a security and control system expert investigate the vulnerabilities of each device in the plant 20 and examine every possibility of exploiting those vulnerabilities to cause damage to the plant 20.
- each event in the fault tree holds the identification number of the event (for example, "300") as the value of the key "Event-Number". Further, as the value of the key "Cause", the identification number of the event that caused the event (for example, "298") can be held. When the cause of the event is the logical sum or logical product of a plurality of events, it can be described as "297 or 299" or "297 and 299", respectively. Further, as the value of the key "Consequence", the identification number of the event that occurs as a result of the occurrence of the event (for example, "301") can be held.
- the collation means 12 receives an abnormality from the abnormality receiving means 11. It is determined whether or not the abnormality collation conditional expression included in each collation condition stored in the collation condition storage means 14 matches the abnormality. If they match, it is further determined whether or not the event included in each fault tree stored in the risk storage means 15 matches the event matching conditional expression included in the matching condition. If they match, the fault tree containing the matched events is passed to the extraction means 13.
- Extraction conditions are stored in the extraction condition storage means 16.
- the event extraction conditional expression in the extraction condition includes the conditional expression related to the event to be extracted from the fault tree.
- the event extraction conditional expression for extracting the event of the circumstances leading to the occurrence of the abnormality can be described as, for example, "@MATCHED_EVENT_NUMBER in Consequence".
- “@MATCHED_EVENT_NUMBER in Consequence” indicates whether or not the value of the key "Consequence” includes the value specified by "@MATCHED_EVENT_NUMBER”.
- the event extraction conditional expression for extracting the events of the expected course after the occurrence of the abnormality can be described as, for example, "@MATCHED_EVENT_NUMBER in Cause".
- "@MATCHED_EVENT_NUMBER in Cause" indicates whether or not the value of the key "Cause" includes the value specified by "@MATCHED_EVENT_NUMBER".
- the extraction means extracts an event that matches the extraction conditions from the fault tree.
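The two fault-tree extraction expressions quoted above can be evaluated over a small constructed tree, as in the following added example (not the patent's own code). The event numbers 297 to 302, their labels and the "and"/"or" form of the "Cause" values are constructed sample data modelled on the description; the `walk` function is an added generalisation that follows the same expression transitively, which the description does not itself describe.

```python
"""Added example, not the patent's own code: extraction over a fault tree with
"@MATCHED_EVENT_NUMBER in Consequence" (events that lead to the matched event)
and "@MATCHED_EVENT_NUMBER in Cause" (events that follow it).  The tree is
constructed sample data; the "and"/"or" form of Cause follows the description."""
import re

CONDITION_RE = re.compile(r"^@MATCHED_EVENT_NUMBER in (Cause|Consequence)$")


def referenced_numbers(value):
    """Event numbers named in a Cause/Consequence value such as "298" or
    "297 and 299"; the and/or connective does not affect membership."""
    return {int(n) for n in re.findall(r"\d+", value or "")}


def extract_from_fault_tree(events, matched_number, condition):
    """Events whose key named by the condition references the matched event,
    i.e. its direct causes (key Consequence) or direct consequences (key Cause).
    Any other condition string is rejected rather than silently ignored."""
    m = CONDITION_RE.match(condition)
    if m is None:
        raise ValueError(f"unsupported extraction condition: {condition!r}")
    key = m.group(1)
    return [ev for ev in events
            if matched_number in referenced_numbers(ev.get(key))]


def walk(events, matched_number, condition):
    """Added generalisation: apply the same condition transitively to collect
    every upstream or downstream event in breadth-first order, visiting each
    node once even when the tree has joins (several causes for one event)."""
    seen, frontier, order = {matched_number}, [matched_number], []
    while frontier:
        current = frontier.pop(0)
        for ev in extract_from_fault_tree(events, current, condition):
            n = ev["Event-Number"]
            if n not in seen:
                seen.add(n)
                frontier.append(n)
                order.append(ev)
    return order


def _node(number, cause, consequence, label):
    return {"Event-Number": number, "Cause": cause,
            "Consequence": consequence, "Label": label}


# Constructed fault tree: 297 and 299 together cause 298, which causes 300, ...
FAULT_TREE = [
    _node(297, "", "298", "Operator credentials stolen"),
    _node(299, "", "298", "Attacker reaches the control network"),
    _node(298, "297 and 299", "300", "Attacker logs in to the HMI"),
    _node(300, "298", "301", "Setpoint tag changed by attacker"),
    _node(301, "300", "302", "PLC drives the valve to an unsafe position"),
    _node(302, "301", "", "Process upset"),
]


def numbers(events):
    """Event numbers of a list of events, in list order."""
    return [ev["Event-Number"] for ev in events]


if __name__ == "__main__":
    matched = 300  # @MATCHED_EVENT_NUMBER of the event that matched the abnormality
    print(numbers(extract_from_fault_tree(FAULT_TREE, matched, "@MATCHED_EVENT_NUMBER in Consequence")))
    print(numbers(walk(FAULT_TREE, matched, "@MATCHED_EVENT_NUMBER in Cause")))
```

For a matched event 300, the "in Consequence" expression returns event 298 (its direct cause) and the "in Cause" expression returns event 301 (its direct consequence); the transitive walk additionally reaches 297 and 299 upstream and 302 downstream, which is what an operator wants when the display is meant to show the whole chain rather than one step of it.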
- (Appendix 1) An information processing device having: an abnormality receiving means for receiving an abnormality detected by a monitoring device installed in a control system; a collation means that receives the abnormality from the abnormality receiving means, performs a first determination of whether or not each predetermined collation condition for collating an event included in an attack procedure with the abnormality matches the abnormality, if the first determination matches, further performs a second determination of whether or not an event included in each predefined attack procedure matches the collation condition determined to match, and if the second determination matches, identifies the attack procedure including the event; and an extraction means for extracting an event that matches a predetermined extraction condition from the identified attack procedure.
- (Appendix 2) The information processing device according to Appendix 1, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the abnormality in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the abnormality in the attack procedure.
- (Appendix 3) The information processing device according to Appendix 1 or 2, further having a display means for presenting the extracted event to the user.
- (Appendix 4) The information processing device according to Appendix 3, wherein the display means displays a configuration diagram showing the devices and networks in the control system, and further overlays and draws on the configuration diagram a symbol representing the order from the device in which the extracted nth event occurs to the device in which the extracted (n + 1)th event occurs.
- (Appendix 5) The information processing device according to any one of Appendix 1 to 4, wherein the attack procedure is an attack path.
- (Appendix 6) The information processing device according to any one of Appendix 1 to 4, wherein the attack procedure is a fault tree.
- (Appendix 7) A display method comprising: (A) receiving an abnormality detected by a monitoring device installed in a control system; (B) receiving the received abnormality, performing a first determination of whether or not each predetermined collation condition for collating an event included in an attack procedure with the abnormality matches the abnormality, if the first determination matches, further performing a second determination of whether or not an event included in each predefined attack procedure matches the collation condition determined to match, and if the second determination matches, identifying the attack procedure including the event; and (C) extracting an event that matches a predetermined extraction condition from the identified attack procedure.
- (Appendix 8) The display method according to Appendix 7, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the abnormality in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the abnormality in the attack procedure.
- (Appendix 9) The display method according to Appendix 7 or 8, further comprising (d) presenting the extracted event to the user.
- (Appendix 10) The display method according to Appendix 9, wherein in the step (d), a configuration diagram showing the devices and networks in the control system is displayed, and further a symbol representing the order is overlaid and drawn on the configuration diagram from the device in which the extracted nth event occurs to the device in which the extracted (n + 1)th event occurs.
- (Appendix 11) The display method according to any one of Appendix 7 to 10, wherein the attack procedure is an attack path.
- (Appendix 12) The display method according to any one of Appendix 7 to 10, wherein the attack procedure is a fault tree.
- (Appendix 13) A non-transitory computer-readable medium storing a program containing instructions that cause a computer to execute: (A) a step of receiving an abnormality detected by a monitoring device installed in a control system; (B) a step of receiving the received abnormality, performing a first determination of whether or not each predetermined collation condition for collating an event included in an attack procedure with the abnormality matches the abnormality, if the first determination matches, further performing a second determination of whether or not an event included in each predefined attack procedure matches the collation condition determined to match, and if the second determination matches, identifying the attack procedure including the event; and (C) a step of extracting an event that matches a predetermined extraction condition from the identified attack procedure.
- (Appendix 14) The non-transitory computer-readable medium according to Appendix 13, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the abnormality in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the abnormality in the attack procedure.
- (Appendix 15) The non-transitory computer-readable medium according to Appendix 13 or 14, wherein the stored program further contains an instruction to execute (d) a step of presenting the extracted event to the user.
- (Appendix 16) The non-transitory computer-readable medium according to Appendix 15, wherein in the step (d), a configuration diagram showing the devices and networks in the control system is displayed, and further a symbol representing the order is overlaid and drawn on the configuration diagram from the device in which the extracted nth event occurs to the device in which the extracted (n + 1)th event occurs.
- (Appendix 17) The non-transitory computer-readable medium according to any one of Appendix 13 to 16, wherein the attack procedure is an attack path.
- (Appendix 18) The non-transitory computer-readable medium according to any one of Appendix 13 to 16, wherein the attack procedure is a fault tree.
- the operation manager who is trying to determine the degree of risk that is about to occur in the control system is supported. be able to.
- the present invention is useful in various plants in which a monitoring device has been introduced.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Testing And Monitoring For Control Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
The information processing device comprises:
anomaly receiving means for receiving an anomaly detected by a monitoring device installed in a control system;
matching means that receives the anomaly from the anomaly receiving means, performs a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performs, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifies, when the second determination finds a match, the attack procedure including that event; and
extraction means for extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
The display method comprises:
(a) receiving an anomaly detected by a monitoring device installed in a control system;
(b) receiving the received anomaly, performing a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performing, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifying, when the second determination finds a match, the attack procedure including that event; and
(c) extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
The non-transitory computer-readable medium stores a program that includes instructions causing a computer to execute:
(a) a step of receiving an anomaly detected by a monitoring device installed in a control system;
(b) a step of receiving the received anomaly, performing a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performing, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifying, when the second determination finds a match, the attack procedure including that event; and
(c) a step of extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
Hereinafter, an information processing device, a display method, and a program according to embodiments of the present invention will be described with reference to the drawings.
First, the schematic configuration of the information processing device in the present embodiment will be described using FIG. 1. FIG. 1 is a block diagram showing the schematic configuration of the information processing device in the embodiment of the present invention.
Next, the operation of the information processing device 10 in the present embodiment will be described using FIG. 15. FIG. 15 is a flowchart showing the operation of the information processing device in the embodiment of the present invention. In the following description, FIGS. 1 to 14 are referred to as appropriate. In the present embodiment, the display method is carried out by operating the information processing device 10; therefore, the following description of the operation of the information processing device 10 serves as the description of the display method in the present embodiment.
The program in the present embodiment may be any program that causes a computer to execute steps A1 to A10 shown in FIG. 15. By installing this program on a computer and executing it, the information processing device and the display method in the present embodiment can be realized. In this case, the processor of the computer functions as the anomaly receiving means 11, the matching means 12, the extraction means 13, and the display means 17, and performs the processing. The matching condition storage means 14, the risk storage means 15, and the extraction condition storage means 16 are realized by storing data files of the matching conditions, the attack paths, and the extraction conditions, respectively, in a storage device such as a hard disk provided in the computer.
An information processing device according to a second embodiment of the present invention will be described. The specific configuration of the information processing device in the second embodiment of the present invention is the same as that shown in FIG. 4. Hereinafter, the points in which the information processing device 10 in the second embodiment of the present invention differs from the embodiment of the present invention described so far will be described.
(Appendix 1)
An information processing device comprising:
anomaly receiving means for receiving an anomaly detected by a monitoring device installed in a control system;
matching means that receives the anomaly from the anomaly receiving means, performs a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performs, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifies, when the second determination finds a match, the attack procedure including that event; and
extraction means for extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
(Appendix 2)
The information processing device according to Appendix 1, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the anomaly in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the anomaly in the attack procedure.
(Appendix 3)
The information processing device according to Appendix 1 or 2, further comprising display means for presenting the extracted event to a user.
(Appendix 4)
The information processing device according to Appendix 3, wherein the display means displays a configuration diagram showing the devices and networks in the control system, and further draws, overlaid on the configuration diagram, a symbol representing the order from the device at which the extracted n-th event occurs to the device at which the extracted (n+1)-th event occurs.
(Appendix 5)
The information processing device according to any one of Appendices 1 to 4, wherein the attack procedure is an attack path.
(Appendix 6)
The information processing device according to any one of Appendices 1 to 4, wherein the attack procedure is a fault tree.
(Appendix 7)
A display method comprising:
(a) receiving an anomaly detected by a monitoring device installed in a control system;
(b) receiving the received anomaly, performing a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performing, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifying, when the second determination finds a match, the attack procedure including that event; and
(c) extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
(Appendix 8)
The display method according to Appendix 7, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the anomaly in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the anomaly in the attack procedure.
(Appendix 9)
The display method according to Appendix 7 or 8, further comprising (d) presenting the extracted event to a user.
(Appendix 10)
The display method according to Appendix 9, wherein in step (d), a configuration diagram showing the devices and networks in the control system is displayed, and a symbol representing the order is further drawn, overlaid on the configuration diagram, from the device at which the extracted n-th event occurs to the device at which the extracted (n+1)-th event occurs.
(Appendix 11)
The display method according to any one of Appendices 7 to 10, wherein the attack procedure is an attack path.
(Appendix 12)
The display method according to any one of Appendices 7 to 10, wherein the attack procedure is a fault tree.
(Appendix 13)
A non-transitory computer-readable medium storing a program that includes instructions causing a computer to execute:
(a) a step of receiving an anomaly detected by a monitoring device installed in a control system;
(b) a step of receiving the received anomaly, performing a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performing, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifying, when the second determination finds a match, the attack procedure including that event; and
(c) a step of extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
(Appendix 14)
The non-transitory computer-readable medium according to Appendix 13, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the anomaly in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the anomaly in the attack procedure.
(Appendix 15)
The non-transitory computer-readable medium according to Appendix 13 or 14, wherein the stored program further includes an instruction to execute (d) a step of presenting the extracted event to a user.
(Appendix 16)
The non-transitory computer-readable medium according to Appendix 15, wherein in step (d), a configuration diagram showing the devices and networks in the control system is displayed, and a symbol representing the order is further drawn, overlaid on the configuration diagram, from the device at which the extracted n-th event occurs to the device at which the extracted (n+1)-th event occurs.
(Appendix 17)
The non-transitory computer-readable medium according to any one of Appendices 13 to 16, wherein the attack procedure is an attack path.
(Appendix 18)
The non-transitory computer-readable medium according to any one of Appendices 13 to 16, wherein the attack procedure is a fault tree.
11 anomaly receiving means
12 matching means
13 extraction means
14 matching condition storage means
15 risk storage means
16 extraction condition storage means
17 display means
20 plant
21 water storage tank
22 water level sensor
23 supply line
24 drain line
25 pump
26 valve
30 PLC
31 terminal device
32 network switch
33 engineering workstation
40 monitoring device
50 anomaly
51 event matched with the anomaly based on a matching condition
52 event extracted based on an extraction condition
53 explanatory label
110 computer
111 CPU
112 main memory
113 storage device
114 input interface
115 display controller
116 data reader/writer
117 communication interface
118 input device
119 display device
120 recording medium
121 bus
Claims (18)
- An information processing device comprising:
anomaly receiving means for receiving an anomaly detected by a monitoring device installed in a control system;
matching means that receives the anomaly from the anomaly receiving means, performs a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performs, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifies, when the second determination finds a match, the attack procedure including that event; and
extraction means for extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
- The information processing device according to claim 1, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the anomaly in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the anomaly in the attack procedure.
- The information processing device according to claim 1 or 2, further comprising display means for presenting the extracted event to a user.
- The information processing device according to claim 3, wherein the display means displays a configuration diagram showing the devices and networks in the control system, and further draws, overlaid on the configuration diagram, a symbol representing the order from the device at which the extracted n-th event occurs to the device at which the extracted (n+1)-th event occurs.
- The information processing device according to any one of claims 1 to 4, wherein the attack procedure is an attack path.
- The information processing device according to any one of claims 1 to 4, wherein the attack procedure is a fault tree.
- A display method comprising:
(a) receiving an anomaly detected by a monitoring device installed in a control system;
(b) receiving the received anomaly, performing a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performing, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifying, when the second determination finds a match, the attack procedure including that event; and
(c) extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
- The display method according to claim 7, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the anomaly in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the anomaly in the attack procedure.
- The display method according to claim 7 or 8, further comprising (d) presenting the extracted event to a user.
- The display method according to claim 9, wherein in step (d), a configuration diagram showing the devices and networks in the control system is displayed, and a symbol representing the order is further drawn, overlaid on the configuration diagram, from the device at which the extracted n-th event occurs to the device at which the extracted (n+1)-th event occurs.
- The display method according to any one of claims 7 to 10, wherein the attack procedure is an attack path.
- The display method according to any one of claims 7 to 10, wherein the attack procedure is a fault tree.
- A non-transitory computer-readable medium storing a program that includes instructions causing a computer to execute:
(a) a step of receiving an anomaly detected by a monitoring device installed in a control system;
(b) a step of receiving the received anomaly, performing a first determination of whether each predetermined matching condition, for matching an event included in an attack procedure against the anomaly, matches the anomaly, further performing, when the first determination finds a match, a second determination of whether an event included in each predefined attack procedure matches the matching condition determined to match, and identifying, when the second determination finds a match, the attack procedure including that event; and
(c) a step of extracting, from the identified attack procedure, an event that matches a predetermined extraction condition.
- The non-transitory computer-readable medium according to claim 13, wherein the extraction condition includes a condition for extracting an event that occurs before the event corresponding to the anomaly in the attack procedure, or a condition for extracting an event that occurs after the event corresponding to the anomaly in the attack procedure.
- The non-transitory computer-readable medium according to claim 13 or 14, wherein the stored program further includes an instruction to execute (d) a step of presenting the extracted event to a user.
- The non-transitory computer-readable medium according to claim 15, wherein in step (d), a configuration diagram showing the devices and networks in the control system is displayed, and a symbol representing the order is further drawn, overlaid on the configuration diagram, from the device at which the extracted n-th event occurs to the device at which the extracted (n+1)-th event occurs.
- The non-transitory computer-readable medium according to any one of claims 13 to 16, wherein the attack procedure is an attack path.
- The non-transitory computer-readable medium according to any one of claims 13 to 16, wherein the attack procedure is a fault tree.
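The two-stage matching of claim 1 (first determination against matching conditions, second determination against the events of each predefined attack path), the before/after extraction condition of claim 2 and the order symbols of claim 4, as an added Python example; this is not code from the patent or its applicant. The attack paths, matching-condition predicates, device names and the anomaly record are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    name: str    # event as it appears in the attack procedure
    device: str  # device on the configuration diagram where it occurs

# Predefined attack procedures of the "attack path" kind: ordered events (constructed).
ATTACK_PATHS = {
    "path-1": [Event("malware on engineering workstation", "EWS"),
               Event("unauthorized PLC program write", "PLC"),
               Event("falsified water level reading", "water level sensor"),
               Event("tank overflow", "storage tank")],
    "path-2": [Event("port scan from terminal", "terminal"),
               Event("unauthorized PLC program write", "PLC"),
               Event("pump stopped", "pump")],
}

# Matching conditions (constructed): a predicate on the reported anomaly plus
# the attack-procedure event that the condition corresponds to.
MATCHING_CONDITIONS = {
    "plc-write": (lambda a: a["type"] == "write" and a["target"] == "PLC",
                  "unauthorized PLC program write"),
    "scan": (lambda a: a["type"] == "scan", "port scan from terminal"),
}

def first_determination(anomaly):
    """First determination: which matching conditions does the anomaly satisfy?"""
    return [c for c, (pred, _) in MATCHING_CONDITIONS.items() if pred(anomaly)]

def second_determination(matched):
    """Second determination: {path_id: index} of every attack path holding a matched event."""
    wanted = {MATCHING_CONDITIONS[c][1] for c in matched}
    return {pid: i for pid, evs in ATTACK_PATHS.items()
            for i, ev in enumerate(evs) if ev.name in wanted}

def extract(anomaly, condition="before"):
    """Extraction: events before ("before") or after ("after") the matched event, per path."""
    hits = second_determination(first_determination(anomaly))
    return {pid: ATTACK_PATHS[pid][:i] if condition == "before" else ATTACK_PATHS[pid][i + 1:]
            for pid, i in hits.items()}

def overlay_symbols(events):
    """Order symbols for the diagram: (n, device of event n, device of event n+1)."""
    return [(n, events[n].device, events[n + 1].device) for n in range(len(events) - 1)]

if __name__ == "__main__":
    anomaly = {"type": "write", "target": "PLC"}  # constructed monitoring-device report
    for pid, evs in extract(anomaly, "after").items():
        print(pid, [e.name for e in evs], overlay_symbols(evs))
```

Extracting with "after" shows the operator what the matched path predicts next, while "before" shows which earlier steps should already have left traces to verify.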
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2019/042097 WO2021084567A1 (ja) | 2019-10-28 | 2019-10-28 | Information processing device, display method, and non-transitory computer-readable medium |
US17/767,558 US20240086523A1 (en) | 2019-10-28 | 2019-10-28 | Information processing device, display method, and non-transitory computer readable medium |
JP2021553892A JP7287484B2 (ja) | 2019-10-28 | 2019-10-28 | Information processing device, display method, and program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2019/042097 WO2021084567A1 (ja) | 2019-10-28 | 2019-10-28 | Information processing device, display method, and non-transitory computer-readable medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021084567A1 true WO2021084567A1 (ja) | 2021-05-06 |
Family
ID=75715867
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2019/042097 WO2021084567A1 (ja) | 2019-10-28 | 2019-10-28 | Information processing device, display method, and non-transitory computer-readable medium |
Country Status (3)
Country | Link |
---|---|
US (1) | US20240086523A1 (ja) |
JP (1) | JP7287484B2 (ja) |
WO (1) | WO2021084567A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220221850A1 (en) * | 2020-08-05 | 2022-07-14 | Chiyoda Corporation | Method for managing plant, plant design device, and plant management device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014045827A1 (ja) * | 2012-09-19 | 2014-03-27 | Mitsubishi Electric Corporation | Information processing device, information processing method, and program |
JP2015121968A (ja) * | 2013-12-24 | 2015-07-02 | Mitsubishi Electric Corporation | Log analysis device, log analysis method, and log analysis program |
US20180330083A1 (en) * | 2017-05-15 | 2018-11-15 | General Electric Company | Anomaly forecasting and early warning generation |
JP2019046207A (ja) * | 2017-09-04 | 2019-03-22 | Mitsubishi Electric Corporation | Plant security countermeasure support system |
JP2019125344A (ja) * | 2018-01-12 | 2019-07-25 | Panasonic IP Management Co., Ltd. | Vehicle system and control method |
2019
- 2019-10-28 JP JP2021553892A patent/JP7287484B2/ja active Active
- 2019-10-28 US US17/767,558 patent/US20240086523A1/en active Pending
- 2019-10-28 WO PCT/JP2019/042097 patent/WO2021084567A1/ja active Application Filing
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220221850A1 (en) * | 2020-08-05 | 2022-07-14 | Chiyoda Corporation | Method for managing plant, plant design device, and plant management device |
US11665193B2 (en) * | 2020-08-05 | 2023-05-30 | Chiyoda Corporation | Method for managing plant, plant design device, and plant management device |
Also Published As
Publication number | Publication date |
---|---|
JP7287484B2 (ja) | 2023-06-06 |
JPWO2021084567A1 (ja) | 2021-05-06 |
US20240086523A1 (en) | 2024-03-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9197652B2 (en) | Method for detecting anomalies in a control network | |
EP3101581B1 (en) | Security system for industrial control infrastructure using dynamic signatures | |
JP6438011B2 (ja) | Fraud detection network system and fraud detection method | |
Green et al. | On the significance of process comprehension for conducting targeted ICS attacks | |
US8869133B2 (en) | Method and system for use in facilitating patch change management of industrial control systems | |
US8812466B2 (en) | Detecting and combating attack in protection system of an industrial control system | |
JP2019527877A (ja) | Virtual patching of PLCs and automatic distribution of security context | |
EP4022405B1 (en) | Systems and methods for enhancing data provenance by logging kernel-level events | |
JP6858676B2 (ja) | Plant security countermeasure support system | |
WO2020205974A1 (en) | User behavorial analytics for security anomaly detection in industrial control systems | |
Serhane et al. | Programmable logic controllers based systems (PLC-BS): Vulnerabilities and threats | |
WO2021084567A1 (ja) | Information processing device, display method, and non-transitory computer-readable medium | |
CN114928462A (zh) | Web security protection method based on user behaviour recognition | |
CN114266081A (zh) | Operation and maintenance computer security protection system and method for a power monitoring system | |
WO2022115419A1 (en) | Method of detecting an anomaly in a system | |
US20190197452A1 (en) | Incident response assisting device | |
JP6437457B2 (ja) | Device for identifying manipulation of the system state of a control and regulation unit, and nuclear facility including the device | |
EP3879368A1 (en) | Data exchange tool | |
WO2018026303A1 (ru) | Method and system for detecting a remote connection when working on pages of a web resource | |
JP6972429B1 (ja) | Plant management method and plant design device | |
EP3913486A1 (en) | Closed loop monitoring based privileged access control | |
US11368377B2 (en) | Closed loop monitoring based privileged access control | |
JP7031744B2 (ja) | Plant monitoring device, plant monitoring method, and program | |
JP6958925B2 (ja) | Failure notification device, system, method, and program | |
EP4099656A1 (en) | Computer-implemented method and surveillance arrangement for identifying manipulations of cyber-physical-systems as well as computer-implemented-tool and cyber-physical-system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19951132; Country of ref document: EP; Kind code of ref document: A1 |
 | ENP | Entry into the national phase | Ref document number: 2021553892; Country of ref document: JP; Kind code of ref document: A |
 | WWE | Wipo information: entry into national phase | Ref document number: 17767558; Country of ref document: US |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 19951132; Country of ref document: EP; Kind code of ref document: A1 |