CN108989265A - access control method, device and system - Google Patents
- Publication number: CN108989265A (application number CN201710400324.8A)
- Authority: CN (China)
- Prior art keywords: industrial, control, access, access control, message
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/10: for controlling access to devices or network resources
- H04L63/08: for authentication of entities
- H04L63/20: for managing network security; network security policies in general
Abstract
The present invention relates to the field of industrial networks and information security, and in particular to an access control method, gateway and system for ensuring the network security of an industrial control system. In the access control system (1000), an industrial host (101) sends a message (30) to a control device (200) in the industrial control system (10); the message (30) contains an access request (40) directed at the control device (200). An access control gateway (20) performs deep analysis of the message (30) to obtain first sub-information related to its application layer, and decides on the basis of that first sub-information whether to allow the access request (40). In this way the network security of the industrial control system is improved even where the control device has no, or only limited, security protection capability of its own. Because the message is deeply analysed and access control is based on application-layer information, the granularity of access control is finer and the security protection more effective than with a traditional firewall.
Description
Technical field
The present invention relates to the field of industrial networks and information security, and in particular to an access control method, device and system.
Background technique
An industrial control system (ICS) is a system for the automatic control of an industrial process. An industrial control system may be, for example, a wind power generation system, an automobile manufacturing workshop, a pharmaceutical plant or a municipal sewage treatment system.
Traditional industrial control systems are closed, so it is difficult for an external attack to threaten key equipment such as the industrial controllers in the system; the network security requirements of traditional industrial control systems are therefore not high. Modern industrial control systems make extensive use of network technology and commercial components and may be connected to other networks, including the Internet. A network attack from outside may then tamper with the control flow of an industrial controller, damage industrial equipment and seriously disrupt the normal operation of the industrial control system.
The design, development and configuration of modern industrial control systems cannot effectively resist network attacks on the control devices, such as unauthorized access over the network or tampering. An effective means of resisting such attacks is to implement access control for the control devices inside the industrial control system. How to implement access control in a way that suits the characteristics of industrial control systems has thus become an urgent problem in the network security of industrial control systems.
Summary of the invention
In view of this, the present invention provides an access control method, device and system, in order to achieve effective access control for an industrial control system.
In a first aspect, an access control method for an industrial control system is provided, comprising:
An industrial host in the industrial control system sends a message to at least one control device in the industrial control system; the application-layer protocol data unit (PDU) of the message contains an access request to the at least one control device. After an access control gateway of the industrial control system receives the message, it performs deep analysis of the message to obtain first sub-information related to the application layer of the message. The access control gateway decides, on the basis of first information, whether to allow the access request, wherein the first information includes the first sub-information; if the request is allowed, the access control gateway forwards the message to the control device. Optionally, the first sub-information includes at least one of the following: the type of the application-layer PDU of the message; the operational order or function code of the access request; the operation object of the access request; the data processing type of the access request.
Because access control in the industrial control system is implemented by a separate access control gateway, the problem that access control implemented on the industrial host is easily bypassed is avoided, the method is not constrained by the limited resources of the control devices, and effective access control can be applied to devices and applications from different suppliers.
In addition, because the access control gateway bases its decisions on the application-layer information obtained by deep analysis of the message, the access control results are more accurate and richer access control policies can be implemented.
Optionally, before the industrial host sends the message, it establishes a secure connection for secure communication between the industrial host and the access control gateway. Optionally, the secure connection provides at least one of the following functions: integrity protection; confidentiality protection. The industrial host sends the message over the secure connection. In this way the message is transmitted securely, and eavesdropping, insertion and tampering are effectively prevented.
Optionally, the first information may further include second sub-information, which includes at least one of the following: identity verification information of the user who initiated the access request; authentication information of the user who initiated the access request. Before deciding whether to allow the access request, the access control gateway requests the second sub-information from the industrial host; the industrial host prompts the user who initiated the access request to provide the second sub-information and returns the second sub-information provided by that user to the access control gateway, which receives it.
In this way, the access control gateway can make its access control decision on the basis of the user's identity verification information and/or authentication information, further achieving accurate access control.
Optionally, when deciding whether to allow the access request, the access control gateway may decide according to at least one security policy, wherein the at least one security policy is used to perform identification, authentication and authorization of the user who initiated the access request.
Optionally, the at least one security policy is stored in a security policy database of the access control gateway; the access control gateway may obtain an updated version of the at least one security policy from a remote authentication server and update the security policy database accordingly.
Alternatively, optionally, after receiving the message the access control gateway determines the access request and obtains the at least one security policy from the remote authentication server in order to judge the access request.
The security policies are designed to perform identification, authentication and authorization of the user who initiated the access request, so that the visitor is effectively identified and authenticated and the deficiencies in the network security design of the communication protocols used in current industrial control systems are compensated.
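The gateway decision described in the first aspect (deep analysis of the application-layer PDU to obtain the first sub-information, identification and authentication of the user from the second sub-information, and authorization against a security policy database that a remote authentication server can update), worked through as an added Python example that is not part of the patent. It assumes Modbus/TCP as the application-layer protocol, since the patent fixes no PDU format; the function names, policy fields and sample frames are constructed for illustration.

```python
"""Gateway-style access control check on an ICS application-layer PDU (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Standard Modbus function codes; using Modbus/TCP as the PDU format is an assumption.
FC_READ_HOLDING = 3
FC_WRITE_SINGLE = 6
FC_WRITE_MULTIPLE = 16
READ_CODES = {1, 2, 3, 4}


@dataclass(frozen=True)
class FirstSubInfo:
    """Application-layer facts obtained by deep analysis of the message (S403)."""
    pdu_type: str            # type of the application-layer PDU
    function_code: int       # operational order / function code of the request
    operation_object: tuple  # (first register address, register count)
    data_processing: str     # "read" or "write"


def deep_parse(frame: bytes) -> FirstSubInfo:
    """Parse the MBAP header and Modbus PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc, body = frame[7], frame[8:]
    if len(body) < 4:
        raise ValueError("short PDU")
    if fc in (FC_READ_HOLDING, FC_WRITE_MULTIPLE):
        start, count = struct.unpack(">HH", body[:4])     # start address, quantity
    elif fc == FC_WRITE_SINGLE:
        start, count = struct.unpack(">H", body[:2])[0], 1
    else:
        raise ValueError(f"function code {fc} not understood by the DPI engine")
    kind = "read" if fc in READ_CODES else "write"
    return FirstSubInfo("modbus-request", fc, (start, count), kind)


@dataclass(frozen=True)
class Policy:
    """One security policy (80): identity, credential check, authorized scope."""
    user: str
    credential_sha256: str
    allowed_codes: frozenset
    address_range: tuple     # inclusive (low, high) register range


class PolicyDatabase:
    """Security policy database (203); apply_update() is the path a remote
    authentication server (50) would use to push updated policies."""
    def __init__(self, policies=()):
        self.apply_update(policies)

    def apply_update(self, policies):
        self._by_user = {p.user: p for p in policies}

    def lookup(self, user):
        return self._by_user.get(user)


def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def decide(frame: bytes, second_sub_info: dict, db: PolicyDatabase):
    """Gateway decision (S405-S410): ("forward", FirstSubInfo) or ("drop", reason)."""
    try:
        info = deep_parse(frame)
    except ValueError as exc:
        return "drop", f"depth analysis failed: {exc}"
    policy = db.lookup(second_sub_info.get("user", ""))          # identification
    if policy is None:
        return "drop", "unknown user"
    presented = sha256_hex(second_sub_info.get("secret", ""))
    if not hmac.compare_digest(presented, policy.credential_sha256):  # authentication
        return "drop", f"authentication failed for {policy.user}"
    if info.function_code not in policy.allowed_codes:               # authorization
        return "drop", f"function code {info.function_code} not authorized for {policy.user}"
    start, count = info.operation_object
    low, high = policy.address_range
    if start < low or start + count - 1 > high:
        return "drop", "operation object outside the authorized register range"
    return "forward", info


# Constructed sample frames and policies (illustrative, not from the patent).
def modbus_frame(tid: int, fc: int, *fields: int) -> bytes:
    pdu = bytes([fc]) + struct.pack(">" + "H" * len(fields), *fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu   # length covers unit id + PDU

WRITE_REG16 = modbus_frame(1, FC_WRITE_SINGLE, 0x0010, 0x0001)  # write register 16 := 1
READ_95_10 = modbus_frame(3, FC_READ_HOLDING, 95, 10)           # read registers 95..104

POLICY_DB = PolicyDatabase([
    Policy("operator", sha256_hex("op-pass"), frozenset({FC_READ_HOLDING}), (0, 99)),
    Policy("engineer", sha256_hex("eng-pass"),
           frozenset({FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE}), (0, 199)),
])
```

With these policies the operator's write to register 16 is dropped at the authorization step while the engineer's identical frame is forwarded; a malformed frame is dropped at the depth-analysis step before any user is consulted.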
In a second aspect, an access control system for an industrial control system is provided, comprising:
an industrial host in the industrial control system, for sending a message to at least one control device in the industrial control system, wherein the application-layer protocol data unit (PDU) of the message contains an access request to the control device;
an access control gateway, for performing deep analysis of the message to obtain first sub-information related to the application layer of the message, and for deciding on the basis of first information whether to allow the access request, wherein the first information includes the first sub-information; if the request is allowed, the message is forwarded to the control device.
Because access control in the industrial control system is implemented by a separate access control gateway, the problem that access control implemented on the industrial host is easily bypassed is avoided, the system is not constrained by the limited resources of the control devices, and effective access control can be applied to devices and applications from different suppliers.
In addition, because the access control gateway bases its decisions on the application-layer information obtained by deep analysis of the message, the access control results are more accurate and richer access control policies can be implemented.
Optionally, the access control gateway is specifically configured to decide whether to allow the access request according to at least one security policy, wherein the at least one security policy is used to perform identification, authentication and authorization of the user who initiated the access request.
The access control system further includes a remote authentication server, for updating the at least one security policy stored in the access control gateway, or for providing the at least one security policy to the access control gateway.
The security policies are designed to perform identification, authentication and authorization of the user who initiated the access request, so that the visitor is effectively identified and authenticated and the deficiencies in the network security design of the communication protocols used in current industrial control systems are compensated.
Optionally, the industrial host of the access control system provided in the second aspect may be used to implement the functions of the industrial host in the first aspect or any possible implementation of the first aspect, such as sending the message, establishing the secure connection, and providing user identity verification information and authentication information.
Optionally, the access control gateway of the access control system provided in the second aspect may be used to implement the access control functions of the access control gateway in the first aspect or any possible implementation of the first aspect, such as performing deep analysis of the message, performing access control according to the at least one security policy, and updating the at least one security policy.
Optionally, the remote authentication server of the access control system provided in the second aspect may be used to implement the functions of the remote authentication server in the first aspect or any possible implementation of the first aspect, such as updating the security policies and providing security policies to the access control gateway.
In a third aspect, an access control gateway for an industrial control system is provided, which may be used to implement the access control functions of the access control gateway in the first aspect or any possible implementation of the first aspect.
Optionally, the access control gateway may include a deep packet inspection (DPI) engine, for: performing deep analysis of a message to obtain the first sub-information related to the application layer of the message described above, and deciding on the basis of first information whether to allow the access request, wherein the first information includes the first sub-information; if the request is allowed, forwarding the message to the control device.
Because access control in the industrial control system is implemented by a separate access control gateway, the problem that access control implemented on the industrial host is easily bypassed is avoided, the gateway is not constrained by the limited resources of the control devices, and effective access control can be applied to devices and applications from different suppliers.
In addition, because the access control gateway bases its decisions on the application-layer information obtained by deep analysis of the message, the access control results are more accurate and richer access control policies can be implemented.
Optionally, the first information further includes the second sub-information described above. The DPI engine is further configured to request the second sub-information from the industrial host before deciding whether to allow the access request, and to receive the second sub-information returned by the industrial host.
In this way, the access control gateway can make its access control decision on the basis of the user's identity verification information and/or authentication information, further achieving accurate access control.
Optionally, the DPI engine is specifically configured to decide whether to allow the access request according to at least one security policy, wherein the at least one security policy is used to perform identification, authentication and authorization of the user who initiated the access request.
Optionally, the access control gateway further includes a security policy database for storing the at least one security policy, and a remote security policy interface for obtaining the updated at least one security policy from a remote authentication server and updating the security policy database accordingly.
Alternatively, optionally, the access control gateway further includes a remote security policy interface, and the DPI engine is further configured, before deciding whether to allow the access request, to request the at least one security policy from a remote authentication server through the remote security policy interface and to receive the at least one security policy from the remote authentication server through that interface.
The security policies are designed to perform identification, authentication and authorization of the user who initiated the access request, so that the visitor is effectively identified and authenticated and the deficiencies in the network security design of the communication protocols used in current industrial control systems are compensated.
Optionally, the access control gateway further includes a firewall, for establishing a secure connection with the industrial host, the secure connection being used for secure communication between the access control gateway and the industrial host, and for receiving the message from the industrial host over the secure connection.
In this way the message is transmitted securely, and eavesdropping, insertion and tampering are effectively prevented.
In a fourth aspect, an industrial host in an industrial control system is provided, which may be used to implement the functions of the industrial host in the first aspect or any possible implementation of the first aspect, such as sending the message, establishing the secure connection, and obtaining the user's identity verification information and authentication information.
Optionally, the industrial host may include an access control agent, for establishing a secure connection with an access control gateway of the industrial control system, the secure connection being used for secure communication with the access control gateway, wherein the access control gateway performs access control on an access request that the industrial host sends to a control device in the industrial control system; and for sending a message to the control device over the secure connection, the application-layer protocol data unit (PDU) of the message containing the access request.
Optionally, the secure connection provides at least one of the following functions: integrity protection; confidentiality protection.
Because access control in the industrial control system is implemented by a separate access control gateway, the problem that access control implemented on the industrial host is easily bypassed is avoided, the solution is not constrained by the limited resources of the control devices, and effective access control can be applied to devices and applications from different suppliers.
Establishing the secure connection enables the message to be transmitted securely and effectively prevents eavesdropping, insertion and tampering.
Optionally, the access control agent is further configured to receive a request for the second sub-information from the access control gateway, wherein the second sub-information includes identity verification information of the user who initiated the access request and/or authentication information of that user; to prompt the user who initiated the access request to provide the second sub-information; and to return the second sub-information provided by that user to the access control gateway.
In this way, the access control gateway can make its access control decision on the basis of the user's identity verification information and/or authentication information, further achieving accurate access control.
In a fifth aspect, a remote authentication server is provided, which may be used to implement the security policy provision functions of the remote authentication server in the first aspect or any possible implementation of the first aspect.
Optionally, the remote authentication server may include:
a security policy database, for storing at least one security policy, the at least one security policy being used to judge whether an access request by an industrial host in an industrial control system to a control device in that industrial control system is allowed;
a security policy interface, for using the at least one security policy stored in the security policy database to update a security policy database in an access control gateway of the industrial control system, or to provide the at least one security policy to the access control gateway.
The security policies are designed to perform identification, authentication and authorization of the user who initiated the access request, so that the visitor is effectively identified and authenticated and the deficiencies in the network security design of the communication protocols used in current industrial control systems are compensated.
In a sixth aspect, an access control device for an industrial control system is provided, including at least one memory for storing machine-readable code and at least one processor for calling the machine-readable code to execute the security control method performed by the industrial host, the access control gateway or the remote authentication server in the first aspect or any possible implementation of the first aspect.
In a seventh aspect, a machine-readable medium is provided, storing machine-readable code which, when called by a processor, executes the security control method performed by the industrial host, the access control gateway or the remote authentication server in the first aspect or any possible implementation of the first aspect.
In combination with any of the above aspects or any possible implementation thereof, the access control gateway is located between a supervisory layer and a control layer of the industrial control system, wherein the supervisory layer includes the industrial host of the industrial control system and the control layer includes the control device of the industrial control system.
Alternatively, the access control gateway is located between the supervisory layer and a control unit of the industrial control system, wherein the control unit includes the control device.
Detailed description of the invention
Fig. 1 is a schematic structural diagram of a typical current industrial control system.
Fig. 2A and Fig. 2B are schematic diagrams of the connection relationship between the access control gateway and the industrial control system according to an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of the access control system according to an embodiment of the present invention.
Fig. 4 is a flow chart of the access control method according to an embodiment of the present invention.
Fig. 5 is a flow chart of a typical process by which an industrial host accesses a control device in a current industrial control system.
Fig. 6 is a flow chart of the process by which an industrial host accesses a control device in an industrial control system after an embodiment of the present invention is applied.
Fig. 7 is a schematic structural diagram of an access control device according to an embodiment of the present invention.
Reference signs list:
10: industrial control system; 1: supervisory layer; 2: control layer
100: industrial host; 100A: engineer station; 100B: human-machine interface; 100C: operator station; 100D: server
200: control device; 205: control unit; 205A: distributed input/output; 205B: field device
20: access control gateway; 1000: access control system; 50: remote authentication server
202: deep packet inspection engine; 201: firewall; 203: security policy database; 204: remote security policy interface
30: message; 40: access request; 80: security policy; 70: secure connection
1001: access control agent; 1002: control application; 1003: security authentication information
501: security policy database; 502: security policy interface
S401: establish secure connection 70; S402: send access request 40; S403: deep analysis of message 30; S404: obtain security policy 80; S405: authentication request; S406: prompt user to input authentication information; S407: send authentication information; S408: access control; S409: forward message 30; S410: drop message 30
S501: establish TCP connection; S502: COTP connection request; S503: COTP connection confirmation; S504: S7Comm setup communication; S505: S7Comm confirm setup communication; S506: access PLC
S601: configure access control gateway 20; S602: install access control agent 1001; S603: establish secure connection 70; S604: send access request 40; S605: deep analysis of message 30, obtain security policy 80, decide whether to allow access request 40; S606: forward message 30; S607: drop message 30; S608: authentication request; S609: return authentication information; S610: decide whether to allow access request 40
701: at least one memory; 702: at least one processor
Specific embodiment
As described above, because traditional industrial control systems use a closed design, it is difficult for an external network attack to threaten them. Modern industrial control systems, however, have the following weaknesses in their design, development and configuration, and cannot effectively resist network attacks such as hackers, malware and advanced persistent threats (APT).
1. The resources of the control devices in the industrial control system are limited.
The control devices in an industrial control system typically include programmable logic controllers (PLC), distributed control system (DCS) controllers, remote terminal units (RTU) and the like, and optionally also the input/output or distributed input/output interfaces of these control devices. These control devices are usually implemented as dedicated embedded systems, with limited hardware processing capability, computing capability, storage capacity, power supply and network bandwidth.
To ensure that the physical world operates normally under effective control, the control operations of the control device must first of all be executed in real time, reliably and efficiently, which leaves the control device very few resources for identification, authentication and authorization. Given cost considerations and the actual market environment, increasing development investment so that the control devices themselves provide effective access control is difficult to achieve in the short term.
2. The communication protocols were not designed with network security functions.
In an industrial control system, control commands must be communicated between devices to achieve process control. Communication protocols used for process control include, but are not limited to, OPC (Object Linking and Embedding for Process Control), PROFINET (Process Field Net), Modbus/TCP (Transmission Control Protocol), Ethernet/IP and control protocols such as PowerLink/CC. Protocols used for communication between control devices and industrial hosts include the S7Comm protocol and others. These protocols were designed without considering network security, and therefore have the following network security weaknesses:
1) No identification or authentication function. Anyone who can reach the network can access any control device or industrial host in the industrial control system and send control commands or data to the target of the attack.
2) No suitable authorization mechanism. For key operations of the control protocol, such as stopping the central processing unit (CPU), resetting industrial equipment to its factory configuration, restarting industrial equipment or upgrading firmware, there is currently no effective security control method to prevent a malicious entity from sending such control commands.
3) No session control or integrity protection mechanism, or only a simple one, so effective security control cannot be achieved. A network attack can interfere with the control process by deleting messages, duplicating (replaying) messages or inserting infected information.
4) No confidentiality protection. Control data and commands are sent in plaintext and may be eavesdropped by a network attacker.
3. Access control based on the industrial host is easily bypassed.
The industrial hosts in an industrial control system, such as the human-machine interface (HMI), engineer station (ES), operator station (OS) and server, usually run the Windows operating system. Although the Windows operating system and the industrial control application can provide access control such as login control and role-based access control (RBAC), the communication between the industrial host and the control device is usually open, with no or only very limited security protection measures, so access control based on the industrial host is easily bypassed.
In addition, the digital factory of a single customer usually contains different industrial control systems provided by different suppliers, and an industrial control system runs for a long time. In view of the above weaknesses and operating characteristics of industrial control systems and the actual conditions in digital factories, embodiments of the present invention provide an access control method and an access control gateway that meet the network security requirements of industrial control systems and provide access control, in an open communication environment, for devices and applications from different suppliers.
In embodiments of the present invention, access control in the industrial control system is implemented by a separate access control gateway, which avoids the above problem that access control implemented on the industrial host is easily bypassed, is not constrained by the limited resources of the control devices, and can apply effective access control to devices and applications from different suppliers.
The access control may be implemented on the basis of security policies, which are designed to perform identification, authentication and authorization of the user initiating the access request, so that the visitor is effectively identified and authenticated and the deficiencies in the network security design of the communication protocols used in current industrial control systems are compensated.
In addition, communication between the industrial host and the access control gateway, and between the industrial host and the control device, takes place over a secure connection that may provide integrity protection and confidentiality protection, reducing the risk that messages in the industrial control system are deleted or tampered with and effectively preventing attackers from eavesdropping.
The methods and devices provided by embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a kind of structural schematic diagram of current typical industrial control system.
As shown in Figure 1, the industrial control system 10 may include but be not limited to following equipment:
1, at least one control equipment 200
As previously mentioned, these control equipment 200 may include but be not limited to PLC, DCS controller, RTU etc..Optionally, may be used also
Input and output (Input/Output, I/O) 205A or distributed I/O 205A including these control equipment 200.Optionally, also
It may include field device (Field Device) 205B that these control equipment 200 connect.
At present, most control devices in industrial control systems are implemented on dedicated embedded systems, which may include, but are not limited to, VxWorks, embedded Linux, embedded operating systems (Embedded Operating System, EOS) and uCLinux. The hardware processing capability, computing capability, storage capacity, power supply and network bandwidth of a control device are limited. Moreover, the main design goal of a control device is to perform control operations; security functions such as access control (identification, authentication and authorization) are missing, and the devices have little resistance to tampering.
In the embodiment of the present invention, one or more control devices 200 constitute a control unit 205, which is typically used to implement one relatively independent control process, or several such processes, within the overall industrial process. Optionally, the control devices 200 of the industrial control system 10 are included in the control layer 2 of the industrial control system 10; optionally, all control devices 200 are included in the control layer 2.
2, at least one industrial host 100
The industrial hosts 100 may include various workstations and servers implemented on the basis of personal computers (Personal Computer, PC), such as the engineer station 100A, the operator station 100C and the server 100D shown in Fig. 1. The industrial hosts 100 may also include a human-machine interface (Human Machine Interface, HMI) 100B. In an industrial control system, an industrial host monitors and controls the control devices over Industrial Ethernet: for example, it reads data from the field devices (such as state parameters of the field devices read from sensors), stores the data in a historical database, and sends control commands to the control devices according to operator instructions or according to a preset control program or logic. The engineer station can additionally configure the control devices.
Optionally, in the embodiment of the present invention, the industrial hosts 100 of the industrial control system 10 are included in the supervisory layer 1 of the industrial control system 10; optionally, all industrial hosts 100 are included in the supervisory layer 1.
3, industrial control network
The industrial control network connects the control devices and the industrial hosts; in the embodiment of the present invention, it connects the control devices 200 and the industrial hosts 100. Nowadays more and more industrial control networks are implemented on the basis of Industrial Ethernet. Communication between the industrial hosts and the control devices may be based on the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) or the Internet Protocol (IP), or may be transmitted directly over Ethernet.
The industrial control network may be, but is not limited to, a star network with a router or switch as its central node, or a ring network with higher reliability.
As information and communication technology (Information and Communication Technology, ICT) is rapidly being integrated into industrial automation, industrial control systems are evolving from traditionally closed and isolated systems into open systems that make extensive use of standard information technology (Information Technology, IT) and use Ethernet/IP as the basic communication architecture. The need for security protection of the computing environment of industrial control systems is therefore becoming increasingly significant.
The development of automated manufacturing and process control technology, the wide use of IT technology, the evolution toward open systems, the growth of commercial activities such as joint ventures, cooperation and outsourcing, the growing number of smart devices, the increasing connectivity to other devices, software and even external equipment, and the growing number of network intrusions, hackers and malware all lead to ever-increasing cyber threats and a growing likelihood of network attacks. The need for security protection of industrial automation and industrial control systems is therefore increasingly urgent.
As mentioned above, because current industrial control systems did not take security protection into account in their design, the access control design is insufficient and there are significant network security vulnerabilities, and the design of traditional IT firewalls cannot solve the problems at the application layer.
In one embodiment of the present invention, an access control gateway 20 is provided that combines deep packet inspection (Deep Packet Inspection, DPI), virtual private network (Virtual Private Network, VPN), and client authentication and authorization techniques. The access control gateway 20 can provide an additional access control security function for the industrial control system 10, identifying, authenticating and authorizing users. The access control gateway 20 can serve the industrial control system 10 of a single system supplier, and it can also serve a complex industrial control system 10 that includes systems from multiple suppliers.
Fig. 2A and Fig. 2B are schematic diagrams of the connection between the access control gateway 20 and the industrial control system 10 provided by the embodiment of the present invention. In Fig. 2A, the access control gateway 20 is located between the supervisory layer 1 and the control layer 2 of the industrial control system 10. In Fig. 2B, the access control gateway 20 is located between the supervisory layer 1 and one control unit 205 of the industrial control system 10.
Fig. 3 is a schematic structural diagram of the access control system 1000 provided by the embodiment of the present invention. The access control system 1000 may include the access control gateway 20, the industrial host 100 and the remote authentication server 50.
First, the access control gateway 20 provided by the embodiment of the present invention is introduced. As shown in Fig. 3, the access control gateway 20 may include:
1, DPI engine 202
2, firewall 201
3, security policy database 203
4, remote security policy interface 204
Each of these four components is described below. When implementing the access control gateway 20, all or part of the components above may be selected according to the actual functional requirements.
1, DPI engine 202
The DPI engine 202 performs deep analysis of a message 30 that the access control gateway 20 receives from an industrial host 100 of the industrial control system 10, and parses out first sub-information related to the application layer of the message 30.
The message 30 is intended to be forwarded to at least one control device 200 of the industrial control system 10. For example, the message 30 may be sent to one control device 200, to multiple control devices 200, to one control device 200 within a control unit 205, to multiple control devices 200 within a control unit 205, or to multiple control devices 200 in multiple control units 205. The application layer protocol data unit (Protocol Data Unit, PDU) of the message 30 contains an access request 40 directed to the at least one control device 200.
The first sub-information may include:
the type of the application layer PDU of the message 30;
the operation command or function code of the access request 40;
the operation object of the access request 40 (such as a variable, an address or a register);
the data processing type of the access request 40.
Optionally, the DPI engine 202 may also request second sub-information from the industrial host 100 that sent the access request 40, for example by sending an authentication request message. The second sub-information may include the authentication information and/or the authorization information of the user who initiated the access request 40. The DPI engine 202 receives the second sub-information returned by the industrial host 100.
The DPI engine 202 may decide whether to allow the access request 40 on the basis of the first sub-information alone, or on the basis of both the first sub-information and the second sub-information. If the access request 40 is allowed, the message 30 is forwarded to the control device 200.
In addition, the DPI engine 202 may decide whether to allow the access request 40 according to at least one security policy 80. The security policies 80 are explained further in the description of the security policy database 203.
2, firewall 201
Optionally, the access control gateway 20 may also include a firewall 201. The firewall 201 receives the message 30 from the industrial host 100 and filters it at the network layer and/or the transport layer. The message 30 may be an Ethernet frame, an IP packet, or a TCP/UDP port message. The firewall 201 decides, according to its own security policy, whether the message 30 passes the filter, and sends the messages 30 that pass the filter to the DPI engine 202.
Optionally, if the DPI engine 202 decides to allow the access request 40, it instructs the firewall 201 to forward the message 30 to the control device 200, and the firewall 201 forwards the message 30 to the control device 200 according to that instruction. If the DPI engine 202 does not allow the access request 40, it may instruct the firewall 201 to reject the access request 40 or to drop the message 30.
The firewall 201 and the DPI engine 202 may be implemented separately, as shown in Fig. 3, or combined: the firewall 201 may be implemented as part of the DPI engine 202, or the DPI engine 202 may be implemented as an extension module of the firewall 201.
In addition, before receiving the message 30, the firewall 201 may establish a secure connection 70 with the industrial host 100. The secure connection 70 is used for communication between the access control gateway 20 and the industrial host 100, and optionally also for communication between the industrial host 100 and the control device 200. Technologies that may be used for the secure connection 70 include, but are not limited to, virtual private network (Virtual Private Network, VPN) technologies such as Internet Protocol Security (IPSec) and OpenVPN. The secure connection 70 secures the communication between the access control gateway 20 and the industrial host 100, and between the industrial host 100 and the control device 200, effectively preventing eavesdropping.
Optionally, the secure connection 70 is transparent to the applications on the industrial host 100, including the control application 1002, so that the control applications on the industrial host 100 do not need to be modified.
Optionally, the secure connection 70 provides integrity protection and/or confidentiality protection. For example, if confidentiality protection is not required, the integrity protection function of the secure connection 70 can be implemented using only the Authentication Header (AH) mode of IPSec; if confidentiality protection is required, the Encapsulating Security Payload (ESP) mode of IPSec is used.
Optionally, if the DPI engine 202 decides to allow the access request 40, it saves the second sub-information and reuses it, for the lifetime of the secure connection 70 or of the session, when deciding on other access requests initiated by the user of the access request 40. However, if that user initiates access to another control device 200, or to other objects of the same control device 200, the DPI engine 202 may refuse that access according to the corresponding security policy. Optionally, the user authentication process described above is executed again, requiring the authentication information and/or authorization information of a new user (or of a user with higher privileges).
3, security policy database 203
Optionally, the access control gateway 20 may include a local security policy database 203 for storing the security policies 80 for access control (such as identification, authentication and authorization). When deciding whether to allow access, the DPI engine 202 may decide according to at least one security policy 80 in the security policy database 203. The models implemented by the security policies 80 may include, but are not limited to, RBAC, mandatory access control (Mandatory Access Control) and discretionary access control (Discretionary Access Control).
Access control can be implemented as a whitelist, in which only the access requests 40 explicitly defined by the security policies 80 are allowed, or as a blacklist, in which the access requests 40 explicitly defined by the security policies 80 are not allowed.
Access control of the following different granularities can be implemented by setting different security policies 80:
Granularity one:
whether a specific user is allowed to access a specific control device 200 or a specific control unit 205.
Granularity two:
whether a specific user is allowed, at a specific time or under specific conditions, to send a specific command (message 30) to a specific control device 200 in order to perform a specific operation, such as stopping or starting the central processing unit (Central Processing Unit, CPU) of a control device 200, restarting a control device 200, restoring a control device 200 to a default setting, or updating the firmware of a control device 200.
Granularity three:
whether a specific user is allowed to configure a specific control device 200 or the applications in that control device 200.
Granularity four:
whether a specific user is allowed to access a given data object, data block, register or address space with a particular address in a control device 200.
The security policies 80 may be stored in a database, a text file, an extensible markup language (eXtensible Markup Language, XML) file, or the like.
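As an added illustration of the four policy granularities and of whitelist versus blacklist evaluation (example code written for this page, not part of the patent or of any product), the following Python implements a small security policy database in which every rule field left empty acts as a wildcard, and users are mapped to roles in the RBAC style the text mentions. The user names, roles, device and unit names, object notation and the day-shift time window are constructed sample values.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessRequest:
    """What the gateway has learned about one access request 40 (constructed fields)."""
    user: str
    device: str                      # target control device 200, e.g. "PLC-A"
    unit: str                        # control unit 205 the device belongs to
    command: Optional[str] = None    # operation command / function code name
    obj: Optional[str] = None        # data object, block, register or address
    at: Optional[time] = None        # time of day at which the request arrives


@dataclass(frozen=True)
class Rule:
    """One security policy 80 entry. An empty set means 'any'."""
    roles: FrozenSet[str]
    devices: FrozenSet[str] = frozenset()    # granularity one / three
    units: FrozenSet[str] = frozenset()      # granularity one
    commands: FrozenSet[str] = frozenset()   # granularity two / three
    objects: FrozenSet[str] = frozenset()    # granularity four ("DB1.*" = prefix match)
    not_before: Optional[time] = None        # granularity two: time condition
    not_after: Optional[time] = None

    def matches(self, roles: FrozenSet[str], req: AccessRequest) -> bool:
        if not (self.roles & roles):
            return False
        if self.devices and req.device not in self.devices:
            return False
        if self.units and req.unit not in self.units:
            return False
        if self.commands and req.command not in self.commands:
            return False
        if self.objects and not any(object_matches(p, req.obj) for p in self.objects):
            return False
        if self.not_before or self.not_after:
            if req.at is None:           # a time-conditioned rule needs a timestamp
                return False
            if self.not_before and req.at < self.not_before:
                return False
            if self.not_after and req.at > self.not_after:
                return False
        return True


def object_matches(pattern: str, obj: Optional[str]) -> bool:
    if obj is None:
        return False
    if pattern.endswith("*"):
        return obj.startswith(pattern[:-1])
    return obj == pattern


class SecurityPolicyDatabase:
    """Policy store 203: users map to roles, rules name roles (RBAC style)."""

    def __init__(self, roles: Dict[str, FrozenSet[str]], rules: List[Rule],
                 mode: str = "whitelist"):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.roles, self.rules, self.mode = roles, rules, mode

    def is_allowed(self, req: AccessRequest) -> bool:
        user_roles = self.roles.get(req.user, frozenset())   # unknown user: no roles
        hit = any(rule.matches(user_roles, req) for rule in self.rules)
        # whitelist: only explicitly defined requests pass (default deny);
        # blacklist: explicitly defined requests are refused, everything else passes.
        return hit if self.mode == "whitelist" else not hit


# Constructed sample policy (not taken from the patent).
ROLES = {"alice": frozenset({"engineer"}), "bob": frozenset({"operator"})}
RULES = [
    # operators may set up a session and read from any device of unit-1
    Rule(roles=frozenset({"operator"}), units=frozenset({"unit-1"}),
         commands=frozenset({"Setup communication", "Read Var"})),
    # operators may write only to data block 1, and only during the day shift
    Rule(roles=frozenset({"operator"}), units=frozenset({"unit-1"}),
         commands=frozenset({"Write Var"}), objects=frozenset({"DB1.*"}),
         not_before=time(6, 0), not_after=time(22, 0)),
    # engineers may configure PLC-A (download a project) and nothing else
    Rule(roles=frozenset({"engineer"}), devices=frozenset({"PLC-A"}),
         commands=frozenset({"Setup communication", "Request Download",
                             "Download Block", "Download Ended"})),
]
POLICY = SecurityPolicyDatabase(ROLES, RULES)


def evaluate(user: str, device: str, unit: str, command: Optional[str] = None,
             obj: Optional[str] = None, hour: Optional[int] = None,
             mode: str = "whitelist") -> bool:
    """Convenience wrapper: evaluate one request against the sample policy."""
    at = time(hour, 0) if hour is not None else None
    db = SecurityPolicyDatabase(ROLES, RULES, mode)
    return db.is_allowed(AccessRequest(user, device, unit, command, obj, at))
```

The whitelist mode is the one that gives default deny: an unknown user, an unknown command or a request without the timestamp a time-conditioned rule needs all fall through to refusal. In blacklist mode the same unknown user passes, which is the inherent weakness of that mode and why the rule set has to be complete for it to protect anything.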
4, remote security policy interface 204
The remote security policy interface 204 can serve two different purposes:
1) updating the local security policy database 203;
2) obtaining security policies 80 from the remote authentication server 50.
These are described separately below.
For 1)
There is a remote authentication server 50 that stores security policies 80 (for example in the security policy database 501 shown in Fig. 3) and communicates with the access control gateway 20 through a security policy interface 502 in order to update the local security policy database 203 in the access control gateway 20.
For example, when a security policy 80 is added, the remote authentication server 50 sends the new security policy 80 to the access control gateway 20 through the security policy interface 502; the remote security policy interface 204 in the access control gateway 20 receives the new security policy 80 and stores it in the security policy database 203. As another example, when a security policy 80 is modified, the remote authentication server 50 sends indication information describing the modification to the access control gateway 20 through the security policy interface 502, and the remote security policy interface 204 in the access control gateway 20 modifies that security policy 80 in the security policy database 203 according to the indication information.
For 2)
The access control gateway 20 need not have a local security policy database 203. When deciding whether to allow the access request 40, the DPI engine 202 requests at least one security policy 80 from the remote authentication server 50 through the remote security policy interface 204, and receives the at least one security policy 80 from the remote authentication server 50 through the remote security policy interface 204. Optionally, the remote security policy interface 204 queries the remote authentication server 50 for the required security policies 80 according to the authentication information and/or authorization information provided by the user.
For 1) or 2)
The access control gateway 20 can query the remote authentication server 50 for security policies 80 through the remote security policy interface 204 on the basis of a security protocol. These security protocols include, but are not limited to, Kerberos, Remote Authentication Dial In User Service (RADIUS), Privilege Management Infrastructure (PMI), and Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
Next, the industrial host 100 provided by the embodiment of the present invention is introduced. As shown in Fig. 3, the industrial host 100 may include:
1, access control agent 1001
2, control application 1002
Each of these components is described below. When implementing the industrial host 100, all or part of the components above may be selected according to the actual functional requirements.
1, access control agent 1001
The access control agent 1001 interacts with the access control gateway 20 to implement the access control function for the access request 40.
Optionally, the access control agent 1001 establishes the secure connection 70 described above with the access control gateway 20 after the industrial host 100 starts, or before the control application 1002 requests access to the control device 200. The access control agent 1001 can then send the message 30 to the control device 200 over the secure connection 70, so that the message 30 is transmitted securely and monitoring, insertion and tampering are effectively prevented.
In addition, the industrial host 100 can send the second sub-information described above, i.e. the authentication information and/or authorization information of the user who initiated the access request 40, at the request of the access control gateway 20. For example, after receiving an authentication request message from the access control gateway 20, it prompts the user in the user interface of the industrial host 100 to enter security authentication information 1003, such as the user's authentication information (for example a user identifier) and/or the user's authorization information.
The authentication information of a user may include, but is not limited to, one or more of the following:
a username and password;
a security-token-based smart card and its personal identification number (Personal Identification Number, PIN) code;
a public key infrastructure (Public Key Infrastructure, PKI) certificate;
a one-time password.
The access control agent 1001 can be implemented in software, in hardware, or in a combination of software and hardware.
2, control application 1002
The control application 1002 is an application program on the industrial host 100 that implements industrial control. The access request 40 can be issued by the control application 1002 and encapsulated in a message 30 by the network protocol.
Finally, the remote authentication server 50 provided by the embodiment of the present invention is introduced. As shown in Fig. 3, the remote authentication server 50 may include:
1, security policy database 501
2, security policy interface 502
Each of these components is described below. When implementing the remote authentication server 50, all or part of the components above may be selected according to the actual functional requirements.
1, security policy database 501
The security policy database 501 stores the security policies 80 described above.
2, security policy interface 502
Corresponding to the two different optional purposes of the remote security policy interface 204 in the access control gateway 20, the security policy interface 502 likewise has two different purposes.
1) updating the security policy database 203 in the access control gateway 20
The security policy interface 502 updates the security policy database 203 in the access control gateway 20 with the security policies 80 stored in the security policy database 501.
Optionally, when there are at least two access control gateways 20 in the industrial control system 10, the remote authentication server 50 can update the security policies 80 in all access control gateways 20 through the security policy interface 502, so that the security policies 80 in the different access control gateways 20 are consistent.
2) providing security policies 80 to the access control gateway 20
The remote authentication server 50 can provide security policies 80 to the access control gateway 20 through the security policy interface 502.
Optionally, the industrial host 100, the access control gateway 20 and the remote authentication server 50 described above constitute an access control system 1000.
Fig. 4 is a flow chart of the access control method provided by the embodiment of the present invention. As shown in Fig. 4, the method may include the following steps:
S401: the industrial host 100 establishes a secure connection 70 with the access control gateway 20.
In this step, the access control agent 1001 in the industrial host 100 establishes the secure connection 70 with the access control gateway 20 when the industrial host 100 starts, or before the control application 1002 in the industrial host 100 requests access to the control device 200. Communication between the industrial host 100 and the control device 200 then takes place over the secure connection 70.
S402: the industrial host 100 sends an access request 40, requesting access to the control device 200.
As mentioned above, the secure connection 70 can be transparent to the control application 1002: the control application 1002 communicates with the control device 200 (or the control unit 205) according to its own configuration and requests access to the control device 200, i.e. sends an access request 40 to the control device 200. Several application scenarios in which an access request 40 is sent are illustrated below.
Scenario one:
The engineer station 100A is equipped with control software for the industrial control system 10, such as STEP7 or Unity Pro, which is used to configure the control device 200. The control software sends an access request 40 to configure the control device 200.
Scenario two:
The HMI 100B, for example an HMI implemented on the basis of WinCC (Windows Control Center) or FactoryTalk, accesses the control device 200 according to its configuration, for example to read the parameters or state of the control process, to read the state of the control device 200 itself, or to display each control device 200 on the HMI 100B. The HMI 100B performs these operations by sending access requests 40 to the control device 200.
Scenario three:
The operator station 100C monitors the state and parameters of the control device 200 and of the operating process. The operator can modify the control state, the operation and the process parameters through operations on the operator station 100C, and can even send commands to the control device 200. The operations that the operator performs on the operator station 100C are carried out by the operator station 100C sending access requests 40 to the control device 200.
Scenario four:
A server 100D, for example a database server 100D, sends an access request 40 to a control device 200 to obtain production data from that control device 200.
The industrial host 100 can place the access request 40 in the message 30 as application layer payload and send it. Because the access control gateway 20 is located between the industrial host 100 and the control device 200, the message 30 cannot be sent directly to the control device 200 but is first received by the access control gateway 20.
S403: the DPI engine 202 in the access control gateway 20 performs deep analysis of the received message 30 using DPI technology and parses out the first sub-information related to the application layer of the message 30.
S404: the access control gateway 20 queries the local security policy database 203 according to the parsed first sub-information, or requests security policies 80 from the remote authentication server 50. The operation of obtaining the security policies 80 may also be performed in step S408. If the access control gateway 20 needs to obtain the authentication information and/or authorization information of the user who initiated the access request 40, step S405 is performed; otherwise step S407 is performed directly.
S405: the access control gateway 20 sends an authentication request message to the industrial host 100, requesting the authentication information and/or authorization information of the user who initiated the access request 40.
S406: after receiving the authentication request message, the industrial host 100 prompts the user to enter authentication information and/or authorization information.
S407: the industrial host 100 sends the authentication information and/or authorization information entered by the user to the access control gateway 20 over the secure connection 70 established in step S401.
SSL/TLS, the Internet Security Association and Key Management Protocol (ISAKMP) of IPSec, or other authentication protocols can be used here to guarantee the security of the entire user authentication process.
S408: the access control gateway 20 decides whether to allow the access request 40. If it is allowed, step S407 is performed; if it is not allowed, step S410 is performed.
Here the DPI engine 202 in the access control gateway 20 decides whether to allow the access request 40 according to the received user authentication information and/or authorization information and the obtained security policies 80.
S409: the access control gateway 20 forwards the message 30 to the control device 200.
S410: the access control gateway 20 drops the message 30, or notifies the industrial host 100 that the access request 40 is rejected.
Optionally, the access control gateway 20 can also interact with the remote authentication server 50 in step S411 to update the security policy database 203 of the access control gateway 20.
In the above process, because the communication between the access control gateway 20 and the access control agent 1001 uses the secure connection 70, and only authorized users are allowed to access the control device 200, it is difficult for a network attacker to illegally tamper with or replicate the operations of a legitimate user on the control device 200. In addition, the access control gateway 20 can perform fine-grained access control on the basis of DPI technology, ensuring that users can only perform authorized operations and preventing unauthorized access.
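As an added example of steps S403 to S410 together with the credential caching described for the DPI engine 202 (code written for this page, not part of the patent), the following Python models the gateway and the access control agent as two objects exchanging the authentication request and its response. The secure connection 70 is represented only by a connection identifier, the first sub-information arrives already parsed as a (device, command) pair, the policy is a constructed table of allowed pairs per user, and the user store, password and prompt callback are constructed stand-ins for the host's user interface.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Decision(Enum):
    FORWARD = "forward"        # S409: message 30 goes on to the control device 200
    DROP = "drop"              # S410: message dropped / request rejected
    NEED_AUTH = "need_auth"    # S405: gateway asks the host for the second sub-information


@dataclass(frozen=True)
class Credentials:
    """Second sub-information: the username and password entered by the user (S406)."""
    username: str
    password: str


def hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccessControlGateway:
    """Gateway 20: decides per message and caches who is authenticated per secure connection."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 policy: Dict[str, Set[Tuple[str, str]]]):
        self.users = users            # username -> (salt, pbkdf2 hash); constructed store
        self.policy = policy          # username -> allowed (device, command) pairs
        self.sessions: Dict[str, str] = {}   # secure connection id -> authenticated user

    def handle_message(self, conn_id: str, device: str, command: str) -> Decision:
        """S403/S404/S408: (device, command) is the already parsed first sub-information."""
        user = self.sessions.get(conn_id)
        if user is None:
            return Decision.NEED_AUTH                 # no cached second sub-information
        if (device, command) in self.policy.get(user, set()):
            return Decision.FORWARD
        # Policy refuses this user for this device/command. Discard the cached
        # credentials so the next request re-runs authentication (a different or
        # higher-privileged user may then log in) and reject this message.
        self.sessions.pop(conn_id, None)
        return Decision.DROP

    def handle_auth_response(self, conn_id: str, creds: Credentials) -> bool:
        """S407 arrives over the secure connection: verify, then cache the user."""
        record = self.users.get(creds.username)
        if record is None:
            return False
        salt, expected = record
        if not hmac.compare_digest(hash_password(salt, creds.password), expected):
            return False
        self.sessions[conn_id] = creds.username
        return True


class AccessControlAgent:
    """Agent 1001 on the industrial host: relays the request, prompts the user when asked."""

    def __init__(self, conn_id: str, gateway: AccessControlGateway,
                 prompt_user: Callable[[], Credentials]):
        self.conn_id, self.gateway, self.prompt_user = conn_id, gateway, prompt_user

    def send_request(self, device: str, command: str) -> Decision:
        decision = self.gateway.handle_message(self.conn_id, device, command)
        if decision is Decision.NEED_AUTH:
            creds = self.prompt_user()                     # S406: UI prompt on the host
            if not self.gateway.handle_auth_response(self.conn_id, creds):
                return Decision.DROP                       # bad credentials: rejected
            decision = self.gateway.handle_message(self.conn_id, device, command)
        return decision


def run_scenario() -> Tuple[List[Decision], int]:
    """Constructed walk-through; returns the per-request decisions and the prompt count."""
    salt = os.urandom(16)
    users = {"operator1": (salt, hash_password(salt, "demo-pass"))}
    policy = {"operator1": {("PLC-A", "Setup communication"), ("PLC-A", "Read Var")}}
    gateway = AccessControlGateway(users, policy)
    prompts = 0

    def prompt() -> Credentials:
        nonlocal prompts
        prompts += 1
        return Credentials("operator1", "demo-pass")

    agent = AccessControlAgent("vpn-conn-1", gateway, prompt)
    decisions = [
        agent.send_request("PLC-A", "Setup communication"),  # prompts once, then forwarded
        agent.send_request("PLC-A", "Read Var"),             # cached credentials reused
        agent.send_request("PLC-A", "Write Var"),            # not authorized: dropped
        agent.send_request("PLC-A", "Read Var"),             # cache was cleared: prompts again
    ]
    return decisions, prompts
```

The cache is keyed by the secure connection, so the second sub-information is never trusted beyond the VPN session in which it was supplied, and a refused request clears it, which is the conservative reading of the re-authentication option in the text.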
In the following, the access control scheme provided by the embodiment of the present invention is illustrated with a specific example. In this example:
1, the industrial control system 10 is implemented on the basis of SIMATIC. In this industrial control system 10, there are two typical ways in which an industrial host 100 accesses a control device 200:
1) an engineer uses SIMATIC STEP7 installed on the engineer station 100A to configure the SIMATIC S7 PLC 200 at the control site;
2) an operator uses SIMATIC WinCC configured on the operator station HMI 100B to monitor the state parameters of the SIMATIC S7 PLC 200 at the control site, to modify the control process or the state parameters of the PLC 200, and to send control commands to the PLC 200.
2, according to the communication protocol used between the industrial host 100 and the PLC 200, the PLCs 200 fall into two types:
1) for the S7 200, S7 300 and S7 400 series, the proprietary communication protocol between the control application (traditional STEP7 and WinCC) and the PLC 200 is S7Comm;
2) for the S7 1200 and S7 1500 series, the proprietary communication protocol between the control application (STEP7 and WinCC of the TIA portal) and the PLC 200 is OMS+.
Accordingly, this example mainly illustrates two configurations:
1) the applications on the industrial host 100 are traditional SIMATIC STEP7 and WinCC, and the PLCs 200 at the control site are of the S7 200, S7 300 and S7 400 series;
2) the applications on the industrial host 100 are SIMATIC STEP7 and WinCC of the TIA portal, and the PLCs at the control site are of the S7 1200 and S7 1500 series.
S7Comm communicates over TCP port 102; its application layer protocol is encapsulated in the ISO (International Organization for Standardization) transport service on top of TCP (Transport Service on top of the TCP, TPKT) protocol and the Connection-Oriented Transport Protocol (COTP).
Fig. 5 is a flow chart of a typical process by which an industrial host accesses a control device in a current industrial control system. In this process, the S7Comm protocol interaction between the control application and the PLC is as follows:
S501: the control application 500A in the operator station establishes a TCP connection to TCP port 102 of the PLC 500B using the standard TCP three-way handshake.
S502: the control application 500A requests a connection using a COTP Connect Request message encapsulated in TPKT.
S503: on receiving the connection request, the S7 PLC 500B replies with a COTP Connect Confirm message to establish the COTP connection.
S504: the control application 500A requests the establishment of a communication connection at the application layer using an S7Comm Setup Communication PDU encapsulated in COTP.
S505: the PLC 500B confirms that the connection has been established using an S7Comm Setup Communication PDU of type Ack.
S506: the control application 500A in the operator station accesses parameters on the PLC 500B with S7Comm commands such as List of Blocks and Read/Write Var; alternatively, the control application 500A on the engineer station downloads configuration parameters to the PLC 500B with S7Comm commands such as Request Download and Download Block.
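As an added example (written for this page; not code from the patent or from the PLC vendor), the following Python shows the kind of parsing the DPI engine 202 has to do on TCP port 102 to obtain the first sub-information from an S7Comm message 30: it walks the TPKT and COTP headers, reads the S7Comm header and function code, and, for Read/Write Var, decodes the addressed data object. The header layouts follow the publicly documented S7Comm format; the three sample frames are assembled by hand for this example (a COTP Connect Request, a Setup Communication job and a one-item Read Var job against data block 1) and are not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

COTP_CONNECT_REQUEST, COTP_CONNECT_CONFIRM, COTP_DATA = 0xE0, 0xD0, 0xF0
S7_PROTOCOL_ID = 0x32
S7_ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack_Data", 0x07: "Userdata"}
S7_FUNCTIONS = {
    0xF0: "Setup communication", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request Download", 0x1B: "Download Block", 0x1C: "Download Ended",
    0x1D: "Start Upload", 0x1E: "Upload", 0x1F: "End Upload",
    0x28: "PLC Control", 0x29: "PLC Stop",
}
S7_AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB", 0x1C: "C", 0x1D: "T"}


class ParseError(ValueError):
    """Malformed input: a whitelist gateway drops such a message rather than guessing."""


@dataclass(frozen=True)
class FirstSubInfo:
    pdu_type: str                      # type of the application layer PDU
    function: Optional[str] = None     # operation command / function code
    objects: Tuple[str, ...] = ()      # operation objects (variables, addresses)


def parse_tpkt(frame: bytes) -> bytes:
    """TPKT: version 3, reserved byte, 16-bit total length; returns the COTP TPDU."""
    if len(frame) < 4 or frame[0] != 0x03:
        raise ParseError("not a TPKT frame")
    (length,) = struct.unpack("!H", frame[2:4])
    if length != len(frame):
        raise ParseError("TPKT length does not match frame length")
    return frame[4:]


def parse_cotp(tpdu: bytes) -> Tuple[int, bytes]:
    """COTP: length indicator (bytes that follow it), then PDU type; returns (type, payload)."""
    if len(tpdu) < 2 or len(tpdu) < tpdu[0] + 1:
        raise ParseError("truncated COTP header")
    return tpdu[1], tpdu[1 + tpdu[0]:]


def parse_s7any_items(param: bytes, count: int) -> Tuple[str, ...]:
    """Decode the S7ANY address items of a Read/Write Var parameter block."""
    objects, offset = [], 2                       # skip function code and item count
    for _ in range(count):
        if len(param) < offset + 2 or param[offset] != 0x12:
            raise ParseError("bad variable specification")
        item_len = param[offset + 1]
        item = param[offset + 2: offset + 2 + item_len]
        if len(item) < 10:
            raise ParseError("truncated S7ANY item")
        syntax_id, _tsize, _count, db, area = struct.unpack("!BBHHB", item[:7])
        if syntax_id != 0x10:
            raise ParseError("unsupported addressing syntax")
        addr = int.from_bytes(item[7:10], "big")      # 3-byte bit address
        byte_addr, bit = addr >> 3, addr & 0x7
        if area == 0x84:
            objects.append(f"DB{db}.{byte_addr}.{bit}")
        else:
            objects.append(f"{S7_AREAS.get(area, f'area0x{area:02X}')}{byte_addr}.{bit}")
        offset += 2 + item_len
    return tuple(objects)


def extract_first_sub_info(frame: bytes) -> FirstSubInfo:
    """What the DPI engine reports about one message 30 carried on TCP port 102."""
    cotp_type, payload = parse_cotp(parse_tpkt(frame))
    if cotp_type == COTP_CONNECT_REQUEST:
        return FirstSubInfo("COTP Connect Request")
    if cotp_type == COTP_CONNECT_CONFIRM:
        return FirstSubInfo("COTP Connect Confirm")
    if cotp_type != COTP_DATA:
        raise ParseError(f"unexpected COTP PDU type 0x{cotp_type:02X}")
    if len(payload) < 10 or payload[0] != S7_PROTOCOL_ID:
        raise ParseError("COTP data does not carry S7Comm")
    rosctr = payload[1]
    param_len, _data_len = struct.unpack("!HH", payload[6:10])
    header_len = 12 if rosctr == 0x03 else 10       # Ack_Data adds error class/code
    param = payload[header_len: header_len + param_len]
    if len(param) != param_len:
        raise ParseError("truncated S7Comm parameter block")
    pdu_type = "S7Comm " + S7_ROSCTR.get(rosctr, f"0x{rosctr:02X}")
    if rosctr == 0x07 or not param:
        return FirstSubInfo(pdu_type)               # Userdata subfunctions not decoded here
    function = S7_FUNCTIONS.get(param[0], f"unknown 0x{param[0]:02X}")
    objects: Tuple[str, ...] = ()
    if rosctr == 0x01 and param[0] in (0x04, 0x05) and len(param) >= 2:
        objects = parse_s7any_items(param, param[1])
    return FirstSubInfo(pdu_type, function, objects)


# Constructed sample frames (hand-assembled for this example, not captured traffic).
COTP_CR_FRAME = bytes.fromhex("03000016" "11e000000001" "00c0010ac1020100c2020102")
SETUP_COMM_FRAME = bytes.fromhex("03000019" "02f080" "32010000000100080000" "f0000001000101e0")
READ_VAR_FRAME = bytes.fromhex("0300001f" "02f080" "320100000002000e0000"
                               "0401" "120a10020001000184000000")
```

The function name and object list this returns are exactly the fields the security policies 80 are matched against (the command of granularity two and three, the data object of granularity four); every length check raises ParseError, because a frame the engine cannot fully account for must not be forwarded on the strength of a partial parse.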
Fig. 6 is a flow chart of the process by which an industrial host accesses a control device in an industrial control system according to the embodiment of the present invention. As shown in Fig. 6, the process may include the following steps:
S601: the access control gateway 20 is deployed between the industrial hosts 100 in the supervisory layer 1 (such as the STEP7 engineer station or the WinCC operator station) and the control devices 200 in the control layer 2 (such as the S7 PLCs).
S602: the access control agent 1001 is installed on the industrial host 100; the access control agent 1001 may be a service running on the industrial host 100 that is resident in memory.
S603: after the industrial host 100 starts, the access control agent 1001 uses SSL/TLS based on OpenVPN to authenticate with the access control gateway 20 (one-way or mutual authentication) and to exchange security-related parameters and keys, establishing the secure connection 70 between the industrial host 100 and the access control gateway 20.
S604: when engineer using STEP7 engineer station configure S7 PLC, or when operator use WinCC operator
Stand monitoring S7 PLC when, use secure connection 70 as the STEP7 engineer station of industrial host 100 or WinCC operator station
Access request 40 is sent, wherein the access request 40 is included in message 30 as application layer load.
S605: after receiving message 30, access control gateway 20 performs depth analysis on message 30 (for example, by means of the DPI engine 202 described above), parses the application-layer payload and obtains the first sub-information described above. Based on the first sub-information and at least one security policy 80, DPI engine 202 can judge the following kinds of access request 40:
a TCP connection request (SYN);
a COTP connection request;
an S7Comm setup-communication request.
Based on the obtained first sub-information, access control gateway 20 determines the initiator of access request 40 (for example, a specific engineer), the operation to be performed (for example, stopping a CPU) and the object of the operation (for example, a CPU on the S7 PLC). Access control gateway 20 can query local security policy database 203, or query remote authentication server 50 using the Kerberos authentication protocol, to obtain security policy 80.
Based on the at least one security policy 80 obtained, access control gateway 20 decides whether to allow access request 40. If access request 40 is allowed, step S606 is executed; if it is not allowed, step S607 is executed; if the user must be authenticated, step S608 is executed.
S606: access control gateway 20 forwards message 30 to control device 200, i.e. the S7 PLC in this example.
S607: access control gateway 20 drops message 30 and may optionally notify industrial host 100 that access request 40 has been rejected.
S608: access control gateway 20 sends an authentication request message to industrial host 100.
S609: after receiving the authentication request message, industrial host 100 can prompt the user, in its own user interface, to enter a username and password (the security authentication information 1003 described above), and returns the username and password entered by the user to access control gateway 20 over secure connection 70.
S610: after receiving the username and password, access control gateway 20 decides, based on the security policy 80 found in step S605, whether to allow access request 40. If allowed, step S606 is executed; otherwise, step S607 is executed.
Optionally, the security policy 80 obtained in step S605 can be used to decide whether the user's security authentication information needs to be obtained through steps S608 and S609, and a security policy 80 obtained in step S610 can be used to decide, based on the user's security authentication information, whether to allow access request 40.
In another optional implementation, the security policy 80 obtained in step S605 can be used both to decide whether the user's security authentication information needs to be obtained and to decide, based on that information, whether to allow access request 40; in that case security policy 80 need not be obtained again in step S610.
After the secure connection 70 described above has been established between industrial host 100 and control device 200 (the S7 PLC in this example), industrial host 100 may send at least two messages to control device 200 during the above process. For example, the WinCC operator station can send S7Comm messages to read or write data of the S7 PLC, execute function blocks, and so on. As another example, the STEP7 engineer station can initiate S7Comm requests to download a control program to the S7 PLC, or to order the S7 PLC to upload a control program to the STEP7 engineer station.
Access control gateway 20 provided by embodiments of the present invention can use the above method to perform depth analysis on these messages (if required, after first classifying the message by type), and obtain the key information in the message, i.e. the first sub-information described above.
In this example, access control gateway 20 can use an RBAC model for access control: based on security policy 80 in local security policy database 203, or security policy 80 obtained from remote authentication server 50, it decides whether to allow access request 40 according to information such as the access type of access request 40 and the object being accessed. For example, it looks up the role the user belongs to and checks whether the operation the user wants to perform on the accessed object is one permitted for that role.
According to the RBAC-based security policy, if the role the user belongs to is not permitted to perform the operation, access request 40 is rejected; if the role is permitted, access control gateway 20 can forward access request 40 to the requested S7 PLC.
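The decision path of steps S605 to S610 and the RBAC check above, as an added example that is not the patent's own code: a parser that extracts the first sub-information (PDU type, function code, operation object) from an S7Comm PDU, and a policy evaluator that returns allow, deny, or "authenticate first". The S7Comm field layout follows the naming used by the Wireshark s7comm dissector and is an assumption; the hosts, roles, users and PDUs are constructed test data.

```python
"""Added example (not the patent's own code): a minimal model of the gateway's
decision path S605-S610 plus the RBAC check, run over constructed S7Comm PDUs."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum

# S7Comm header fields and function codes as named by the Wireshark s7comm
# dissector; treated here as an assumption, not an official specification.
ROSCTR_NAMES = {1: "job", 2: "ack", 3: "ack_data", 7: "userdata"}
FUNCTION_NAMES = {0x04: "read_var", 0x05: "write_var", 0xF0: "setup_communication",
                  0x1A: "request_download", 0x1B: "download_block",
                  0x1D: "start_upload", 0x28: "plc_control", 0x29: "plc_stop"}


@dataclass(frozen=True)
class FirstSubInfo:
    """The 'first sub-information': PDU type, function code, operation object."""
    pdu_type: str
    function: str
    operation_object: str


def build_job_pdu(function: int, params: bytes = b"", data: bytes = b"") -> bytes:
    """Construct a Job PDU as test input: 10-byte header + parameter block + data."""
    param = bytes([function]) + params
    # protocol id 0x32, ROSCTR=1 (Job), redundancy id, PDU reference, two lengths
    header = struct.pack(">BBHHHH", 0x32, 1, 0, 1, len(param), len(data))
    return header + param + data


def parse_first_sub_info(payload: bytes, target_object: str) -> FirstSubInfo:
    """Depth analysis (S605): read the application-layer header and function code."""
    if len(payload) < 10 or payload[0] != 0x32:
        raise ValueError("not an S7Comm PDU")
    rosctr = payload[1]
    param_len, data_len = struct.unpack(">HH", payload[6:10])
    header_len = 12 if rosctr in (2, 3) else 10   # Ack PDUs carry 2 error bytes
    if param_len == 0 or len(payload) != header_len + param_len + data_len:
        raise ValueError("PDU length fields do not match the payload")
    function = FUNCTION_NAMES.get(payload[header_len], "unknown")
    # CPU control commands act on the CPU itself; variable and block commands act
    # on the object the gateway resolved for this connection (e.g. a data block).
    obj = "cpu" if function in ("plc_control", "plc_stop") else target_object
    return FirstSubInfo(ROSCTR_NAMES.get(rosctr, "unknown"), function, obj)


class Decision(Enum):
    ALLOW = "allow"                 # S606: forward the message
    DENY = "deny"                   # S607: drop the message
    AUTHENTICATE = "authenticate"   # S608: ask the host for username/password


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class SecurityPolicy:
    """Security policy 80 in RBAC form. Every value used below is constructed."""
    role_permissions: dict   # role -> {(function, operation_object), ...}
    auth_required: set       # functions that need the second sub-information
    host_roles: dict         # industrial host -> role assumed without a login
    users: dict              # username -> (sha256 hex of password, role)

    def evaluate(self, info: FirstSubInfo, host: str, credentials=None) -> Decision:
        if info.pdu_type != "job" or info.function == "unknown":
            return Decision.DENY          # only well-formed requests may cross
        if info.function in self.auth_required and credentials is None:
            return Decision.AUTHENTICATE  # S605 -> S608
        if credentials is not None:       # S610: verify the second sub-information
            username, password = credentials
            record = self.users.get(username)
            if record is None or not hmac.compare_digest(record[0], _digest(password)):
                return Decision.DENY
            role = record[1]
        else:
            role = self.host_roles.get(host)
        allowed = self.role_permissions.get(role, set())
        if (info.function, info.operation_object) in allowed:
            return Decision.ALLOW
        return Decision.DENY


POLICY = SecurityPolicy(
    role_permissions={
        "operator": {("read_var", "db1"), ("write_var", "db1")},
        "engineer": {("read_var", "db1"), ("write_var", "db1"),
                     ("request_download", "plc1"), ("download_block", "plc1"),
                     ("plc_control", "cpu"), ("plc_stop", "cpu")},
    },
    auth_required={"request_download", "download_block", "plc_control", "plc_stop"},
    host_roles={"wincc-operator-station": "operator",
                "step7-engineer-station": "engineer"},
    users={"alice": (_digest("example-engineer-pw"), "engineer"),
           "bob": (_digest("example-operator-pw"), "operator")},
)


def gateway_decide(payload: bytes, host: str, target_object: str,
                   credentials=None, policy: SecurityPolicy = POLICY) -> Decision:
    """One pass of the gateway through S605-S610 for a message from a host."""
    try:
        info = parse_first_sub_info(payload, target_object)
    except ValueError:
        return Decision.DENY              # malformed payload: drop, never forward
    return policy.evaluate(info, host, credentials)
```

A malformed or non-Job PDU is dropped rather than forwarded, matching step S607 for anything the DPI engine cannot classify.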
Fig. 7 is a schematic structural diagram of an access control apparatus provided by an embodiment of the present invention. The access control apparatus can be the access control gateway 20, the industrial host 100 or the remote authentication server 50 described above. As shown in Fig. 7, the access control apparatus may include at least one memory 701 for storing machine-readable code, and at least one processor 702 for invoking the machine-readable code to execute any access control method provided by the embodiments of the present invention.
Embodiments of the present invention also provide a machine-readable medium storing machine-readable instructions which, when executed by a processor, cause the processor to perform any of the methods described above. Specifically, a system or apparatus equipped with a machine-readable medium can be provided, on which software program code implementing the functions of any of the above embodiments is stored, and the computer or processor of the system or apparatus reads and executes the machine-readable instructions stored in the machine-readable medium.
In this case, the program code itself read from the machine-readable medium can implement the functions of any of the above embodiments, so the machine-readable code and the machine-readable medium storing it form part of the present invention.
Embodiments of the machine-readable medium include floppy disks, hard disks, magneto-optical disks, optical discs (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), tapes, non-volatile memory cards and ROM. Optionally, the program code can be downloaded from a server computer or from the cloud over a communication network.
It should be noted that not all steps and modules in the processes and system structure diagrams above are necessary; some steps or modules can be omitted according to actual needs. The order in which the steps are executed is not fixed and can be adjusted as required. The system structures described in the above embodiments can be physical structures or logical structures; that is, some modules may be implemented by the same physical entity, some modules may be implemented by several physical entities, or modules may be implemented jointly by components in several independent devices.
In the above embodiments, hardware units can be implemented mechanically or electrically. For example, a hardware unit may include permanent dedicated circuits or logic (such as a dedicated processor, an FPGA or an ASIC) to complete the corresponding operations. A hardware unit can also include programmable logic or circuits (such as a general-purpose processor or another programmable processor) that are temporarily configured by software to complete the corresponding operations. The specific implementation (a mechanical approach, a dedicated permanent circuit, or a temporarily configured circuit) can be determined based on cost and time considerations.
The present invention has been shown and described in detail above with reference to the drawings and preferred embodiments, but the invention is not limited to the embodiments disclosed. On the basis of the embodiments above, those skilled in the art will recognize that the means in the different embodiments above can be combined to obtain further embodiments of the present invention, and those embodiments also fall within the scope of protection of the present invention.
In summary, embodiments of the present invention provide an access control method, apparatus and system. An access control gateway can be deployed between an industrial host and a control device in an industrial control system to control access requests from the industrial host to the control device, solving the problem that current control devices have no or weak security protection capability, and improving the network security of the industrial control system.
With the solution provided by embodiments of the present invention, effective security protection of the industrial control system can be achieved without modifying the control devices in the current industrial control system and without modifying the control applications and control protocols in the current industrial control system.
The access control gateway can perform depth analysis on a message from an industrial host and parse out the key application-layer information of the message, such as the type of the application-layer PDU and the operation command, function code, operation object and data processing type of the access request contained in the application-layer payload, and decide from this information whether to allow the access request. Optionally, the access control gateway can further obtain the user's authentication information from the industrial host according to the security policy, and decide whether to allow the access request based on the authentication information together with the key information obtained by depth analysis. Compared with a traditional firewall, which can only filter at the IP layer and/or transport layer, embodiments of the present invention parse application-layer information, so the granularity of security protection is finer, richer security policies can be realized, and the protection is more effective.
Moreover, because the mechanism implementing access control in the solution provided by embodiments of the present invention does not depend on a specific control protocol or control application, performs depth analysis on standard network messages, and is based on security policies independent of any control protocol or application, it can provide security protection for industrial control systems and control devices supplied by different vendors.
Current industrial hosts can be adapted by deploying an access control agent on the industrial host to cooperate with the access control gateway in implementing access control, for example by providing the user's authentication information. The access control agent can establish a secure connection between the industrial host and the access control gateway, and between the industrial host and the control device, so that communication over it is more secure without changing the current communication protocol, effectively preventing the communication from being eavesdropped on or tampered with.
The remote authentication server can provide security policies to the access control gateway for use when the access control gateway judges whether to allow an access request. Optionally, the remote authentication server can also synchronize the security policies of at least two industrial hosts, to ensure that the security policies of the industrial hosts are consistent.
In embodiments of the present invention, the access control gateway, optionally together with the industrial host and the remote authentication server, can form an access control system that can be integrated into an industrial control system and implemented as the access control mechanism of the industrial control system.
Claims (21)
1. An access control gateway (20) of an industrial control system (10), characterized by comprising a deep packet inspection (DPI) engine (202) configured to:
perform depth analysis on a message (30) to obtain first sub-information relevant to the application layer of the message (30), wherein the message (30) is received by the access control gateway (20) from an industrial host (100) in the industrial control system (10) and is to be forwarded to at least one control device (200) in the industrial control system (10), and an application-layer protocol data unit (PDU) in the message (30) includes an access request (40) to the at least one control device (200);
decide, based on first information, whether to allow the access request (40), wherein the first information includes the first sub-information;
if allowed, forward the message (30) to the control device (200).
2. The access control gateway (20) of claim 1, characterized in that the first sub-information includes at least one of the following:
the type of the application-layer PDU of the message (30);
the operation command or function code of the access request (40);
the operation object of the access request (40);
the data processing type of the access request (40).
3. The access control gateway (20) of claim 1 or 2, characterized in that:
the first information further includes second sub-information, and the second sub-information includes at least one of the following:
the authentication information of the user initiating the access request (40);
the DPI engine (202) is further configured to: before deciding whether to allow the access request (40), request the second sub-information from the industrial host (100) and receive the second sub-information returned by the industrial host (100).
4. The access control gateway (20) of any one of claims 1 to 3, characterized in that, when deciding whether to allow the access request (40), the DPI engine (202) is specifically configured to:
decide whether to allow the access request (40) according to at least one security policy (80), wherein the at least one security policy (80) is used for identification, authentication and authorization of the user initiating the access request (40).
5. The access control gateway (20) of claim 4, characterized in that the access control gateway (20) further comprises:
a security policy database (203) for storing the at least one security policy (80), and
a remote security policy interface (204) for obtaining the updated at least one security policy (80) from a remote authentication server (50) and updating the security policy database (203) according to the updated at least one security policy (80).
6. The access control gateway (20) of any one of claims 1 to 5, characterized in that the access control gateway (20) further comprises a firewall (201) configured to:
establish a secure connection (70) with the industrial host (100), the secure connection (70) being used for secure communication between the access control gateway (20) and the industrial host (100);
receive the message (30) from the industrial host (100) over the secure connection (70).
7. The access control gateway (20) of any one of claims 1 to 6, characterized in that:
the access control gateway (20) is located between a supervisory layer (1) and a control layer (2) in the industrial control system (10), wherein the supervisory layer (1) includes the industrial hosts in the industrial control system (10) and the control layer (2) includes the control devices in the industrial control system (10); or
the access control gateway (20) is located between the supervisory layer (1) and a control unit (205) in the industrial control system (10), wherein the control unit (205) includes the control device (200).
8. An industrial host (100) in an industrial control system (10), characterized by comprising an access control agent (1001) configured to:
establish a secure connection (70) with an access control gateway (20) of the industrial control system (10), the secure connection (70) being used for secure communication with the access control gateway (20), wherein the access control gateway (20) is used to control access for an access request (40) sent by the industrial host (100) to a control device (200) in the industrial control system (10);
send a message (30) to the control device (200) over the secure connection (70), wherein an application-layer protocol data unit (PDU) in the message (30) includes the access request (40).
9. A remote authentication server (50), characterized by comprising:
a security policy database (501) for storing at least one security policy (80), the at least one security policy (80) being used to judge whether an access request (40) by an industrial host (100) in an industrial control system (10) to access a control device (200) in the industrial control system (10) is allowed;
a security policy interface (502) configured to:
update a security policy database (203) in an access control gateway (20) in the industrial control system (10) using the at least one security policy (80) stored in the security policy database (401), or
provide the at least one security policy (80) to the access control gateway (20).
10. An access control system (1000) of an industrial control system (10), characterized by comprising:
an industrial host (101) in the industrial control system (10), for sending a message (30) to at least one control device (200) in the industrial control system (10), wherein an application-layer protocol data unit (PDU) in the message (30) includes an access request (40) to the at least one control device (200);
an access control gateway (20), for performing depth analysis on the message (30) to obtain first sub-information relevant to the application layer of the message (30), deciding whether to allow the access request (40) based on first information, wherein the first information includes the first sub-information, and, if allowed, forwarding the message (30) to the control device (200).
11. An access control method of an industrial control system (10), characterized by comprising:
an access control gateway (20) of the industrial control system (10) performing depth analysis on a message (30) to obtain first sub-information relevant to the application layer of the message (30), wherein the message (30) is received by the access control gateway (20) from an industrial host (100) in the industrial control system (10) and is to be forwarded to at least one control device (200) in the industrial control system (10), and an application-layer protocol data unit (PDU) in the message (30) includes an access request (40) to the at least one control device (200);
the access control gateway (20) deciding, based on first information, whether to allow the access request (40), wherein the first information includes the first sub-information;
if allowed, the access control gateway (20) forwarding the message (30) to the control device (200).
12. The method of claim 11, characterized in that the first sub-information includes at least one of the following:
the type of the application-layer PDU of the message (30);
the operation command or function code of the access request (40);
the operation object of the access request (40);
the data processing type of the access request (40).
13. The method of claim 11 or 12, characterized in that:
the first information further includes second sub-information, and the second sub-information includes at least one of the following:
the authentication information of the user initiating the access request (40);
before the access control gateway (20) decides whether to allow the access request (40), the method further comprises: the access control gateway (20) requesting the second sub-information from the industrial host (100) and receiving the second sub-information returned by the industrial host (100).
14. The method of any one of claims 11 to 13, characterized in that the access control gateway (20) deciding whether to allow the access request (40) comprises:
the access control gateway (20) deciding whether to allow the access request (40) according to at least one security policy (80), wherein the at least one security policy (80) is used for identification, authentication and authorization of the user initiating the access request (40).
15. The method of claim 14, characterized in that the at least one security policy (80) is stored in a security policy database (203) of the access control gateway (20), and the method further comprises: the access control gateway (20) obtaining the updated at least one security policy (80) from a remote authentication server (50) and updating the security policy database (203) according to the updated at least one security policy (80).
16. The method of any one of claims 11 to 15, characterized in that, before the access control gateway (20) performs depth analysis on the message (30), the method further comprises:
the access control gateway (20) and the industrial host (100) establishing a secure connection (70), the secure connection (70) being used for secure communication between the access control gateway (20) and the industrial host (100);
the access control gateway (20) receiving the message (30) from the industrial host (100) over the secure connection (70).
17. The method of any one of claims 11 to 16, characterized in that:
the access control gateway (20) is located between a supervisory layer (1) and a control layer (2) in the industrial control system (10), wherein the supervisory layer (1) includes the industrial hosts in the industrial control system (10) and the control layer (2) includes the control devices in the industrial control system (10); or
the access control gateway (20) is located between the supervisory layer (1) and a control unit (205) in the industrial control system (10), wherein the control unit (205) includes the control device (200).
18. An access control method of an industrial control system (10), characterized by comprising:
an industrial host (100) in the industrial control system (10) and an access control gateway (20) of the industrial control system (10) establishing a secure connection (70), the secure connection (70) being used for secure communication between the industrial host (100) and the access control gateway (20), wherein the access control gateway (20) is used to control access for an access request (40) sent by the industrial host (100) to a control device (200) in the industrial control system (10);
the industrial host (100) sending a message (30) to the control device (200) over the secure connection (70), wherein an application-layer protocol data unit (PDU) in the message (30) includes the access request (40).
19. An access control method of an industrial control system (10), characterized by comprising:
a remote authentication server (50) of the industrial control system (10) storing at least one security policy (80), the at least one security policy (80) being used to judge whether an access request (40) by an industrial host (100) in the industrial control system (10) to access a control device (200) in the industrial control system (10) is allowed;
the remote authentication server (50) updating a security policy database (203) in an access control gateway (20) in the industrial control system (10) using the stored at least one security policy (80), or
the remote authentication server (50) providing the at least one security policy (80) to the access control gateway (20).
20. An access control apparatus of an industrial control system (10), characterized by comprising:
at least one memory (701) for storing machine-readable code;
at least one processor (702) for invoking the machine-readable code to execute the method of any one of claims 11 to 19.
21. A machine-readable medium storing machine-readable code, characterized in that, when invoked by a processor, the machine-readable code executes the method of any one of claims 11 to 19.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710400324.8A CN108989265A (en) | 2017-05-31 | 2017-05-31 | access control method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108989265A true CN108989265A (en) | 2018-12-11 |
Family
ID=64502066
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710400324.8A Pending CN108989265A (en) | 2017-05-31 | 2017-05-31 | access control method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108989265A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181211 |