CN108989265A - access control method, device and system - Google Patents

Info

Publication number: CN108989265A
Application number: CN201710400324.8A
Authority: CN (China)
Prior art keywords: industrial, control, access, access control, message
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 唐文
Current assignee: Siemens AG
Original assignee: Siemens AG
Application filed by Siemens AG; priority to CN201710400324.8A; publication of CN108989265A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present invention relates to industrial networks and information security technology, and in particular to an access control method, gateway and system for ensuring the network security of an industrial control system. In the access control system (1000), an industrial host (101) in the industrial control system (10) sends a message (30) to a control device (200) in the industrial control system (10); the message (30) contains an access request (40) to the control device (200). An access control gateway (20) deep-parses the message (30) to obtain first sub-information related to its application layer and decides, on the basis of that first sub-information, whether to allow the access request (40). Where the control device has no, or only weak, security protection capability of its own, the network security of the industrial control system is thereby improved. Because the message is deep-parsed and access control is based on application-layer information, access control is finer-grained and protection more effective than with a traditional firewall.

Description

Access control method, device and system
Technical field
The present invention relates to industrial networks and the field of information security technology, and in particular to an access control method, device and system.
Background art
An industrial control system (ICS) is a system for realizing automatic control of an industrial process. An industrial control system may be, for example, a wind power generation system, an automobile manufacturing workshop, a pharmaceutical factory, or a municipal sewage treatment system.
Traditional industrial control systems were closed, so external attacks could hardly pose a security threat to key equipment such as the industrial controllers in them; traditional industrial control systems therefore had low network security requirements. Modern industrial control systems make extensive use of network technology and commercial components and can be connected to other networks, including the Internet. A network attack from outside may tamper with the control flow of an industrial controller, damaging industrial equipment and seriously affecting the normal operation of the industrial control system.
The design, development and configuration of modern industrial control systems cannot effectively resist network attacks such as unauthorized access to, and tampering with, the control devices in an industrial control system. An effective means of resisting such attacks is to implement access control for the control devices inside the industrial control system. How to implement access control adapted to the characteristics of industrial control systems has therefore become a pressing problem in industrial control system network security.
Summary of the invention
In view of this, the present invention provides an access control method, device and system, in order to implement effective access control for an industrial control system.
In a first aspect, an access control method for an industrial control system is provided, comprising:
An industrial host in the industrial control system sends a message to at least one control device in the industrial control system; the application layer protocol data unit (PDU) of the message contains an access request to the at least one control device. After an access control gateway of the industrial control system receives the message, it deep-parses the message to obtain first sub-information related to the application layer of the message. The access control gateway decides, on the basis of first information, whether to allow the access request, wherein the first information includes the first sub-information; if the request is allowed, the access control gateway forwards the message to the control device. Optionally, the first sub-information includes at least one of the following: the type of the application layer PDU of the message; the operation command or function code of the access request; the operation object of the access request; the data processing type of the access request.
Here, access control in the industrial control system is implemented by a separate access control gateway. This avoids the problem that access control implemented on the industrial host is easily bypassed, is not constrained by the limited resources of the control devices, and can implement effective access control for devices and applications from different suppliers.
In addition, because the access control gateway performs access control on the basis of application-layer information obtained by deep-parsing the message, the access control result is more accurate and richer access control policies can be implemented.
Optionally, before the industrial host sends the message, it establishes a secure connection for secure communication between the industrial host and the access control gateway. Optionally, the secure connection provides at least one of the following functions: integrity protection; confidentiality protection. The industrial host sends the message over the secure connection.
In this way, the message is transmitted securely, and eavesdropping, insertion and tampering can be effectively avoided.
Optionally, the first information may further include second sub-information, which includes at least one of the following: identity verification information of the user initiating the access request; authentication information of the user initiating the access request. Before deciding whether to allow the access request, the access control gateway requests the second sub-information from the industrial host; the industrial host prompts the user initiating the access request to provide the second sub-information and returns the second sub-information provided by that user to the access control gateway. The access control gateway receives the second sub-information returned by the industrial host.
In this way, the access control gateway can make its access control decision on the basis of the user's identity verification information and/or authentication information, achieving more precise access control.
Optionally, when deciding whether to allow the access request, the access control gateway may decide according to at least one security policy, wherein the at least one security policy is used to perform identification, authentication and authorization of the user initiating the access request.
Optionally, the at least one security policy is stored in a security policy database of the access control gateway. The access control gateway can obtain an updated version of the at least one security policy from a remote authentication server and update the security policy database according to the updated at least one security policy.
Alternatively, optionally, after receiving the message, the access control gateway determines the access request and obtains the at least one security policy from the remote authentication server in order to judge the access request.
Here, the security policy is designed to identify, authenticate and authorize the user initiating the access request. This effectively implements identity verification and authentication of the visitor and compensates for the lack of network security design in the communication protocols of current industrial control systems.
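The gateway decision of the first aspect (identification, authentication and authorization against a security policy, with the second sub-information requested from the host only when a rule needs it, and the policy database refreshed by the remote authentication server), as an added example that is not code from the patent or from Siemens. It assumes a constructed toy PDU format 'TYPE|FUNC|OBJECT|DATAKIND' in place of a real protocol parser, constructed rules, users and credentials, and models the remote server's update as a direct method call.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY, NEED_USER_INFO = "ALLOW", "DENY", "NEED_USER_INFO"   # gateway verdicts

@dataclass(frozen=True)
class FirstSubInfo:
    """Application-layer facts the DPI engine extracts from the message (first sub-information)."""
    pdu_type: str       # type of the application layer PDU
    function_code: str  # operation command / function code of the access request
    target_object: str  # operation object of the access request
    data_kind: str      # data processing type of the access request

@dataclass(frozen=True)
class SecondSubInfo:
    """Identity verification data of the requesting user (second sub-information)."""
    user_id: str
    credential: str     # constructed shared secret standing in for real authentication data

@dataclass(frozen=True)
class PolicyRule:
    """One security policy entry: which roles may issue which operation on which object."""
    function_code: str
    target_object: str  # exact object name, or "*" for any object
    allowed_roles: frozenset
    requires_user_auth: bool = True

@dataclass
class SecurityPolicyDB:
    """Policy database held by the gateway (203); refreshed by the remote authentication server (50)."""
    rules: list = field(default_factory=list)
    users: dict = field(default_factory=dict)   # user_id -> (credential, role)
    version: int = 0

    def update_from_remote(self, rules, users, version) -> bool:
        """Apply a policy update from the remote authentication server; ignore stale versions."""
        if version <= self.version:
            return False
        self.rules, self.users, self.version = list(rules), dict(users), version
        return True

def parse_pdu(raw: bytes) -> Optional[FirstSubInfo]:
    """Deep-parse the constructed toy PDU 'TYPE|FUNC|OBJECT|DATAKIND'.
    A real gateway needs a protocol-specific parser (S7Comm, Modbus/TCP, ...)."""
    try:
        pdu_type, func, obj, kind = raw.decode("ascii").split("|")
    except (UnicodeDecodeError, ValueError):
        return None
    return FirstSubInfo(pdu_type, func, obj, kind)

def match_rule(db: SecurityPolicyDB, info: FirstSubInfo) -> Optional[PolicyRule]:
    """First rule whose function code and object cover the extracted first sub-information."""
    for rule in db.rules:
        if rule.function_code == info.function_code and rule.target_object in ("*", info.target_object):
            return rule
    return None

def decide(db: SecurityPolicyDB, raw_pdu: bytes, user: Optional[SecondSubInfo] = None) -> str:
    """Gateway decision: identification, then authentication, then authorization; default deny."""
    info = parse_pdu(raw_pdu)
    if info is None:
        return DENY                      # unparseable application layer: fail closed
    rule = match_rule(db, info)
    if rule is None:
        return DENY                      # no policy covers this operation on this object
    if not rule.requires_user_auth:
        return ALLOW
    if user is None:
        return NEED_USER_INFO            # gateway must request the second sub-information (S608)
    record = db.users.get(user.user_id)  # identification
    if record is None or not hmac.compare_digest(record[0], user.credential):
        return DENY                      # authentication failed
    return ALLOW if record[1] in rule.allowed_roles else DENY   # authorization by role

def handle_message(db: SecurityPolicyDB, raw_pdu: bytes, ask_host) -> str:
    """Flow of Fig. 6: decide; if user data is needed, obtain it from the host (S609) and decide again."""
    verdict = decide(db, raw_pdu)
    if verdict == NEED_USER_INFO:
        verdict = decide(db, raw_pdu, ask_host())
    return verdict

def build_demo_db() -> SecurityPolicyDB:
    """Constructed demo policy: variable reads are open, CPU stop and DB10 writes need an engineer."""
    db = SecurityPolicyDB()
    db.update_from_remote(
        rules=[PolicyRule("READ_VAR", "*", frozenset({"operator", "engineer"}), requires_user_auth=False),
               PolicyRule("WRITE_VAR", "DB10", frozenset({"engineer"})),
               PolicyRule("PLC_STOP", "CPU", frozenset({"engineer"}))],
        users={"eng1": ("eng-secret", "engineer"), "op1": ("op-secret", "operator")},
        version=1)
    return db
```

`handle_message(build_demo_db(), b"JOB|PLC_STOP|CPU|CONTROL", lambda: SecondSubInfo("op1", "op-secret"))` returns DENY because the operator role is not authorized for that operation, while the same request with the engineer's credentials is allowed.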
In a second aspect, an access control system of an industrial control system is provided, comprising:
an industrial host in the industrial control system, for sending a message to at least one control device in the industrial control system, wherein the application layer protocol data unit (PDU) of the message contains an access request to the control device;
an access control gateway, for deep-parsing the message to obtain first sub-information related to the application layer of the message, and deciding on the basis of first information whether to allow the access request, wherein the first information includes the first sub-information; and, if allowed, forwarding the message to the control device.
Here, access control in the industrial control system is implemented by a separate access control gateway. This avoids the problem that access control implemented on the industrial host is easily bypassed, is not constrained by the limited resources of the control devices, and can implement effective access control for devices and applications from different suppliers.
In addition, because the access control gateway performs access control on the basis of application-layer information obtained by deep-parsing the message, the access control result is more accurate and richer access control policies can be implemented.
Optionally, the access control gateway is specifically configured to decide whether to allow the access request according to at least one security policy, wherein the at least one security policy is used to identify, authenticate and authorize the user initiating the access request.
The access control system further includes a remote authentication server, for updating the at least one security policy stored in the access control gateway, or for providing the at least one security policy to the access control gateway.
Here, the security policy is designed to identify, authenticate and authorize the user initiating the access request. This effectively implements identity verification and authentication of the visitor and compensates for the lack of network security design in the communication protocols of current industrial control systems.
Optionally, the industrial host in the access control system of the second aspect can be used to implement the functions of the industrial host in the first aspect or any possible implementation thereof: sending the message, establishing the secure connection, providing user identity verification information, authentication information, and so on.
Optionally, the access control gateway in the access control system of the second aspect can be used to implement the functions of the access control gateway in the first aspect or any possible implementation thereof in performing access control on the access request, for example: deep-parsing the message, performing access control on the basis of at least one security policy, updating the at least one security policy, and so on.
Optionally, the remote authentication server in the access control system of the second aspect can be used to implement the functions of the remote authentication server in the first aspect or any possible implementation thereof: updating security policies, providing security policies to the access control gateway, and so on.
In a third aspect, an access control gateway of an industrial control system is provided, which can be used to implement the function of the access control gateway in the first aspect or any possible implementation thereof in performing access control on the access request.
Optionally, the access control gateway may include a deep packet inspection (DPI) engine, for: deep-parsing a message to obtain the above-mentioned first sub-information related to the application layer of the message, and deciding on the basis of the first information whether to allow the access request, wherein the first information includes the first sub-information; and, if allowed, forwarding the message to the control device.
Here, access control in the industrial control system is implemented by a separate access control gateway. This avoids the problem that access control implemented on the industrial host is easily bypassed, is not constrained by the limited resources of the control devices, and can implement effective access control for devices and applications from different suppliers.
In addition, because the access control gateway performs access control on the basis of application-layer information obtained by deep-parsing the message, the access control result is more accurate and richer access control policies can be implemented.
Optionally, the first information further includes the above-mentioned second sub-information. The DPI engine is further configured to: before deciding whether to allow the access request, request the second sub-information from the industrial host and receive the second sub-information returned by the industrial host.
In this way, the access control gateway can make its access control decision on the basis of the user's identity verification information and/or authentication information, achieving more precise access control.
Optionally, the DPI engine is specifically configured to: when deciding whether to allow the access request, decide according to at least one security policy, wherein the at least one security policy is used to identify, authenticate and authorize the user initiating the access request.
Optionally, the access control gateway further includes: a security policy database, for storing the at least one security policy; and a remote security policy interface, for obtaining an updated version of the at least one security policy from a remote authentication server and updating the security policy database according to the updated at least one security policy.
Alternatively, optionally, the access control gateway further includes a remote security policy interface, and the DPI engine is further configured, before deciding whether to allow the access request, to: request the at least one security policy from a remote authentication server through the remote security policy interface; and receive the at least one security policy from the remote authentication server through the remote security policy interface.
Here, the security policy is designed to identify, authenticate and authorize the user initiating the access request. This effectively implements identity verification and authentication of the visitor and compensates for the lack of network security design in the communication protocols of current industrial control systems.
Optionally, the access control gateway further includes a firewall, for establishing a secure connection with the industrial host, the secure connection serving for secure communication between the access control gateway and the industrial host, and for receiving the message from the industrial host over the secure connection.
In this way, the message is transmitted securely, and eavesdropping, insertion and tampering can be effectively avoided.
In a fourth aspect, an industrial host in an industrial control system is provided, which can be used to implement the functions of the industrial host provided in the first aspect or any possible implementation thereof: sending the message, establishing the secure connection, obtaining user identity verification information, authentication information, and so on.
Optionally, the industrial host may include an access control agent, for: establishing a secure connection with an access control gateway of the industrial control system, the secure connection serving for secure communication with the access control gateway, wherein the access control gateway performs access control on an access request sent by the industrial host to a control device in the industrial control system; and sending a message to the control device over the secure connection, wherein the application layer protocol data unit (PDU) of the message contains the access request.
Optionally, the secure connection provides at least one of the following functions: integrity protection; confidentiality protection.
Here, access control in the industrial control system is implemented by a separate access control gateway. This avoids the problem that access control implemented on the industrial host is easily bypassed, is not constrained by the limited resources of the control devices, and can implement effective access control for devices and applications from different suppliers.
The establishment of the secure connection enables secure transmission of the message and can effectively prevent eavesdropping, insertion and tampering.
Optionally, the access control agent is further configured to: receive a request for the second sub-information from the access control gateway, wherein the second sub-information includes identity verification information of the user initiating the access request and/or authentication information of the user initiating the access request; prompt the user initiating the access request to provide the second sub-information; and return the second sub-information provided by that user to the access control gateway.
In this way, the access control gateway can make its access control decision on the basis of the user's identity verification information and/or authentication information, achieving more precise access control.
In a fifth aspect, a remote authentication server is provided, which can be used to implement the security-policy-providing function of the remote authentication server in the first aspect or any possible implementation thereof.
Optionally, the remote authentication server may include:
a security policy database, for storing at least one security policy, the at least one security policy being used to judge whether an access request by an industrial host in an industrial control system to access a control device in the industrial control system is allowed;
a security policy interface, for: using the at least one security policy stored in the security policy database to update a security policy database in an access control gateway of the industrial control system, or to provide the at least one security policy to the access control gateway.
Here, the security policy is designed to identify, authenticate and authorize the user initiating the access request. This effectively implements identity verification and authentication of the visitor and compensates for the lack of network security design in the communication protocols of current industrial control systems.
In a sixth aspect, an access control device of an industrial control system is provided, including at least one memory for storing machine-readable code and at least one processor for calling the machine-readable code to execute the security control method performed by the industrial host, the access control gateway or the remote authentication server in the first aspect or any possible implementation thereof.
In a seventh aspect, a machine-readable medium is provided, storing machine-readable code which, when called by a processor, executes the security control method performed by the industrial host, the access control gateway or the remote authentication server in the first aspect or any possible implementation thereof.
In combination with any of the above aspects or any possible implementation of any aspect, the access control gateway is located between a supervisory layer and a control layer of the industrial control system, wherein the supervisory layer includes the industrial host of the industrial control system and the control layer includes the control device of the industrial control system.
Alternatively, the access control gateway is located between the supervisory layer and a control unit of the industrial control system, wherein the control unit includes the control device.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a current typical industrial control system.
Fig. 2A and Fig. 2B are schematic diagrams of the connection relationship between the access control gateway and the industrial control system provided by embodiments of the present invention.
Fig. 3 is a schematic structural diagram of the access control system provided by an embodiment of the present invention.
Fig. 4 is a flow chart of the access control method provided by an embodiment of the present invention.
Fig. 5 is a flow chart of a typical process by which an industrial host accesses a control device in a current industrial control system.
Fig. 6 is a flow chart of the process by which an industrial host accesses a control device in an industrial control system after applying an embodiment of the present invention.
Fig. 7 is a schematic structural diagram of the access control device provided by an embodiment of the present invention.
Reference signs list:
10: industrial control system; 1: supervisory layer; 2: control layer
100: industrial host; 100A: engineer station; 100B: human-machine interface
100C: operator station; 100D: server
200: control device; 205: control unit; 205A: distributed input/output
205B: field device
20: access control gateway; 1000: access control system; 50: remote authentication server
202: deep packet inspection engine; 201: firewall; 203: security policy database
204: remote security policy interface
30: message; 40: access request; 80: security policy
70: secure connection
1001: access control agent; 1002: control application; 1003: secure authentication information
501: security policy database; 502: security policy interface
S401: establish secure connection 70; S402: send access request 40; S403: deep-parse message 30
S404: obtain security policy 80; S405: request authentication; S406: prompt the user to enter authentication information
S407: send authentication information; S408: access control; S409: forward message 30
S410: drop message 30
S501: establish TCP connection; S502: COTP connection request; S503: COTP connection confirmation
S504: S7Comm setup communication; S505: S7Comm setup communication confirmation
S506: access PLC
S601: configure access control gateway 20; S602: install access control agent 1001; S603: establish secure connection 70
S604: send access request 40
S605: deep-parse message 30, obtain security policy 80, decide whether to allow access request 40
S606: forward message 30; S607: drop message 30; S608: request authentication
S609: return authentication information; S610: decide whether to allow access request 40
701: at least one memory; 702: at least one processor
Detailed description
As described above, because traditional industrial control systems used closed designs, external network attacks could hardly pose a security threat to them. The design, development and configuration of modern industrial control systems, however, have the following weaknesses, so that they cannot effectively resist network attacks such as hackers, malware and advanced persistent threats (APT).
1. The control devices in an industrial control system have limited resources.
Control devices in an industrial control system typically include programmable logic controllers (PLC), distributed control system (DCS) controllers, remote terminal units (RTU) and the like, and optionally also the input/output or distributed input/output interfaces of these control devices. These control devices are generally implemented as dedicated embedded systems whose hardware processing capability, computing capability, storage capacity, power supply and network bandwidth are limited.
To ensure that the physical world operates normally under effective control, the control operations of a control device must first of all be executed in real time, reliably and efficiently, which leaves the control device very few resources for performing identification, authentication and authorization. Given the cost constraints and the actual market environment, increasing investment so that the control devices themselves provide effective access control is difficult to achieve in the short term.
2. The communication protocols were not designed with network security functions.
In an industrial control system, control commands need to be communicated between devices in order to realize process control. Communication protocols for process control include, but are not limited to: OLE for Process Control (OPC), PROFINET (Process Field Net), Modbus/TCP (Transmission Control Protocol), Ethernet/IP (Ethernet/Internet Protocol), and control protocols such as PowerLink/CC. Protocols for communication between control devices and industrial hosts include S7Comm and others. These protocols were designed without considering network security and therefore have the following network security weaknesses:
1) No identification and authentication function. Anyone who can reach the network can access any control device or industrial host in the industrial control system and send control commands or data to the attack target.
2) No suitable authorization mechanism. For key operations of the control protocols, such as stopping the central processing unit (CPU), resetting industrial equipment to factory configuration, restarting industrial equipment, upgrading firmware and so on, there is currently no effective security control method to prevent a malicious entity from sending such control commands.
3) No session control or integrity protection mechanism, or only simple mechanisms, so that effective security control cannot be achieved. A network attack can interfere with the control process by deleting messages, duplicating messages, inserting infected information and similar means.
4) No confidentiality protection. Control data and commands are sent in plaintext and may be eavesdropped by a network attacker.
3. Access control based on the industrial host is easily bypassed.
Industrial hosts in an industrial control system, such as human-machine interfaces (HMI), engineer stations (ES), operator stations (OS) and servers, usually run the Windows operating system. Although the Windows operating system and industrial control applications can provide access control such as login control and role-based access control (RBAC), the communication between the industrial host and the control device is usually open, with no security protection measures or only very limited ones, so access control based on the industrial host is easily bypassed.
In addition, the digital factory of one customer usually contains different industrial control systems provided by different suppliers. Furthermore, an industrial control system is a long-running system. In view of the above weaknesses of industrial control systems, their operating characteristics and the actual conditions in digital factories, embodiments of the present invention provide an access control method and an access control gateway that meet the network security requirements of industrial control systems and provide access control for devices and applications from different suppliers in an open communication environment.
In embodiments of the present invention, access control in the industrial control system is implemented by a separate access control gateway. This avoids the above problem that access control based on the industrial host is easily bypassed, is not constrained by the limited resources of the control devices, and can implement effective access control for devices and applications from different suppliers.
The access control can be implemented on the basis of security policies. The security policy is designed to identify, authenticate and authorize the user initiating the access request, effectively realizing identity verification and authentication of the visitor and compensating for the lack of network security design in the communication protocols of current industrial control systems.
In addition, the industrial host communicates with the access control gateway, and with the control device, over a secure connection. The secure connection can provide integrity protection and confidentiality protection, reducing the risk of messages in the industrial control system being deleted or tampered with and effectively preventing eavesdropping by an attacker.
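The integrity-protection side of the secure connection 70 described here and in the first aspect (detecting tampering, insertion, replay and deletion of messages between host and gateway), as an added example that is not code from the patent or from Siemens. It assumes a shared key already established between the two endpoints, uses an HMAC-SHA256 tag plus a per-direction sequence number, and does not model the confidentiality protection.

```python
import hashlib
import hmac
import struct

SEQ_LEN, TAG_LEN = 8, 32   # 64-bit sequence number, HMAC-SHA256 tag


class SecureChannel:
    """One direction of the integrity-protected secure connection (constructed model).

    Each frame is  seq || payload || HMAC(key, seq || payload).  The tag detects tampering
    and insertion by anyone without the key; the sequence number detects replayed and
    deleted messages.  Confidentiality protection is deliberately not modelled here."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0
        self.expected_seq = 0      # next sequence number the receiver expects

    def seal(self, payload: bytes) -> bytes:
        """Sender side: attach the sequence number and the authentication tag."""
        header = struct.pack(">Q", self.send_seq)
        self.send_seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def open(self, frame: bytes):
        """Receiver side: returns (status, payload); payload is None unless the frame is accepted."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "DROP_MALFORMED", None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return "DROP_TAMPERED", None        # modified in transit, or inserted by an outsider
        seq = struct.unpack(">Q", header)[0]
        if seq < self.expected_seq:
            return "DROP_REPLAY", None          # duplicate of an already accepted message
        status = "OK" if seq == self.expected_seq else "GAP"   # GAP: earlier frames were deleted
        self.expected_seq = seq + 1
        return status, payload


def demo():
    """Constructed exchange: host sends three messages; the gateway sees a replay,
    a tampered frame and a gap left by the frame that never arrived intact."""
    key = b"constructed-demo-key-not-for-production"
    host, gateway = SecureChannel(key), SecureChannel(key)
    f1 = host.seal(b"JOB|READ_VAR|DB10|PROCESS_DATA")
    f2 = host.seal(b"JOB|PLC_STOP|CPU|CONTROL")
    f3 = host.seal(b"JOB|WRITE_VAR|DB10|PROCESS_DATA")
    tampered_f2 = f2[:10] + bytes([f2[10] ^ 0x01]) + f2[11:]   # flip one payload bit
    return [gateway.open(f1)[0],            # OK
            gateway.open(f1)[0],            # DROP_REPLAY
            gateway.open(tampered_f2)[0],   # DROP_TAMPERED
            gateway.open(f3)[0]]            # GAP (f2 was never accepted)
```

A receiver that sees GAP should treat it as a deleted or blocked message and raise an alarm rather than silently continuing.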
Method and apparatus provided in an embodiment of the present invention is described in detail with reference to the accompanying drawing.
Fig. 1 is a structural schematic diagram of a typical current industrial control system.
As shown in Fig. 1, the industrial control system 10 may include, but is not limited to, the following devices:
1. At least one control device 200
As mentioned above, these control devices 200 may include, but are not limited to, PLCs, DCS controllers, RTUs, etc. Optionally, they may also include the input/output (I/O) 205A or distributed I/O 205A of these control devices 200. Optionally, they may also include the field devices 205B connected to these control devices 200.
In current industrial control systems, most control devices use dedicated embedded system implementations. These embedded systems may include, but are not limited to, VxWorks, embedded Linux, embedded operating systems (EOS) and uCLinux. The hardware processing capability, computing capability, storage capacity, power supply and network bandwidth of control devices are limited. Moreover, the main goal of control device design is to realize control operations, so security functions such as access control (identification, authentication and authorization) are lacking, and the devices have very little resistance to tampering.
In the embodiments of the present invention, one or more control devices 200 constitute a control unit 205, which is commonly used to realize one or several relatively independent control processes within the overall industrial process. Optionally, the control devices 200 in the industrial control system 10 are included in the control layer 2 of the industrial control system 10; optionally, all control devices 200 are included in the control layer 2.
2. At least one industrial host 100
The industrial hosts 100 may include various workstations or host computers, such as servers, implemented on personal computers (PC), for example the engineer station 100A, operator station 100C and server 100D shown in Fig. 1. The industrial hosts 100 may also include a human machine interface (HMI) 100B. In an industrial control system, an industrial host monitors and controls the control devices via Industrial Ethernet, for example: reading data from field devices (such as reading the state parameters of field devices from sensors), storing data in a historical database, and sending control commands to the control devices according to operator instructions or a preset control program or logic. The engineer station can also configure the control devices.
Optionally, in the embodiments of the present invention, the industrial hosts 100 in the industrial control system 10 are included in the supervisory layer 1 of the industrial control system 10; optionally, all industrial hosts 100 are included in the supervisory layer 1.
3. Industrial control network
The industrial control network connects the control devices and the industrial hosts; in the embodiments of the present invention, it connects the control devices 200 and the industrial hosts 100. Currently, more and more industrial control networks are realized based on Industrial Ethernet. Communication between the industrial hosts and the control devices can be based on the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Internet Protocol (IP), or can be transmitted directly over Ethernet.
The industrial control network can be, but is not limited to, a star network with a router or switch as the central node, or a ring network with higher reliability.
As information and communication technology (ICT) is rapidly integrated into industrial automation, industrial control systems are evolving from traditionally closed and isolated systems into open systems that make wide use of standard information technology (IT) and use Ethernet/IP as the basic communication architecture. Therefore, the need to apply security protection to the computing environment of industrial control systems is increasingly significant.
The development of automated manufacturing and process control technology, the wide use of IT technology, the evolution toward open systems, the increase in commercial activities such as joint ventures, cooperation and outsourcing, the increase in smart devices, and the growing connectivity with other devices, software and even external devices, together with more and more network intrusion events, hackers and malware, all lead to ever-increasing cyber threats and a growing probability of network attacks. The need for security protection in industrial automation and industrial control systems is therefore increasingly urgent.
As mentioned above, because current industrial control systems did not consider the requirements of security protection in their design, the design of access control is insufficient and there are large network security vulnerabilities. Moreover, the design of traditional IT firewalls cannot solve the problem at the application layer.
In one embodiment of the present invention, an access control gateway 20 is provided that combines deep packet inspection (DPI), virtual private network (VPN), and client authentication and authorization techniques. The access control gateway 20 can provide the additional security function of access control for the industrial control system 10, performing identification, authentication and authorization of users. The access control gateway 20 can serve an industrial control system 10 from one system provider, and can also serve a complex industrial control system 10 that includes systems from multiple different providers.
Fig. 2A and Fig. 2B are schematic diagrams of the connection relationship between the access control gateway 20 and the industrial control system 10 provided in the embodiments of the present invention. In Fig. 2A, the access control gateway 20 is located between the supervisory layer 1 and the control layer 2 of the industrial control system 10. In Fig. 2B, the access control gateway 20 is located between the supervisory layer 1 and one control unit 205 of the industrial control system 10.
Fig. 3 is a structural schematic diagram of the access control system 1000 provided in the embodiments of the present invention. The access control system 1000 may include the access control gateway 20, the industrial host 100 and the remote authentication server 50.
First, the access control gateway 20 provided in the embodiments of the present invention is introduced. As shown in Fig. 3, the access control gateway 20 may include:
1. DPI engine 202
2. Firewall 201
3. Security policy database 203
4. Remote security policy interface 204
Each of these four components is described below. When implementing the access control gateway 20, all or part of the above components may be realized, selected according to the actual functional requirements.
1. DPI engine 202
The DPI engine 202 performs deep analysis on a message 30 that the access control gateway 20 receives from an industrial host 100 in the industrial control system 10, and parses out first sub-information relating to the application layer of the message 30.
The message 30 is to be forwarded to at least one control device 200 in the industrial control system 10. For example, the message 30 may be sent to one control device 200, to multiple control devices 200, to one control device 200 in a control unit 205, to multiple control devices 200 in a control unit 205, or to multiple control devices 200 in multiple control units 205. The application-layer protocol data unit (PDU) of the message 30 contains an access request 40 to the at least one control device 200.
The first sub-information may include:
the type of the application-layer PDU of the message 30;
the operation command or function code of the access request 40;
the operation object of the access request 40 (such as a variable, address, registry, etc.);
the data processing type of the access request 40.
Optionally, the DPI engine 202 can also request second sub-information from the industrial host 100 that sent the access request 40, for example by sending an authentication request message. The second sub-information may include the authentication information of the user initiating the access request 40 and/or the authorization information of the user initiating the access request 40. The DPI engine 202 receives the second sub-information returned by the industrial host 100.
The DPI engine 202 can judge whether to allow the access request 40 according to the first sub-information alone, or according to both the first sub-information and the second sub-information; if the request is allowed, the message 30 is forwarded to the control device 200.
In addition, the DPI engine 202 can also determine whether to allow the access request 40 according to at least one security policy 80. Further explanation of the security policies 80 is given in the description of the security policy database 203.
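The following is an added example, not code from the patent or from Siemens, of how a DPI engine could extract the first sub-information (PDU type, function code, operation objects and data processing type) from one S7Comm message as it appears on TCP port 102. The TPKT, COTP and S7Comm byte layouts and the function-code values are taken from publicly documented protocol dissectors and are assumed here; the patent itself names the commands but specifies no encoding. The sample frames are constructed by the builder functions at the end of the block.

```python
import struct
from dataclasses import dataclass, field
from typing import List

# Wire-level constants of TPKT / COTP / S7Comm as publicly documented
# (assumed here; the patent gives no encoding).
TPKT_VERSION = 0x03
COTP_DT = 0xF0                       # COTP Data TPDU that carries the S7 PDU
S7_PROTOCOL_ID = 0x32
ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "AckData", 0x07: "Userdata"}
FUNCTIONS = {0x04: "Read Var", 0x05: "Write Var", 0x1A: "Request Download",
             0x1B: "Download Block", 0x1C: "Download Ended", 0x1D: "Start Upload",
             0x1E: "Upload", 0x1F: "End Upload", 0x28: "PLC Control",
             0x29: "PLC Stop", 0xF0: "Setup Communication"}
# "Data processing type" of the request, in the patent's terms.
PROCESSING = {0x04: "read", 0x05: "write", 0x1A: "download", 0x1B: "download",
              0x1C: "download", 0x1D: "upload", 0x1E: "upload", 0x1F: "upload",
              0x28: "control", 0x29: "control", 0xF0: "setup"}
AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB", 0x1C: "C", 0x1D: "T"}


@dataclass
class FirstSubInfo:
    """The application-layer facts the patent calls first sub-information."""
    pdu_type: str
    function: str
    data_processing: str
    operation_objects: List[dict] = field(default_factory=list)


def _var_items(param: bytes) -> List[dict]:
    """Decode the address items of a Read/Write Var parameter block."""
    items, pos = [], 2
    for _ in range(param[1]):                       # param[1] = item count
        if param[pos:pos + 3] != b"\x12\x0a\x10":    # spec, length, S7ANY syntax id
            raise ValueError("unsupported item specification")
        _size, count, db, area, addr = struct.unpack(">BHHB3s", param[pos + 3:pos + 12])
        bit_addr = int.from_bytes(addr, "big")      # 24-bit address in bits
        items.append({"area": AREAS.get(area, f"area{area:#x}"), "db": db,
                      "byte": bit_addr >> 3, "bit": bit_addr & 7, "count": count})
        pos += 12
    return items


def parse_first_sub_info(frame: bytes) -> FirstSubInfo:
    """Strip TPKT and COTP, then decode the S7Comm header and parameter block."""
    if len(frame) < 7 or frame[0] != TPKT_VERSION:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length does not match the frame")
    li, tpdu = frame[4], frame[5]                   # COTP length indicator, PDU type
    if tpdu != COTP_DT:
        raise ValueError("COTP PDU is not a data TPDU")
    s7 = frame[5 + li:]
    if len(s7) < 10 or s7[0] != S7_PROTOCOL_ID:
        raise ValueError("not an S7Comm PDU")
    rosctr = s7[1]
    plen, dlen = struct.unpack(">HH", s7[6:10])
    hdr = 12 if rosctr in (0x02, 0x03) else 10      # Ack/AckData add error class+code
    if plen < 1 or len(s7) < hdr + plen + dlen:
        raise ValueError("truncated S7Comm PDU")
    param = s7[hdr:hdr + plen]
    fn = param[0]
    objects = _var_items(param) if fn in (0x04, 0x05) else []
    return FirstSubInfo(ROSCTR.get(rosctr, f"rosctr{rosctr:#x}"),
                        FUNCTIONS.get(fn, f"function{fn:#x}"),
                        PROCESSING.get(fn, "unknown"), objects)


def s7_frame(rosctr: int, param: bytes, data: bytes = b"") -> bytes:
    """Constructed-sample builder: wrap an S7 parameter/data block in the S7
    header, a COTP DT TPDU and a TPKT header, as the gateway sees it."""
    hdr = struct.pack(">BBHHHH", S7_PROTOCOL_ID, rosctr, 0, 1, len(param), len(data))
    if rosctr in (0x02, 0x03):
        hdr += b"\x00\x00"                          # error class, error code
    body = bytes([0x02, COTP_DT, 0x80]) + hdr + param + data
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(body)) + body


def build_var_job(function: int, area: int, db: int, byte_addr: int, data: bytes = b"") -> bytes:
    """Constructed sample: a single-item Read Var (0x04) or Write Var (0x05) Job."""
    count = max(len(data), 1)
    item = (b"\x12\x0a\x10\x02" + struct.pack(">HHB", count, db, area)
            + (byte_addr << 3).to_bytes(3, "big"))
    payload = b""
    if function == 0x05:                            # Write Var carries the value
        payload = b"\x00\x04" + struct.pack(">H", len(data) * 8) + data
    return s7_frame(0x01, bytes([function, 1]) + item, payload)
```

Everything the policy check needs (who wants to do what to which object) is in the returned `FirstSubInfo`; a frame whose TPKT length, COTP type or S7 header does not add up is rejected rather than guessed at, which is the behaviour a gateway in the forwarding path wants.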
2. Firewall 201
Optionally, the access control gateway 20 may also include a firewall 201. The firewall 201 receives the message 30 from the industrial host 100 and filters it at the network layer and/or the transport layer; the message 30 may be an Ethernet frame, an IP-layer message, or a TCP/UDP port message. The firewall 201 can judge whether the message 30 passes the filter according to its own security policy, and sends the messages 30 that pass the filter to the DPI engine 202.
Optionally, if the DPI engine 202 determines that the access request 40 is allowed, it instructs the firewall 201 to forward the message 30 to the control device 200, and the firewall 201 forwards the message 30 to the control device 200 according to the instruction of the DPI engine 202. If the DPI engine 202 does not allow the access request 40, it can instruct the firewall 201 to reject the access request 40 or to drop the message 30.
The firewall 201 and the DPI engine 202 can be implemented separately, as shown in Fig. 3, or in combination: the firewall 201 can be realized as a part of the DPI engine 202, or the DPI engine 202 can be realized as an extension module of the firewall 201.
In addition, before receiving the message 30, the firewall 201 can also establish a secure connection 70 with the industrial host 100. The secure connection 70 is used for communication between the access control gateway 20 and the industrial host 100, and optionally also for communication between the industrial host 100 and the control device 200. Technologies that can be adopted for the secure connection 70 include, but are not limited to, virtual private network (VPN) technologies such as Internet Protocol Security (IPsec) and OpenVPN. The secure connection 70 realizes secure communication between the access control gateway 20 and the industrial host 100, and between the industrial host 100 and the control device 200, effectively preventing eavesdropping.
Optionally, the secure connection 70 is transparent to the various applications, including the control application 1002, so that the control applications on the industrial host 100 do not need to be modified.
Optionally, the secure connection 70 has an integrity protection and/or confidentiality protection function. For example, if no confidentiality protection is required, the integrity protection function of the secure connection 70 can be realized using only the Authentication Header (AH) mode of, for instance, IPsec; if confidentiality protection is required, it is provided using the Encapsulating Security Payload (ESP) mode of, for instance, IPsec.
Optionally, if the DPI engine 202 determines that the access request 40 is allowed, it saves the second sub-information and, for the lifetime of the secure connection 70 or of the session, reuses it when judging other access requests initiated by the user of the access request 40. However, if that user initiates access to another control device 200, or to other objects on the same control device 200, the DPI engine 202 can refuse that access according to the corresponding security policy. Optionally, the user authentication process described above is executed again, requiring the authentication and/or authorization information of a new user (or of a user with higher privileges).
3. Security policy database 203
Optionally, the access control gateway 20 may include a local security policy database 203 for storing the security policies 80 for access control (such as identification, authentication and authorization). When determining whether to allow access, the DPI engine 202 can judge according to at least one security policy 80 in the security policy database 203. The models in which the security policies 80 are realized may include, but are not limited to, RBAC, mandatory access control (MAC), discretionary access control (DAC), etc.
Access control can be realized in whitelist mode, in which only the access requests 40 explicitly defined by a security policy 80 are allowed, or in blacklist mode, in which the access requests 40 explicitly defined by a security policy 80 are not allowed.
By setting different security policies 80, access control of the following different granularities can be realized:
Granularity one:
whether a specific user is allowed to access a specific control device 200 or a specific control unit 205.
Granularity two:
whether a specific user is allowed, at a specific time or under specific circumstances, to send a specific command (message 30) to a specific control device 200 in order to execute a specific operation, for example: stopping or starting the central processing unit (CPU) of a control device 200, restarting a control device 200, restoring a default setting of a control device 200, updating the firmware in a control device 200, etc.
Granularity three:
whether a specific user is allowed to configure a specific control device 200 or the applications in that control device 200.
Granularity four:
whether a specific user is allowed to access a given data object, data block, registry, or data space with a particular address in a control device 200.
The security policies 80 can be stored in, for example, a database, a text file, or an extensible markup language (XML) file.
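The block below is an added example, not code from the patent or from Siemens, of a local security policy database that loads policies from an XML file, evaluates a request in whitelist or blacklist mode, and supports the four granularities above through wildcard fields: a policy naming only a user and a device or unit is granularity one, one that adds a command and a time window is granularity two, one naming a configuration (download) command is granularity three, and one that also names a data object is granularity four. The XML attribute names, the command strings and the sample policies are constructed for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import time
from typing import List, Optional

# Commands that configure the device or its applications (granularity three);
# names follow the S7Comm commands the patent mentions, set chosen here.
CONFIG_COMMANDS = {"Request Download", "Download Block", "Download Ended"}


@dataclass
class AccessRequest:
    """First sub-information from the DPI engine plus the authenticated user."""
    user: str
    device: str
    unit: str
    command: str
    obj: Optional[str] = None          # data object, e.g. "DB1" or "CPU"
    at: object = "12:00"               # time of the request, "HH:MM" or datetime.time

    def __post_init__(self):
        if isinstance(self.at, str):
            self.at = time.fromisoformat(self.at)


@dataclass
class Policy:
    """One security policy 80; a None field is a wildcard."""
    user: Optional[str] = None
    device: Optional[str] = None
    unit: Optional[str] = None
    command: Optional[str] = None
    obj: Optional[str] = None
    start: Optional[time] = None
    end: Optional[time] = None

    def __post_init__(self):
        if (self.start is None) != (self.end is None):
            raise ValueError("a time window needs both start and end")

    def matches(self, r: AccessRequest) -> bool:
        pairs = ((self.user, r.user), (self.device, r.device), (self.unit, r.unit),
                 (self.command, r.command), (self.obj, r.obj))
        if any(want is not None and want != got for want, got in pairs):
            return False
        if self.start is not None and not (self.start <= r.at <= self.end):
            return False
        return True

    def granularity(self) -> int:
        if self.obj is not None:
            return 4
        if self.command in CONFIG_COMMANDS:
            return 3
        if self.command is not None or self.start is not None:
            return 2
        return 1


class PolicyDatabase:
    """Local security policy database 203 in whitelist or blacklist mode."""

    def __init__(self, mode: str = "whitelist"):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.policies: List[Policy] = []

    @classmethod
    def from_xml(cls, text: str) -> "PolicyDatabase":
        root = ET.fromstring(text)
        db = cls(root.get("mode", "whitelist"))
        for el in root.iter("policy"):
            attrs = dict(el.attrib)
            start, end = attrs.pop("start", None), attrs.pop("end", None)
            db.policies.append(Policy(**attrs,
                                      start=time.fromisoformat(start) if start else None,
                                      end=time.fromisoformat(end) if end else None))
        return db

    def decide(self, r: AccessRequest) -> bool:
        """Whitelist: allowed only if some policy matches. Blacklist: the reverse."""
        hit = any(p.matches(r) for p in self.policies)
        return hit if self.mode == "whitelist" else not hit


# Constructed sample policy file (not from the patent): one policy per granularity.
SAMPLE_POLICY_XML = """
<policies mode="whitelist">
  <policy user="hmi" unit="unit-A"/>
  <policy user="operator1" device="PLC-1" command="PLC Stop" start="08:00" end="18:00"/>
  <policy user="engineer1" device="PLC-1" command="Download Block"/>
  <policy user="operator1" device="PLC-1" command="Read Var" obj="DB1"/>
</policies>
"""
```

In whitelist mode a request that no policy names is denied, which is the safer default for a control network; the blacklist mode is the same evaluation with the result inverted, so an operator can start from "everything except PLC Stop" and tighten from there.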
4. Remote security policy interface 204
The remote security policy interface 204 can serve two different purposes:
1) updating the local security policy database 203;
2) obtaining the security policies 80 from the remote authentication server 50.
These are described separately below.
For 1)
There is a remote authentication server 50 in which the security policies 80 are stored (for example, in the security policy database 501 shown in Fig. 3). It communicates with the access control gateway 20 through the security policy interface 502 in order to update the local security policy database 203 in the access control gateway 20.
For example, when a security policy 80 is added, the remote authentication server 50 can send the new security policy 80 to the access control gateway 20 through the security policy interface 502, and the remote security policy interface 204 in the access control gateway 20 receives the new security policy 80 and stores it in the security policy database 203. As another example, when a security policy 80 is modified, the remote authentication server 50 sends indication information describing the modification of that security policy 80 to the access control gateway 20 through the security policy interface 502, and the remote security policy interface 204 in the access control gateway 20 modifies that security policy 80 in the security policy database 203 according to the indication information.
For 2)
The access control gateway 20 may have no local security policy database 203. When determining whether to allow the access request 40, the DPI engine 202 requests at least one security policy 80 from the remote authentication server 50 through the remote security policy interface 204, and receives the at least one security policy 80 from the remote authentication server 50 through the remote security policy interface 204. Optionally, the remote security policy interface 204 can query the remote authentication server 50 for the required security policies 80 according to the authentication and/or authorization information provided by the user.
For 1) or 2)
The access control gateway 20 can query the security policies 80 from the remote authentication server 50 through the remote security policy interface 204 based on a security protocol. These security protocols include, but are not limited to, Kerberos, Remote Authentication Dial In User Service (RADIUS), Privilege Management Infrastructure (PMI), and Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
Next, the industrial host 100 provided in the embodiments of the present invention is introduced. As shown in Fig. 3, the industrial host 100 may include:
1. Access control agent 1001
2. Control application 1002
Each of these components is described below. When implementing the industrial host 100, all or part of the above components may be realized, selected according to the actual functional requirements.
1. Access control agent 1001
The access control agent 1001 can interact with the access control gateway 20 to realize the access control function for the access request 40.
Optionally, the access control agent 1001 can establish the secure connection 70 described above with the access control gateway 20 after the industrial host 100 starts, or before the control application 1002 requests access to a control device 200. The access control agent 1001 can also send the message 30 described above to the control device 200 through the secure connection 70, realizing secure transmission of the message 30 and effectively preventing monitoring, insertion and tampering.
In addition, at the request of the access control gateway 20, the industrial host 100 can also send the second sub-information described above, that is, the authentication and/or authorization information of the user initiating the access request 40. For example, after receiving an authentication request message from the access control gateway 20, the user is prompted in the user interface of the industrial host 100 to input security authentication information 1003, such as the user's authentication information (for example a user identifier) and/or the user's authorization information.
The authentication information of the user may include, but is not limited to, one or more of the following:
username and password;
a security-token-based smart card and its personal identification number (PIN);
a public key infrastructure (PKI) certificate;
a one-time password.
The access control agent 1001 can be realized in software, in hardware, or in a combination of software and hardware.
2. Control application 1002
The control application 1002 can be an application program on the industrial host 100 that realizes industrial control. The access request 40 can be issued by the control application 1002 and encapsulated by a network protocol to form the message 30.
Finally, the remote authentication server 50 provided in the embodiments of the present invention is introduced. As shown in Fig. 3, the remote authentication server 50 may include:
1. Security policy database 501
2. Security policy interface 502
Each of these components is described below. When implementing the remote authentication server 50, all or part of the above components may be realized, selected according to the actual functional requirements.
1. Security policy database 501
Used to store the security policies 80 described above.
2. Security policy interface 502
Corresponding to the two different optional purposes of the remote security policy interface 204 in the access control gateway 20, the security policy interface 502 also has two different purposes:
1) Updating the security policy database 203 in the access control gateway 20
The security policy interface 502 updates the security policy database 203 in the access control gateway 20 using the security policies 80 stored in the security policy database 501.
Optionally, when there are at least two access control gateways 20 in the industrial control system 10, the remote authentication server 50 can update the security policies 80 in all access control gateways 20 through the security policy interface 502, so that the security policies 80 in the different access control gateways 20 are consistent.
2) Providing security policies 80 to the access control gateway 20
The remote authentication server 50 can provide security policies 80 to the access control gateway 20 through the security policy interface 502.
Optionally, the industrial host 100, the access control gateway 20 and the remote authentication server 50 provided in the embodiments of the present invention together constitute an access control system 1000.
Fig. 4 is a flow chart of the access control method provided in the embodiments of the present invention. As shown in Fig. 4, the method may include the following steps:
S401: The industrial host 100 establishes a secure connection 70 with the access control gateway 20.
In this step, the access control agent 1001 in the industrial host 100 establishes the secure connection 70 with the access control gateway 20 when the industrial host 100 starts, or before the control application 1002 in the industrial host 100 requests access to a control device 200. Communication between the industrial host 100 and the control device 200 is then carried out over the secure connection 70.
S402: The industrial host 100 sends an access request 40, requesting access to a control device 200.
As mentioned above, the secure connection 70 can be transparent to the control application 1002: the control application 1002 communicates with the control device 200 (or control unit 205) according to its own configuration and requests access to the control device 200, that is, sends an access request 40 to the control device 200. Several application scenarios in which an access request 40 is sent are illustrated below:
Scenario one:
The engineer station 100A is equipped with the control software of the industrial control system 10, such as STEP7, Unity Pro, etc., which is used to configure the control devices 200. The control software sends an access request 40 in order to configure a control device 200.
Scenario two:
The HMI 100B, for example an HMI realized based on Windows Control Center (WinCC) or on FactoryTalk, accesses the control devices 200 according to its configuration, for example: reading the parameters or state of the control process, reading the state of the control devices 200 themselves, displaying each control device 200 on the HMI 100B, etc. The HMI 100B completes these operations by sending access requests 40 to the control devices 200.
Scenario three:
The operator station 100C monitors the state and parameters of the control devices 200 and of the operating process. The operator can modify the control state, operations and process parameters through operations on the operator station 100C, and can even send commands to the control devices 200. The operations the operator performs on the operator station 100C can be realized by the operator station 100C sending access requests 40 to the control devices 200.
Scenario four:
The server 100D, for example a database server 100D, sends an access request 40 to a control device 200 to obtain production data from that control device 200.
The access request 40 can be placed in the message 30 as application-layer payload and sent by the industrial host 100. Because the access control gateway 20 is located between the industrial host 100 and the control device 200, the message 30 cannot be sent directly to the control device 200 but is first received by the access control gateway 20.
S403: The DPI engine 202 in the access control gateway 20 performs deep analysis on the received message 30 using DPI technology, parsing out the first sub-information relating to the application layer of the message 30.
S404: According to the parsed first sub-information, the access control gateway 20 can query the local security policy database 203, or request security policies 80 from the remote authentication server 50. The operation of obtaining the security policies 80 can also be performed in step S408. If the access control gateway 20 needs to obtain the authentication and/or authorization information of the user initiating the access request 40, step S405 is executed; otherwise step S407 is executed directly.
S405: The access control gateway 20 sends an authentication request message to the industrial host 100, requesting the authentication and/or authorization information of the user initiating the access request 40.
S406: After receiving the authentication request message, the industrial host 100 prompts the user to input authentication and/or authorization information.
S407: The industrial host 100 sends the authentication and/or authorization information input by the user to the access control gateway 20 through the secure connection 70 established in step S401.
Here, SSL/TLS, the Internet Security Association and Key Management Protocol (ISAKMP) of IPsec, or other authentication protocols can be used to guarantee the security of the whole user authentication process.
S408: The access control gateway 20 determines whether to allow the access request 40. If it is allowed, step S407 is executed; if it is not allowed, step S410 is executed.
Here, the DPI engine 202 in the access control gateway 20 can determine whether to allow the access request 40 according to the received user authentication and/or authorization information and the obtained security policies 80.
S409: The access control gateway 20 forwards the message 30 to the control device 200.
S410: The access control gateway 20 drops the message 30, or notifies the industrial host 100 that the access request 40 has been rejected.
Optionally, the access control gateway 20 can also interact with the remote authentication server 50 in step S411 to update the security policy database 203 of the access control gateway 20.
In the above process, because communication between the access control gateway 20 and the access control agent 1001 uses the secure connection 70, and only authorized users are allowed to access the control devices 200, it is difficult for a network attacker to illegally tamper with or replay the operations of legitimate users on the control devices 200. In addition, the access control gateway 20 can perform fine-grained access control based on DPI technology, guaranteeing that users can only perform the operations they are authorized for and preventing unauthorized access.
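The steps S401 to S411 above, together with the session handling of the second sub-information described under the firewall 201, are shown below as an added example that is not code from the patent or from Siemens. The gateway object models each secure connection as a session: a message arriving on a connection without cached user information produces an authentication request (S405), credentials supplied over that connection are verified and cached for its lifetime (S407), later messages are decided against the policy with the cached user (S408), and closing the connection discards the cache. The credential store, the policy table, the `reauth_on_denial` option and the return strings are constructed for this example; the secure connection itself is abstracted to a connection identifier.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def _hash(salt: bytes, password: str) -> bytes:
    """Constructed credential hash (salted SHA-256); the patent does not fix a scheme."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed sample stores: credentials as (salt, hash), and a policy mapping a
# user to the (device, operation) pairs that user may perform.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "engineer1": (b"salt-e1", _hash(b"salt-e1", "correct horse")),
    "operator1": (b"salt-o1", _hash(b"salt-o1", "battery staple")),
}
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "engineer1": {("PLC-1", "Download Block"), ("PLC-1", "Read Var")},
    "operator1": {("PLC-1", "Read Var")},
}
_DUMMY = (b"", b"\x00" * 32)     # compared against for unknown users, so timing is uniform


@dataclass
class Session:
    """State of one secure connection 70; `user` is the cached second sub-information."""
    user: Optional[str] = None
    failures: int = 0


class AccessControlGateway:
    def __init__(self, policy, credentials, reauth_on_denial: bool = False):
        self.policy = policy
        self.credentials = credentials
        self.reauth_on_denial = reauth_on_denial   # ask for a (higher-privileged) user on denial
        self.sessions: Dict[str, Session] = {}

    def open_secure_connection(self, conn_id: str) -> None:        # S401
        self.sessions[conn_id] = Session()

    def close_secure_connection(self, conn_id: str) -> None:
        self.sessions.pop(conn_id, None)          # cached user information dies with it

    def handle_message(self, conn_id: str, device: str, operation: str) -> str:
        """Decide one parsed access request: FORWARD (S409), DROP (S410) or
        AUTH_REQUEST (S405). `device`/`operation` stand for the first sub-information."""
        s = self.sessions.get(conn_id)
        if s is None:
            return "DROP"                         # no secure connection, never forwarded
        if s.user is None:
            return "AUTH_REQUEST"                 # need second sub-information first
        if (device, operation) in self.policy.get(s.user, set()):
            return "FORWARD"
        if self.reauth_on_denial:
            s.user = None                         # re-run authentication for another user
            return "AUTH_REQUEST"
        return "DROP"

    def provide_credentials(self, conn_id: str, user: str, password: str) -> bool:  # S407
        s = self.sessions.get(conn_id)
        if s is None:
            return False
        salt, expected = self.credentials.get(user, _DUMMY)
        if user in self.credentials and hmac.compare_digest(_hash(salt, password), expected):
            s.user = user
            return True
        s.failures += 1
        return False

    def update_policy(self, policy) -> None:                        # S411
        self.policy = policy
```

Binding the cached user to the connection identifier is what lets the gateway reuse the second sub-information for a burst of requests without re-prompting, while still guaranteeing that nothing is forwarded on a connection that was never authenticated.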
The access control scheme provided in the embodiments of the present invention is illustrated below with a specific example. In this example:
1. The industrial control system 10 is realized based on SIMATIC. In this industrial control system 10, the typical ways in which an industrial host 100 accesses a control device 200 are mainly the following two:
1) An engineer uses an engineer station 100A equipped with SIMATIC STEP7 to configure the SIMATIC S7 PLCs 200 at the control site.
2) An operator uses a SIMATIC WinCC HMI 100B configured on the operator station to monitor the state parameters of the SIMATIC S7 PLCs 200 at the control site, to modify the control process or the state parameters of the PLCs 200, and to send control commands to the PLCs 200.
2. According to the communication protocol used between the industrial host 100 and the PLC 200, the PLCs 200 are divided into two types:
1) For the S7-200, S7-300 and S7-400 series, the proprietary communication protocol between the control application (traditional STEP7 and WinCC) and the PLC 200 is S7Comm.
2) For the S7-1200 and S7-1500 series, the proprietary communication protocol between the control application (STEP7 and WinCC of the TIA Portal) and the PLC 200 is OMS+.
Accordingly, this example mainly illustrates two configurations:
1) The applications on the industrial host 100 are traditional SIMATIC STEP7 and WinCC, and the PLCs 200 at the control site are the S7-200, S7-300 and S7-400 series.
2) The applications on the industrial host 100 are SIMATIC STEP7 and WinCC of the TIA Portal, and the PLCs at the control site are the S7-1200 and S7-1500 series.
S7Comm communicates over TCP port 102; the application-layer protocol is encapsulated in the International Organization for Standardization (ISO) Transport Service on top of the TCP (TPKT) protocol and the Connection-Oriented Transport Protocol (COTP).
Fig. 5 is a flow chart of a typical process in which an industrial host accesses a control device in a current industrial control system. In this process, the S7Comm protocol interaction between the control application and the PLC is as follows:
S501: The control application 500A in the operator station establishes a TCP connection with TCP port 102 of the PLC 500B using the standard TCP three-way handshake.
S502: The control application 500A requests a connection using a COTP Connect Request message encapsulated in TPKT.
S503: On receiving the connection request, the S7 PLC 500B replies with a COTP Connect Confirm message to establish the COTP connection.
S504: The control application 500A uses an S7Comm Setup Communication PDU encapsulated in COTP to request the establishment of the connection at the application layer.
S505: The PLC 500B confirms that the connection has been established using an S7Comm Setup Communication PDU of acknowledgement type.
S506: The control application 500A in the operator station accesses the parameters on the PLC 500B using S7Comm commands such as List of Blocks and Read/Write Var. Alternatively, the control application 500A on the engineer station downloads configuration parameters to the PLC 500B using S7Comm commands such as Request Download and Download Block.
Fig. 6 is the stream of the process of industrial host access control apparatus in an industrial control system in the embodiment of the present invention Cheng Tu.As shown in fig. 6, the process may include following steps:
The browsing process may include following steps:
S601: The access control gateway 20 is deployed between an industrial host 100 in the supervisory layer 1 (e.g. a STEP7 engineer station or a WinCC operator station) and a control device 200 in the control layer 2 (e.g. an S7 PLC).
S602: An access control agent 1001 is installed on the industrial host 100; the access control agent 1001 may be a memory-resident service running on the industrial host 100.
S603: After the industrial host 100 starts, the access control agent 1001 authenticates with the access control gateway 20 using SSL/TLS based on OpenVPN (one-way or mutual authentication), negotiates security-related parameters and keys, and establishes a secure connection 70 between the industrial host 100 and the access control gateway 20.
S604: When an engineer configures an S7 PLC with the STEP7 engineer station, or an operator monitors an S7 PLC with the WinCC operator station, the STEP7 engineer station or WinCC operator station acting as industrial host 100 sends an access request 40 over the secure connection 70; the access request 40 is carried in a message 30 as application-layer payload.
S605: After receiving the message 30, the access control gateway 20 performs deep analysis on it (e.g. by the DPI engine 202 described above), parses the application-layer payload and obtains the first sub-information described above. Based on this first sub-information and at least one security policy 80, the DPI engine 202 can decide on the following kinds of access request 40:
a TCP connection request (SYN);
a COTP connection request;
an S7Comm Setup Communication request.
Based on the obtained first sub-information, the access control gateway 20 determines the initiator of the access request 40 (e.g. a specific engineer), the operation to be performed (e.g. stopping a CPU) and the object of the operation (e.g. a CPU on the S7 PLC). The access control gateway 20 may query the local security policy database 203, or query the remote authentication server 50 using the Kerberos authentication protocol, to obtain the security policy 80.
Based on the at least one obtained security policy 80, the access control gateway 20 decides whether to allow the access request 40. If the access request 40 is allowed, step S606 is executed; if it is not allowed, step S607 is executed; if the user needs to be authenticated, step S608 is executed.
S606: The access control gateway 20 forwards the message 30 to the control device 200, i.e. the S7 PLC in this example.
S607: The access control gateway 20 drops the message 30 and may optionally notify the industrial host 100 that the access request 40 has been rejected.
S608: The access control gateway 20 sends an authentication request message to the industrial host 100.
S609: After receiving the authentication request message, the industrial host 100 may prompt the user in its own user interface to enter a username and password (the security authentication information 1003 described above), and returns the username and password entered by the user to the access control gateway 20 over the secure connection 70.
S610: After receiving the username and password, the access control gateway 20 decides whether to allow the access request 40 based on the security policy 80 found in step S605. If allowed, step S606 is executed; otherwise step S607 is executed.
Optionally, the security policy 80 obtained in step S605 may be used to decide whether the user's security authentication information needs to be obtained through steps S608 and S609, and a security policy 80 obtained in step S610 may be used to decide, based on the user's security authentication information, whether to allow the access request 40.
In another optional implementation, the security policy 80 obtained in step S605 may be used both to decide whether the user's security authentication information needs to be obtained and to decide, based on that information, whether to allow the access request 40; in that case there is no need to obtain a security policy 80 again in step S610.
After the secure connection 70 described above has been established between the industrial host 100 and the control device 200 (the S7 PLC in this example), the industrial host 100 may send several messages to the control device 200 in the course of the above process. For example, the WinCC operator station may send S7Comm messages to read/write data on the S7 PLC or to execute function blocks; the STEP7 engineer station may send S7Comm requests to download a control program to the S7 PLC or to order the S7 PLC to upload its control program to the STEP7 engineer station.
The access control gateway 20 provided in an embodiment of the present invention can use the method above to perform deep analysis on these messages (if required, after first classifying the messages by type) and obtain the key information in each message, i.e. the first sub-information described above.
In this example, the access control gateway 20 may use an RBAC model for access control: based on the security policy 80 in the local security policy database 203 or the security policy 80 obtained from the remote authentication server 50, it decides whether to allow the access request 40 according to information such as the access type and the accessed object of the access request 40. For example, it looks up the role to which the user belongs and checks whether the operation the user wants to perform on the accessed object is one permitted for that role.
According to the RBAC-based security policy, if the user's role is not permitted to perform the operation, the access request 40 is rejected; if the user's role is permitted, the access control gateway 20 can forward the access request 40 to the requested S7 PLC.
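One way to implement the RBAC decision described above, covering the three outcomes of step S605 (forward, drop, or request authentication in S608-S610), as an added example that is not the patent's own code: decide() takes the user identity assumed to have been bound to the secure connection 70 by the access control agent 1001, the function code and operation objects that deep analysis produced (in the form (area, DB number, byte address, element count)), and optional credentials, and returns ALLOW (S606), DENY (S607) or AUTHENTICATE (S608). The POLICY and USERS tables, the role names, the DB ranges and the credentials are hypothetical and constructed for the example; in a deployment they would come from the security policy database 203 or the remote authentication server 50.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

ALLOW, DENY, AUTHENTICATE = "ALLOW", "DENY", "AUTHENTICATE"

# Hypothetical RBAC policy (the "security policy 80"). Each role lists the S7Comm functions
# it may issue and, for data access, the DB numbers it may touch. Functions in "step_up"
# are allowed only after the user re-authenticates (steps S608-S610). Anything not listed
# is denied, so unknown function codes (reported by the parser as hex) fail closed.
POLICY = {
    "operator": {
        "functions": {"Setup Communication", "Read Var", "Write Var"},
        "db_ranges": [(1, 9)],              # process data only; DB100+ assumed engineering data
        "step_up": set(),
    },
    "engineer": {
        "functions": {"Setup Communication", "Read Var", "Write Var", "Request Download",
                      "Download Block", "Download Ended", "Start Upload", "Upload",
                      "End Upload", "PLC Control", "PLC Stop"},
        "db_ranges": [(1, 9999)],
        "step_up": {"Download Block", "PLC Control", "PLC Stop"},
    },
}


def _verifier(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password verifier; the gateway never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical user directory: user -> (role, salt, verifier). Constructed for the example;
# a real deployment would keep this on the remote authentication server 50.
USERS = {
    "alice": ("operator", b"salt-a", _verifier("op-pass", b"salt-a")),
    "bob": ("engineer", b"salt-b", _verifier("eng-pass", b"salt-b")),
}

Obj = Tuple[str, int, int, int]   # (area, DB number, byte address, element count)


def _object_allowed(obj: Obj, db_ranges: List[Tuple[int, int]]) -> bool:
    area, db, _byte_addr, _length = obj
    if area != "DB":
        return True                         # I/Q/M/T/C areas are not DB-scoped in this policy
    return any(lo <= db <= hi for lo, hi in db_ranges)


def decide(user: str, function: str, objects: List[Obj],
           credentials: Optional[Tuple[str, str]] = None) -> str:
    """Return ALLOW, DENY or AUTHENTICATE for one parsed S7Comm request."""
    entry = USERS.get(user)
    if entry is None:
        return DENY                         # unknown initiator
    role, salt, verifier = entry
    rules = POLICY[role]
    if function not in rules["functions"]:
        return DENY                         # role may not issue this function at all
    if not all(_object_allowed(o, rules["db_ranges"]) for o in objects):
        return DENY                         # role may not touch one of the objects
    if function in rules["step_up"]:
        if credentials is None:
            return AUTHENTICATE             # S608: ask the access control agent for credentials
        name, password = credentials
        if name != user or not hmac.compare_digest(_verifier(password, salt), verifier):
            return DENY                     # S610: wrong credentials -> S607, drop
    return ALLOW                            # S606: forward the message to the PLC


if __name__ == "__main__":
    print(decide("alice", "Read Var", [("DB", 1, 0, 2)]))          # ALLOW
    print(decide("alice", "PLC Stop", []))                          # DENY
    print(decide("bob", "PLC Stop", []))                            # AUTHENTICATE
    print(decide("bob", "PLC Stop", [], ("bob", "eng-pass")))       # ALLOW
```

The decision is taken per message, and every branch that is not explicitly permitted falls through to DENY; that matches step S607 being the default for anything the policy does not cover, and means a new or unrecognised S7Comm function code never reaches the PLC until a policy entry is written for it.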
Fig. 7 is a schematic structural diagram of an access control apparatus provided in an embodiment of the present invention. The access control apparatus may be the access control gateway 20, the industrial host 100 or the remote authentication server 50 described above. As shown in Fig. 7, the access control apparatus may include at least one memory 701 for storing machine-readable code, and at least one processor 702 for calling the machine-readable code to execute any access control method provided by the embodiments of the present invention.
A machine-readable medium provided in an embodiment of the present invention stores machine-readable instructions which, when executed by a processor, cause the processor to perform any of the methods described above. Specifically, a system or apparatus equipped with a machine-readable medium may be provided, the machine-readable medium storing software program code that implements the functions of any of the above embodiments, and the computer or processor of the system or apparatus reads and executes the machine-readable instructions stored on the machine-readable medium.
In this case, the program code read from the machine-readable medium can itself implement the functions of any of the above embodiments, so the machine-readable code and the machine-readable medium storing it form part of the present invention.
Embodiments of the machine-readable medium include floppy disks, hard disks, magneto-optical disks, optical discs (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server computer or from the cloud over a communication network.
It should be noted that not all of the steps and modules in the processes and system block diagrams above are necessary; certain steps or modules may be omitted according to actual needs. The order in which the steps are executed is not fixed and may be adjusted as required. The system structures described in the above embodiments may be physical structures or logical structures; that is, some modules may be implemented by the same physical entity, some modules may be implemented by several physical entities, or modules may be implemented jointly by components of several independent devices.
In the above embodiments, a hardware unit may be implemented mechanically or electrically. For example, a hardware unit may comprise permanent dedicated circuitry or logic (such as a dedicated processor, FPGA or ASIC) to perform the corresponding operations. A hardware unit may also comprise programmable logic or circuitry (such as a general-purpose processor or other programmable processor) that is temporarily configured by software to perform the corresponding operations. The specific implementation (mechanical, dedicated permanent circuitry, or temporarily configured circuitry) may be chosen on the basis of cost and time considerations.
The present invention has been shown and described in detail above with reference to the drawings and preferred embodiments; however, the invention is not limited to the disclosed embodiments. Based on the several embodiments above, those skilled in the art will appreciate that the means of the different embodiments may be combined to obtain further embodiments of the invention, and these embodiments also fall within the protection scope of the invention.
In summary, embodiments of the invention provide an access control method, apparatus and system. An access control gateway can be deployed between an industrial host and a control device in an industrial control system and perform access control on access requests from the industrial host to the control device, addressing the problem that current control devices have no, or only weak, security protection capability, and improving the network security of the industrial control system.
With the scheme provided in the embodiments, effective security protection of the industrial control system can be achieved without modifying the control devices in the existing industrial control system and without modifying its control applications and control protocols.
The access control gateway can perform deep analysis on a message from an industrial host and parse out the application-layer key information of the message, such as the type of the application-layer PDU and the operation command, function code, operation object and data processing type of the access request carried in the application-layer payload, and decide according to this information whether to allow the access request. Optionally, the access control gateway can further obtain the user's authentication information from the industrial host according to the security policy, and decide whether to allow the access request based on the authentication information together with the key information obtained by deep analysis. Compared with security protection by a traditional firewall, which can only filter at the IP and/or transport layer, the embodiments can parse application-layer information, so the granularity of protection is finer, the security policies that can be implemented are richer and the protection is more effective.
Moreover, because the access control mechanism in the embodiments does not depend on a specific control protocol or control application, but performs deep analysis on standard network messages according to security policies that do not depend on any particular control protocol or application, it can provide security protection for industrial control systems and control devices from different vendors.
Existing industrial hosts can be adapted by deploying an access control agent on the industrial host that cooperates with the access control gateway to implement access control, for example by providing the user's authentication information. The access control agent can establish a secure connection between the industrial host and the access control gateway, and between the industrial host and the control device, so that communication over it is more secure and eavesdropping and tampering can be effectively prevented without changing the existing communication protocol.
The remote authentication server can provide security policies to the access control gateway for use when the gateway decides whether to allow an access request. Optionally, the remote authentication server can also synchronise the security policies of two or more industrial hosts, to guarantee that the security policy is consistent across industrial hosts.
In embodiments of the invention the access control gateway, optionally together with the industrial host and the remote authentication server, can form an access control system that can be integrated into an industrial control system and implemented as the access control mechanism of the industrial control system.

Claims (21)

1. An access control gateway (20) for an industrial control system (10), characterized by comprising a deep packet inspection (DPI) engine (202) configured to:
deep-analyze a message (30) to obtain first sub-information relating to the application layer of the message (30), wherein the message (30) is received by the access control gateway (20) from an industrial host (100) in the industrial control system (10) and is intended to be forwarded to at least one control device (200) in the industrial control system (10), and an application-layer protocol data unit (PDU) in the message (30) contains an access request (40) directed to the at least one control device (200);
decide, based on first information, whether to allow the access request (40), wherein the first information comprises the first sub-information; and
if allowed, forward the message (30) to the control device (200).
2. The access control gateway (20) of claim 1, characterized in that the first sub-information comprises at least one of the following:
the type of the application-layer PDU of the message (30);
the operation command or function code of the access request (40);
the operation object of the access request (40);
the data processing type of the access request (40).
3. The access control gateway (20) of claim 1 or 2, characterized in that
the first information further comprises second sub-information, and the second sub-information comprises at least one of the following:
identification information of the user initiating the access request (40);
authentication information of the user initiating the access request (40);
and the DPI engine (202) is further configured to: before deciding whether to allow the access request (40), request the second sub-information from the industrial host (100) and receive the second sub-information returned by the industrial host (100).
4. The access control gateway (20) of any one of claims 1 to 3, characterized in that, when deciding whether to allow the access request (40), the DPI engine (202) is specifically configured to:
decide whether to allow the access request (40) according to at least one security policy (80), wherein the at least one security policy (80) is used to perform identification, authentication and authorization of the user initiating the access request (40).
5. The access control gateway (20) of claim 4, characterized in that the access control gateway (20) further comprises:
a security policy database (203) for storing the at least one security policy (80), and
a remote security policy interface (204) for obtaining the updated at least one security policy (80) from a remote authentication server (50) and updating the security policy database (203) according to the updated at least one security policy (80).
6. The access control gateway (20) of any one of claims 1 to 5, characterized in that the access control gateway (20) further comprises a firewall (201) configured to:
establish a secure connection (70) with the industrial host (100), the secure connection (70) being used for secure communication between the access control gateway (20) and the industrial host (100); and
receive the message (30) from the industrial host (100) over the secure connection (70).
7. The access control gateway (20) of any one of claims 1 to 6, characterized in that
the access control gateway (20) is located between a supervisory layer (1) and a control layer (2) of the industrial control system (10), wherein the supervisory layer (1) comprises the industrial hosts of the industrial control system (10) and the control layer (2) comprises the control devices of the industrial control system (10); or
the access control gateway (20) is located between the supervisory layer (1) and a control unit (205) of the industrial control system (10), wherein the control unit (205) comprises the control device (200).
8. An industrial host (100) in an industrial control system (10), characterized by comprising an access control agent (1001) configured to:
establish a secure connection (70) with an access control gateway (20) of the industrial control system (10), the secure connection (70) being used for secure communication with the access control gateway (20), and the access control gateway (20) being used to perform access control on an access request (40) sent by the industrial host (100) to a control device (200) in the industrial control system (10); and
send a message (30) to the control device (200) over the secure connection (70), an application-layer protocol data unit (PDU) in the message (30) containing the access request (40).
9. A remote authentication server (50), characterized by comprising:
a security policy database (501) for storing at least one security policy (80), the at least one security policy (80) being used to decide whether an access request (40) by an industrial host (100) in an industrial control system (10) to access a control device (200) in the industrial control system (10) is allowed; and
a security policy interface (502) configured to:
update a security policy database (203) in an access control gateway (20) of the industrial control system (10) using the at least one security policy (80) stored in the security policy database (501), or
provide the at least one security policy (80) to the access control gateway (20).
10. An access control system (1000) for an industrial control system (10), characterized by comprising:
an industrial host (100) in the industrial control system (10), for sending a message (30) to at least one control device (200) in the industrial control system (10), an application-layer protocol data unit (PDU) in the message (30) containing an access request (40) directed to the at least one control device (200); and
an access control gateway (20), for deep-analyzing the message (30) to obtain first sub-information relating to the application layer of the message (30), deciding based on first information whether to allow the access request (40), wherein the first information comprises the first sub-information, and, if allowed, forwarding the message (30) to the control device (200).
11. An access control method for an industrial control system (10), characterized by comprising:
an access control gateway (20) of the industrial control system (10) deep-analyzing a message (30) to obtain first sub-information relating to the application layer of the message (30), wherein the message (30) is received by the access control gateway (20) from an industrial host (100) in the industrial control system (10) and is intended to be forwarded to at least one control device (200) in the industrial control system (10), and an application-layer protocol data unit (PDU) in the message (30) contains an access request (40) directed to the at least one control device (200);
the access control gateway (20) deciding, based on first information, whether to allow the access request (40), wherein the first information comprises the first sub-information; and
if allowed, the access control gateway (20) forwarding the message (30) to the control device (200).
12. The method of claim 11, characterized in that the first sub-information comprises at least one of the following:
the type of the application-layer PDU of the message (30);
the operation command or function code of the access request (40);
the operation object of the access request (40);
the data processing type of the access request (40).
13. The method of claim 11 or 12, characterized in that
the first information further comprises second sub-information, and the second sub-information comprises at least one of the following:
identification information of the user initiating the access request (40);
authentication information of the user initiating the access request (40);
and, before the access control gateway (20) decides whether to allow the access request (40), the method further comprises: the access control gateway (20) requesting the second sub-information from the industrial host (100) and receiving the second sub-information returned by the industrial host (100).
14. The method of any one of claims 11 to 13, characterized in that the access control gateway (20) deciding whether to allow the access request (40) comprises:
the access control gateway (20) deciding whether to allow the access request (40) according to at least one security policy (80), wherein the at least one security policy (80) is used to perform identification, authentication and authorization of the user initiating the access request (40).
15. The method of claim 14, characterized in that the at least one security policy (80) is stored in a security policy database (203) of the access control gateway (20), and the method further comprises: the access control gateway (20) obtaining the updated at least one security policy (80) from a remote authentication server (50) and updating the security policy database (203) according to the updated at least one security policy (80).
16. The method of any one of claims 11 to 15, characterized in that, before the access control gateway (20) deep-analyzes the message (30), the method further comprises:
the access control gateway (20) and the industrial host (100) establishing a secure connection (70), the secure connection (70) being used for secure communication between the access control gateway (20) and the industrial host (100); and
the access control gateway (20) receiving the message (30) from the industrial host (100) over the secure connection (70).
17. The method of any one of claims 11 to 16, characterized in that
the access control gateway (20) is located between a supervisory layer (1) and a control layer (2) of the industrial control system (10), wherein the supervisory layer (1) comprises the industrial hosts of the industrial control system (10) and the control layer (2) comprises the control devices of the industrial control system (10); or
the access control gateway (20) is located between the supervisory layer (1) and a control unit (205) of the industrial control system (10), wherein the control unit (205) comprises the control device (200).
18. An access control method for an industrial control system (10), characterized by comprising:
an industrial host (100) in the industrial control system (10) establishing a secure connection (70) with an access control gateway (20) of the industrial control system (10), the secure connection (70) being used for secure communication between the industrial host (100) and the access control gateway (20), and the access control gateway (20) being used to perform access control on an access request (40) sent by the industrial host (100) to a control device (200) in the industrial control system (10); and
the industrial host (100) sending a message (30) to the control device (200) over the secure connection (70), an application-layer protocol data unit (PDU) in the message (30) containing the access request (40).
19. An access control method for an industrial control system (10), characterized by comprising:
a remote authentication server (50) of the industrial control system (10) storing at least one security policy (80), the at least one security policy (80) being used to decide whether an access request (40) by an industrial host (100) in the industrial control system (10) to access a control device (200) in the industrial control system (10) is allowed; and
the remote authentication server (50) updating a security policy database (203) in an access control gateway (20) of the industrial control system (10) using the stored at least one security policy (80), or
the remote authentication server (50) providing the at least one security policy (80) to the access control gateway (20).
20. An access control apparatus for an industrial control system (10), characterized by comprising:
at least one memory (701) for storing machine-readable code; and
at least one processor (702) for calling the machine-readable code to execute the method of any one of claims 11 to 19.
21. A machine-readable medium storing machine-readable code, characterized in that the machine-readable code, when called by a processor, executes the method of any one of claims 11 to 19.
Application CN201710400324.8A, priority date 2017-05-31, filing date 2017-05-31: access control method, device and system (Pending, CN108989265A, en)

Publication: CN108989265A, publication date 2018-12-11

Family ID: 64502066

Country status: CN (1) CN108989265A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107222508A (en) * 2017-07-14 2017-09-29 国家计算机网络与信息安全管理中心 Safety access control method, equipment and system
CN109587151A (en) * 2018-12-13 2019-04-05 泰康保险集团股份有限公司 Access control method, device, equipment and computer readable storage medium
CN110086872A (en) * 2019-04-29 2019-08-02 新奥数能科技有限公司 A kind of data processing method and system of SCADA system
CN111464432A (en) * 2020-03-19 2020-07-28 深圳市燃气集团股份有限公司 Intelligent gateway for gas industry
CN111562938A (en) * 2020-04-20 2020-08-21 杭州迪普科技股份有限公司 Method and device for checking configuration information of PLC and computer equipment
CN111885031A (en) * 2020-07-13 2020-11-03 董鹏 Fine-grained access control method and system based on session process
CN112637143A (en) * 2020-12-08 2021-04-09 浙江国利网安科技有限公司 Safety control method and device and industrial control data acquisition gateway
CN112769850A (en) * 2021-01-19 2021-05-07 英赛克科技(北京)有限公司 Network message filtering method, electronic equipment and storage medium
CN113115241A (en) * 2021-04-07 2021-07-13 青岛容商天下网络有限公司 Industrial Internet system based on industrial brain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102023622A (en) * 2009-09-09 2011-04-20 洛克威尔自动控制技术股份有限公司 Diagnostic module for distributed industrial network including industrial control devices
CN102377740A (en) * 2010-08-12 2012-03-14 西门子公司 Industrial access control method and device
CN103036886A (en) * 2012-12-19 2013-04-10 珠海市鸿瑞软件技术有限公司 Industrial controlling network safety protecting method
US20160337359A1 (en) * 2015-05-11 2016-11-17 Honeywell Spol. S.R.O. Securing a control system application layer protocol
CN106559287A (en) * 2016-11-11 2017-04-05 武汉烽火网络有限责任公司 Hierarchy depth bag detecting system and method based on first engine




Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20181211)