CN111464563B - Protection method of industrial control network and corresponding device - Google Patents


Info

Publication number: CN111464563B
Authority: CN (China)
Prior art keywords: user, attribute, layer unit, field device, network
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010381893.4A
Other languages: Chinese (zh)
Other versions: CN111464563A (en)
Inventor: 段彬 (Duan Bin)
Current Assignee: Wuhan Sipuling Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Sipuling Technology Co Ltd
Events: application filed by Wuhan Sipuling Technology Co Ltd; priority to CN202010381893.4A; publication of CN111464563A; application granted; publication of CN111464563B; legal status active; anticipated expiration.


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869: Generation of secret information involving random numbers or seeds
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/04: Network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network security for authentication of entities
    • H04L63/0869: Authentication of entities for achieving mutual authentication
    • H04L63/10: Network security for controlling access to devices or network resources
    • H04L63/12: Applying verification of the received information
    • H04L63/123: Verification of received data contents, e.g. message integrity
    • H04L63/14: Network security for detecting or protecting against malicious traffic
    • H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1433: Vulnerability analysis
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/20: Network security for managing network security; network security policies in general


Abstract

The invention provides a protection method for an industrial control network and a corresponding device. Intranet resources are defined as a field device security layer, a network intermediate security layer, a service security layer and a virtual master station, and the protection device is divided into the same four parts, so that the parts of the protection device correspond one-to-one to the network layers of the intranet resources. The security layers are adjusted dynamically in real time according to the state of the field devices, and attribute-based encryption is introduced: transmission data is encrypted according to the attributes and attribute domains of different users, so that the service data of different users is better protected.

Description

Protection method of industrial control network and corresponding device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a protection method for an industrial control network and a corresponding device.
Background
A large number of field terminal devices have weak self-protection and operate in uncontrolled environments, so the master station is exposed to the threat of malicious control. Because industrial control network services have high real-time requirements, some special-purpose network transmission protocols have insufficient security mechanisms. Industrial control systems were designed primarily around their service functions, with network security not fully considered, so the master station's ability to perceive network attacks on the system is low. Existing network architecture hierarchies are divided from the perspective of network transmission rather than network security.
Therefore, a method of targeted security protection and a corresponding device are urgently needed.
Disclosure of Invention
The invention aims to provide a protection method and a corresponding device for an industrial control network that address the lack of network security design in existing industrial control networks and introduce attribute-based encryption to better protect the service data of different users.
In a first aspect, the present application provides a method for protecting an industrial control network, the method comprising:
defining industrial control network resources as a field device security layer, a network intermediate security layer, a service security layer and a virtual master station;
the field device security layer comprises: periodically acquiring the working state of the field devices in the industrial control network, activating dormant field devices, putting failed field devices to sleep, and removing the dormant field devices from the field device security layer; establishing an authority list so that only authorized users can modify the configuration parameters of the field devices; establishing bidirectional identity authentication between the field devices and the virtual master station, with the virtual master station monitoring the field device security layer; and a hardware encryption chip configured in each field device, into which a first encryption key is burned;
periodically acquiring the working state of the field devices in the industrial control network comprises the field devices periodically uploading a working code; if the working code matches a fault code, the field device is judged to have failed and the failed field device is put to sleep;
the network intermediate security layer is divided into different attribute domains, and the boundaries between the attribute domains are encrypted and isolated on the basis of user attributes to implement access control at the boundary between the internal and external networks; different access control policies are formulated on the basis of business and user attributes and issued to the field device security layer; transmission data is encrypted on the basis of user attributes; and the configuration parameters of the field devices and of gateway-type node devices, the system bootstrap program and the communication application program are verified for trustworthiness against a root of trust;
the attribute-based encryption setup is executed on a cloud server and comprises: initialization; establishing two multiplicative cyclic groups; setting a mapping between the user attributes and the key generation algorithm according to the multiplicative cyclic groups; randomly selecting two random numbers; setting a unique pseudo-random number and an attribute public key for each user attribute; and computing the master key and related parameters from the two randomly selected random numbers, the pseudo-random numbers and the attribute public keys together. Key generation takes the master key and a user attribute set as input, randomly selects a time variable and a user parameter from the multiplicative cyclic group, where the user parameter is associated one-to-one with each user, and computes the user's attribute private key;
transmission data is input, and the user identity identifier carried by the transmission data and the identifier of the attribute domain to which the user belongs are sent to the cloud server; the cloud server looks up the corresponding attribute private key according to the user identity identifier and the attribute domain identifier and encrypts the data with the found attribute private key to obtain encrypted data; the attributes in the user attribute set are then mapped again, according to the user attribute set, onto attribute structures obtained from a number of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the virtual master station;
the service security layer comprises integrity and correctness checking of service data packets, encapsulation and decapsulation of service data packets with a packet header added to indicate the service state, and data fusion of the various service data packets by type to obtain clustered service data, from which it is analysed whether the source of the service data has been tampered with;
the virtual master station registers the field devices, issues instructions to acquire the working state of the field devices, issues instructions to put failed field devices to sleep, issues instructions to re-divide the attribute domains, edits and accesses the control policy online, responds to service requests and returns their results, interacts with the cloud server, and stores the keys used in the encryption process.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the field device security layer, the network intermediate security layer, the service security layer and the virtual master station are deployed on the same device.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the network intermediate security layer further comprises performing security audits of important network nodes, the network boundary and remote-access user behaviour using access control and intrusion detection, checking the freshness of the field device authentication data using a timestamp or a counter combined with an integrity check, and detecting whether the data has been tampered with.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the virtual master station further comprises risk assessment, attack correlation analysis and situational awareness, performs active defence, and cooperates with data mining and big data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
In a second aspect, the present application provides a device for an industrial control network, the device comprising a field device security layer, a network intermediate security layer, a service security layer and a virtual master station, which respectively correspond to the intranet resources defined as the field device security layer, the network intermediate security layer, the service security layer and the virtual master station;
the field device security layer comprises: periodically acquiring the working state of the field devices in the industrial control network, activating dormant field devices, putting failed field devices to sleep, and removing the dormant field devices from the field device security layer; establishing an authority list so that only authorized users can modify the configuration parameters of the field devices; establishing bidirectional identity authentication between the field devices and the virtual master station, with the virtual master station monitoring the field device security layer; and a hardware encryption chip configured in each field device, into which a first encryption key is burned;
periodically acquiring the working state of the field devices in the industrial control network comprises the field devices periodically uploading a working code; if the working code matches a fault code, the field device is judged to have failed and the failed field device is put to sleep;
the network intermediate security layer is divided into different attribute domains, and the boundaries between the attribute domains are encrypted and isolated on the basis of user attributes to implement access control at the boundary between the internal and external networks; different access control policies are formulated on the basis of business and user attributes and issued to the field device security layer; transmission data is encrypted on the basis of user attributes; and the configuration parameters of the field devices and of gateway-type node devices, the system bootstrap program and the communication application program are verified for trustworthiness against a root of trust;
the attribute-based encryption setup is executed on a cloud server and comprises: initialization; establishing two multiplicative cyclic groups; setting a mapping between the user attributes and the key generation algorithm according to the multiplicative cyclic groups; randomly selecting two random numbers; setting a unique pseudo-random number and an attribute public key for each user attribute; and computing the master key and related parameters from the two randomly selected random numbers, the pseudo-random numbers and the attribute public keys together. Key generation takes the master key and a user attribute set as input, randomly selects a time variable and a user parameter from the multiplicative cyclic group, where the user parameter is associated one-to-one with each user, and computes the user's attribute private key;
transmission data is input, and the user identity identifier carried by the transmission data and the identifier of the attribute domain to which the user belongs are sent to the cloud server; the cloud server looks up the corresponding attribute private key according to the user identity identifier and the attribute domain identifier and encrypts the data with the found attribute private key to obtain encrypted data; the attributes in the user attribute set are then mapped again, according to the user attribute set, onto attribute structures obtained from a number of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the virtual master station;
the service security layer comprises integrity and correctness checking of service data packets, encapsulation and decapsulation of service data packets with a packet header added to indicate the service state, and data fusion of the various service data packets by type to obtain clustered service data, from which it is analysed whether the source of the service data has been tampered with;
the virtual master station registers the field devices, issues instructions to acquire the working state of the field devices, issues instructions to put failed field devices to sleep, issues instructions to re-divide the attribute domains, edits and accesses the control policy online, responds to service requests and returns their results, interacts with the cloud server, and stores the keys used in the encryption process.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the field device security layer, the network intermediate security layer, the service security layer and the virtual master station are deployed on the same device.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the network intermediate security layer further comprises performing security audits of important network nodes, the network boundary and remote-access user behaviour using access control and intrusion detection, checking the freshness of the field device authentication data using a timestamp or a counter combined with an integrity check, and detecting whether the data has been tampered with.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the virtual master station further comprises risk assessment, attack correlation analysis and situational awareness, performs active defence, and cooperates with data mining and big data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
The invention provides a protection method for an industrial control network and a corresponding device. Intranet resources are defined as a field device security layer, a network intermediate security layer, a service security layer and a virtual master station, and the protection device is divided into the same four parts, so that the parts of the protection device correspond one-to-one to the network layers of the intranet resources. The security layers are adjusted dynamically in real time according to the state of the field devices, and attribute-based encryption is introduced: transmission data is encrypted according to the attributes and attribute domains of different users, so that the service data of different users is better protected.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below; it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without creative effort.
FIG. 1 is a general flow diagram of the method of protecting an industrial control network according to the present invention;
FIG. 2 is an architecture diagram of the device of the industrial control network according to the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the present invention can be more easily understood by those skilled in the art and the scope of the present invention more clearly defined.
FIG. 1 is a general flowchart of the protection method for an industrial control network provided by the present application; the method comprises:
defining industrial control network resources as a field device security layer, a network intermediate security layer, a service security layer and a virtual master station;
the field device security layer comprises: periodically acquiring the working state of the field devices in the industrial control network, activating dormant field devices, putting failed field devices to sleep, and removing the dormant field devices from the field device security layer; establishing an authority list so that only authorized users can modify the configuration parameters of the field devices; establishing bidirectional identity authentication between the field devices and the virtual master station, with the virtual master station monitoring the field device security layer; and a hardware encryption chip configured in each field device, into which a first encryption key is burned;
periodically acquiring the working state of the field devices in the industrial control network comprises the field devices periodically uploading a working code; if the working code matches a fault code, the field device is judged to have failed and the failed field device is put to sleep;
the network intermediate security layer is divided into different attribute domains, and the boundaries between the attribute domains are encrypted and isolated on the basis of user attributes to implement access control at the boundary between the internal and external networks; different access control policies are formulated on the basis of business and user attributes and issued to the field device security layer; transmission data is encrypted on the basis of user attributes; and the configuration parameters of the field devices and of gateway-type node devices, the system bootstrap program and the communication application program are verified for trustworthiness against a root of trust;
the attribute-based encryption setup is executed on a cloud server and comprises: initialization; establishing two multiplicative cyclic groups; setting a mapping between the user attributes and the key generation algorithm according to the multiplicative cyclic groups; randomly selecting two random numbers; setting a unique pseudo-random number and an attribute public key for each user attribute; and computing the master key and related parameters from the two randomly selected random numbers, the pseudo-random numbers and the attribute public keys together. Key generation takes the master key and a user attribute set as input, randomly selects a time variable and a user parameter from the multiplicative cyclic group, where the user parameter is associated one-to-one with each user, and computes the user's attribute private key;
transmission data is input, and the user identity identifier carried by the transmission data and the identifier of the attribute domain to which the user belongs are sent to the cloud server; the cloud server looks up the corresponding attribute private key according to the user identity identifier and the attribute domain identifier and encrypts the data with the found attribute private key to obtain encrypted data; the attributes in the user attribute set are then mapped again, according to the user attribute set, onto attribute structures obtained from a number of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the virtual master station;
the service security layer comprises integrity and correctness checking of service data packets, encapsulation and decapsulation of service data packets with a packet header added to indicate the service state, and data fusion of the various service data packets by type to obtain clustered service data, from which it is analysed whether the source of the service data has been tampered with;
the virtual master station registers the field devices, issues instructions to acquire the working state of the field devices, issues instructions to put failed field devices to sleep, issues instructions to re-divide the attribute domains, edits and accesses the control policy online, responds to service requests and returns their results, interacts with the cloud server, and stores the keys used in the encryption process.
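The field device security layer described in the two paragraphs above (and repeated in the second aspect and the device description) combines three mechanisms: the periodic working-code poll that puts faulted devices to sleep and drops them from the layer, the authority list that gates configuration changes, and bidirectional authentication backed by the key burned into the device's chip. The following Python model is an added example, not the patent's code: the fault codes, device ids and HMAC-SHA256 challenge-response protocol are assumptions made for the illustration, and the device's chip key stands in for the patent's first encryption key. Both sides of the authentication are kept in one object so the exchange can be read in one place.

```python
import hmac
import hashlib
import secrets

# Constructed sample: working codes a device may upload; these three mean "failed".
FAULT_CODES = {0xE1, 0xE2, 0xFF}


class FieldDeviceLayer:
    """Toy model of the field device security layer (hypothetical; not the patent's code)."""

    def __init__(self, authority_list):
        # authority list: device_id -> set of user ids allowed to change its configuration
        self.authority = authority_list
        self.devices = {}    # device_id -> {"state", "config", "key"}
        self.active = set()  # devices currently belonging to the layer

    def register(self, device_id, chip_key, config=None):
        # chip_key stands in for the first encryption key burned into the hardware chip;
        # the virtual master station keeps a copy of it for authentication
        self.devices[device_id] = {"state": "active", "config": dict(config or {}), "key": chip_key}
        self.active.add(device_id)

    def poll(self, reports):
        """One periodic acquisition round. reports: device_id -> uploaded working code.
        Devices whose code matches a fault code are put to sleep and removed from the layer."""
        put_to_sleep = []
        for device_id, code in reports.items():
            dev = self.devices.get(device_id)
            if dev is None or dev["state"] != "active":
                continue
            if code in FAULT_CODES:
                dev["state"] = "dormant"
                self.active.discard(device_id)
                put_to_sleep.append(device_id)
        return put_to_sleep

    def activate(self, device_id):
        """Master-station instruction: bring a dormant device back into the layer."""
        self.devices[device_id]["state"] = "active"
        self.active.add(device_id)

    def set_config(self, user_id, device_id, name, value):
        """A configuration change is accepted only from users on the device's authority list."""
        if user_id not in self.authority.get(device_id, set()):
            return False
        self.devices[device_id]["config"][name] = value
        return True

    def mutual_authenticate(self, device_id, device_chip_key):
        """Bidirectional challenge-response with HMAC-SHA256 over both nonces (constructed
        protocol). Each side proves possession of the chip key; True only if both directions
        verify. The device side is simulated with device_chip_key."""
        master_key = self.devices[device_id]["key"]
        n_master = secrets.token_bytes(16)   # challenge from the master station
        n_device = secrets.token_bytes(16)   # challenge from the device
        # device answers the master's challenge, binding its own nonce into the response
        dev_resp = hmac.new(device_chip_key, b"device" + n_master + n_device, hashlib.sha256).digest()
        expected = hmac.new(master_key, b"device" + n_master + n_device, hashlib.sha256).digest()
        if not hmac.compare_digest(dev_resp, expected):
            return False
        # master station answers the device's challenge; the device checks it with its chip key
        master_resp = hmac.new(master_key, b"master" + n_device + n_master, hashlib.sha256).digest()
        expected = hmac.new(device_chip_key, b"master" + n_device + n_master, hashlib.sha256).digest()
        return hmac.compare_digest(master_resp, expected)
```

Two details matter for a deployment: a device that has been put to sleep no longer appears in the active set, so later poll rounds ignore it until the master station explicitly re-activates it, and the authority list is consulted per device, so a user authorized on one device is not implicitly authorized on another.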
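The paragraph above describes the network intermediate security layer as a set of attribute domains whose boundaries are enforced on the basis of user attributes, with access control policies formulated from business and user attributes and issued to the field device security layer. As an added example (not part of the patent), the following Python policy point shows one way to express that: a request carries the user's attributes and the domain of the resource, a crossing of the domain boundary is denied unless a policy explicitly permits it, and the policy set can be issued to a field device layer. The attribute names, policy structure and domain ids are assumptions for the example; the encryption of the boundary itself is not modelled here.

```python
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    attrs: dict            # user attributes; "domain" is the attribute domain the user belongs to
    target_domain: str     # attribute domain of the resource being accessed
    business: str          # business/service, e.g. "telemetry" or "control"
    action: str            # "read" or "write"


@dataclass
class Policy:
    business: str
    required_attrs: dict   # attribute name -> value the user must carry
    actions: frozenset
    cross_domain: bool = False   # whether this policy may authorise crossing a domain boundary


class IntermediateLayer:
    """Hypothetical policy point of the network intermediate security layer."""

    def __init__(self):
        self.policies = []
        self.issued = {}   # field-device-layer id -> policies issued to it

    def add_policy(self, policy):
        self.policies.append(policy)

    def issue(self, field_layer_id):
        """Distribute the current policy set to a field device security layer."""
        self.issued[field_layer_id] = list(self.policies)
        return len(self.issued[field_layer_id])

    def decide(self, req):
        """Default deny. A request that crosses an attribute-domain boundary is allowed only
        by a policy explicitly marked cross_domain."""
        crossing = req.attrs.get("domain") != req.target_domain
        for p in self.policies:
            if p.business != req.business or req.action not in p.actions:
                continue
            if crossing and not p.cross_domain:
                continue
            if all(req.attrs.get(k) == v for k, v in p.required_attrs.items()):
                return True
        return False
```

The default-deny structure is the point: a user whose attributes satisfy a policy inside their own domain gets nothing across the boundary unless a separate, deliberately written cross-domain policy exists for that business and action.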
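The two paragraphs above describe a two-layer flow: the cloud server looks up an attribute private key by (user identity identifier, attribute domain identifier) and encrypts with it, then derives a second key from the user's attribute set and re-encrypts before the ciphertext goes to the virtual master station, which stores the keys. The following Python example is added here and is not the patent's construction: it does not implement the multiplicative-group scheme, but reproduces the data flow with symmetric stand-ins. Per-attribute secrets stand in for the switching matrices, the second key is a hash over those secrets in canonical order, and an HMAC-SHA256 counter keystream stands in for the cipher. All ids and attribute names are constructed.

```python
import hashlib
import hmac
import os


def keystream_xor(key, label, data):
    """Constructed stand-in cipher: XOR with an HMAC-SHA256 counter keystream. The same call
    encrypts and decrypts. It replaces, for illustration only, the cipher the attribute-based
    construction would use; it provides no integrity on its own."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class CloudKeyServer:
    """Hypothetical cloud-server side of the scheme: holds attribute private keys indexed by
    (user id, attribute domain id) and the per-attribute secrets used for the second key."""

    def __init__(self):
        self.attr_private_keys = {}   # (user_id, domain_id) -> attribute private key
        self.attr_secrets = {}        # attribute -> secret; stands in for a switching matrix

    def keygen(self, user_id, domain_id, attrs):
        sk = os.urandom(32)
        self.attr_private_keys[(user_id, domain_id)] = sk
        for a in attrs:
            self.attr_secrets.setdefault(a, os.urandom(32))
        return sk

    def second_key(self, attrs):
        # Map the user's attribute set onto the attribute structures: here a hash over the
        # per-attribute secrets in canonical order, so the key depends on the whole set.
        h = hashlib.sha256()
        for a in sorted(set(attrs)):
            h.update(self.attr_secrets[a])
        return h.digest()

    def encrypt(self, user_id, domain_id, attrs, data):
        sk = self.attr_private_keys.get((user_id, domain_id))
        if sk is None:
            raise KeyError("no attribute private key for this user and attribute domain")
        nonce = os.urandom(12)
        inner = keystream_xor(sk, b"inner" + nonce, data)                       # first layer
        outer = keystream_xor(self.second_key(attrs), b"outer" + nonce, inner)  # second layer
        return nonce, outer

    def decrypt(self, user_id, domain_id, attrs, nonce, ciphertext):
        """What the virtual master station (which stores the keys) does on receipt:
        peel the attribute-set layer, then the per-user/domain layer."""
        sk = self.attr_private_keys[(user_id, domain_id)]
        inner = keystream_xor(self.second_key(attrs), b"outer" + nonce, ciphertext)
        return keystream_xor(sk, b"inner" + nonce, inner)
```

Two consequences are worth noting for whoever operates such a scheme. Because the cloud server both issues the attribute private keys and performs the encryption, its key store (and the copy held by the virtual master station) is the asset whose compromise exposes every user's data. And because the stand-in cipher, like any stream cipher, is malleable, the ciphertext must be covered by the service security layer's integrity check rather than trusted on its own.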
In some preferred embodiments, the field device security layer, the network intermediate security layer, the service security layer and the virtual master station are deployed on the same device.
When deployed on the same device, that device can be a firewall, a gateway device or a security server.
In some preferred embodiments, the field device security layer, the network intermediate security layer, the service security layer and the virtual master station are deployed on different devices, and the devices cooperate with each other.
When deployed on different devices, each security layer can be its own device, and the different devices communicate through a special secure transmission protocol. The special secure transmission protocol may be a general transmission protocol with a special header added, the header carrying a field that indicates the encryption algorithm or key.
The virtual master station is deployed on one network intermediate device, and the different devices communicate through the special secure transmission protocol.
The virtual master station need not be fixed to one network intermediate device; it may be moved dynamically to other network intermediate devices according to the current load and service type of the network intermediate devices.
The field device security layer, the network intermediate security layer, the service security layer and the virtual master station can also be arranged in a dynamically adjusted manner according to conditions rather than in a fixed arrangement. The conditions referred to here may be network congestion, the scope of an attack, and so on.
The first encryption key burned into the chip is used to complete a first digital encryption in the hardware encryption chip of the field device; this key is fixed and cannot be changed.
In some preferred embodiments, the network intermediate security layer further comprises performing security audits of important network nodes, the network boundary and remote-access user behaviour using access control and intrusion detection, checking the freshness of the field device authentication data using a timestamp or a counter combined with an integrity check, and detecting whether the data has been tampered with.
In some preferred embodiments, the clustering algorithm used for the data fusion may be K-Means, mean-shift clustering, density-based clustering or agglomerative hierarchical clustering.
In some preferred embodiments, the virtual master station further comprises risk assessment, attack correlation analysis and situational awareness, performs active defence, and cooperates with data mining and big data analysis on the cloud server to locate network vulnerabilities and discover potential threats and attacks.
FIG. 2 is an architecture diagram of the device of an industrial control network provided herein; the device comprises a field device security layer, a network intermediate security layer, a service security layer and a virtual master station, which respectively correspond to the intranet resources defined as the field device security layer, the network intermediate security layer, the service security layer and the virtual master station;
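The service security layer above is described as checking the integrity and correctness of service data packets and encapsulating them with a header that indicates the service state, and the preceding paragraph adds a freshness check using a timestamp or a counter combined with an integrity check. The following Python example is added here to show both together; it is not the patent's packet format. The header layout (magic, version, service state, counter, timestamp, payload length), the HMAC-SHA256 tag and the 30-second skew window are assumptions for the example, and the sample key and payload are constructed.

```python
import hashlib
import hmac
import struct
import time

# Header: magic, version, service state, counter, timestamp, payload length (18 bytes).
HDR = struct.Struct("!2sBBIQH")
MAGIC = b"SV"
VERSION = 1
TAG_LEN = 32          # HMAC-SHA256 tag appended after the payload
MAX_SKEW = 30         # seconds a timestamp may deviate from the receiver's clock


def encapsulate(key, service_state, counter, payload, now=None):
    """Wrap a service data packet: header + payload + integrity tag over both."""
    ts = int(time.time() if now is None else now)
    hdr = HDR.pack(MAGIC, VERSION, service_state, counter, ts, len(payload))
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


class Receiver:
    """Decapsulates packets from one peer; tracks the highest counter seen for replay detection."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def decapsulate(self, packet, now=None):
        """Returns (fields, reason); fields is None unless reason == 'ok'."""
        if len(packet) < HDR.size + TAG_LEN:
            return None, "short"
        hdr, rest = packet[:HDR.size], packet[HDR.size:]
        magic, version, state, counter, ts, length = HDR.unpack(hdr)
        if magic != MAGIC or version != VERSION:
            return None, "bad header"
        payload, tag = rest[:length], rest[length:]
        if len(payload) != length or len(tag) != TAG_LEN:
            return None, "bad length"
        # Integrity first, in constant time: unauthenticated header fields must not be
        # allowed to steer the freshness logic or the counter state.
        expected = hmac.new(self.key, hdr + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "tampered"
        t = int(time.time() if now is None else now)
        if abs(t - ts) > MAX_SKEW:
            return None, "stale timestamp"
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return {"state": state, "counter": counter, "payload": payload}, "ok"
```

The order of checks is the design choice: the tag is verified before the timestamp and counter are consulted, so a forged header can neither advance the receiver's counter nor cause a valid packet to be rejected, and the counter is only updated once a packet has passed every check.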
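K-Means is the first of the clustering algorithms the paragraph above lists for fusing service data packets by type, and the service security layer uses the clustered data to judge whether a packet's source has been tampered with. The following Python example is added here and is not the patent's code: it clusters a constructed set of packets on two behavioural features (payload length and inter-arrival interval) with a plain Lloyd's K-Means, then flags packets whose claimed service type disagrees with the majority claimed type of the cluster they land in. The feature choice, the farthest-first seeding and the sample packets are assumptions made for the example.

```python
import math

# Constructed sample of service packets: claimed service type plus two behavioural features
# (payload length in bytes, inter-arrival interval in ms). The last packet claims to be
# telemetry from rtu-2 but behaves like a control packet.
PACKETS = [
    {"src": "rtu-1", "type": "telemetry", "len": 64, "interval_ms": 1000},
    {"src": "rtu-2", "type": "telemetry", "len": 60, "interval_ms": 1010},
    {"src": "rtu-3", "type": "telemetry", "len": 66, "interval_ms": 990},
    {"src": "rtu-4", "type": "telemetry", "len": 62, "interval_ms": 1005},
    {"src": "hmi-1", "type": "control", "len": 16, "interval_ms": 100},
    {"src": "hmi-1", "type": "control", "len": 18, "interval_ms": 110},
    {"src": "hmi-2", "type": "control", "len": 14, "interval_ms": 95},
    {"src": "rtu-2", "type": "telemetry", "len": 15, "interval_ms": 102},
]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=100):
    """Lloyd's K-Means with deterministic farthest-first seeding (constructed helper)."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(list(far))
    assign = None
    for _ in range(iters):
        new = [min(range(k), key=lambda c: dist(p, centroids[c])) for p in points]
        if new == assign:
            break
        assign = new
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign, centroids


def fuse_and_check(packets, k):
    """Cluster packets on behaviour, then flag those whose claimed type disagrees with the
    majority claimed type of their cluster (a simple source-consistency check)."""
    feats = [(p["len"], p["interval_ms"]) for p in packets]
    assign, _ = kmeans(feats, k)
    majority = {}
    for c in range(k):
        types = [p["type"] for p, a in zip(packets, assign) if a == c]
        if types:
            majority[c] = max(set(types), key=types.count)
    suspicious = [i for i, (p, a) in enumerate(zip(packets, assign)) if p["type"] != majority[a]]
    return assign, suspicious
```

On the constructed sample the telemetry packets form one cluster and the control packets the other; the last packet lands in the control cluster while claiming to be telemetry, which is the kind of disagreement between declared source and observed behaviour that the layer is meant to surface for further analysis.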
the field device security layer comprises: periodically acquiring the working state of the field devices in the industrial control network, activating dormant field devices, putting failed field devices to sleep, and removing the dormant field devices from the field device security layer; establishing an authority list so that only authorized users can modify the configuration parameters of the field devices; establishing bidirectional identity authentication between the field devices and the virtual master station, with the virtual master station monitoring the field device security layer; and a hardware encryption chip configured in each field device, into which a first encryption key is burned;
periodically acquiring the working state of the field devices in the industrial control network comprises the field devices periodically uploading a working code; if the working code matches a fault code, the field device is judged to have failed and the failed field device is put to sleep;
the network intermediate security layer is divided into different attribute domains, and the boundaries between the attribute domains are encrypted and isolated on the basis of user attributes to implement access control at the boundary between the internal and external networks; different access control policies are formulated on the basis of business and user attributes and issued to the field device security layer; transmission data is encrypted on the basis of user attributes; and the configuration parameters of the field devices and of gateway-type node devices, the system bootstrap program and the communication application program are verified for trustworthiness against a root of trust;
the attribute-based encryption setup is executed on a cloud server and comprises: initialization; establishing two multiplicative cyclic groups; setting a mapping between the user attributes and the key generation algorithm according to the multiplicative cyclic groups; randomly selecting two random numbers; setting a unique pseudo-random number and an attribute public key for each user attribute; and computing the master key and related parameters from the two randomly selected random numbers, the pseudo-random numbers and the attribute public keys together. Key generation takes the master key and a user attribute set as input, randomly selects a time variable and a user parameter from the multiplicative cyclic group, where the user parameter is associated one-to-one with each user, and computes the user's attribute private key;
transmission data is input, and the user identity identifier carried by the transmission data and the identifier of the attribute domain to which the user belongs are sent to the cloud server; the cloud server looks up the corresponding attribute private key according to the user identity identifier and the attribute domain identifier and encrypts the data with the found attribute private key to obtain encrypted data; the attributes in the user attribute set are then mapped again, according to the user attribute set, onto attribute structures obtained from a number of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the virtual master station;
the service security layer comprises service data packet integrity and correctness checking, service data packet encapsulation and decapsulation, and a packet header for indicating a service state is added; performing data fusion on various different service data packets according to types to obtain clustered service data, and analyzing whether the source of the service data is tampered;
the virtual master station comprises the steps of registering the field equipment, issuing an instruction for acquiring the working state of the field equipment, issuing an instruction for sleeping the fault field equipment, issuing an instruction for dividing the attribute domain again, editing and online accessing a control strategy, responding to a service request, returning a result of the service request, interacting with a cloud server, and storing a key used in the encryption process.
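The field device security layer described above, as an added example that is not the patent's own code: devices periodically report a working code, a code that matches a fault code marks the device faulty and puts it to sleep, dormant devices can be pruned from the layer, and an authority list decides who may change configuration parameters. Device ids, user ids, working codes and fault codes are constructed sample values; the page gives no concrete ones.

```python
"""Field device security layer model (added example, not the patent's code)."""

# Constructed fault codes: a working code matching one of these marks the
# reporting device as faulty, and the device is put to sleep.
FAULT_CODES = frozenset({0xE1, 0xE2, 0xF0})

ACTIVE, DORMANT = "active", "dormant"


class FieldDeviceSecurityLayer:
    def __init__(self, authority_list):
        # authority_list: {device_id: {user_id, ...}}; only listed users may
        # modify that device's configuration parameters.
        self.authority_list = authority_list
        self.devices = {}   # device_id -> {"state", "faulty", "config"}
        self.audit = []     # (device_id, event, detail) records

    def register(self, device_id):
        """Registration is issued by the virtual master station."""
        self.devices[device_id] = {"state": ACTIVE, "faulty": False, "config": {}}

    def poll_working_code(self, device_id, working_code):
        """Periodic working-state acquisition; returns the resulting state."""
        dev = self.devices[device_id]
        if working_code in FAULT_CODES:
            dev["faulty"] = True
            dev["state"] = DORMANT          # failed device is put to sleep
            self.audit.append((device_id, "fault", hex(working_code)))
        return dev["state"]

    def activate(self, device_id):
        """Master-station instruction: wake a dormant device that is not faulty."""
        dev = self.devices[device_id]
        if dev["state"] == DORMANT and not dev["faulty"]:
            dev["state"] = ACTIVE
        return dev["state"]

    def sleep(self, device_id):
        self.devices[device_id]["state"] = DORMANT
        return DORMANT

    def prune_dormant(self):
        """Remove dormant devices from the layer; returns the removed ids."""
        removed = sorted(d for d, dev in self.devices.items() if dev["state"] == DORMANT)
        for device_id in removed:
            del self.devices[device_id]
            self.audit.append((device_id, "removed", ""))
        return removed

    def modify_config(self, user_id, device_id, param, value):
        """Authority-list check; returns True only if the change was applied."""
        if user_id not in self.authority_list.get(device_id, ()):
            self.audit.append((device_id, "denied", user_id))
            return False
        self.devices[device_id]["config"][param] = value
        self.audit.append((device_id, "config", f"{param}={value} by {user_id}"))
        return True


if __name__ == "__main__":
    # Constructed sample run.
    layer = FieldDeviceSecurityLayer({"plc-01": {"eng-alice"}})
    layer.register("plc-01")
    layer.register("rtu-07")
    print(layer.poll_working_code("plc-01", 0x10))                  # active
    print(layer.poll_working_code("rtu-07", 0xE1))                  # dormant
    print(layer.modify_config("op-bob", "plc-01", "setpoint", 99))  # False
    print(layer.prune_dormant())                                    # ['rtu-07']
```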
In some preferred embodiments, the field device security layer, the network intermediate security layer, the service security layer and the virtual master station are deployed on the same device.
In some preferred embodiments, the field device security layer, the network intermediate security layer, the service security layer and the virtual master station are deployed on different devices, and the devices cooperate with each other.
In some preferred embodiments, the network intermediate security layer further comprises access control and intrusion detection, security auditing of important network nodes, network boundaries and remote-access user behaviour, and checking the freshness of the field device authentication data and detecting whether the data has been tampered with, using a timestamp or a counter combined with an integrity check.
In some preferred embodiments, the clustering algorithm used for the data fusion is a K-Means algorithm, a mean-shift clustering algorithm, a density-based clustering algorithm, or an agglomerative hierarchical clustering algorithm.
In some preferred embodiments, the virtual master station further performs risk assessment, attack correlation analysis and situation awareness, carries out active defense and, together with data mining and big-data analysis on the cloud server, locates network vulnerabilities and discovers potential threats and attacks.
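The service data packet encapsulation with a state-carrying header (service security layer) and the freshness-plus-integrity check (network intermediate security layer) described above, as an added example that is not the patent's own code. The header layout, the HMAC-SHA256 tag as the integrity check, the per-source counter as the freshness mechanism (the page also allows a timestamp), the shared key and the sample packets are all constructed assumptions.

```python
"""Service packet encapsulation with integrity and freshness checks
(added example, not the patent's code)."""
import hashlib
import hmac
import struct

# Constructed header: version(1) service type(1) service state(1)
# counter(4) payload length(2), big-endian; HMAC-SHA256 tag appended.
HEADER_FMT = ">BBBIH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32
VERSION = 1

# Constructed sample code points for service type and state.
SERVICE_TYPE_TELEMETRY = 0x01
SERVICE_TYPE_COMMAND = 0x02
STATE_OK = 0x00


def encapsulate(key, service_type, state, counter, payload):
    """Add the header indicating the service state and the integrity tag."""
    header = struct.pack(HEADER_FMT, VERSION, service_type, state, counter, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ServiceSecurityLayer:
    def __init__(self, key):
        self.key = key
        self.last_counter = {}   # per-source freshness state

    def decapsulate(self, source, packet):
        """Returns (ok, reason, fields); reason names the failed check."""
        if len(packet) < HEADER_LEN + TAG_LEN:
            return False, "truncated", None
        header, body, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
        version, stype, state, counter, length = struct.unpack(HEADER_FMT, header)
        # Correctness check: version and declared length must match the packet.
        if version != VERSION or length != len(body):
            return False, "malformed", None
        # Integrity check: constant-time tag comparison over header + payload.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "integrity", None
        # Freshness check: the counter must strictly increase per source.
        if counter <= self.last_counter.get(source, -1):
            return False, "replay", None
        self.last_counter[source] = counter
        return True, "ok", {"type": stype, "state": state, "counter": counter, "payload": body}


def group_by_type(records):
    """First step of fusion by type: bucket decapsulated packets by service type."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["type"], []).append(rec["payload"])
    return groups


if __name__ == "__main__":
    # Constructed sample exchange.
    key = b"constructed-shared-key"
    layer = ServiceSecurityLayer(key)
    pkt = encapsulate(key, SERVICE_TYPE_TELEMETRY, STATE_OK, 7, b"temp=41.5")
    print(layer.decapsulate("plc-01", pkt)[1])   # ok
    print(layer.decapsulate("plc-01", pkt)[1])   # replay
```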
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts of the various embodiments in this specification may be referred to each other. In particular, since the device embodiments are substantially similar to the method embodiments, they are described briefly; for the relevant details, refer to the description of the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (8)

1. A method of safeguarding an industrial control network, the method comprising:
defining industrial control network resources as a field device security layer unit, a network intermediate security layer unit, a service security layer unit and a virtual master station module;
the field device security layer unit comprises: periodically acquiring the working state of the field devices in the industrial control network, activating dormant field devices, putting failed field devices to sleep, and removing dormant field devices from the field device security layer unit; establishing an authority list so that only authorized users can modify the configuration parameters of the field devices; establishing bidirectional identity authentication between the field devices and the virtual master station module, with the virtual master station module monitoring the field device security layer unit; and configuring a hardware encryption chip in each field device, with a first encryption key burned into the hardware encryption chip;
periodically acquiring the working state of the field devices in the industrial control network comprises periodically uploading a working code of each field device; if the working code matches a fault code, the field device is judged to be faulty and is put to sleep;
the network intermediate security layer unit comprises different attribute domains, and the boundaries between the attribute domains are encrypted and isolated based on user attributes, so that access control at the internal/external network boundary is implemented; different access control policies are formulated based on business and user attributes and issued to the field device security layer unit; transmission data is encrypted based on user attributes; and the configuration parameters of the field devices and gateway-type node devices, the system bootstrap program and the communication application program are verified for trustworthiness against a root of trust;
the attribute-based encryption setup is executed on a cloud server and comprises initialization: establishing two multiplicative cyclic groups, setting up a mapping between the user attributes and the key generation algorithm according to the multiplicative cyclic groups, randomly selecting two random numbers, setting a unique pseudo-random number and an attribute public key for each user attribute, and computing the master key and related parameters from the two randomly selected random numbers, the pseudo-random numbers and the attribute public keys; key generation takes the master key and a user attribute set as input, randomly selects a time variable and a user parameter from the multiplicative cyclic group, the user parameter being associated one-to-one with each user, and computes the user's attribute private key;
encrypting based on user attributes further comprises: taking the transmission data as input and sending the user identity identifier carried by the transmission data and the identifier of the attribute domain to which the user belongs to the cloud server; the cloud server looks up the corresponding attribute private key according to the user identity identifier and the attribute domain identifier and encrypts the data with the attribute private key found, obtaining encrypted data; the attributes in the user attribute set are then mapped again, according to the user attribute set, onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the virtual master station module;
the service security layer unit comprises checking the integrity and correctness of service data packets, encapsulating and decapsulating service data packets, and adding a packet header indicating the service state; performing data fusion on the various service data packets by type to obtain clustered service data; and analysing whether the source of the service data has been tampered with;
the virtual master station module comprises registering field devices, issuing instructions to acquire the working state of field devices, issuing instructions to put faulty field devices to sleep, issuing instructions to re-divide the attribute domains, editing and online accessing of control policies, responding to service requests and returning their results, interacting with the cloud server, and storing the keys used in the encryption process.
2. The method of claim 1, wherein: the field device security layer unit, the network intermediate security layer unit, the service security layer unit and the virtual master station module are deployed on the same device.
3. The method according to any one of claims 1-2, wherein: the network intermediate security layer unit further adopts access control and intrusion detection, and uses a timestamp or a counter combined with an integrity check to check the freshness of the field device authentication data and detect whether the data has been tampered with.
4. The method of claim 3, wherein: the virtual master station module further performs risk assessment, attack correlation analysis and situation awareness, conducts active defense and, together with data mining and big-data analysis on the cloud server, locates network vulnerabilities and discovers potential threats and attacks.
5. An apparatus of an industrial control network, the apparatus comprising: a field device security layer unit, a network intermediate security layer unit, a service security layer unit and a virtual master station module, which correspond respectively to the intranet resources defined as the field device security layer unit, the network intermediate security layer unit, the service security layer unit and the virtual master station module;
the field device security layer unit is configured to: periodically acquire the working state of the field devices in the industrial control network, activate dormant field devices, put failed field devices to sleep, and remove dormant field devices from the field device security layer unit; establish an authority list so that only authorized users can modify the configuration parameters of the field devices; establish bidirectional identity authentication between the field devices and the virtual master station module, with the virtual master station module monitoring the field device security layer unit; and configure a hardware encryption chip in each field device, with a first encryption key burned into the hardware encryption chip;
periodically acquiring the working state of the field devices in the industrial control network comprises periodically uploading a working code of each field device; if the working code matches a fault code, the field device is judged to be faulty and is put to sleep;
the network intermediate security layer unit is configured to: divide different attribute domains, encrypt and isolate the boundaries between the attribute domains based on user attributes, and implement access control at the internal/external network boundary; formulate different access control policies based on business and user attributes and issue them to the field device security layer unit; encrypt transmission data based on user attributes; and verify the trustworthiness of the configuration parameters of the field devices and gateway-type node devices, the system bootstrap program and the communication application program against a root of trust;
the attribute-based encryption setup is executed on a cloud server and comprises initialization: establishing two multiplicative cyclic groups, setting up a mapping between the user attributes and the key generation algorithm according to the multiplicative cyclic groups, randomly selecting two random numbers, setting a unique pseudo-random number and an attribute public key for each user attribute, and computing the master key and related parameters from the two randomly selected random numbers, the pseudo-random numbers and the attribute public keys; key generation takes the master key and a user attribute set as input, randomly selects a time variable and a user parameter from the multiplicative cyclic group, the user parameter being associated one-to-one with each user, and computes the user's attribute private key;
encrypting based on user attributes further comprises: taking the transmission data as input and sending the user identity identifier carried by the transmission data and the identifier of the attribute domain to which the user belongs to the cloud server; the cloud server looks up the corresponding attribute private key according to the user identity identifier and the attribute domain identifier and encrypts the data with the attribute private key found, obtaining encrypted data; the attributes in the user attribute set are then mapped again, according to the user attribute set, onto attribute structures obtained from a plurality of switching matrices to generate a second encryption key, the encrypted data is re-encrypted with the second encryption key to obtain a re-encrypted ciphertext, and the ciphertext is sent to the virtual master station module;
the service security layer unit is configured to: check the integrity and correctness of service data packets, encapsulate and decapsulate service data packets, and add a packet header indicating the service state; perform data fusion on the various service data packets by type to obtain clustered service data; and analyse whether the source of the service data has been tampered with;
the virtual master station module is configured to: register field devices, issue instructions to acquire the working state of field devices, issue instructions to put failed field devices to sleep, issue instructions to re-divide the attribute domains, edit and online access control policies, respond to service requests and return their results, interact with the cloud server, and store the keys used in the encryption process.
6. The apparatus of claim 5, wherein the field device security layer unit, the network intermediate security layer unit, the service security layer unit and the virtual master station module are deployed on the same apparatus.
7. The apparatus of any of claims 5-6, wherein the network intermediate security layer unit further employs access control and intrusion detection, performs security auditing of important network nodes, network boundaries and remote-access user behaviour, and uses timestamps or counters combined with integrity checks to check the freshness of the field device authentication data and detect whether the data has been tampered with.
8. The apparatus of claim 7, wherein the virtual master station module further comprises risk assessment, attack correlation analysis, situation awareness, active defense, data mining on the cloud server, big-data analysis, network vulnerability localization, and discovery of potential threats and attacks.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title  Status
CN202010381893.4A CN111464563B (en)  2020-05-08  2020-05-08  Protection method of industrial control network and corresponding device  Active

Publications (2)

Publication Number Publication Date
CN111464563A CN111464563A (en) 2020-07-28
CN111464563B true CN111464563B (en) 2021-09-03

Family

ID=71681086


Country Status (1)

Country Link
CN (1) CN111464563B (en)




Legal Events

Date  Code  Title  Description
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant