CN112615836A - Industrial control network safety protection simulation system - Google Patents

Industrial control network safety protection simulation system

Info

Publication number: CN112615836A
Authority: CN (China)
Prior art keywords: attack, protection, industrial control, platform, information
Legal status: Pending
Application number: CN202011453191.9A
Other languages: Chinese (zh)
Inventors: 贾春迎, 范渊
Current Assignee: DBAPPSecurity Co Ltd; Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202011453191.9A
Publication of CN112615836A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The application discloses an industrial control network safety protection simulation system, which comprises a penetration attack platform, a detection protection platform and an industrial control system; the industrial control system comprises physical nodes and virtual nodes; the penetration attack platform is used for attacking a target node in the industrial control system and acquiring attack information; wherein the target node is the physical node or the virtual node; the detection protection platform is used for calling a target protection rule according to the attack information to carry out attack protection; the industrial control network safety protection simulation system can effectively ensure the accuracy of the industrial control network safety research result, and has low cost and higher expandability.

Description

Industrial control network safety protection simulation system
Technical Field
The application relates to the technical field of internet security, in particular to an industrial control network security protection simulation system.
Background
With the development of the industrial era, the network security of industrial control systems has come into focus. Once an industrial control system is invaded by viruses, worms and the like, it is in danger of shutdown, which brings immeasurable economic loss; more serious safety accidents may even occur, threatening the life safety of operators. Therefore, performing penetration attack tests on industrial control systems, proposing protection strategies and researching industrial control security threats according to the different network topology architectures and specificities of various industries is an urgent task.
The industrial field environment runs continuously without interruption, so industrial control network security problems and detection protection methods cannot be researched in a real industrial environment. Moreover, the industrial network architectures of different industries differ greatly, and if a test environment is built entirely from physical equipment, the cost and the floor space required are extremely high. A simulation system that is low in cost and can closely simulate and restore the field environment is therefore required as a research platform, on which the security threats that have occurred and the potential security threats can be analyzed and reproduced. At present, the environments for industrial control network security research mainly comprise fully virtual simulation systems and fully physical simulation systems. A fully virtual simulation system cannot form a real industrial environment network, because it lacks the key control equipment of an industrial control system, so its research results are highly inaccurate; a fully physical simulation system, because it adopts physical devices throughout, depends heavily on the actual field environment, is inconvenient for changing the industrial background, and has the serious defects of high cost, large occupied space and short service life.
Therefore, there is an urgent need in the art for a simulation system for industrial control network security research that can not only ensure the accuracy of the research results but also reduce the cost and improve the expandability.
Disclosure of Invention
The purpose of the application is to provide an industrial control network safety protection simulation system, which not only can effectively ensure the accuracy of the industrial control network safety research result, but also has low cost and higher expandability.
The application provides an industrial control network safety protection simulation system, which comprises a penetration attack platform, a detection protection platform and an industrial control system; the industrial control system comprises physical nodes and virtual nodes;
the penetration attack platform is used for attacking a target node in the industrial control system and acquiring attack information; wherein the target node is the physical node or the virtual node;
and the detection protection platform is used for calling a target protection rule according to the attack information to carry out attack protection.
Preferably, the penetration attack platform comprises:
the scanning tool is used for scanning the target node to obtain vulnerability information;
and the attack tool is used for attacking the target node according to the vulnerability information to obtain the attack information.
Preferably, the attack tool is specifically configured to attack the target node by executing a test case corresponding to the vulnerability information, so as to obtain the attack information; the test cases are obtained from a test case library.
Preferably, the penetration attack platform further comprises:
the penetration attack path generator is used for generating a penetration attack path according to the vulnerability information and the network architecture information of the industrial control system;
the attack tool is specifically configured to attack the target node according to the penetration attack path to obtain the attack information.
Preferably, the penetration attack platform further comprises:
and the vulnerability library is used for storing the vulnerability information.
Preferably, the detection protection platform is specifically configured to invoke and execute a target protection rule corresponding to the attack information by using an industrial control firewall to perform attack protection.
Preferably, the detection protection platform further comprises:
and the industrial control audit platform is used for outputting alarm information according to the attack information.
Preferably, the detection protection platform further comprises:
and the protection rule base is used for storing each protection rule.
Preferably, each of the protection rules is a Snort-based protection rule.
Preferably, the detection protection platform is further configured to update the protection rule base according to the attack information when the target protection rule does not exist in the protection rule base.
The industrial control network safety protection simulation system comprises a penetration attack platform, a detection protection platform and an industrial control system; the industrial control system comprises physical nodes and virtual nodes; the penetration attack platform is used for attacking a target node in the industrial control system and acquiring attack information; wherein the target node is the physical node or the virtual node; and the detection protection platform is used for calling a target protection rule according to the attack information to carry out attack protection.
Therefore, the industrial control network safety protection simulation system provided by the application mainly comprises an industrial control system, a penetration attack platform and a detection protection platform; it can simulate the main process of various security threats, reproduce attacks, detect attack behaviors based on the attack principle, and further realize effective protection through protection rules, thereby achieving the purpose of industrial control system network security attack and defense research.
Drawings
In order to more clearly illustrate the technical solutions in the prior art and the embodiments of the present application, the drawings that are needed to be used in the description of the prior art and the embodiments of the present application will be briefly described below. Of course, the following description of the drawings related to the embodiments of the present application is only a part of the embodiments of the present application, and it will be obvious to those skilled in the art that other drawings can be obtained from the provided drawings without any creative effort, and the obtained other drawings also belong to the protection scope of the present application.
Fig. 1 is a schematic structural diagram of an industrial control network security protection simulation system provided in the present application;
fig. 2 is a schematic structural diagram of another industrial control network security protection simulation system provided in the present application;
FIG. 3 is a schematic structural diagram of a penetration attack platform provided in the present application;
FIG. 4 is a schematic view of a workflow of a penetration attack platform provided in the present application;
fig. 5 is a working schematic diagram of a detection protection platform provided in the present application.
Detailed Description
The core of the application is to provide an industrial control network safety protection simulation system, which not only can effectively ensure the accuracy of the industrial control network safety research result, but also has low cost and higher expandability.
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an industrial control network security protection simulation system provided in the present application, where the industrial control network security protection simulation system may include a penetration attack platform 1, a detection protection platform 2, and an industrial control system 3; the industrial control system 3 comprises physical nodes and virtual nodes;
the penetration attack platform 1 is used for attacking a target node in the industrial control system 3 and acquiring attack information; the target node is a physical node or a virtual node;
and the detection protection platform 2 is used for calling a target protection rule according to the attack information to carry out attack protection.
Therefore, the industrial control network security protection simulation system comprises a penetration attack platform 1, a detection protection platform 2 and an industrial control system 3, wherein the penetration attack platform 1 is used for launching an attack to the industrial control system 3, the detection protection platform 2 is used for detecting the attack process in real time and providing an attack protection function for the industrial control system 3, and therefore the simulation process of the industrial control network security protection is achieved, and further attack and defense research on the industrial control system network security can be achieved according to data information generated in the simulation process.
Specifically, the penetration attack platform 1 is configured to launch an attack on a target node in the industrial control system 3 by simulating a main process in which various security threats occur, to obtain attack information, where the target node is a node device that forms the industrial control system 3, and may be a virtual node or a physical node, and specific content of the attack information is not unique, and may include any data information generated in an attack process and an attack result obtained after the attack is completed; the detection protection platform 2 is used for detecting the attack behavior based on the attack principle and realizing effective attack protection through the protection rule, namely, the corresponding target protection rule is called according to the attack information to protect the attack behavior.
The industrial control system 3 is composed of physical nodes and virtual nodes, where the physical nodes are physical devices and the virtual nodes are virtual devices; that is, the industrial control system 3 includes both physical devices and virtual devices, and its deployment is realized by combining the two, which effectively reduces cost and improves expandability, and also makes switching the industrial background more convenient.
It should be noted that whether each type of device in the industrial control system 3 is a virtual device or a physical device may be configured and deployed according to the actual situation, which is not limited in this application. Likewise, for the various system devices in the penetration attack platform 1 and the detection protection platform 2, corresponding virtual devices or physical devices can be chosen according to actual requirements, and this application does not limit this either. For example, a host, a PLC (Programmable Logic Controller) or the like may be set up as a virtual device, and a switch, a detection protection product or the like may be set up as a physical device.
As a preferred embodiment, the penetration attack platform 1 may include:
the scanning tool is used for scanning the target node to obtain vulnerability information;
and the attack tool is used for attacking the target node according to the vulnerability information to obtain attack information.
Specifically, attack behavior is mostly made possible by the existence of vulnerabilities in the system devices; therefore, the penetration attack platform 1 may include a scanning tool and an attack tool, where the scanning tool implements vulnerability scanning and the attack tool implements vulnerability attacks. In the specific implementation process, a target node in the industrial control system 3 is first scanned by the scanning tool, the existing vulnerabilities are determined, and the corresponding vulnerability information is obtained; then the attack tool initiates an attack on the target node based on the vulnerability information, and the corresponding attack information can be obtained.
As a preferred embodiment, the attack tool may be specifically configured to attack a target node by executing a test case corresponding to vulnerability information, so as to obtain attack information; wherein the test cases are obtained from a test case library.
For an attack tool, an attack initiated by the attack tool on a target node can be realized by executing a corresponding test case, and the test case can be called from a test case library. Specifically, a test case library can be created in advance and used for storing test cases corresponding to different types of vulnerabilities, so that after the attack tool obtains vulnerability information sent by the scanning tool, the corresponding test cases can be called from the test case library according to the vulnerability information and executed, and further attack on the target node is achieved. It can be understood that, when the test case corresponding to the attack information does not exist in the test case library, a technician can manually configure the test case to realize the target attack, and after the attack test is completed, the manually configured test case is added to the test case library to realize the update of the test case library.
As a preferred embodiment, the penetration attack platform 1 may further include a penetration attack path generator, configured to generate a penetration attack path according to the vulnerability information and the network architecture information of the industrial control system 3; the attack tool is specifically configured to attack the target node according to the penetration attack path to obtain attack information.
In order to further improve the success probability of the penetration attack, the penetration attack platform 1 may further include a penetration attack path generator for generating a penetration attack path, so that the attack tool may attack the target node according to the attack path, thereby improving the success rate of the attack. The penetration attack path may be specifically generated according to the vulnerability information and the network architecture information of the industrial control system 3.
As a preferred embodiment, the penetration attack platform 1 may further include a vulnerability database for storing vulnerability information.
Specifically, the penetration attack platform 1 may further include a vulnerability library for storing various vulnerability information, and when vulnerability information is obtained by scanning with the scanning tool, it may be added to the vulnerability library. It can be understood that, to avoid duplicate vulnerability information, it can first be judged whether the vulnerability information already exists in the vulnerability database before it is stored: if so, it does not need to be stored again and is discarded; if not, it can be stored in the vulnerability database, so that the vulnerability database is gradually completed.
As a preferred embodiment, the detection and protection platform 2 may be specifically configured to invoke and execute a target protection rule corresponding to attack information by using an industrial control firewall to perform attack protection.
Specifically, the attack protection function of the detection protection platform 2 can be realized based on an industrial control firewall. The industrial control firewall has the functions of intercepting and alarming on security threat risks and security risk events, and is a physical hardware device providing real logical protection; it comprises a blacklist and a whitelist, where the blacklist is similar to the virus library in a traditional hardware firewall, and the whitelist is a list of permitted and legitimate operations that can be generated through self-learning and also supports manual modification of the learned whitelist content. It should be noted that the industrial control firewall is a dedicated device aimed at industrial proprietary protocols (e.g., S7comm, Modbus, DNP3, CIP, etc.), industrial viruses (e.g., industrial control worms, industrial control logic bombs, etc.) and the like, and includes an industrial protocol parsing module and a protection rule base.
As a preferred embodiment, the detection and protection platform 2 may further include an industrial control audit platform, configured to output alarm information according to the attack information.
Specifically, the detection and protection platform 2 may further include an industrial control audit platform that implements an attack alarm function and outputs corresponding alarm information according to the attack information. More specifically, the industrial control security audit platform can comprise industrial traffic audit, industrial log audit and the like; it can realize after-the-fact tracing of network security events by obtaining mirrored traffic packets, syslog log information and the like from the switch, analyzing them to find the parts that may carry security risks, and generating alarm information.
As a preferred embodiment, the detection and protection platform 2 may further include a protection rule base for storing each protection rule.
Specifically, the detection and protection platform 2 may further include a protection rule base for storing various protection rules, and thus the detection and protection platform 2 may invoke the corresponding target protection rule from the protection rule base according to the attack information to implement the attack protection function.
As a preferred embodiment, each protection rule may be a Snort-based protection rule.
This preferred embodiment provides a specific type of protection rule, namely a Snort-based protection rule. In particular, Snort rules are written in a "simple, lightweight description language" for detecting intrusion packets on a network, which provides a simple, flexible method of describing intrusion behavior.
As a preferred embodiment, the detection and protection platform 2 is further configured to update the protection rule base according to the attack information when the target protection rule does not exist in the protection rule base.
Specifically, when the protection rule corresponding to the attack information does not exist in the protection rule base, technical personnel can manually configure the corresponding protection rule according to the attack information to realize attack protection; furthermore, after the attack protection test is completed, the manually configured protection rule can be added to the protection rule base, so that the protection rule base is updated.
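As an added illustration (not code from the patent or from DBAPPSecurity), the following Python models the Snort-based protection rule base described above: the rule base is searched for a target rule matching the attack information, and when none exists a technician-supplied rule is taken in and added so that the next identical attack needs no intervention. The Snort header and option subset, the Modbus/TCP and DNP3 sample frames and the sid values are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Subset of Snort rule syntax: "action proto src sport -> dst dport (options)".
# Only the fields this example decides on are interpreted.
RULE_HEADER = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+"
    r"\S+\s+(?P<dport>\S+)\s+\((?P<options>.*)\)$"
)

@dataclass(frozen=True)
class AttackInfo:  # attack information from the penetration attack platform (constructed shape)
    proto: str
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dport: str            # "any" or a port number as text
    content: bytes        # bytes that must appear in the payload (b"" matches anything)
    offset: int           # Snort offset: where the content search starts
    depth: Optional[int]  # Snort depth: how many bytes from offset are searched
    msg: str
    sid: int

def decode_content(text: str) -> bytes:
    """Decode Snort content notation: literal text with |hex bytes| segments."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(text: str) -> Rule:
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    opts: Dict[str, str] = {}
    for opt in m["options"].split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    return Rule(
        action=m["action"], proto=m["proto"].lower(), dport=m["dport"],
        content=decode_content(opts["content"]) if "content" in opts else b"",
        offset=int(opts.get("offset", 0)),
        depth=int(opts["depth"]) if "depth" in opts else None,
        msg=opts.get("msg", ""), sid=int(opts["sid"]),  # a rule without sid is rejected here
    )

def rule_matches(rule: Rule, attack: AttackInfo) -> bool:
    if rule.proto != attack.proto.lower():
        return False
    if rule.dport != "any" and int(rule.dport) != attack.dst_port:
        return False
    end = None if rule.depth is None else rule.offset + rule.depth
    return rule.content in attack.payload[rule.offset:end]

class ProtectionRuleBase:
    def __init__(self, rule_texts: Iterable[str]):
        self.rules: Dict[int, Rule] = {}  # protection rules keyed by sid
        for text in rule_texts:
            self.add(text)

    def add(self, text: str) -> Rule:
        rule = parse_rule(text)
        self.rules[rule.sid] = rule
        return rule

    def find_target_rule(self, attack: AttackInfo) -> Optional[Rule]:
        return next((r for r in self.rules.values() if rule_matches(r, attack)), None)

    def protect(self, attack: AttackInfo,
                configure: Optional[Callable[[AttackInfo], str]] = None) -> Optional[Tuple[str, int, bool]]:
        """Return (action, sid, newly_added). With no target rule in the base, the technician's
        `configure` callback writes one, which is added to the base; without a callback the
        attack stays unhandled and None is returned."""
        rule = self.find_target_rule(attack)
        if rule is not None:
            return rule.action, rule.sid, False
        if configure is None:
            return None
        rule = self.add(configure(attack))
        return rule.action, rule.sid, True

# Constructed sample rule (placeholder sid): the Modbus function code sits at byte 7 of a
# Modbus/TCP frame, directly after the 7-byte MBAP header; 0x05 is "write single coil".
SAMPLE_RULES = ['drop tcp any any -> any 502 (msg:"Modbus write single coil to PLC"; '
                'content:"|05|"; offset:7; depth:1; sid:1000001;)']
MODBUS_WRITE_COIL = AttackInfo("tcp", 502, bytes.fromhex("00010000000601050001ff00"))
MODBUS_READ_REGS = AttackInfo("tcp", 502, bytes.fromhex("000100000006010300000001"))
DNP3_FRAME = AttackInfo("tcp", 20000, bytes.fromhex("0564"))  # DNP3 start bytes, no rule yet

def technician_rule(attack: AttackInfo) -> str:
    """Stand-in for the manual configuration step: a rule written for the unhandled attack."""
    return (f"alert {attack.proto} any any -> any {attack.dst_port} "
            '(msg:"manually configured rule"; sid:1000003;)')
```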
Therefore, the industrial control network safety protection simulation system provided by the application mainly comprises an industrial control system, a penetration attack platform and a detection protection platform; it can simulate the main process of various security threats, reproduce attacks, detect attack behaviors based on the attack principle, and further realize effective protection through protection rules, thereby achieving the purpose of industrial control system network security attack and defense research.
The embodiment of the application provides another industrial control network safety protection simulation system.
Please refer to fig. 2, which is a schematic structural diagram of another industrial control network security protection simulation system provided in the present application. As shown in the figure, the system as a whole is composed of a penetration attack platform, a detection protection platform and an industrial control system. The environment required for network security research on the industrial control system is the industrial basic environment (the environment to which the industrial control system belongs), which can simulate the main control flows of different fields in different industries: key devices such as a PLC, a DCS, an industrial switch, an engineer station and an operator station use physical hardware devices, while the rest of the environment is simulated with simulation software so as to reproduce the real field environment, and a number of different industrial communication protocols (such as proprietary public industrial protocols and proprietary non-public industrial protocols) and traditional network protocols (such as TCP/IP and UDP) flow in the network. The penetration attack platform is used to simulate illegal hacker behavior against the industrial basic environment and to discover and search for potential 0day vulnerabilities (vulnerabilities that have been discovered but for which the vendor has released no patch), so as to test the stability, security, robustness and other security properties of the key equipment in the industrial basic environment and of the security equipment in the security protection environment.
Therefore, in the industrial control network safety protection simulation system, the industrial basic environment is 'basic', the penetration attack platform is 'means', the detection protection platform is 'target', the detection protection strategy is upgraded and modified through the attack and defense game process, the protection detection rule base capable of effectively coping with the continuously appeared safety threats is finally developed, and industrial control safety protection products are upgraded and modified to effectively protect the industrial control systems of all industries.
1. Penetration attack platform:
Referring to fig. 3 and fig. 4, fig. 3 is a schematic structural diagram of a penetration attack platform provided in the present application, and fig. 4 is a schematic workflow diagram of the penetration attack platform. The penetration attack platform is similar to an arsenal: its carrier is a host (or server) in which a number of sub-modules are deployed, mainly including a vulnerability library, an attack path policy library, a penetration test module, a tool set and the like.
(1) The vulnerability library mainly comprises traditional network vulnerabilities, industrial control system vulnerabilities and security protection product vulnerabilities. Most vulnerabilities are obtained from well-known vulnerability websites such as CVE and CNNVD and include detailed information such as vulnerability type, danger level and manufacturer; the remaining vulnerabilities come from industrial field network security projects. The main vulnerability types are system, protocol, web, middleware and firmware vulnerabilities; the danger levels are low, medium and high; the manufacturers include domestic and foreign industrial control manufacturers such as Siemens, Schneider, GE and AB as well as well-known security protection product manufacturers. Further, when a vulnerability detected by the fuzzing tool is a 0day vulnerability, it is added to the existing vulnerability library, so the vulnerability library actually comprises two parts: existing vulnerabilities (with complete information) and unknown vulnerabilities (with incomplete information). The unknown vulnerabilities can be supplemented with the corresponding information manually, and through long-term accumulation the vulnerability library gradually becomes richer and more comprehensive.
(2) The attack path strategy library obtains an optimal penetration attack path by analyzing the current network architecture and key nodes together with the vulnerability information obtained by sniffing, so as to improve the probability of a successful penetration, and finally transmits key information such as the attack target and the generated optimal path to the penetration test module, thereby realizing the node attack.
(3) The penetration test module, on the premise of having the attack path and the information on each vulnerable node along it, searches the test case library for a suitable test case and calls the tool set corresponding to the vulnerability to execute the penetration attack action; if no suitable test case is found, a test case can be configured manually and added to the test case library.
(4) The tool set can be divided into a sniffing and scanning tool set and a vulnerability exploitation attack tool set. The sniffing and scanning tool set comprises sniffing and scanning tools and vulnerability discovery tools; the vulnerability exploitation attack tool set comprises open source tools and scripts, self-written exploits (EXP), proofs of concept (POC) and the like. The various tools in the tool set can be classified by attack type (injection attack, protocol vulnerability attack, firmware security attack, illegal data tampering, remote illegal control of equipment, etc.), by attack object (PLC, DCS, manufacturer, etc.) or by utilization mode (local, remote); detailed classification makes searching and matching more convenient when tools are called. In addition, when new vulnerabilities are added to the vulnerability library, corresponding attack tools can also be added to the tool set.
2. Detection and protection platform:
The deployment mode of the security protection equipment in the detection and protection platform can be divided into two modes: one is deployment at the boundary of an area or at the network entrance of the protected object, such as an industrial control firewall; the other is deployment on a bypass of the network equipment, such as an industrial control audit platform.
(1) The industrial control firewall has the functions of intercepting and alarming on security threat risks and security risk events. It is a physical hardware device that provides logical protection and comprises a blacklist and a whitelist: the blacklist is similar to the virus library in a traditional hardware firewall, and the whitelist is the list of allowed, legitimate operations, which can be generated by self-learning and manually modified afterwards. The industrial control firewall is a special device aimed at industrial proprietary protocols (such as S7comm, Modbus, DNP3 and CIP) and industrial viruses (such as industrial control worms and industrial control logic bombs), and comprises an analysis module for industrial protocols and a Snort protection rule library.
(2) The industrial control security audit platform comprises industrial traffic audit, industrial log audit and the like. It is mainly used for retrospective tracing of network security events, is likewise specialised for industrial network environments, and can analyse the parts that may carry security risks by acquiring mirrored traffic packets from switches, syslog information and the like, and generate alarm information.
The industrial firewall and the industrial audit platform are the most basic devices for industrial field protection; other security protection devices can be deployed according to the industry. For example, in the energy and power field, owing to the special requirements of the industry, a one-way isolation device must be placed between the production zone and the management zone. The one-way isolation device belongs to physical security protection: the network is logically disconnected, and communication between the two sides is realised through a special ferry structure inside the isolation device. Various protection products deployed at different nodes complement each other to jointly form a protection system for industrial network security.
Further, referring to fig. 5, fig. 5 is a working schematic diagram of the detection and protection platform provided in the present application. The detection and protection platform is the core of the whole simulation system, and the greatest value of the simulation system lies in completing the development of the detection and protection platform and the expansion of the policy rule base of the industrial network security product by simulating the attack process and its consequences, so as to present a complete attack and defence process to learners. In the detection and protection platform, the specific protection function of the deployed industrial security product is matched with the content of the penetration attack platform, and the protection rule base in the product is matched with the tool set in the penetration attack platform; the rule base is updated in real time as the attack means and tools are continuously updated, so that the latest attack events and security vulnerabilities at home and abroad can be tracked in time, improving the advancement and practicality of the simulation system.
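As an added example (not code from the patent or its assignee), the following Python sketch models the behaviour this section and claims 6 to 10 describe: an industrial firewall whose whitelist is self-learned from known-good traffic, a Snort-style content rule base that is consulted first, and the rule-base update performed from reported attack information when no rule matches. The hosts, Modbus payload bytes, attack record and rule format are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    # One request on the protected link (constructed fields, assumed for illustration).
    src: str
    dst: str
    proto: str      # industrial protocol, e.g. "modbus"
    op: str         # protocol operation, e.g. "write_single_coil"
    payload: bytes  # raw application-layer bytes of the request

@dataclass
class ProtectionRule:
    """Snort-style content rule: protocol plus a byte pattern that must appear in the payload."""
    rule_id: str
    proto: str
    content: bytes
    msg: str
    action: str = "drop"

    def matches(self, flow: Flow) -> bool:
        return flow.proto == self.proto and self.content in flow.payload

class ProtectionRuleBase:
    """The protection rule base of the detection and protection platform (claim 8)."""
    def __init__(self) -> None:
        self.rules: list[ProtectionRule] = []

    def lookup(self, flow: Flow) -> ProtectionRule | None:
        return next((r for r in self.rules if r.matches(flow)), None)

    def update_from_attack(self, info: dict) -> ProtectionRule:
        """Claim 10: if no stored rule covers the reported attack, derive one from the attack information."""
        probe = Flow(info["src"], info["dst"], info["proto"], info["op"], info["payload"])
        existing = self.lookup(probe)
        if existing is not None:
            return existing
        rule = ProtectionRule(f"R{len(self.rules) + 1:04d}", info["proto"], info["payload"], info["msg"])
        self.rules.append(rule)
        return rule

class IndustrialFirewall:
    """Boundary device: the blacklist (rule base) is checked first, then the self-learned whitelist."""
    def __init__(self, rule_base: ProtectionRuleBase) -> None:
        self.rule_base = rule_base
        self.whitelist: set[tuple[str, str, str, str]] = set()
        self.alarms: list[str] = []   # alarm information handed to the audit platform (claim 7)

    def learn(self, baseline: list[Flow]) -> None:
        # Self-learning phase: every (src, dst, proto, op) seen in known-good traffic becomes legitimate.
        for f in baseline:
            self.whitelist.add((f.src, f.dst, f.proto, f.op))

    def inspect(self, flow: Flow) -> str:
        rule = self.rule_base.lookup(flow)
        if rule is not None:
            self.alarms.append(f"{rule.rule_id} {rule.msg}: {flow.src}->{flow.dst} {flow.proto}/{flow.op}")
            return rule.action
        if (flow.src, flow.dst, flow.proto, flow.op) in self.whitelist:
            return "allow"
        self.alarms.append(f"not whitelisted: {flow.src}->{flow.dst} {flow.proto}/{flow.op}")
        return "drop"

# Constructed baseline traffic: engineer station 10.0.0.10 talking to the virtual PLC 10.0.0.20.
BASELINE = [
    Flow("10.0.0.10", "10.0.0.20", "modbus", "read_coils", b"\x01\x00\x00\x00\x02"),
    Flow("10.0.0.10", "10.0.0.20", "modbus", "write_single_coil", b"\x05\x00\x01\xff\x00"),
]
# Constructed attack record as the penetration attack platform would report it: same source and
# operation as a whitelist entry, but an out-of-spec coil value (0x1234 instead of 0xFF00 / 0x0000).
ATTACK = Flow("10.0.0.10", "10.0.0.20", "modbus", "write_single_coil", b"\x05\x00\x01\x12\x34")
ATTACK_INFO = {"src": ATTACK.src, "dst": ATTACK.dst, "proto": ATTACK.proto, "op": ATTACK.op,
               "payload": ATTACK.payload, "msg": "malformed write_single_coil value"}

def run_drill() -> tuple[str, str, str]:
    # One attack-and-protection round: verdict before the rule-base update, verdict after, rule id.
    fw = IndustrialFirewall(ProtectionRuleBase())
    fw.learn(BASELINE)
    before = fw.inspect(ATTACK)                       # the whitelist alone lets this through
    rule = fw.rule_base.update_from_attack(ATTACK_INFO)
    after = fw.inspect(ATTACK)                        # the derived rule now intercepts and alarms
    return before, after, rule.rule_id
```

The round shows why the platform pairs the whitelist with a rule base: a whitelisted source and operation pass the self-learned list, and only the rule derived from the attack information stops the malformed request while leaving the legitimate baseline write untouched.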
3. Industrial basic environment:
the industrial basic environment is an industrial network environment of the whole semi-physical simulation system and is an object of industrial control network security research. Because different fields, different trades, the inside composition unit of the industrial control system that builds is all different, and real industrial field control system is very complicated, the node number of involving is in the tens of thousands, consequently, the industrial basic environment in the simulation system only contains a part in whole control process, the minimum system of its key equipment constitution, primary equipment (such as executor, sensor etc.) all uses the simulation technique simulation because of restrictions such as with high costs, bulky, area is big, and key supervisory equipment (such as PLC, DCS, RTU, engineer station, operator's station, HMI etc.) adopts real physical equipment, especially PLC, DCS, RTU need keep unanimous with the model, the producer that the field usage.
As shown in fig. 2, the industrial control system is composed of a virtual host (engineer station), a virtual PLC controller, controlled objects (lamp 1 and lamp 2), the virtual PLC controller and the engineer station are located in a physical host, the engineer station configures and downloads a program for programming the PLC controller, and monitors an operation state of the PLC controller, the virtual PLC operates a logic control program as the physical PLC, and a controlled object simulation control system scene can be externally connected after a virtual PLC specific board card is added to the physical host. In an industrial basic environment, the virtual PLC may be installed and obtained by using a softPLC architecture provided by a well-known manufacturer such as siemens and AB, or may be obtained by finding an open source virtual PLC source code on a network and compiling and running the source virtual PLC source code.
Finally, the application scenarios of the industrial control network safety protection simulation system can include shooting range drilling, training, competition environment, scientific research and the like. For the shooting range drilling, industrial control security event vulnerabilities, security risks and related tools can be preset in a simulation environment, specific schemes are deployed and designed according to different requirements of network security operation and maintenance, emergency response, baseline verification, attack and defense drilling and the like, and various applications closely combined with an industrial field, such as known and unknown vulnerabilities of hardware devices, such as industrial equipment, safety equipment, network equipment and the like to be on-line, detection of the security of patches and the like can be developed. For training, the method can be divided into enterprise training and university experiment classes, and the enterprise training is divided into training for authenticating training requirements in the training and training for improving the safety awareness and problem handling capacity of staff; the university experiment class comparison foundation comprises the aspects of industrial control equipment debugging and use, network security equipment principle, attack and protection theory, practice and the like, and is used for cultivating comprehensive industrial security talents for the country. For the competition environment, the defects of the existing safety protection in the industrial field can be found in order to improve the safety protection skill, deeply understand the bad influence of the attack on the industrial system. For scientific research, experiments and scientific research can be performed in a simulation platform to enrich detection and protection strategies of industrial network security products, and achievements are integrated into the security products.
Therefore, the industrial control network safety protection simulation system provided by the embodiment of the application mainly comprises an industrial control system, a penetration attack platform and a detection protection platform, can simulate the main process of various safety threats, recurs attacks and detects attack behaviors based on an attack principle, further realizes effective protection through a protection rule, and achieves the purpose of network safety attack and prevention research of the industrial control system.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (10)

1. The industrial control network safety protection simulation system is characterized by comprising a penetration attack platform, a detection protection platform and an industrial control system; the industrial control system comprises physical nodes and virtual nodes;
the penetration attack platform is used for attacking a target node in the industrial control system and acquiring attack information; wherein the target node is the physical node or the virtual node;
and the detection protection platform is used for calling a target protection rule according to the attack information to carry out attack protection.
2. The industrial control network security protection simulation system according to claim 1, wherein the penetration attack platform comprises:
the scanning tool is used for scanning the target node to obtain vulnerability information;
and the attack tool is used for attacking the target node according to the vulnerability information to obtain the attack information.
3. The industrial control network security protection simulation system according to claim 2, wherein the attack tool is specifically configured to attack the target node by executing a test case corresponding to the vulnerability information to obtain the attack information; the test cases are obtained from a test case library.
4. The industrial control network security protection simulation system according to claim 2, wherein the penetration attack platform further comprises:
the penetration attack path generator is used for generating a penetration attack path according to the vulnerability information and the network architecture information of the industrial control system;
the attack tool is specifically configured to attack the target node according to the penetration attack path to obtain the attack information.
5. The industrial control network security protection simulation system according to claim 2, wherein the penetration attack platform further comprises:
and the vulnerability library is used for storing the vulnerability information.
6. The industrial control network security protection simulation system according to claim 1, wherein the detection protection platform is specifically configured to invoke and execute a target protection rule corresponding to the attack information by using an industrial control firewall to perform attack protection.
7. The industrial control network security protection simulation system according to claim 6, wherein the detection protection platform further comprises:
and the industrial control audit platform is used for outputting alarm information according to the attack information.
8. The industrial control network security protection simulation system according to claim 6, wherein the detection protection platform further comprises:
and the protection rule base is used for storing each protection rule.
9. The industrial control network security protection simulation system according to claim 8, wherein each of the protection rules is a Snort-based protection rule.
10. The industrial control network security protection simulation system according to claim 8, wherein the detection protection platform is further configured to update the protection rule base according to the attack information when the target protection rule does not exist in the protection rule base.
CN202011453191.9A 2020-12-11 2020-12-11 Industrial control network safety protection simulation system Pending CN112615836A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210406