JP6937251B2 - Abnormal factor determination device, control system, and abnormal factor determination method - Google Patents

Description

Embodiments of the present invention relate to an abnormality factor determination device, a control system, and an abnormality factor determination method.

In recent years, networking has progressed in control systems that control equipment installed in plants, FAs (Factory Automation), and the like. In such a control system, network security measures are important.
Therefore, a device called an IDS (Intrusion Detection System) that detects a network abnormality in a control system is known.

Japanese Unexamined Patent Publication No. 2012-169731

The abnormalities that can occur in the control system described above can be classified into two types, for example, an attack via a network and a device failure. The measures to be taken against these anomalies are completely different.

However, since the conventional device is premised on detecting only one of the above two types of abnormalities, the cause of the abnormality cannot be identified. Therefore, when an abnormality occurs in the control system, it is expected that it will take a lot of time to deal with the abnormality.

An object of the present invention is to provide an abnormality factor determination device, a control system, and an abnormality factor determination method capable of quickly dealing with an abnormality in a system.

According to one embodiment, the abnormality factor determination device is provided in a control system including a control device that controls the device by data communication via a network. This anomaly factor determination device analyzes the acquisition unit that acquires the information contained in the data used in data communication and the information, and based on the analysis result, determines the cause of the anomaly that occurred in the control system as an attack on the network. , Or an analysis unit for determining whether the device is out of order.

According to this embodiment, it is possible to quickly deal with an abnormality in the control system.

It is a block diagram which shows the structure of the control system which concerns on 1st Embodiment. (A) is a diagram showing an example of a determination table, and (b) is a diagram showing another example of the determination table. It is a flowchart of a header information determination process. (A) is an example of a display image for notifying an unauthorized operation abnormality, and (b) is an example of a display image for notifying an unauthorized connection abnormality. It is a flowchart of time information determination processing. (A) is an example of a display image for notifying a cycle abnormality, and (b) is an example of a display image for notifying an output stop abnormality. It is a block diagram which shows the structure of the abnormality factor determination apparatus which concerns on 2nd Embodiment. It is a flowchart of a diagnostic mode. It is a flowchart of the abnormality factor determination method which concerns on 3rd Embodiment. FIG. 10 is a flowchart of the abnormality factor determination method according to the fourth embodiment. It is a block diagram which shows the structure of the control system which concerns on the modification.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. The present embodiment is not limited to the present invention.

(First Embodiment)
FIG. 1 is a block diagram showing a configuration of a control system according to the first embodiment. The control system 1 shown in FIG. 1 includes a control device 10, an HMI (Human Machine Interface) 20, a tool 30, a network switch 40, and an abnormality factor determination device 50.

The control device 10 controls equipment installed in a plant, FA, or the like by data communication via a network. The control device 10 includes, for example, a controller 11, a sensor 12, and an actuator 13 as shown in FIG. The controller 11 is composed of, for example, a PLC (Programmable Logic Controller). The sensor 12 senses the state, environment, and the like of the device to be controlled. The actuator 13 operates under the control of the controller 11. In the present embodiment, a plurality of control devices 10 are provided in the control system 1, but the number of control devices 10 is not particularly limited. Further, the configuration of the control device 10 may be any configuration as long as it controls the above-mentioned equipment, and is not limited to the configuration shown in FIG.

The HMI 20 monitors the state of each control device 10 via the network switch 40. The tool 30 is an engineering tool that changes the control program of each control device 10 via the network switch 40.

The network switch 40 connects each control device 10 to the network. In this embodiment, this network is Ethernet®, but it may be a network of other standards. Further, the network switch 40 has a mirror port, and the abnormality factor determination device 50 is connected to the mirror port. As a result, the abnormality factor determination device 50 can acquire all the data in the packet format transmitted in the control system 1 via the network switch 40.

As shown in FIG. 1, the abnormality factor determination device 50 includes a communication interface unit 51, a timer unit 52, an acquisition unit 53, an analysis unit 54, a storage unit 55, and a display unit 56. These components constituting the abnormality factor determination device 50 may be realized by hardware or software. Further, the display unit 56 may be included in the components of the abnormality factor determination device 50, or may be externally attached to the abnormality factor determination device 50.

The communication interface unit 51 inputs / outputs data via the network switch 40. The timer unit 52 acquires the current time. The acquisition unit 53 acquires header information from the data received by the communication interface unit 51. Further, the acquisition unit 53 adds the time information acquired from the timer unit 52 to the header information and outputs the time information to the analysis unit 54.

The analysis unit 54 analyzes the information input from the acquisition unit 53, and determines the cause of the abnormality based on the analysis result. The storage unit 55 stores the determination table used by the analysis unit 54. Here, the determination table will be described with reference to FIGS. 2 (a) and 2 (b).

The determination table 100 shown in FIG. 2A shows a combination of a source and a destination for which data communication is permitted in advance, a data transmission cycle preset for each combination, and a previous data acquisition time. show. In the determination table 100, the IP address is used as the source and destination identification information. In addition, the data acquisition time is updated each time data is acquired. On the other hand, the determination table 101 shown in FIG. 2B shows protocol information in addition to the items of the determination table 100. According to the determination table 101, the security determination can be made more rigorous.

Hereinafter, the method for determining an abnormality factor by the above-mentioned abnormality factor determination device 50 will be described. The abnormality factor determination device 50 sequentially performs header information determination processing and time information determination processing each time new data is received in order to determine the cause of the abnormality that has occurred in the control system 1.

FIG. 3 is a flowchart of the header information determination process. In the flowchart shown in FIG. 3, first, the communication interface unit 51 receives data via the network switch 40 (step S101). Subsequently, the acquisition unit 53 acquires the header information of the data received by the communication interface unit 51 (step S102). At this time, the acquisition unit 53 acquires the time information from the timer unit 52 and outputs it to the analysis unit 54 together with the header information.

The analysis unit 54 determines whether or not the combination of the source IP address and the destination IP address shown in the header information is registered in the determination table of the storage unit 55 (step S103). When the above combination is registered, the analysis unit 54 determines that it is normal (step S104).

When the above combination is not registered, the analysis unit 54 searches for whether or not there is a plurality of source IP addresses registered in the determination table that match the source IP address of the header information. (Step S105). If there is a matching source IP address, the analysis unit 54 sets the detection flag FLG to "1" (step S106). On the contrary, when there is no matching source IP address, the analysis unit 54 sets the detection flag FLG to “0” (step S107).

When the detection flag FLG is "1", since only the source IP address is registered in the determination table, there is a possibility that the terminal corresponding to the source IP address is illegally operated. Therefore, the analysis unit 54 determines that the attack via the network is an unauthorized operation of the transmission source. In this case, the display unit 56 displays, for example, as shown in the image 200 shown in FIG. 4A, that the cause of the abnormality is an illegal operation and its countermeasures (step S108).

On the other hand, when the detection flag FLG is "0", the IP addresses of the source and the destination are not registered in the determination table, so that there is a possibility that an illegal connection has occurred. Therefore, the analysis unit 54 determines that the attack via the network is an unauthorized connection. In this case, the display unit 56 displays, for example, as shown in the image 201 shown in FIG. 4B, that the cause of the abnormality is an unauthorized connection and its countermeasures (step S109). When the analysis unit 54 analyzes the content of the attack via the network, the determination table 101 shown in FIG. 2B can be used to detect the connection by an invalid protocol. Further, the image 200 and the image 201 may be displayed not only on the display unit 56 but also on the HMI 20.

When the header information determination process described above is completed, the time information determination process is then executed. FIG. 5 is a flowchart of the time information determination process. In the flowchart shown in FIG. 5, when the communication interface unit 51 receives the data (step S201), the analysis unit 54 makes a difference based on the header information and the time information input from the acquisition unit 53 in the header information determination process described above. The time Δt1 is calculated (step S202). The difference time Δt1 corresponds to the difference between the current time shown in the time information and the previous data acquisition time recorded in the determination table. That is, the difference time Δt1 corresponds to the difference time of the data acquisition time from the previous time to the present time.

Subsequently, the analysis unit 54 determines whether or not the calculated difference time Δt1 is within the permissible range of the transmission cycle (step S203). The permissible range is set to, for example, ± 10% of the transmission cycle recorded in the determination table. When the difference time Δt1 is within the permissible range, the analysis unit 54 determines that it is normal, and updates the previous acquisition time of the determination table to the current acquisition time (step S204).

On the other hand, when the difference time Δt1 is out of the permissible range, the analysis unit 54 determines that the cause of the abnormality is a transmission cycle abnormality classified as a device failure (step S205). In this case, the display unit 56 displays, for example, as shown in the image 202 shown in FIG. 6A, that the cause of the abnormality is a transmission cycle abnormality and its countermeasures (step S206).

In step S201, when the communication interface unit 51 has not received the data, the analysis unit 54 calculates the elapsed time Δt2 (step S207). The elapsed time Δt2 corresponds to the difference between the current time shown in the time information of the timer unit 52 and the previous data acquisition time recorded in the determination table. That is, the elapsed time Δt2 corresponds to the elapsed time from the previous data acquisition time.

Subsequently, the analysis unit 54 determines whether or not the calculated elapsed time Δt2 exceeds the threshold value set based on the period (step S208). The threshold value is set to, for example, twice the transmission cycle. If the elapsed time Δt2 does not exceed the threshold value, the analysis unit 54 determines that it is normal (step S209).

On the other hand, when the elapsed time Δt2 exceeds the threshold value, the analysis unit 54 determines that the cause of the abnormality is an output stop abnormality classified as a device failure (step S210). In this case, the display unit 56 displays that the cause of the abnormality is the output stop abnormality and the countermeasures thereof, as shown in the image 203 shown in FIG. 6B, for example (step S211). The images 202 and 203 may also be displayed not only on the display unit 56 but also on the HMI 20.

According to the present embodiment described above, when an abnormality occurs in the control system 1, the analysis unit 54 determines whether the cause of the abnormality is an attack via a network or a device failure. As a result, the cause of the abnormality is identified, and it is possible to deal with it promptly.

Further, in the present embodiment, when the cause of the abnormality is an attack via a network, the content of the attack is subdivided into unauthorized connection and unauthorized operation. Similarly, when the cause of the abnormality is a device failure, the details of the failure are subdivided into a data transmission cycle abnormality and an output stop abnormality. By subdividing the abnormal factors in this way, the user can more accurately grasp the abnormal factors and take appropriate measures. Regarding the subdivision of attacks, for example, spoofing, data falsification, denial, information disclosure, service inability, privilege promotion, etc. may be added. Further, with respect to the subdivision of the failure, the repetition of the operation and the like may be added.

(Second Embodiment)
Hereinafter, the second embodiment will be described focusing on the differences from the first embodiment. In the control system according to the present embodiment, the configuration of the abnormality factor determination device 50 is different from that of the first embodiment. FIG. 7 is a block diagram showing the configuration of the abnormality factor determination device according to the second embodiment. The same components as those in the first embodiment described above are designated by the same reference numerals, and detailed description thereof will be omitted.

As shown in FIG. 7, the abnormality factor determination device 50 according to the present embodiment is different from the first embodiment in that it has a mode switching unit 57. In this embodiment as well, the abnormality factor determination device 50 may be realized by hardware or software. Further, the display unit 56 may be included in the components of the abnormality factor determination device 50, or may be externally attached to the abnormality factor determination device 50.

The mode switching unit 57 switches the operation mode of the analysis unit 54 between the diagnostic mode for determining the cause of the abnormality and the learning mode for creating the determination table. The mode switching unit 57 may switch the operation mode of the analysis unit 54 according to a preset time zone, or may switch when the user's operation is accepted.

In the diagnostic mode, the analysis unit 54 sequentially executes the header information determination process and the time information determination process described in the first embodiment. Next, the operation contents of the diagnostic mode will be described with reference to FIG.

FIG. 8 is a flowchart of the diagnostic mode. In the flowchart shown in FIG. 8, the communication interface unit 51 receives the data via the network switch 40 (step S301), and the acquisition unit 53 acquires the header information of the received data (step S302). At this time, the acquisition unit 53 acquires the time information from the timer unit 52 and outputs it to the analysis unit 54 together with the header information.

The analysis unit 54 determines whether or not the source IP address and the destination IP address shown in the header information are already registered in the determination table stored in the storage unit 55 (step S303). When the source IP address and the destination IP address are registered, the analysis unit 54 calculates the data transmission cycle and registers it in the determination table (step S304). In step S304, the analysis unit 54 calculates the difference time between the current time shown in the time information and the previous acquisition time recorded in the determination table as a cycle.

On the other hand, when the source IP address and the destination IP address are not registered, the analysis unit 54 registers them and the time information in the determination table (step S305). The current time shown in this time information is recorded in the determination table as the data acquisition time. In the diagnostic mode, the operations of steps S301 to S305 described above are repeated each time data is received.

According to the present embodiment described above, when the analysis unit 54 is in the diagnostic mode, the cause of the abnormality is identified as in the first embodiment, so that it is possible to quickly deal with it. Further, in the learning mode, a determination table for identifying the cause of the abnormality is automatically created. Therefore, it is possible to reduce the load on the user.

(Third Embodiment)
Since the configuration of the control system according to the third embodiment is the same as that of the control system 1 according to the first embodiment shown in FIG. 1, detailed description thereof will be omitted. Hereinafter, the abnormality factor determination method by the abnormality factor determination device 50 according to the present embodiment will be described.

FIG. 9 is a flowchart of the abnormality factor determination method according to the third embodiment. In the flowchart shown in FIG. 9, first, the communication interface unit 51 receives data via the network switch 40 (step S401).

Next, the acquisition unit 53 acquires the header information and the auxiliary information from the received data and outputs the header information and the auxiliary information to the analysis unit 54 (step S402). The auxiliary information includes, for example, at least one of the sensing data of the sensor 12, the information indicating the state of the control device 10, the operation log, and the like. In this embodiment, this auxiliary information is included in the data transmitted through the network.

Next, the analysis unit 54 analyzes the header information and the auxiliary information (step S403), and determines the presence or absence of an abnormality (step S404). In step S404, for example, the analysis unit 54 determines the source and destination of the header information according to the result of collating with the determination table of the storage unit 55.

If no abnormality is detected, the analysis unit 54 determines that it is normal (step S405). On the contrary, when the abnormality is detected, the analysis unit 54 determines the cause of the abnormality (step S406). In step S406, for example, the analysis unit 54 determines that the cause of the abnormality is an attack via the network based on the header information as in the first embodiment. Alternatively, the analysis unit 54 determines that the cause of the abnormality is a device failure based on the sensing data shown in the auxiliary information. The result determined in this way is displayed on at least one of the display unit 56 and the HMI 20 (step S407).

According to the present embodiment described above, since the cause of the abnormality is identified by the analysis unit 54, it is possible to quickly deal with it. Further, in the present embodiment, the analysis unit 54 uses not only the header information but also the auxiliary information that assists in the determination of the abnormal factor. Therefore, it is possible to determine the cause of the abnormality with higher accuracy.

(Fourth Embodiment)
The fourth embodiment is different from the third embodiment in that the above-mentioned auxiliary information exists in each control device 10 instead of the transmission information. This auxiliary information includes, for example, at least one of the diagnosis result of the self-diagnosis function of the control device 10, the state information of the control device 10, and the operation log of the control device 10.

The self-diagnosis function of the control device 10 is a function that is performed at a periodic timing during startup or operation to diagnose whether or not the self-diagnosis function is operating correctly. By using this diagnosis result as auxiliary information, it is possible to detect an abnormality that cannot be understood only from the information contained in the network data. Further, the state information of the control device corresponds to, for example, information indicating an ON state or an OFF state of the control device, normal or abnormal, operating or stopped, and the like.

Hereinafter, the abnormality factor determination method by the abnormality factor determination device 50 according to the present embodiment will be described. FIG. 10 is a flowchart of the abnormality factor determination method according to the fourth embodiment. In the flowchart shown in FIG. 10, first, the communication interface unit 51 receives data via the network switch 40 (step S501).

Next, the acquisition unit 53 acquires header information from the received data and outputs it to the analysis unit 54 (step S502). Subsequently, the analysis unit 54 analyzes the header information (step S503) and determines the presence or absence of an abnormality (step S504).

If no abnormality is detected, the analysis unit 54 determines that it is normal (step S505). On the contrary, when the abnormality is detected, the analysis unit 54 analyzes the cause of the abnormality (step S506) and determines whether or not the abnormality factor can be identified (step S507). In step S507, for example, if the degree of agreement between the header information and the factor list stored in the storage unit 55 is equal to or greater than the reference value, the abnormal factor can be identified. When the cause of the abnormality is identified, the content of the abnormality and its countermeasure are displayed on at least one of the display unit 56 and the HMI 20 (step S508).

In step S507, for example, when the cause cannot be identified due to lack of information or the like, the analysis unit 54 requests auxiliary information from the control device 10 (step S509). After that, the analysis unit 54 analyzes the abnormality factor again using the auxiliary information acquired from the control device 10 and the header information acquired earlier. At this time, the analysis unit 54 may repeat the process of analyzing the abnormal factor while acquiring auxiliary information one by one from the control device 10 until the abnormal factor can be identified. Further, the analysis unit 54 may acquire auxiliary information from the control device 10 all at once and analyze the abnormal factor in one process.

According to the present embodiment described above, it is possible to determine the cause of the abnormality with higher accuracy by using the auxiliary information as in the third embodiment. Further, in the present embodiment, since the auxiliary information is acquired as needed, it is possible to reduce the processing load of the apparatus.

The abnormality factor determination device 50 according to the present embodiment acquires auxiliary information from the control device 10 when the abnormality factor cannot be specified, but the acquisition form of the auxiliary information is not limited to this. For example, the abnormality factor determination device 50 may periodically acquire auxiliary information from the control device 10. In this case as well, it is possible to determine the cause of the abnormality with high accuracy.

(Modification example)
FIG. 11 is a block diagram showing a configuration of a control system according to a modified example. In the control system 1a shown in FIG. 11, an abnormality factor determination device 50a is provided in each control device 10. Any of the above-described abnormality factor determination devices 50 of the first embodiment to the fourth embodiment can be applied to each abnormality factor determination device 50a.

The abnormality factor determination device 50a is connected to the network in the control device 10 via the network switch 14. The abnormality factor determination device 50a determines whether the abnormality factor generated in the control device 10 is an attack via a network or a failure of a device to be controlled. The abnormality factor determined by each abnormality factor determination device 50a is transmitted to the abnormality factor determination device 50b via the network switch 40. The abnormality factor determination device 50b identifies the abnormality factor of the entire system based on these abnormality factors. The communication between the abnormality factor determination device 50a and the abnormality factor determination device 50b may be directly performed wirelessly.

According to the present modification described above, the processing function of the abnormality factor determination device 50 described in the first to fourth embodiments is shared between the abnormality factor determination device 50a and the abnormality factor determination device 50b. Even with such a processing format, the cause of the abnormality can be determined, so that it can be dealt with promptly.

In the above-described embodiment and modification, when an abnormality is detected, the cause of the abnormality is determined as "attack" or "failure", but even if the abnormality detection process and the factor determination process are performed at the same time. good. In this case, for example, by performing a cluster analysis that distinguishes between normal and the cause of each abnormality, the cause of the abnormality can be narrowed down to one or a small number.

Although some embodiments and modifications have been described above, these embodiments are presented only as examples and are not intended to limit the scope of the invention. The novel system described herein can be implemented in a variety of other forms. In addition, various omissions, substitutions, and changes can be made to the form of the system described in the present specification without departing from the gist of the invention. The appended claims and their equivalent scope are intended to include such forms and variations that are included in the scope and gist of the invention.

10 Control device, 40 Network switch, 50 Abnormal factor judgment device, 53 Acquisition unit, 54 Analysis unit, 55 Storage unit, 56 Display unit

Claims (9)

An abnormality factor determination device installed in a control system including a control device that controls devices by data communication via a network.
An acquisition unit that acquires information contained in the data used in the data communication, and an acquisition unit.
An analysis unit that analyzes the information and determines whether the cause of the abnormality generated in the control system is an attack via the network or a failure of the device based on the analysis result.
A display unit that displays the determination result of the analysis unit and
It is provided with a storage unit for storing a determination table in which a combination of a source and a destination for which data communication is permitted in advance is registered.
The information is header information indicating a source and a destination of the data, and is
The analysis unit determines whether or not the combination of the source and the destination shown in the header information is registered in the determination table, and if the combination is not registered in the determination table, the analysis unit determines. It is determined whether or not only the source of the header information matches the source of the determination table, and if only the source of the header information matches the source of the determination table, the attack is performed. An abnormality factor determining device that determines that the source is an unauthorized operation, and if not, determines that the attack is an unauthorized connection. The determination table shows the data transmission cycle preset for each combination.
The abnormality factor determination according to claim 1, wherein the analysis unit determines that the cause of the abnormality is the failure when the difference time between the acquisition times of the data from the previous time to the present time is outside the permissible range of the transmission cycle. Device. The analyzer is also the elapsed time from the acquisition time of the last of said data exceeds a preset threshold based on the transmission period, determining the cause of the abnormality the malfunction, to claim 2 The above-mentioned abnormality factor determination device. The operation mode according to any one of claims 1 to 3 , further comprising a mode switching unit capable of switching the operation mode of the analysis unit between a diagnostic mode for determining the cause of the abnormality and a learning mode for creating the determination table. Abnormal factor determination device. The abnormality factor determination device according to claim 1, wherein the analysis unit determines the cause of the abnormality by using the information and auxiliary information that assists in the determination of the cause of the abnormality. The abnormality factor determination device according to claim 5 , wherein the auxiliary information is present in the data or the control device. The auxiliary information according to claim 5 or 6 , which includes at least one of the state information of the control device and the operation log of the control device as a result of self-diagnosis of whether the control device is normal or abnormal. Abnormal factor determination device. A control system including a control device that controls a device by data communication via a network, a network switch that connects the control device to the network, and an abnormality factor determination device that is connected to the network switch.
The abnormality factor determination device is
An acquisition unit that acquires information contained in the data used in the data communication, and an acquisition unit.
An analysis unit that analyzes the information and determines whether the cause of the abnormality generated in the control system is an attack via the network or a failure of the device based on the analysis result.
A display unit that displays the determination result of the analysis unit and
It is provided with a storage unit for storing a determination table in which a combination of a source and a destination for which data communication is permitted in advance is registered.
The information is header information indicating a source and a destination of the data, and is
The analysis unit determines whether or not the combination of the source and the destination shown in the header information is registered in the determination table, and if the combination is not registered in the determination table, the analysis unit determines. It is determined whether or not only the source of the header information matches the source of the determination table, and if only the source of the header information matches the source of the determination table, the attack is performed. A control system that determines that the source is an unauthorized operation, and if not, that the attack is an unauthorized connection. It is a method for determining the cause of an abnormality in a control system including a control device that controls a device by data communication via a network.
A save step for saving a judgment table in which a combination of a source and a destination for which data communication is permitted in advance is registered, and a save step.
An acquisition step for acquiring information contained in the data used in the data communication, and
Analysis steps to analyze the information and
Based on the analysis result, a determination step for determining whether the cause of the abnormality generated in the control system is an attack via the network or a failure of the device, and a determination step .
A display step for displaying the result of the determination step is provided.
In the analysis step, it is determined whether or not the combination of the source and the destination shown in the header information is registered in the determination table, and if the combination is not registered in the determination table, the header information It is determined whether or not only the source matches the source in the determination table.
In the determination step, if only the source of the header information matches the source of the determination table, the attack is determined to be an unauthorized operation of the source, otherwise the attack is determined. Anomalous factor determination method that determines that the connection is unauthorized.

Images