CN105847251B - Industrial control system security protection method and system using the S7 protocol - Google Patents
Industrial control system security protection method and system using the S7 protocol
- Publication number
- CN105847251B (application number CN201610165078.8A)
- Authority
- CN
- China
- Prior art keywords
- access request
- frame
- frame-complete (external access request)
- white list
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides an industrial control system security protection method using the S7 protocol, comprising: performing TCP/IP-layer protocol analysis on an external access request from a client, determining the client IP address and port number, and determining the legitimacy of the external access request according to a client address white list; assembling the external access request into frames and detecting the integrity of the frames so formed; determining the legitimacy of the external access request according to an application function white list, and determining whether the application function of the external access request is a read/write function; and, when the application function of the external access request is a read/write function, determining the legitimacy of the external access request according to a second preset white list. The present invention also provides a corresponding security protection system. By applying multi-level security protection at both the TCP/IP layer and the application layer, the present invention can effectively resist the various attacks directed at industrial control equipment or systems that use the S7 protocol, and avoids the security risks that arise in the prior art from the absence of any security precaution mechanism.
Description
Technical field
The present invention relates to the field of industrial information technology, and in particular to an industrial control system security protection method and system using the S7 protocol.
Background technology
An industrial control communication protocol is the language through which industrial control equipment communicates with applications and with other equipment; remote data monitoring in an industrial control system cannot be realised without one. As factory-level monitoring has demanded ever higher real-time performance and reliability, the communication rate of industrial buses has risen continuously, from RS232/485 to industrial Ethernet and then to industrial real-time Ethernet, and Ethernet has been introduced into industrial control networks on a large scale, with data transmitted after TCP/IP or ISO-standard encapsulation. Because the common industrial control protocols went through a long period of development and accumulation, and because encryption, authentication and the other conditions now regarded as necessary for guaranteeing user security were not considered at all when they were designed, the security of the common industrial control network protocols has always been low. In addition, industrial control protocols are command-oriented, function-oriented and of the poll/response type: an attacker who has merely grasped the protocol format and gained a foothold in the industrial control network can tamper with arbitrary data on a target device through the protocol.
Table 1: Common threats to the Siemens S7 protocol
When Siemens S7-series PLCs or CP modules communicate over Ethernet, they rely primarily on ISO-on-TCP (RFC1006) together with Siemens' own S7 protocol. Although the Siemens S7 protocol is undisclosed, Siemens PLCs are widely used in every field of industrial control and were also the indirect target of the well-known "Stuxnet" worm; security protection of the S7-series PLCs at the protocol level, and in particular of the S7 protocol in an Ethernet environment, has therefore become a necessity.
Invention content
Embodiments of the present invention provide a security protection method and system for the S7 protocol carried over RFC1006, in order to solve the problem of low reliability when an industrial control system based on the S7 protocol communicates in the prior art.
According to one aspect of the present invention, a security protection method is provided, the method comprising:
performing TCP/IP-layer protocol analysis on external access requests, and determining the legitimate external access requests among them according to a first preset white list;
assembling the legitimate external access requests into frames and performing frame integrity detection, so as to determine the frame-complete external access requests, i.e. those legitimate external access requests that pass frame integrity detection;
determining the legitimacy of the application function of a frame-complete external access request according to an application function white list, and determining whether the application function of the frame-complete external access request is a read/write function;
when the application function of the frame-complete external access request is not a read/write function, allowing the frame-complete external access request to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
determining the read/write legitimacy of the frame-complete external access request according to a second preset white list.
According to another aspect of the present invention, a security protection system is also provided, comprising:
an access request receiving port, configured to receive an external access request from a client;
a parsing module, configured to perform TCP/IP-layer protocol analysis on the external access request, determine the IP address and access port number of the client, and determine the legitimacy of the external access request according to a first preset white list;
a packet assembly module, configured to assemble the external access request into frames;
a detection module, configured to detect the integrity of the frames formed from the external access request;
an application function determining module, configured to determine the legitimacy of the external access request according to an application function white list, and to determine whether the application function of the external access request is a read/write function;
a read/write legitimacy determining module, configured to determine, when the application function of the external access request is a read/write function, the read/write legitimacy of the external access request according to a second preset white list.
The industrial control system security protection method and system using the S7 protocol of embodiments of the present invention apply multi-level security protection at both the TCP/IP layer and the application layer. They can effectively resist the various attacks directed at industrial control equipment or systems using the S7 protocol, ensure the confidentiality, integrity and availability of the various industrial control equipment and systems using the S7 protocol, and avoid the security risks that arise in conventional industrial control equipment or systems using the S7 protocol from the absence of any security precaution mechanism.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. It should be understood that the content described with reference to the drawings covers only some embodiments of the present invention; those of ordinary skill in the art can obtain other embodiments from these drawings and their explanation.
Fig. 1 is a flow chart of the security protection method of an embodiment of the present invention;
Fig. 2 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 3 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 4 is a flow chart of the security protection method of another embodiment of the present invention;
Fig. 5 is a flow chart of the security protection method of a further embodiment of the present invention;
Fig. 6 is a structural schematic diagram of the security protection system of an embodiment of the present invention.
Specific implementation mode
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the drawings. Obviously, the embodiments described are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be noted that, provided they do not conflict, the embodiments of the present application and the features in the embodiments may be combined with each other.
It should also be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include" and "comprise" cover not only the listed elements but also other elements not explicitly listed, or elements intrinsic to the process, method, article or equipment concerned. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or equipment that includes it.
Fig. 1 is a flow chart of the security protection method of an embodiment of the present invention. As shown in Fig. 1, the security protection method of this embodiment comprises:
S11: performing TCP/IP-layer protocol analysis on external access requests, and determining the legitimate external access requests among them according to a first preset white list;
S12: assembling the legitimate external access requests into frames and performing frame integrity detection, so as to determine the frame-complete external access requests, i.e. those legitimate external access requests that pass frame integrity detection;
S13: determining the legitimacy of the application function of a frame-complete external access request according to an application function white list, and determining whether the application function of the frame-complete external access request is a read/write function;
S14: when the application function of the frame-complete external access request is not a read/write function, allowing the frame-complete external access request to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port;
S15: when the application function of the frame-complete external access request is a read/write function, determining the read/write legitimacy of the frame-complete external access request according to a second preset white list.
In this embodiment the first preset white list is a client address white list. Step S11, performing TCP/IP-layer protocol analysis on external access requests and determining the legitimate external access requests among them according to the first preset white list, comprises:
performing TCP/IP-layer protocol analysis on the external access request from a client, and determining the IP address and access port number of the client.
In an embodiment of the present invention, TCP/IP-layer protocol analysis is performed on each received external access request, for example a message arriving at the network interface. If the request is not a TCP protocol message, or if its client IP address and port number are not in the client address white list, an alarm and a log record are generated and the packet is discarded; if a TCP connection has already been established, the connection is blocked.
The security protection method of this embodiment applies multi-level security protection at both the TCP/IP layer and the application layer. It can effectively resist the various attacks directed at industrial control equipment or systems using the S7 protocol, ensure the confidentiality, integrity and availability of the various industrial control equipment and systems using the S7 protocol, and avoid the security risks that arise in conventional industrial control equipment or systems using the S7 protocol from the absence of any security precaution mechanism.
Fig. 2 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 2, in some embodiments, assembling the external access request into frames and detecting the integrity of the frames formed from it comprises:
S21: assembling the legitimate external access request into frames according to the frame structure defined by the RFC1006 protocol;
S22: detecting the integrity of the RFC1006 frame formed from the legitimate external access request;
S23: when the RFC1006 frame formed from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request;
S24: otherwise, reading the cached data to form the upper-layer S7 data, and detecting the integrity of the S7 frame formed from the legitimate external access request;
S25: when the S7 frame formed from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request.
The packet assembly/detection process of this embodiment may proceed as follows:
Step 1: check the PDU type field. If the PDU is not of the DT or ED type, check the frame according to the format of that PDU type; otherwise go to step 2.
Step 2: check the fragment flag bit in the frame. If it is 0, cache the upper-layer data and wait for the next packet, until a packet whose fragment flag is 1 arrives; then assemble the cached upper-layer data into the complete carried data and go to step 3. Otherwise, judge whether the cached data length exceeds its limit or the number of cached packets exceeds its limit; if so, generate an alarm and a log record, discard the packet and block the TCP/IP connection; otherwise wait for the next packet.
Step 3: for a packet that has passed the RFC1006 frame check, check whether the first byte (the protocol identifier) of the S7 protocol frame is correct, whether the frame type is valid, and whether the parameter length and data length fields agree with the data. If all of the above are correct, the frame is a legitimate complete frame and proceeds to the next legitimacy judgement step; otherwise it is an erroneous frame, which is discarded and logged.
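The assembly/detection process of steps 1 to 3 (and S21-S25 of Fig. 2), as an added example that is not part of the patent's own embodiment. The TPKT (RFC1006), COTP and S7 header layouts used here are the public ones; the cache limits, the per-connection `ConnState` class and the sample frames are assumptions made for the example.

```python
# Added example (not the patent's code): RFC1006/COTP fragment reassembly and S7 header
# integrity check following steps 1-3. TPKT, COTP and S7 header layouts are the public ones;
# the cache limits, the ConnState class and the sample frames are assumptions.
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

TPKT_VERSION = 3
COTP_DT, COTP_ED = 0xF0, 0x10                     # data / expedited data TPDUs
COTP_CONN_TYPES = {0xE0: "CR", 0xD0: "CC", 0x80: "DR", 0xC0: "DC"}
S7_PROTOCOL_ID = 0x32                             # first byte of every S7 frame
S7_ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack-Data", 0x07: "Userdata"}
MAX_CACHE_BYTES = 4096                            # assumed cache length limit (step 2)
MAX_CACHE_PACKETS = 16                            # assumed cached packet count limit (step 2)


@dataclass
class ConnState:
    """Per-TCP-connection fragment cache used by step 2."""
    cache: bytearray = field(default_factory=bytearray)
    packets: int = 0
    blocked: bool = False


def parse_tpkt_cotp(packet: bytes) -> Tuple[int, bool, bytes]:
    """Step 1 / S105: validate the TPKT and COTP headers. Returns (pdu_type, last_fragment, payload)."""
    if len(packet) < 7:
        raise ValueError("TPKT/COTP header truncated")
    version, reserved, length = struct.unpack(">BBH", packet[:4])
    if version != TPKT_VERSION or reserved != 0 or length != len(packet):
        raise ValueError("TPKT header inconsistent with packet length")
    li, pdu_type = packet[4], packet[5]           # COTP length indicator and PDU type
    if 5 + li > len(packet):
        raise ValueError("COTP length indicator exceeds packet")
    if pdu_type in (COTP_DT, COTP_ED):
        return pdu_type, bool(packet[6] & 0x80), bytes(packet[5 + li:])  # EOT bit = fragment flag
    if pdu_type in COTP_CONN_TYPES:
        return pdu_type, True, b""                # CR/CC/DR/DC carry no S7 data
    raise ValueError("unknown COTP PDU type 0x%02x" % pdu_type)


def check_s7_frame(s7: bytes) -> Optional[str]:
    """Step 3 / S110: protocol id, frame type and length-field consistency. Returns an error or None."""
    if len(s7) < 10:
        return "S7 header truncated"
    proto, rosctr, _redundancy, _pdu_ref, param_len, data_len = struct.unpack(">BBHHHH", s7[:10])
    if proto != S7_PROTOCOL_ID:
        return "bad S7 protocol identifier 0x%02x" % proto
    if rosctr not in S7_ROSCTR:
        return "invalid S7 frame type 0x%02x" % rosctr
    header_len = 12 if rosctr in (0x02, 0x03) else 10   # Ack/Ack-Data add error class and code
    if header_len + param_len + data_len != len(s7):
        return "S7 parameter/data length fields disagree with frame"
    return None


def process_packet(state: ConnState, packet: bytes) -> Tuple[str, object]:
    """Feed one TPKT packet of a connection through steps 1-3.
    Returns ("PASS"|"WAIT"|"FRAME"|"BLOCK", detail): the S7 frame for FRAME, a reason for BLOCK."""
    if state.blocked:
        return "BLOCK", "connection already blocked"
    try:
        pdu_type, last, payload = parse_tpkt_cotp(packet)
    except ValueError as exc:
        state.blocked = True
        return "BLOCK", str(exc)
    if pdu_type not in (COTP_DT, COTP_ED):
        return "PASS", None                       # connection-management TPDU, checked by its own format
    state.cache += payload                        # step 2: cache and count fragments
    state.packets += 1
    if len(state.cache) > MAX_CACHE_BYTES or state.packets > MAX_CACHE_PACKETS:
        state.cache.clear()
        state.packets = 0
        state.blocked = True
        return "BLOCK", "fragment cache limit exceeded"
    if not last:
        return "WAIT", None
    s7 = bytes(state.cache)
    state.cache.clear()
    state.packets = 0
    err = check_s7_frame(s7)                      # step 3
    if err:
        state.blocked = True
        return "BLOCK", err
    return "FRAME", s7


def build_tpkt_dt(payload: bytes, last: bool) -> bytes:
    """Wrap payload in a COTP DT TPDU and TPKT header (used only to construct sample traffic)."""
    body = bytes([2, COTP_DT, 0x80 if last else 0x00]) + payload
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(body)) + body


def build_s7_job(param: bytes, data: bytes = b"") -> bytes:
    """Build an S7 Job PDU (10-byte header) around the given parameter and data blocks."""
    return struct.pack(">BBHHHH", S7_PROTOCOL_ID, 0x01, 0, 1, len(param), len(data)) + param + data
```

`process_packet` is called once per TPKT packet received on a TCP connection; a `"FRAME"` result carries the reassembled S7 frame that the application-layer white list checks of the later steps operate on, while `"BLOCK"` corresponds to the alarm, log record and connection blocking of the text. Note that the cache is cleared whenever a complete frame is emitted or the connection is blocked, so a slow stream of fragments cannot hold memory indefinitely.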
This embodiment can assemble the external access request into frames according to the frame structures of the RFC1006 protocol and the S7 protocol, and block and filter messages that fail the frame check or whose frame structure is incomplete. White list technology can resist malware and targeted attacks because, by default, no unauthorised software, tool or process is permitted to run on the endpoint: if malware attempts to install itself on an endpoint on which white listing is enabled, the white list technology determines that it is not a trusted process and denies it permission to run.
Through the integrity check of S7 protocol frames, this embodiment can effectively prevent the situation in which communication requests using non-S7 protocol messages are continually initiated towards industrial control equipment or systems, causing their performance to degrade.
Further, with a preset white list for the application layer, the filtering of external requests can also be realised at the application layer.
Fig. 3 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 3, the method comprises:
S31: when the S7 frame formed from the legitimate external access request is a complete frame, extracting the frame type and function indicator contained in the frame-complete external access request, and determining according to the application function white list whether the application function of the frame-complete external access request is a permitted application function;
S32: if the application function of the frame-complete external access request is a permitted application function, determining whether the application function of the frame-complete external access request is a read/write function;
S33: otherwise, blocking the TCP/IP connection of the frame-complete external access request.
By performing white list filtering of access requests at the application layer, this embodiment further ensures the security and reliability of the whole industrial control network. Filtering by application function white list can effectively prevent the availability of industrial control equipment or systems from being damaged, for example by illegal modification of the unit address, illegal uploading of BLOCK files or illegal issuing of control operation commands, thereby ensuring the security of communication between industrial control systems.
Fig. 4 is a flow chart of the security protection method of another embodiment of the present invention. As shown in Fig. 4, the second preset white list comprises at least an access information object white list and a control object white list, and the method comprises:
S411: determining whether the application function to which the frame-complete external access request belongs is a read function or a write function;
S421: when the application function to which the frame-complete external access request belongs is a read function, extracting the information object address corresponding to the read function of the frame-complete external access request and, together with the client IP address, determining according to the access information object white list whether the information object address of the frame-complete external access request lies within the range permitted for access;
S422: if the information object address of the frame-complete external access request lies within the range permitted for access, assembling the frame-complete external access request into packets according to the TCP/IP protocol and forwarding it to the internal communication port;
S423: otherwise, blocking the TCP/IP connection of the frame-complete external access request;
S431: when the application function to which the frame-complete external access request belongs is a write function, extracting the control object information object address corresponding to the write function of the frame-complete external access request and, together with the client IP address, determining according to the control object white list whether the control object and control value of the frame-complete external access request lie within the defined range;
S432: if the control object and control value lie within the defined range, allowing the frame-complete external access request to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port;
S433: otherwise, blocking the TCP/IP connection of the frame-complete external access request.
In the above embodiment, the information object address comprises at least a register type and an offset address, and determining according to the access information object white list whether the information object address of the external access request lies within the range permitted for access comprises: determining according to the access information object white list whether the register lies within the range permitted for reading.
In the above embodiment, the control object information object address comprises at least a register type and an offset address, and the control object white list comprises the predefined permitted control value ranges of the process parameters. If the control object and control value lie within the defined range, assembling the external access request into packets according to the TCP/IP protocol and forwarding it to the internal communication port comprises:
S4321: according to the predefined correspondence between process parameters and registers and the predefined coding method, parsing the S7 frame formed from the frame-complete external access request to obtain the corresponding process parameter control value, and filtering the S7 frame according to the control object white list to determine whether the control value lies within the permitted range;
S4322: if the control value lies within the permitted range, allowing the frame-complete external access request to be assembled into packets according to the TCP/IP protocol and forwarded to the internal communication port;
S4323: otherwise, blocking the TCP/IP connection of the frame-complete external access request.
The correspondence between process parameters and registers may be that one process parameter corresponds to one or more registers, that one process parameter corresponds to one or several bits of a register, or that several process parameters share one register. The raw coding of a process parameter may be Boolean, signed integer, unsigned integer, floating point or BCD. The length of a process parameter may be one or more bytes; for signed integer, unsigned integer, floating point or BCD parameters the length may be at most 8 bytes, and for floating point parameters it may be 4 bytes or 8 bytes. A conversion relationship may be defined between the raw value and the engineering value of a process parameter; the conversion relationship may be a proportional relationship or a technical coefficient relationship.
Regarding the correspondence between process parameters and registers and the coding method: 1) a user-defined (configuration) method may be used, allowing the user to define in the configuration tool the mapping between process control parameters and the Modbus register model:
For analogue process control parameters, the mapping comprises the starting register address corresponding to the process control parameter, the start byte, the byte length of the data in the register and the coding method, as shown in the table below:
Table 2: Mapping between analogue process control parameters and registers
For Boolean process control parameters, the mapping comprises the register address corresponding to the process control parameter, the bit offset within the register and the number of bits, as shown in the table below:

| Title | Function code | Address | Offset | Bits |
|---|---|---|---|---|
| Process control parameter 3 | Coil output | 1 | 0 | 1 |
| Process control parameter 4 | Single register output | 100 | 6 | 1 |
| Process control parameter 5 | Multiple register output | 200 | 3 | 2 |

Table 3: Mapping between Boolean process control parameters and registers
2) the mapping configuration information of the relevant process parameters is stored in a configuration file, and these configuration files are read into memory at start-up;
3) for a write command, according to the start address and byte length of the process parameter, check whether the data block contained in the command frame matches it; if so, the data block contained in the command frame is converted, according to the coding method, into the engineering value of the process parameter.
By filtering according to the access information object white list, this embodiment can effectively protect the confidentiality of the control system's important data and prevent system data from being accessed illegally. By extracting the control object address and control value contained in a control operation and comparing the control value with the corresponding range of permitted control values, the legitimacy and correctness of control operations can be effectively protected.
In some embodiments, after the TCP/IP connection of the external access request is blocked, a system log record and an alarm output signal are generated.
Fig. 5 is a flow chart of the security protection method of a further embodiment of the present invention. As shown in Fig. 5, the method comprises the following steps:
S101: obtaining a data request packet from the external network interface;
S102: performing TCP/IP protocol filtering on the data request packet;
S103: determining whether the client IP address and port number are permitted to access; if so, executing step S104, otherwise executing step S122;
S104: assembling the data request packet that has passed TCP/IP protocol filtering into frames according to the frame structure defined by the RFC1006 protocol;
S105: detecting whether the data request packet forms a complete RFC1006 frame; if so, executing step S106, otherwise executing step S122;
S106: checking the fragment flag bit in the RFC1006 frame to determine whether the frame is the last fragment; if not, executing step S107, otherwise executing step S109;
S107: caching the fragment packet;
S108: judging whether the cached fragment length exceeds its limit or the number of cached packets exceeds its limit; if so, executing step S122, otherwise waiting for the next data request packet;
S109: reading the cached data and assembling it with the cached upper-layer data into the complete carried upper-layer S7 data;
S110: detecting whether the upper-layer S7 data is a complete S7 frame; if so, executing step S111, otherwise executing step S122;
S111: extracting the frame type and function indicator contained in the S7 frame formed from the data request packet, and obtaining the application function to which the S7 frame belongs;
S112: determining according to the application function white list whether the application function to which the S7 frame formed from the data request packet belongs is a permitted application function; if so, executing step S113, otherwise executing step S122;
S113: determining whether the application function to which the S7 frame formed from the data request packet belongs is a read/write function; if so, executing step S114, otherwise executing step S121;
S114: determining whether the application function to which the S7 frame formed from the data request packet belongs is a write function; if not, executing step S115, otherwise executing step S117;
S115: extracting the register range corresponding to the read command of the S7 frame formed from the data request packet;
S116: determining according to the access information object white list whether the register of step S115 lies within the range permitted for reading; if so, executing step S121, otherwise executing step S122;
S117: extracting the register range and data corresponding to the write command of the S7 frame formed from the data request packet;
S118: determining according to the control object white list whether the register of step S117 lies within the range permitted for writing; if it lies within the permitted range, executing step S119, otherwise executing step S122;
S119: obtaining the control value of the process parameter according to the predefined correspondence and coding between registers and process parameters;
S120: determining according to the control object white list whether the control value of step S119 lies within the permitted operating range; if it lies within the permitted range, executing step S121, otherwise executing step S122;
S121: assembling the data request packet according to the TCP/IP protocol and forwarding it to the internal communication port;
S122: blocking the TCP connection of the data request packet;
S123: generating a system log record and an alarm output signal.
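The application-layer decision chain of Figs. 3 and 4 and of steps S111 to S122 of Fig. 5, applied to one frame-complete S7 Job PDU, as an added example that is not part of the patent's own embodiment. The S7 function codes, the "Any" item addressing and the Write Var data item layout are the public S7 protocol formats; the client addresses, the three white lists and the process parameter mapping (expressed here on S7 memory areas and data blocks rather than the Modbus register model of Tables 2 and 3) are constructed for the example.

```python
# Added example (not the patent's code): S7 application-layer white list decision chain of
# Figs. 3-5 (S111-S122). Clients, white lists and the parameter mapping are constructed.
import struct
from typing import List, Optional, Tuple

S7_FUNCTIONS = {0x00: "cpu_services", 0x04: "read_var", 0x05: "write_var", 0x1A: "request_download",
                0x1B: "download_block", 0x1C: "download_ended", 0x1D: "start_upload", 0x1E: "upload",
                0x1F: "end_upload", 0x28: "plc_control", 0x29: "plc_stop", 0xF0: "setup_communication"}
READ_WRITE = {"read_var", "write_var"}
AREA_NAMES = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB"}
ELEM_BYTES = {0x01: 1, 0x02: 1, 0x03: 1, 0x04: 2, 0x05: 2, 0x06: 4, 0x07: 4, 0x08: 4}  # "Any" item transport sizes

# Application function white list (S112): client IP -> permitted function names (constructed)
FUNCTION_WHITELIST = {"10.0.0.5": {"setup_communication", "read_var", "write_var"},
                      "10.0.0.6": {"setup_communication", "read_var"}}
# Access information object white list (S116): client IP -> (area, DB number, first byte, last byte)
READ_WHITELIST = {"10.0.0.5": [("DB", 1, 0, 63)], "10.0.0.6": [("DB", 1, 0, 15), ("M", 0, 0, 7)]}
# Process parameter mapping (register, length, coding, scale, permitted range) and control object white list
PROCESS_PARAMS = {
    "setpoint_temp": dict(area="DB", db=1, offset=0, nbytes=2, encoding="int16", scale=0.1, limits=(0.0, 120.0)),
    "valve_pos": dict(area="DB", db=1, offset=2, nbytes=4, encoding="float32", scale=1.0, limits=(0.0, 100.0))}
CONTROL_WHITELIST = {"10.0.0.5": ["setpoint_temp", "valve_pos"]}

def parse_s7_job(s7: bytes) -> Tuple[str, List[dict], bytes]:
    """S111: function name, addressed items and data block of a frame-complete S7 Job PDU."""
    proto, rosctr, _red, _ref, param_len, data_len = struct.unpack(">BBHHHH", s7[:10])
    if proto != 0x32 or rosctr != 0x01:
        raise ValueError("not an S7 Job PDU")
    param = s7[10:10 + param_len]
    data = s7[10 + param_len:10 + param_len + data_len]
    func = S7_FUNCTIONS.get(param[0], "unknown_0x%02x" % param[0])
    items, pos = [], 2
    for _ in range(param[1] if func in READ_WRITE else 0):   # item count follows the function code
        spec, ilen, syntax, tsize, count, db, area = struct.unpack(">BBBBHHB", param[pos:pos + 9])
        if (spec, ilen, syntax) != (0x12, 0x0A, 0x10) or tsize not in ELEM_BYTES:
            raise ValueError("unsupported item addressing")
        bit_addr = int.from_bytes(param[pos + 9:pos + 12], "big")  # 3-byte bit address; byte = addr >> 3
        items.append({"area": AREA_NAMES.get(area, "?"), "db": db, "first": bit_addr >> 3,
                      "nbytes": count * ELEM_BYTES[tsize]})
        pos += 12
    return func, items, data

def _read_allowed(client: str, it: dict) -> bool:
    """S116: the whole requested byte range must lie inside one white list entry."""
    last = it["first"] + it["nbytes"] - 1
    return any(a == it["area"] and d == it["db"] and lo <= it["first"] and last <= hi
               for a, d, lo, hi in READ_WHITELIST.get(client, []))

def _control_object(client: str, it: dict) -> Optional[str]:
    """S118: the write must cover exactly one control object the client is permitted to operate."""
    for name in CONTROL_WHITELIST.get(client, []):
        p = PROCESS_PARAMS[name]
        if (p["area"], p["db"], p["offset"], p["nbytes"]) == (it["area"], it["db"], it["first"], it["nbytes"]):
            return name
    return None

def decode_engineering_value(raw: bytes, encoding: str, scale: float) -> float:
    """S119 / S4321: raw register bytes -> engineering value through the coding method and scale."""
    if encoding == "bcd":
        return int(raw.hex()) * scale
    fmt = {"bool": ">?", "int16": ">h", "uint16": ">H", "int32": ">i", "float32": ">f", "float64": ">d"}[encoding]
    return struct.unpack(fmt, raw)[0] * scale

def decide(client: str, s7: bytes) -> Tuple[str, str]:
    """Steps S111-S122 for one Job PDU from `client`: ("FORWARD"|"BLOCK", reason)."""
    try:
        func, items, data = parse_s7_job(s7)
    except (ValueError, struct.error, IndexError) as exc:
        return "BLOCK", "malformed job: %s" % exc
    if func not in FUNCTION_WHITELIST.get(client, set()):                     # S112 -> S122
        return "BLOCK", "function %s not permitted for %s" % (func, client)
    if func not in READ_WRITE:                                                # S113 -> S121
        return "FORWARD", "function %s permitted" % func
    if func == "read_var":                                                    # S115-S116
        for it in items:
            if not _read_allowed(client, it):
                return "BLOCK", "read of %s%d byte %d outside white list" % (it["area"], it["db"], it["first"])
        return "FORWARD", "read within white list"
    pos = 0                                                                   # S117-S120
    for it in items:
        if len(data) < pos + 4:
            return "BLOCK", "write data truncated"
        _rc, tsize, length = struct.unpack(">BBH", data[pos:pos + 4])        # Write Var data item header
        nbytes = length if tsize == 0x09 else (length + 7) // 8               # 0x09 counts bytes, others bits
        raw, pos = data[pos + 4:pos + 4 + nbytes], pos + 4 + nbytes + (nbytes & 1)  # items padded to even
        name = _control_object(client, it)
        if name is None or len(raw) != it["nbytes"]:
            return "BLOCK", "write to %s%d byte %d is not a permitted control object" % (it["area"], it["db"], it["first"])
        p = PROCESS_PARAMS[name]
        value = decode_engineering_value(raw, p["encoding"], p["scale"])
        if not p["limits"][0] <= value <= p["limits"][1]:
            return "BLOCK", "%s=%g outside permitted range %s" % (name, value, p["limits"])
    return "FORWARD", "write within control object white list"

def build_item(area: int, db: int, byte: int, tsize: int, count: int) -> bytes:  # sample traffic only
    return struct.pack(">BBBBHHB", 0x12, 0x0A, 0x10, tsize, count, db, area) + (byte << 3).to_bytes(3, "big")

def build_job(func: int, items: List[bytes], data: bytes = b"") -> bytes:  # sample traffic only
    param = bytes([func, len(items)]) + b"".join(items)
    return struct.pack(">BBHHHH", 0x32, 0x01, 0, 1, len(param), len(data)) + param + data
```

`decide` takes the client IP address established at the TCP/IP layer together with a frame that has already passed the integrity check of step S110, and returns the S121 or S122 outcome with the reason that would go into the log record. A write is accepted only when its register range coincides exactly with one permitted control object and the decoded engineering value lies within that object's range, which is the S4321-S4323 check of the text; a write to any other register, even inside a readable range, is blocked.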
Before the above embodiment the following are also required:
1.1 predefine the client address white list: establish the list of client addresses and access port numbers permitted to access;
1.3 pre-establish the correspondence between S7 protocol application functions and frame types and function indicators;
1.4 predefine the application function white list: taking the client IP address and application function name as the unit, predefine the set of application functions each client is permitted to access;
1.5 predefine the access information object white list: taking the client IP address and information object address (register type, offset address) as the unit, define the set of information object addresses each client is permitted to access;
1.6 predefine the control object white list: taking the client IP address and control object information object address (register type, offset address) as the unit, define the range of control objects each client is permitted to operate and the permitted control values.
In the above embodiment, when a communication request that does not satisfy the white list requirements is detected and communication blocking is carried out, a system log record and an alarm output are generated; the alarm output methods comprise the device indicator light and the connected background monitoring software.
It should be noted that for each method embodiment above-mentioned, for simple description, therefore it is all expressed as a series of
Action merge, but those skilled in the art should understand that, the present invention is not limited by the described action sequence because
According to the present invention, certain steps can be performed in other orders or simultaneously.Secondly, those skilled in the art should also know
It knows, embodiment described in this description belongs to preferred embodiment, and involved action and module are not necessarily of the invention
It is necessary.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, there is no the portion being described in detail in some embodiment
Point, it may refer to the associated description of other embodiment.
Fig. 6 is a structural schematic diagram of the security protection system of an embodiment of the present invention. As shown in Fig. 6, another aspect of the present invention further provides a security protection system, including:
Access request receiving port 1, for receiving external access requests from clients.
Parsing module 2, for performing TCP/IP layer protocol analysis on the external access request, determining the client IP address and access port number, and determining the legitimacy of the external access request according to the first preset white list.
Packet assembly/detection module 3, for assembling the external access request into frames and detecting the frame integrity of the external access request.
Application function determining module 4, for determining the legitimacy of the external access request according to the application function white list, and determining whether the application function of the external access request is a read/write function.
Read/write legitimacy determining module 5, for determining, when the application function of the external access request is a read/write function, the read/write legitimacy of the external access request according to the second preset white list.
In some embodiments, the first preset white list is the client address white list, the second preset white list includes at least the access information object white list and the control object white list, and the system comprises:
Blocking module 6, for blocking the TCP/IP connection of an illegal external access request.
Extraction module 7, for extracting the frame type, indicator and information object address contained in the external access request.
Read/write legitimacy determining module 5 includes:
Read/write judging unit 51, for determining whether the application function of the external access request is a read function or a write function.
Parsing module 2 is further configured to parse the S7 frame assembled from the external access request to obtain the corresponding process parameter control value.
In some embodiments, the system of the present invention further includes alarm module 8, for generating a system log record and an alarm output signal after blocking module 6 has blocked the TCP/IP connection of the external access request.
The embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative labour.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment may be implemented by software plus a necessary general-purpose hardware platform, or, of course, by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the embodiments or in certain parts of the embodiments.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram. These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (9)
1. An industrial control system security protection method using the S7 protocol, comprising:
performing TCP/IP layer protocol analysis on external access requests, and determining the legitimate external access requests among the external access requests according to a first preset white list;
assembling the legitimate external access requests into frames and performing frame integrity detection, to determine the frame-complete external access requests among the legitimate external access requests that pass the frame integrity detection;
determining the legitimacy of the application function of the frame-complete external access request according to an application function white list, and determining whether the application function of the frame-complete external access request is a read/write function;
when the application function of the frame-complete external access request is not a read/write function, allowing the frame-complete external access request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
determining the read/write legitimacy of the frame-complete external access request according to a second preset white list; wherein
the first preset white list is a client address white list, and the second preset white list includes at least an access information object white list and a control object white list;
assembling the legitimate external access request into frames and performing frame integrity detection comprises:
assembling the legitimate external access request according to the frame structure defined by the RFC1006 protocol;
detecting the integrity of the RFC1006 frame assembled from the legitimate external access request;
when the RFC1006 frame assembled from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request; otherwise
reading the cached data to form the upper-layer S7 data, and detecting the integrity of the S7 frame assembled from the legitimate external access request;
when the S7 frame assembled from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request.
2. The security protection method according to claim 1, wherein performing TCP/IP layer protocol analysis on external access requests and determining the legitimate external access requests among the external access requests according to the first preset white list comprises:
performing TCP/IP layer protocol analysis on the external access request from a client, and determining the IP address and access port number of the client.
3. The security protection method according to claim 2, wherein determining the legitimacy of the application function of the frame-complete external access request according to the application function white list, and determining whether the application function of the frame-complete external access request is a read/write function, comprises:
when the S7 frame assembled from the legitimate external access request is a complete frame, extracting the frame type and indicator contained in the frame-complete external access request, and determining according to the application function white list whether the application function of the frame-complete external access request is a permitted application function;
if the application function of the frame-complete external access request is a permitted application function, determining whether the application function of the frame-complete external access request is a read/write function; otherwise
blocking the TCP/IP connection of the frame-complete external access request.
4. The security protection method according to claim 3, wherein determining the read/write legitimacy of the frame-complete external access request according to the second preset white list comprises:
determining whether the application function of the frame-complete external access request is a read function or a write function;
when the application function of the frame-complete external access request is a read function, extracting the information object address corresponding to the read function of the frame-complete external access request, and determining, together with the client IP address and according to the access information object white list, whether the information object address of the frame-complete external access request is within the range permitted for access:
if the information object address of the frame-complete external access request is within the range permitted for access, allowing the frame-complete external access request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the frame-complete external access request;
when the application function of the frame-complete external access request is a write function, extracting the control object information object address corresponding to the write function of the frame-complete external access request, and determining, together with the client IP address and according to the control object white list, whether the control object and control value of the frame-complete external access request are within the defined range:
if the control object and control value are within the defined range, allowing the frame-complete external access request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the frame-complete external access request.
5. The security protection method according to claim 4, wherein the information object address includes at least a register type and an offset address, and determining according to the access information object white list whether the information object address of the frame-complete external access request is within the range permitted for access comprises:
determining according to the access information object white list whether the register is within the range permitted for reading.
6. The security protection method according to claim 4, wherein the control object information object address includes at least a register type and an offset address, the control object white list includes a predefined permitted range of process parameter control values, and allowing the frame-complete external access request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port if the control object and control value are within the defined range comprises:
parsing the S7 frame assembled from the frame-complete external access request according to the predefined correspondence and coding method between process parameters and registers, obtaining the corresponding process parameter control value, filtering the S7 frame according to the control object white list, and determining whether the control value is within the permitted range;
if the control value is within the permitted range, allowing the frame-complete external access request to be assembled according to the TCP/IP protocol and forwarded to the internal communication port; otherwise
blocking the TCP/IP connection of the frame-complete external access request.
7. The security protection method according to any one of claims 1 to 6, wherein, after blocking the TCP/IP connection of the external access request, a system log record and an alarm output signal are generated.
8. An industrial control system security protection system using the S7 protocol, the system comprising:
an access request receiving port, configured to receive external access requests from clients;
a parsing module, configured to perform TCP/IP layer protocol analysis on the external access request, determine the client IP address and access port number, and determine the legitimacy of the external access request according to a first preset white list;
a packet assembly module, configured to assemble the legitimate external access request into frames;
a detection module, configured to detect the integrity of the frame assembled from the legitimate external access request;
an application function determining module, configured to determine the legitimacy of the frame-complete external access request according to an application function white list, and to determine whether the application function of the frame-complete external access request is a read/write function;
a read/write legitimacy determining module, configured to determine, when the application function of the frame-complete external access request is a read/write function, the read/write legitimacy of the frame-complete external access request according to a second preset white list; wherein
the first preset white list is a client address white list, and the second preset white list includes at least an access information object white list and a control object white list;
assembling the legitimate external access request into frames comprises:
assembling the legitimate external access request according to the frame structure defined by the RFC1006 protocol;
detecting the integrity of the frame assembled from the legitimate external access request comprises:
detecting the integrity of the RFC1006 frame assembled from the legitimate external access request;
when the RFC1006 frame assembled from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request; otherwise
reading the cached data to form the upper-layer S7 data, and detecting the integrity of the S7 frame assembled from the legitimate external access request;
when the S7 frame assembled from the legitimate external access request is incomplete, blocking the TCP/IP connection of the legitimate external access request.
9. The security protection system according to claim 8, comprising:
a blocking module, configured to block the TCP/IP connection of an illegal external access request;
an extraction module, configured to extract the frame type, indicator and information object address contained in the frame-complete external access request;
an alarm module, configured to generate a system log record and an alarm output signal after the blocking module has blocked the TCP/IP connection of the illegal external access request;
the read/write legitimacy determining module comprising:
a read/write judging unit, configured to determine whether the application function of the frame-complete external access request is a read function or a write function;
the parsing module being further configured to parse the S7 frame assembled from the legitimate external access request to obtain the corresponding process parameter control value.
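The following is an added worked example written for this page; it is not code from the patent or its applicant. It implements, in Python, the filtering pipeline described in the method steps concluding with S119-S123 and the white-list definitions 1.1-1.6 of the embodiment above, as restated in claims 1 and 4-6: RFC1006 (TPKT) and COTP framing integrity, S7 header integrity, the application-function white list, the access-information-object (read address) white list, and the control-object (write value range) check, in that order. The client addresses, the per-client policy, the register-to-process-parameter mapping (DB1.DBW4 taken as a temperature setpoint scaled by 10) and the sample packets are all constructed assumptions; the frame layouts follow RFC1006, the ISO 8073 data TPDU and the S7comm job header as commonly documented, details the page itself does not spell out.

```python
"""S7comm-over-ISO-on-TCP white-list filter (added example, not the patent's code).
Stages mirror the page: RFC1006/COTP framing -> S7 header -> application-function
white list -> read-address white list or control-value range check. The policy,
client addresses and packets are constructed; frame layouts follow RFC1006, the
ISO 8073 DT TPDU and the S7comm 0x32 job header."""
import struct

FUNCTIONS = {0x04: "read_var", 0x05: "write_var", 0xF0: "setup_communication",
             0x1A: "request_download", 0x28: "plc_control", 0x29: "plc_stop"}
AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB"}
WIDTH = {0x02: 1, 0x04: 2, 0x06: 4}          # transport size BYTE/WORD/DWORD -> bytes
POLICY = {"10.0.0.5": {                       # per-client white lists (constructed)
    "functions": {"setup_communication", "read_var", "write_var"},
    "read": [("DB", 1, 0, 64)],               # (area, db, first byte, byte length)
    "write": {("DB", 1, 4): ("setpoint_temp_x10", 200, 900)},  # register -> (param, min, max)
}}

def check_framing(pkt):
    """RFC1006 TPKT + COTP DT header integrity; returns the S7 payload."""
    version, _, length = struct.unpack("!BBH", pkt[:4])
    if version != 3 or length != len(pkt) or len(pkt) < 7:
        raise ValueError("TPKT version/length mismatch")
    if pkt[4] != 2 or pkt[5] != 0xF0:        # COTP length indicator, DT PDU type
        raise ValueError("not a COTP data TPDU")
    return pkt[7:]

def parse_s7(payload):
    """S7comm job header integrity; returns (function code, parameter, data)."""
    if len(payload) < 10 or payload[0] != 0x32:
        raise ValueError("bad S7 protocol id or short header")
    rosctr, _, _, plen, dlen = struct.unpack("!BHHHH", payload[1:10])
    if rosctr != 1 or plen < 1 or 10 + plen + dlen != len(payload):
        raise ValueError("not a job, or parameter/data length mismatch")
    return payload[10], payload[10:10 + plen], payload[10 + plen:]

def parse_items(param):
    """Decode S7ANY address items -> (area, db, byte offset, byte width)."""
    items, off = [], 2
    for _ in range(param[1]):
        spec, slen, syntax, tsize, n, db, area, addr = struct.unpack("!BBBBHHB3s", param[off:off + 12])
        if (spec, slen, syntax) != (0x12, 0x0A, 0x10) or tsize not in WIDTH:
            raise ValueError("unsupported item specification")
        # the low 3 bits of the 24-bit address are the bit number, the rest the byte offset
        items.append((AREAS.get(area, area), db, int.from_bytes(addr, "big") >> 3, WIDTH[tsize] * n))
        off += 12
    return items

def write_values(items, data):
    """Pair each write item with the integer decoded from its data block."""
    values, off = [], 0
    for area, db, byte_off, width in items:
        _, _, bits = struct.unpack("!BBH", data[off:off + 4])   # reserved, transport, bit length
        if bits != width * 8:
            raise ValueError("write data length mismatch")
        values.append(((area, db, byte_off), int.from_bytes(data[off + 4:off + 4 + width], "big")))
        off += 4 + width
    return values

def filter_request(client_ip, pkt, policy=POLICY):
    """Return ('forward', reason) or ('block', reason) for one client request."""
    rules = policy.get(client_ip)
    if rules is None:
        return "block", "client address not in white list"
    try:
        fcode, param, data = parse_s7(check_framing(pkt))
        func = FUNCTIONS.get(fcode, "0x%02x" % fcode)
        if func not in rules["functions"]:
            return "block", "function %s not allowed" % func
        if func not in ("read_var", "write_var"):
            return "forward", "%s allowed, no object check" % func
        items = parse_items(param)
        if func == "read_var":
            for area, db, start, width in items:
                if not any((a, d) == (area, db) and lo <= start and start + width <= lo + ln
                           for a, d, lo, ln in rules["read"]):
                    return "block", "read %s%d.%d+%d outside white list" % (area, db, start, width)
            return "forward", "read within white list"
        for reg, value in write_values(items, data):
            if reg not in rules["write"]:
                return "block", "write to %s not a permitted control object" % (reg,)
            name, lo, hi = rules["write"][reg]
            if not lo <= value <= hi:
                return "block", "%s=%d outside [%d, %d]" % (name, value, lo, hi)
        return "forward", "write within control range"
    except (ValueError, struct.error, IndexError) as e:
        return "block", "frame integrity: %s" % e

# Constructed sample requests (TPKT + COTP DT + S7 job header + parameter + data).
def build_job(param, data=b"", pdu_ref=1):
    s7 = struct.pack("!BBHHHH", 0x32, 0x01, 0, pdu_ref, len(param), len(data)) + param + data
    return struct.pack("!BBH", 3, 0, 7 + len(s7)) + bytes([0x02, 0xF0, 0x80]) + s7

def s7any_item(area, db, byte_off, tsize, count):
    return struct.pack("!BBBBHHB", 0x12, 0x0A, 0x10, tsize, count, db, area) + (byte_off << 3).to_bytes(3, "big")

def write_word_db(db, byte_off, value):
    """Write-var job writing one WORD to DBn.DBWoff."""
    return build_job(bytes([0x05, 1]) + s7any_item(0x84, db, byte_off, 0x04, 1),
                     struct.pack("!BBHH", 0, 0x04, 16, value))

def read_db(db, byte_off, nbytes):
    """Read-var job reading nbytes from DBn.DBBoff."""
    return build_job(bytes([0x04, 1]) + s7any_item(0x84, db, byte_off, 0x02, nbytes))

PLC_STOP = build_job(bytes([0x29, 0, 0, 0, 0, 0, 9]) + b"P_PROGRAM")   # PLC stop job
```

`filter_request` returns a (decision, reason) pair; in the deployment the page describes, a "block" decision is followed by tearing down the TCP connection and raising the log record and alarm output (step S123), which is left to the caller here. The check order matters: a client not on the address white list is rejected before any byte of the frame is parsed, and framing and header integrity failures are rejected before the function code is trusted, so a truncated or malformed frame can never reach the value-range check. The example also judges one TPKT frame at a time; a real gateway must first reassemble TPKT frames split across TCP segments, which is the "reading the cached data" step in claim 1.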
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610165078.8A CN105847251B (en) | 2016-03-22 | 2016-03-22 | Using the industrial control system safety protecting method and system of S7 agreements |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105847251A CN105847251A (en) | 2016-08-10 |
CN105847251B true CN105847251B (en) | 2018-10-30 |
Family
ID=56588294
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105847251B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111277547A (en) * | 2018-12-05 | 2020-06-12 | 陕西思科锐迪网络安全技术有限责任公司 | Method for monitoring Siemens S7-PLC setting internal clock |
CN111277546A (en) * | 2018-12-05 | 2020-06-12 | 陕西思科锐迪网络安全技术有限责任公司 | Method for monitoring illegal reading and writing Siemens S7-PLC data |
CN111277617A (en) * | 2018-12-05 | 2020-06-12 | 陕西思科锐迪网络安全技术有限责任公司 | Method for monitoring Siemens S7-PLC uploading and downloading program block |
CN111277448A (en) * | 2018-12-05 | 2020-06-12 | 陕西思科锐迪网络安全技术有限责任公司 | Method for monitoring deletion of Siemens S7-PLC internal program block |
CN111277548A (en) * | 2018-12-05 | 2020-06-12 | 陕西思科锐迪网络安全技术有限责任公司 | Method for monitoring Siemens S7-PLC to set session password |
CN109756483B (en) * | 2018-12-12 | 2021-05-25 | 杭州华威信安科技有限公司 | Safety protection method aiming at MELASEC protocol |
CN115208593B (en) * | 2021-03-26 | 2023-08-18 | 南宁富联富桂精密工业有限公司 | Security monitoring method, terminal and computer readable storage medium |
CN115277885B (en) * | 2022-07-27 | 2024-07-02 | 北京天融信网络安全技术有限公司 | Data detection method, device, equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102882828A (en) * | 2011-07-11 | 2013-01-16 | 上海可鲁***软件有限公司 | Information safe transmission control method between inside network and outside network and gateway thereof |
CN103581159A (en) * | 2012-08-10 | 2014-02-12 | 俞晓鸿 | System and method for controlling Internet access through white list based on various terminals |
CN104092698A (en) * | 2014-07-21 | 2014-10-08 | 北京网秦天下科技有限公司 | Network resource access control method and device |
CN105337986A (en) * | 2015-11-20 | 2016-02-17 | 英赛克科技(北京)有限公司 | Credible protocol conversion method and credible protocol conversion system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9660808B2 (en) * | 2005-08-01 | 2017-05-23 | Schneider Electric It Corporation | Communication protocol and method for authenticating a system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||