CN109756483A - A security protection method for the MELSEC protocol - Google Patents

A security protection method for the MELSEC protocol

Info

Publication number
CN109756483A
Authority
CN (China)
Prior art keywords
data, request, safety, agreement, access
Legal status
Granted
Application number
CN201811514480.8A
Other languages
Chinese (zh)
Other versions
CN109756483B (en)
Inventors
陈玉华
冯全宝
王春霞
Current Assignee
Hangzhou Huawei Xin'an Technology Co Ltd
Original Assignee
Hangzhou Huawei Xin'an Technology Co Ltd
Application filed by Hangzhou Huawei Xin'an Technology Co Ltd
Priority to CN201811514480.8A
Publication of CN109756483A
Application granted
Publication of CN109756483B
Current legal status
Active

Landscapes

  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a security protection method for the MELSEC protocol. It filters access objects against preset rules, extracts the value of the control object carried in a control operation and compares it with the corresponding permitted range for that control value, performs deep protocol analysis, and filters using preset rules. By introducing TCP/UDP-layer protocol filtering and external-device IP address filtering, the invention effectively prevents unauthorized access by unauthorized external devices and thereby ensures the security of the user network. The integrity check of MC protocol frames in this embodiment effectively prevents the situation in which non-MC protocol messages keep initiating communication requests to the system device and degrade system performance. By monitoring the packets of an MC protocol session, the invention can effectively prevent unauthorized access by unauthorized external devices, intercept disguised information and illegal access instructions, and also block the writing of illegal values, ensuring the safety of the production site.

Description

A security protection method for the MELSEC protocol
Technical field
The invention belongs to the field of data security, and in particular relates to a security protection method for the MELSEC protocol.
Background technique
With the rapid development of the deep integration of informatization and industrialization, industrial control systems increasingly use standard, open communication protocols, and the security risks present in those protocols have become increasingly prominent. The MELSEC protocol (MC protocol), as an industrial Ethernet protocol, provides an open, unified standard interface for field devices and automation applications, and has been widely adopted in the control field. As the MELSEC protocol (MC protocol) is widely used, its security problems are also receiving more and more attention.
In the prior art, security protection for the MELSEC protocol (MC protocol) does not protect against illegal external devices accessing the programmable controller. When an illegal external device accesses the programmable controller, it may affect field devices, in serious cases crash the system, and cause a production safety accident. Patent application publication No. CN105245555A discloses a communication protocol security protection system for electric-power serial servers. It provides a protocol-data security protection system at the serial-to-Ethernet and Ethernet-to-serial protocol conversion layers, so that all protocol data and access requests sent to the network port and the serial port pass through the security authentication and detection of this system. The system consists of three parts: a communication protocol data parsing, restoration and formatting module; a protocol data analysis and inspection system; and a communication protocol data business-model security policy definition system. That invention addresses the drawback that existing electric-power serial servers provide no communications-protocol-layer security protection for the electric-power industrial control devices connected to them, by adding a protective layer for the power communication service protocol in the protocol conversion layer of the serial server software control system, to prevent attackers from using illegal instructions and data to perform illegal operations on, and attacks against, the electric control devices connected to the serial server.
Furthermore, the prior art does not perform deep analysis of protocol data, so critical events initiated by external devices, such as write operations to and resets of field devices, are not monitored. Some illegal external devices can therefore reset field devices or write abnormal values to them, deliberately changing the operating state of the devices, causing abnormal operation of field devices and even serious safety accidents.
Summary of the invention
The purpose of the present invention is to provide a security protection method for the MELSEC protocol (the MELSEC protocol being the MC protocol) that overcomes the above technical problems. The method of the invention comprises the following steps:
Step 1: preset MC security inspection rules, including the permitted external access devices, the permitted critical-event operations, and the value ranges of permitted write operations;
Step 1.1: according to the actual situation, set up the rule list of permitted external access devices, where a single rule includes the external access device information, namely its IP address and MAC address, and the IP address and port number of the accessed device;
Step 1.2: according to the actual security protection requirements, set up the list of permitted critical-event operation rules, where a single rule includes the IP addresses of the external access device and the accessed device and the permitted critical events; the critical events include soft device write operations, tag write operations, buffer memory write operations, module control operations and file operations;
Step 1.3: according to the actual situation, set up the rules for the legitimate value range of the relevant write operations, where a single rule includes the IP addresses of the external access device and the accessed device, the path of the accessed object, the command and subcommand of the write operation, and the permitted range of the written value;
Step 2: parse the TCP/UDP message from the external device, and determine whether the IP address in the message belongs to a permitted external access device and whether the protocol type of the message is TCP/UDP;
Step 2.1: when the protocol type is TCP/UDP, judge whether the external device IP address and the destination port number are in the preset rules;
Step 2.2: when the IP address and destination port number do not comply with the security rules, the message is dropped and the external device's access request fails; at the same time a log entry is recorded and an alarm is generated;
Step 2.3: when the IP address and destination port number comply with the security rules, the protocol message proceeds to further deep analysis;
Step 3: for messages that comply with the security rules of the preceding steps, perform a data frame integrity and compliance check;
The data frame integrity and compliance check specifically comprises the following steps:
Step 3.1: extract the application-layer data from the TCP/UDP message;
Step 3.2: parse the packet according to the frame structure defined by the MC protocol, determine whether the packet has the format characteristics defined by the MC protocol, determine whether it is an MC protocol 4E, 3E or 1E frame, and confirm whether the data transmission mode is ASCII code format or binary format;
Step 3.3: when the data frame is neither a request frame nor a response frame, or the data length is wrong, the message is dropped so that a non-compliant data request cannot have unknown effects on the device; at the same time a log entry is recorded and an alarm is generated;
Step 3.4: when the data frame is compliant, the data proceeds to further deep analysis;
Step 4: the security protection for the MC protocol specifically further comprises the following steps:
Step 4.1: packets that pass the frame integrity check are filtered by rules covering at least the network number, the programmable controller (PC) number, the request destination module I/O number and the request destination station number;
Step 4.2: extract the header information of the request frame, including the network number, PC number, request destination module I/O number and request destination station number, and check whether these characteristic values in the packet match the preset rules; when they match, the request is legitimate, otherwise the data is dropped and a log entry is recorded;
Step 5: the security protection for the MC protocol specifically further comprises the following steps:
Step 5.1: extract the command/subcommand of the request frame, including soft device access commands, tag access commands, buffer memory access commands, module control commands and file access commands, and compare them with the preset critical-event security rules;
Step 5.2: judge whether the command is in the list of permitted security rules; when a permitted security inspection rule is hit, the request is a permitted critical-event operation, otherwise the packet is dropped, the operation request is aborted, a log entry is recorded and an alarm is generated;
Step 6: the security protection for the MC protocol specifically further comprises the following steps:
Step 6.1: judge whether the specific operation value corresponding to the command/subcommand in the packet lies within the preset safe value range;
Step 6.2: when it does, the data request is considered valid, the message is forwarded and the operation request is allowed; otherwise the packet is dropped and the operation request is refused to avoid damage to field devices, while a log entry is recorded and an alarm is generated.
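The six-step pipeline above, as an added example that is not part of the patent: a Python filter applying the transport allowlist (step 2), the frame integrity check (step 3), the header tuple check (step 4), the command/subcommand allowlist (step 5) and the written-value range check (step 6) to a 3E binary-code MC request. The frame layout and the command and device codes are the public MC protocol reference values and should be checked against the target PLC's manual; the rule set, addresses and port are constructed; 4E, ASCII and response frames are identified but not deep-parsed, 1E frames are not recognised, and the MAC-address matching of step 1.1 is omitted.

```python
import struct
from dataclasses import dataclass

SUBHEADERS = {b"\x50\x00": "3E-binary-request", b"\xd0\x00": "3E-binary-response",
              b"\x54\x00": "4E-binary-request"}  # public MC reference values
CMD_BATCH_READ, CMD_BATCH_WRITE, SUB_WORD_UNITS = 0x0401, 0x1401, 0x0000
DEVICE_D = 0xA8  # data register D (word device)


@dataclass
class Rules:
    access: set    # step 1.1: (source ip, plc ip, plc port); MAC matching omitted
    headers: set   # step 4.1: (network no, PC no, dest module I/O, station no)
    events: dict   # step 1.2: (source ip, plc ip) -> {(command, subcommand)}
    ranges: dict   # step 1.3: (plc ip, device code, first, last) -> (low, high)


@dataclass
class Verdict:
    allowed: bool
    stage: str     # which step dropped the packet, or "allow"
    reason: str    # text for the log entry / alarm


def classify_frame(payload):
    """Step 3.2: identify frame type and code; None means not an MC frame."""
    if payload[:2] in SUBHEADERS:
        return SUBHEADERS[payload[:2]]
    if payload[:4] in (b"5000", b"D000", b"5400"):
        return "ASCII-frame"
    return None  # 1E frames have no fixed subheader; out of scope here


def parse_3e_request(payload):
    """Step 3.3 / 4.2: unpack the 3E binary header; ValueError on a length mismatch."""
    if len(payload) < 15:
        raise ValueError("shorter than a 3E request header")
    net, pc, dest_io, station, req_len = struct.unpack_from("<BBHBH", payload, 2)
    if len(payload) != 9 + req_len:  # req_len counts from the monitoring timer to the end
        raise ValueError(f"length field {req_len} disagrees with {len(payload)} bytes")
    _timer, command, subcommand = struct.unpack_from("<HHH", payload, 9)
    return dict(net=net, pc=pc, dest_io=dest_io, station=station,
                command=command, subcommand=subcommand, data=payload[15:])


def batch_write_points(data):
    """Decode batch-write (word units) data into (device code, head number, values)."""
    head_lo, head_hi, dev_code, count = struct.unpack_from("<HBBH", data, 0)
    if len(data) != 6 + 2 * count:
        raise ValueError("point count disagrees with write data length")
    return dev_code, head_lo | (head_hi << 16), list(struct.unpack_from(f"<{count}H", data, 6))


def value_bounds(rules, plc_ip, dev_code, point):
    # Step 1.3 lookup: the (low, high) rule covering one device point, or None.
    for (ip, dev, first, last), bounds in rules.ranges.items():
        if ip == plc_ip and dev == dev_code and first <= point <= last:
            return bounds
    return None


def filter_request(rules, src_ip, dst_ip, dst_port, proto, payload):
    """Run steps 2 to 6 on one inbound packet; a drop names the failing stage."""
    if proto not in ("tcp", "udp") or (src_ip, dst_ip, dst_port) not in rules.access:
        return Verdict(False, "step2", f"{src_ip} -> {dst_ip}:{dst_port}/{proto} not permitted")
    kind = classify_frame(payload)
    if kind != "3E-binary-request":  # only inbound requests are deep-parsed here
        return Verdict(False, "step3", f"not an inspectable MC request ({kind or 'non-MC data'})")
    try:
        req = parse_3e_request(payload)
    except ValueError as exc:
        return Verdict(False, "step3", str(exc))
    if (req["net"], req["pc"], req["dest_io"], req["station"]) not in rules.headers:
        return Verdict(False, "step4", "header fields outside the permitted tuple")
    if (req["command"], req["subcommand"]) not in rules.events.get((src_ip, dst_ip), set()):
        return Verdict(False, "step5", f"command {req['command']:#06x} is not a permitted event")
    if (req["command"], req["subcommand"]) == (CMD_BATCH_WRITE, SUB_WORD_UNITS):
        try:
            dev_code, head, values = batch_write_points(req["data"])
        except (ValueError, struct.error) as exc:
            return Verdict(False, "step3", str(exc))
        for offset, value in enumerate(values):
            bounds = value_bounds(rules, dst_ip, dev_code, head + offset)
            if bounds is None or not bounds[0] <= value <= bounds[1]:
                return Verdict(False, "step6", f"value {value} at {dev_code:#04x}:{head + offset} out of range")
    return Verdict(True, "allow", f"command {req['command']:#06x} permitted")


def build_3e_batch_write(net, pc, dest_io, station, dev_code, head, values):
    """Construct a 3E binary batch-write (word units) request, for tests and demos."""
    body = struct.pack("<HBBH", head & 0xFFFF, head >> 16, dev_code, len(values))
    body += struct.pack(f"<{len(values)}H", *values)
    req = struct.pack("<HHH", 0x0010, CMD_BATCH_WRITE, SUB_WORD_UNITS) + body
    return b"\x50\x00" + struct.pack("<BBHBH", net, pc, dest_io, station, len(req)) + req


# Constructed rule set: one HMI may batch-read, and batch-write D100..D109 within 0..1500.
RULES = Rules(
    access={("10.0.0.5", "10.0.0.20", 5007)},
    headers={(0x00, 0xFF, 0x03FF, 0x00)},
    events={("10.0.0.5", "10.0.0.20"): {(CMD_BATCH_READ, 0), (CMD_BATCH_WRITE, 0)}},
    ranges={("10.0.0.20", DEVICE_D, 100, 109): (0, 1500)},
)
```

A write of 1600 to D100 under RULES is dropped at step 6, while a frame one byte short is dropped at step 3 before any header field is trusted.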
The advantageous effect of the invention is that filtering access objects against preset rules effectively protects the confidentiality of important data in the control system and prevents illegal access to system data, and comparing the value of the control object carried in a control operation with the corresponding permitted range for that control value effectively protects the legitimacy and correctness of control operations. The invention realizes security protection for the MC protocol through deep protocol analysis and filtering with preset rules. By introducing TCP/UDP-layer protocol filtering and external-device IP address filtering, it effectively prevents unauthorized access by unauthorized external devices and ensures the security of the user network. The integrity check of MC protocol frames effectively avoids the situation in which non-MC protocol messages keep initiating communication requests to the system device and thereby degrade system performance. When an MC protocol Ethernet packet is received, the legitimacy of the preset transport-layer tuple of the packet is checked; the legitimacy of the application-layer data format of the packet is detected; the legitimacy of the command and subcommand in the packet is detected; and the legitimacy of the data accessed by the packet is detected. By monitoring the packets of MC protocol session communication, the invention can effectively prevent unauthorized access by unauthorized external devices, intercept disguised information and illegal access instructions, and also block the writing of illegal values, ensuring the safety of the production site.
Detailed description of the invention
Fig. 1 is a flow diagram of the method of the invention;
Fig. 2 is a schematic flow diagram of the data frame integrity and compliance check of the method of the invention;
Fig. 3 is a flow diagram of an embodiment of the method of the invention.
Specific embodiment
Embodiments of the present invention are described in detail below with reference to the accompanying drawings. The method of the invention comprises the following steps:
Steps 1 to 6, with their sub-steps, are as set out in the Summary of the Invention above and are followed here in the same order.
As shown in Fig. 1, the method of the invention comprises the following steps:
S101: preset MC protocol security rules, including the permitted external devices and the permitted access data;
S102: when an MC protocol Ethernet packet is received, check the legitimacy of the preset transport-layer tuple of the packet;
S103: detect the legitimacy of the application-layer data format of the packet; detect the legitimacy of the command and subcommand in the packet; detect the legitimacy of the data accessed by the packet;
S104: for operations that violate the preset security rules, record a log entry, raise an alarm, and drop the message or otherwise handle it.
As shown in Fig. 2, the data frame integrity and compliance check of the method of the invention comprises the following steps:
S201: extract the protocol application data from the TCP/UDP packet and determine, from the protocol characteristics of the MELSEC protocol (MC protocol), whether the application data is protocol data;
S202: when it is protocol data, further analyze the protocol header data, determine the integrity of the data, and determine whether the data is request data or response data;
S203: when the protocol data is complete, further deep-parse the characteristic values defined by the protocol to judge whether the data violates the predefined rules;
S204: according to the rule comparison result, drop or forward the message, and record the event.
As shown in Fig. 3, in an embodiment of the security protection method for the MC protocol, the protective device is deployed between the external access devices and the user network and provides the protective function, comprising:
S301: the external access device;
S302: the protective device implementing the method of the invention;
S303: the user network to be protected.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it; any change or replacement that those familiar with the art can readily conceive within the scope disclosed by the invention shall be covered by the scope of protection claimed by the invention.

Claims (4)

1. A security protection method for the MELSEC protocol, characterized in that it comprises the following steps:
Step 1: preset MC security inspection rules, including the permitted external access devices, the permitted critical-event operations, and the value ranges of permitted write operations;
Step 2: parse the TCP/UDP message from the external device, and determine whether the IP address in the message belongs to a permitted external access device and whether the protocol type of the message is TCP/UDP;
Step 3: for messages that comply with the security rules of the preceding steps, perform a data frame integrity and compliance check;
Step 4.1: packets that pass the frame integrity check are filtered by rules covering at least the network number, programmable controller (PC) number, request destination module I/O number and request destination station number;
Step 4.2: extract the header information of the request frame, including the network number, PC number, request destination module I/O number and request destination station number, and check whether the characteristic values in the packet match the preset rules; when they match, the request is legitimate, otherwise the data is dropped and a log entry is recorded;
Step 5.1: extract the command/subcommand of the request frame, including soft device access commands, tag access commands, buffer memory access commands, module control commands and file access commands, and compare them with the preset critical-event security rules;
Step 5.2: judge whether the command is in the list of permitted security rules; when a permitted security inspection rule is hit, the request is a permitted critical-event operation, otherwise the packet is dropped, the operation request is aborted, a log entry is recorded and an alarm is generated;
Step 6.1: judge whether the specific operation value corresponding to the command/subcommand in the packet lies within the preset safe value range;
Step 6.2: when it does, the data request is considered valid, the message is forwarded and the operation request is allowed; otherwise the packet is dropped and the operation request is refused to avoid damage to field devices, while a log entry is recorded and an alarm is generated.
2. The security protection method for the MELSEC protocol according to claim 1, characterized in that step 1 comprises the following steps:
Step 1.1: according to the actual situation, set up the rule list of permitted external access devices, where a single rule includes the external access device information, namely its IP address and MAC address, and the IP address and port number of the accessed device;
Step 1.2: according to the actual security protection requirements, set up the list of permitted critical-event operation rules, where a single rule includes the IP addresses of the external access device and the accessed device and the permitted critical events; the critical events include soft device write operations, tag write operations, buffer memory write operations, module control operations and file operations;
Step 1.3: according to the actual situation, set up the rules for the legitimate value range of the relevant write operations, where a single rule includes the IP addresses of the external access device and the accessed device, the path of the accessed object, the command and subcommand of the write operation, and the permitted range of the written value.
3. The security protection method for the MELSEC protocol according to claim 1, characterized in that step 2 comprises the following steps:
Step 2.1: when the protocol type is TCP/UDP, judge whether the external device IP address and the destination port number are in the preset rules;
Step 2.2: when the IP address and destination port number do not comply with the security rules, the message is dropped and the external device's access request fails; at the same time a log entry is recorded and an alarm is generated;
Step 2.3: when the IP address and destination port number comply with the security rules, the protocol message proceeds to further deep analysis.
4. The security protection method for the MELSEC protocol according to claim 1, characterized in that step 3 comprises the following steps:
Step 3.1: extract the application-layer data from the TCP/UDP message;
Step 3.2: parse the packet according to the frame structure defined by the MC protocol, determine whether the packet has the format characteristics defined by the MC protocol, determine whether it is a 4E, 3E or 1E frame of the MC protocol, and confirm whether the data transmission mode is ASCII code format or binary format;
Step 3.3: when the data frame is neither a request frame nor a response frame, or the data length is wrong, the message is dropped so that a non-compliant data request cannot have unknown effects on the device; at the same time a log entry is recorded and an alarm is generated;
Step 3.4: when the data frame is compliant, the data proceeds to further deep analysis.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811514480.8A CN109756483B (en) 2018-12-12 2018-12-12 Safety protection method aiming at MELASEC protocol


Publications (2)

Publication Number Publication Date
CN109756483A true CN109756483A (en) 2019-05-14
CN109756483B CN109756483B (en) 2021-05-25

Family

ID=66403704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811514480.8A Active CN109756483B (en) 2018-12-12 2018-12-12 Safety protection method aiming at MELASEC protocol

Country Status (1)

Country Link
CN (1) CN109756483B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835793A (en) * 2020-08-05 2020-10-27 天津美腾科技股份有限公司 Communication method and device for Internet of things access, electronic equipment and storage medium
CN111935325A (en) * 2020-10-15 2020-11-13 广州汽车集团股份有限公司 OTA (over the air) upgrading method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003167606A (en) * 2001-11-30 2003-06-13 Omron Corp Programmable controller or programmable display unit and its user authentication method
CN101196854A (en) * 2006-12-07 2008-06-11 国际商业机器公司 Method and system for programmable memory device security
CN102156840A (en) * 2010-02-12 2011-08-17 三菱电机株式会社 Controller and managing device thereof
CN105847251A (en) * 2016-03-22 2016-08-10 英赛克科技(北京)有限公司 Security protection method and system for industrial control system using S7 protocol
WO2018052435A1 (en) * 2016-09-16 2018-03-22 Siemens Aktiengesellschaft Cyberattack-resilient control system design
CN108712369A (en) * 2018-03-29 2018-10-26 中国工程物理研究院计算机应用研究所 A kind of more attribute constraint access control decision system and method for industrial control network


Also Published As

Publication number Publication date
CN109756483B (en) 2021-05-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant