
KR20130001767A - Data comunication system for communication security - Google Patents


Info

Publication number
KR20130001767A
Authority
KR
South Korea
Prior art keywords
data
data frame
area
terminal device
security
Prior art date
Application number
KR1020110062609A
Other languages
Korean (ko)
Inventor
김경호
이병진
Original Assignee
엘에스산전 주식회사
Filing date
2011-06-28
Publication date
2013-01-07

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24215 Scada supervisory control and data acquisition


Abstract

According to an embodiment of the present invention, a data communication system for communication security includes an operation server that performs the function of the top layer in the network of a SCADA system; a remote device that is connected to the operation server through a communication port and transmits and receives a data frame containing control or measurement information; and a terminal device that is connected to the remote device to transmit and receive the data frame, wherein the transmitted and received data frame includes a first area containing unencrypted data and a second area containing data encrypted with a set security password.

Description

Data communication system for communication security {DATA COMUNICATION SYSTEM FOR COMMUNICATION SECURITY}

The present invention relates to data protection in a Supervisory Control And Data Acquisition (SCADA) network, and more particularly, to a data communication system for communication security that can implement stable and reliable communication by transmitting and receiving encrypted data frames.

A SCADA system is a system for centrally monitoring and controlling devices and equipment installed at remote sites. It is generally composed of a central control computer (SCADA server) through which a central operator performs centralized monitoring and control, remote devices (e.g., RTU, MTU) that are controlled by the central control computer, and wired or wireless communication links that form the data transmission path between the central control computer and the remote devices.

The remote devices independently perform functions such as data collection, remote control, and remote diagnosis, and report the situation and details to the central control computer. The central control computer monitors and displays the various information reported by the remote devices.

As such, the SCADA system enables the central operator to monitor and control the remote situation and the equipment on the remote site in real time, so that the SCADA system has automatic control, monitoring and information processing functions and is widely used in a wide range of fields.

In practice, SCADA systems are applied to rail management and control, water resource management, power transmission and distribution, gas, oil storage and supply, civil air defense, and flood alarm systems.

The implementation of the SCADA system results in a more effective and cost-saving effect, maximizing the efficiency of investments in equipment management and its operations personnel through the introduction of automation and remote control functions.

However, unlike foreign countries, Korea is operating a SCADA system of a dedicated network system separate from the public Internet network, so security awareness is still insufficient.

That is, because of security vulnerabilities on the SCADA network, communication security problems such as information leakage may occur, and the control and measurement information transmitted to remote devices cannot be protected.

FIG. 1 is a block diagram showing a data communication system according to the prior art.

Referring to FIG. 1, the data communication system 10 includes a supervisory server 1, a remote terminal unit (RTU) 2, and a terminal device 3 consisting of terminal devices #1 to #N.

The data communication system 10 transmits and receives data between the upper SCADA, composed of the supervisory server 1, and the lower SCADA, composed of the RTU 2 and the terminal device 3, over RS-232/422/485 or Ethernet media using various protocols such as Modbus and DNP.

The supervisory server 1 performs a supervisory control function using the SCADA protocol, and collects, records, and displays status information data of the lower SCADA through an analog or digital signal.

In particular, data communication is performed by establishing a dedicated communication line between the upper SCADA device and the lower SCADA device to configure closed communication.

However, the conventional supervisory server 1 described above forms a closed network and does not connect to the system any other devices or protocols that are unnecessary for the SCADA system configuration.

That is, as shown in FIG. 2, the data communication system is configured on the premise that the connection of any external device 4 is not considered in the local network configuration.

However, as shown in FIG. 2, with conventional SCADA protocols the type, state, and current value of the data can be read once a physical connection is made from the outside, and so the data can be tampered with.

In addition, conventional SCADA systems require a high level of availability (a low failure rate and rapid recovery) and very high measurement accuracy and speed. Because of these requirements the protocols are simple and highly readable, and so in practice they are exposed to hacking risks when connected to various intranets.

Therefore, there is a need for a device capable of preventing the leakage of data on the SCADA network.

According to an embodiment of the present invention, a data communication system and a transmission method for communication security capable of performing data communication using a protocol having improved security are provided.

In addition, the embodiment according to the present invention provides a method for improving the security of the protocol used for SCADA communication, so that unauthorized external users cannot read the communication data, by applying an internal encryption algorithm during data transmission and reception.

The technical problems to be solved by the present invention are not limited to those mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.

According to an embodiment of the present invention, a data communication system for communication security includes an operation server that performs the function of the top layer in the network of a SCADA system; a remote device that is connected to the operation server through a communication port and transmits and receives a data frame containing control or measurement information; and a terminal device that is connected to the remote device to transmit and receive the data frame, wherein the transmitted and received data frame includes a first area containing unencrypted data and a second area containing data encrypted with a set security password.

In addition, the data frame is generated in at least one of the operation server and the terminal device.

In addition, the terminal device receives a security password for encrypting the data from the user.

In addition, the input security password is either transmitted to the operation server so that it is shared by both sides, or is agreed with the operation server in advance.

In addition, the operation server or the terminal device decrypts the data transmitted from the upper or lower device using the security password, or generates a data frame including the first area and the second area using the security password and transmits it to the upper or lower device.

In addition, the second area of the data frame is encrypted by a predetermined encryption algorithm, and the encryption algorithm can be selected and changed.

Further, the second area of the data frame is compressed based on the security password.

In addition, the data frame is configured based on at least one protocol of DNP (Distributed Network Protocol), Modbus and IEC-60870.

The second area also includes a data field area.

According to the embodiment of the present invention, since the encrypted data frame is transmitted and received, the security of the SCADA power system can be enhanced without additional costs without changing the hardware of the existing SCADA system.

In addition, according to an embodiment of the present invention, it is possible to implement a stable and reliable communication by protecting the data frame transmitted to the network of the SCADA system from external hacking or intrusion.

In addition, the embodiment according to the present invention is compatible with the existing SCADA system because it enhances the security of the data while maintaining the inherent characteristics of the existing protocol.

FIGS. 1 and 2 are configuration diagrams showing a data communication system according to the prior art.
FIG. 3 is a block diagram showing a data communication system according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating an MMI screen according to an embodiment of the present invention.
FIG. 5 is a diagram for describing encryption of a data frame according to a first embodiment of the present invention.
FIG. 6 is a diagram for describing encryption of a data frame according to a second embodiment of the present invention.
FIGS. 7 and 8 are flowcharts explaining, step by step, a data communication method of a data communication system according to an embodiment of the present invention.

The proposed embodiment will be described.

Hereinafter, specific embodiments of the present invention will be described in detail with reference to the drawings. However, the spirit of the present invention is not limited to the embodiments presented, and other embodiments within the scope of the present invention, obtained by adding, changing, or deleting components, can easily be proposed.

FIG. 3 is a block diagram of a data communication system for communication security according to an embodiment of the present invention.

Referring to FIG. 3, the data communication system 100 includes an operation server 101, a remote device 102, and a terminal device 103.

The data communication system 100 configured as described above is used when the operation server 101 communicates, for remote measurement, monitoring, or control, with an industrial automation system such as a factory network, a production system, or a power system that is connected to a dedicated network of a specific protocol-based SCADA network. It overcomes the security vulnerabilities of a closed network and enables rapid recovery through remote monitoring and control with a high level of security.

The operation server 101 performs a function of the highest layer in the network of the SCADA system.

The remote device 102 is connected to the operation server 101 through a communication port to transmit and receive a data frame consisting of control or measurement information.

In addition, the terminal device 103 is a master terminal unit (MTU), and transmits / receives the data frame. The terminal device 103 may be referred to as an intelligent electronic device (IED).

The terminal device 103 is a communication terminal installed in an individual regional feed center (RCC) or sub-regional control center (SCC) that acquires the data frame transmitted from the remote device 102.

In this case, the data frame may include information about control and measurement.

The remote device 102 may also be referred to as a remote terminal unit (RTU); it acquires data transmitted from the operation server 101 and transmits it to the terminal device 103, or acquires data from the terminal device 103 and transmits it to the operation server 101.

The operation server 101 may receive, from a remote device 102 such as an industrial automation system connected to the SCADA network, or from a remote terminal such as the terminal device 103, measurement data related to its operating state or communication state; based on that data it generates data for monitoring and controlling the remote terminal and transmits it to the terminal device 103.

At this time, the data frame transmitted from the operation server 101 to the terminal device 103, or from the terminal device 103 to the operation server 101, is encrypted before transmission in order to prevent the artificial distortion of information by external hacking such as spoofing, replay attacks, and denial-of-service attacks.

That is, as described above, the monitoring and control data transmitted from an upper system such as the operation server 101 through the SCADA network between the operation server 101 and the terminal device 103 is encrypted or encoded before transmission, and the encrypted data received through the SCADA network is decrypted on the lower-system side, such as at the terminal device 103.

Similarly, the measurement data transmitted from the terminal device 103 to the operation server 101 may also be encrypted and then transmitted through the SCADA network, and the encrypted data received through the SCADA network may be received and decrypted at the operation server 101.

In this case, the data frame may be encrypted through an encryption algorithm based on a predetermined security password, or may be compressed using the predetermined security password as a compression key.

In addition, the encryption of the data frame may be performed on all fields constituting the data frame, but for more efficient data communication it may be performed only on the data fields that contain the actually important data. In other words, the data frame is divided into a first area that contains no data field and a second area that contains the data field, and only the second area is encrypted when the data frame is transmitted.

In this case, the data frame may be configured based on any one of the Modbus, DNP (Distributed Network Protocol), and IEC-60870 protocols.

Hereinafter, the encryption of the data frame as described above will be described in more detail.

FIG. 4 is a diagram illustrating an MMI screen according to an embodiment of the present invention.

Referring to FIG. 4, the MMI screen 400 provided through the terminal device 103 includes a security password setting area 401 for encrypting data frames, in which the user can enter a security password.

In this case, the security password input to the security password setting area 401 may be a security password for the user to encrypt in the future, or may be a security password promised with the operation server 101 in advance.

That is, the user enters a security password to be used in the security password setting area 401. In this case, the terminal device 103 provides the security password input from the user to the operation server 101 and shares the security password set by the user with the operation server 101.

Alternatively, a security password already agreed in advance with the operation server 101 may be entered in the security password setting area 401. In this case, the user determines the security password to be used by telephone or by internal arrangement and then enters that predetermined security password in the security password setting area 401. Since the security password is then already shared between the terminal device 103 and the operation server 101, there is no need to transmit the entered security password to the operation server 101.

When the security password is input as described above, the terminal device 103 generates a data frame corresponding to the information requested from the operation server 101, and encrypts the generated data frame using the set security password.

In addition, the terminal device 103 decrypts the encrypted data frame transmitted from the operation server 101 by using the set security password.

Similarly, the operation server 101 encrypts the data frame to be transmitted to the terminal device 103 by using the security password set as described above, and also decrypts the data frame transmitted from the terminal device 103.

In this case, the encryption may be performed by a predetermined encryption algorithm. In addition, the set encryption algorithm may be changed from time to time in order to maintain higher security.

The data scrambling method used in the encryption algorithm may be any of substitution, transposition, and arithmetic operations, or a combination of them.

In addition, simple compression of the data frame may be applied as the encryption. In this case, the set security password may be used as the secret key for decompressing the compressed data frame.

FIG. 5 is a diagram illustrating encryption of a data frame according to a first embodiment of the present invention, and FIG. 6 is a diagram illustrating encryption of a data frame according to a second embodiment of the present invention.

Referring to FIG. 5, the data frame may be configured based on a Modbus protocol.

The data frame based on the Modbus protocol is composed of a start field, an address field, a function field, a data field, a checksum field, and an end field.

In this case, all the fields together are referred to as the application data unit (ADU) section; within it, the start field and the address field belong to the header section, the function field and the data field belong to the data section, and the checksum field and the end field belong to the tail section.

Accordingly, when information to be transmitted is generated, the operation server 101 or the terminal device 103 generates a data frame based on the Modbus protocol that includes the information, and encrypts only the data section, consisting of the function field and the data field, among the sections of the data frame. That is, the operation server 101 or the terminal device 103 encrypts the data section by applying an encryption algorithm based on the security password set as described above.

In addition, referring to FIG. 6, the data frame may be configured based on the DNP protocol.

The data frame based on the DNP protocol includes a header field, an address field, a checksum field, a data header field, a data field, a data CRC field, and a frame CRC field. Among these, the header field, the address field, and the checksum field belong to the data link header section; the data header field, the data field, and the data CRC field belong to the data block section; and the frame CRC field belongs to the data link end section.

Accordingly, when information to be transmitted is generated, the operation server 101 or the terminal device 103 generates a data frame based on the DNP protocol that includes the information, and encrypts only the data block section, consisting of the data header field, the data field, and the data CRC field, among the sections of the data frame. That is, the operation server 101 or the terminal device 103 encrypts the data block section by applying an encryption algorithm based on the security password set as described above.

Further, the data frame encrypted as described above is decrypted at the receiving side based on the security password used for the encryption.

Accordingly, even if an attacker gets in between the terminal device 103 and the operation server 101, the data frame cannot be read because the security password used to encrypt it is not known.

FIGS. 7 and 8 are flowcharts explaining, step by step, a data communication method of a data communication system according to an embodiment of the present invention.

Hereinafter, the data communication method will be described based mainly on the operation of the terminal apparatus 103. However, the operation of the operation server 101 may be performed as described above.

First, referring to FIG. 7, the terminal device 103 receives a data frame divided into a first area and a second area (step 101). In this case, the data frame may be control data provided by the operation server 101.

In addition, the first area includes unencrypted data, and the second area includes data encrypted by the operation server 101.

The terminal device 103 checks the suitability of the data frame using the data included in the first area in the received data frame (step 102).

That is, the terminal device 103 determines the suitability of the data frame by determining a communication address, an IP address, a frame header value, etc. included in the first area. In other words, the terminal device 103 checks whether the data frame is normally received.

If the data frame is determined to be suitable, the terminal device 103 decrypts the data frame (step 103).

That is, the terminal device 103 extracts only the data included in the second area from the data frame, and obtains the unencrypted data by passing it through the decryption algorithm based on the set security password.

When the decryption of the data included in the second area is completed, the terminal device 103 checks whether the data included in the second area is normal data (step 105).

If the data included in the second area is abnormal data, the terminal device 103 discards the received data frame and transmits an error message to the operation server 101 providing the data frame.

In addition, if the data included in the second area is normal data, the terminal device 103 proceeds to step A and performs subsequent operations (step 107).

Referring to FIG. 8, the terminal device 103 checks the data requested by the operation server 101 by using the decrypted data (step 201).

Thereafter, the terminal device 103 configures a data frame corresponding to the data requested by the operation server 101 (step 202). In this case, the data frame includes a first region and a second region corresponding to the corresponding protocol.

Once the data frame is configured, the terminal device 103 encrypts the second area included in the data frame based on the preset security password (step 203).

Thereafter, the terminal device 103 transmits a data frame including the first area and the encrypted second area to the operation server 101 (step 204).
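The frame split of FIG. 5 and the receive and transmit procedures of FIGS. 7 and 8, worked through in Python as an added example that is not part of the patent (the DNP layout of FIG. 6 follows the same header/encrypted block/trailer split). The patent leaves the cipher open ("a predetermined encryption algorithm"), so this example assumes a standard-library stand-in: a key derived from the shared security password with PBKDF2, an HMAC-SHA256 keystream with a per-frame nonce, and an HMAC tag that implements the "normal data" check of step 105; the start byte, end marker, nonce and tag sizes and the sample request are constructed choices, not values from the patent.

```python
"""Selective encryption of a Modbus-style frame (KR20130001767A, FIG. 5).

Frame: start | address | [ second area ] | checksum | end
  first area  (cleartext): start, address, checksum, end
  second area (encrypted): function + data fields, carried as nonce || ciphertext || tag
Constructed example: the cipher is a standard-library stand-in for the patent's
unspecified "predetermined encryption algorithm"; START/END, nonce and tag sizes are
choices made for this example.
"""
import hashlib
import hmac
import os
import struct

START = 0x3A      # constructed start-of-frame marker
END = b"\r\n"     # constructed end-of-frame marker
NONCE_LEN = 8     # per-frame nonce so the keystream is never reused across frames
TAG_LEN = 8       # truncated HMAC tag over the encrypted second area
SALT = b"KR20130001767A-example"  # constructed fixed salt for key derivation


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS (reflected poly 0xA001, init 0xFFFF) for the checksum field."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def derive_keys(password: str) -> tuple:
    """Derive separate encryption and MAC keys from the shared security password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a simple keystream generator."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_second_area(password: str, function: int, data: bytes) -> bytes:
    """Encrypt only the data section (function + data fields), step 203 of FIG. 8."""
    enc_key, mac_key = derive_keys(password)
    nonce = os.urandom(NONCE_LEN)
    plain = bytes([function]) + data
    ct = bytes(p ^ k for p, k in zip(plain, keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def build_frame(password: str, address: int, function: int, data: bytes) -> bytes:
    """Sender side (FIG. 8): cleartext first area around the encrypted second area."""
    body = bytes([address]) + encrypt_second_area(password, function, data)
    return bytes([START]) + body + struct.pack("<H", crc16_modbus(body)) + END


def receive_frame(password: str, frame: bytes, my_address: int):
    """Receiver side (FIG. 7). Returns ("ok", (address, function, data)) or
    ("error", reason); on error the frame is discarded and the error reported."""
    trailer = len(END) + 2
    # step 102: suitability check using only the unencrypted first area
    if len(frame) < 1 + 1 + NONCE_LEN + 1 + TAG_LEN + trailer:
        return "error", "frame too short"
    if frame[0] != START or frame[-len(END):] != END:
        return "error", "bad frame delimiters"
    body = frame[1:-trailer]
    (crc,) = struct.unpack("<H", frame[-trailer:-len(END)])
    if crc16_modbus(body) != crc:
        return "error", "checksum mismatch"
    address = body[0]
    if address != my_address:
        return "error", "frame not addressed to this device"
    # step 103: decrypt only the second area with the set security password
    second = body[1:]
    nonce, ct, tag = second[:NONCE_LEN], second[NONCE_LEN:-TAG_LEN], second[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password)
    # step 105: a wrong password or a modified ciphertext shows up as abnormal data
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return "error", "abnormal data in second area"
    plain = bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))
    return "ok", (address, plain[0], plain[1:])


def modify_second_area(frame: bytes, offset: int) -> bytes:
    """Test helper: flip one bit inside the ciphertext and recompute the checksum,
    simulating an in-transit change that the checksum alone would not reveal."""
    trailer = len(END) + 2
    body = bytearray(frame[1:-trailer])
    body[1 + NONCE_LEN + offset] ^= 0x01
    return bytes([START]) + bytes(body) + struct.pack("<H", crc16_modbus(body)) + END
```

The receiver checks the cleartext first area (delimiters, checksum, address) before touching the second area, and a wrong password or a modified ciphertext is reported as an error rather than passed on as decrypted garbage. Nothing in this frame binds freshness, so a replayed frame, which the description lists among the threats, would still need a sequence number or timestamp inside the encrypted section to be detected.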

As described above, according to the embodiment of the present invention, since the encrypted data frame is transmitted and received, the security of the SCADA power system can be enhanced without additional costs without changing the hardware of the existing SCADA system.

In addition, according to an embodiment of the present invention, it is possible to implement a stable and reliable communication by protecting the data frame transmitted to the network of the SCADA system from external hacking or intrusion.

In addition, the embodiment according to the present invention is compatible with the existing SCADA system because it enhances the security of the data while maintaining the inherent characteristics of the existing protocol.

While the present invention has been particularly shown and described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments and that various modifications and applications are possible. For example, each component specifically shown in the embodiments can be modified and implemented. All changes and modifications that come within the meaning and range of equivalency of the claims are intended to be embraced therein.

101: operation server
102: remote device
103: terminal device

Claims (8)

1. A data communication system for communication security, comprising:
an operation server performing the function of the top layer in a network of a SCADA system;
a remote device connected to the operation server through a communication port for transmitting and receiving a data frame made of control or measurement information; and
a terminal device connected to the remote device to transmit and receive the data frame,
wherein the transmitted and received data frame comprises a first area including unencrypted data and a second area including data encrypted by a predetermined security password.
2. The data communication system of claim 1, wherein the data frame is generated by at least one of the operation server and the terminal device.
3. The data communication system of claim 1, wherein the terminal device receives a security password for encrypting the data from a user.
4. The data communication system of claim 3, wherein the input security password is transmitted to the operation server and shared with it, or is agreed with the operation server in advance.
5. The data communication system of claim 1, wherein the operation server or the terminal device decrypts data transmitted from an upper or lower device using the security password, and generates a data frame including the first area and the second area using the security password and transmits the generated data frame to an upper or lower device.
6. The data communication system of claim 1, wherein the second area of the data frame is encrypted by a preset encryption algorithm, and the encryption algorithm is selectable and changeable.
7. The data communication system of claim 1, wherein the second area of the data frame is compressed based on the security password.
8. The data communication system of claim 1, wherein the second area comprises a data field area.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
KR1020110062609A (KR20130001767A, en) | 2011-06-28 | 2011-06-28 | Data comunication system for communication security

Publications (1)

Publication Number | Publication Date
KR20130001767A (en) | 2013-01-07

Family

ID=47834659

Country Status (1)

Country | Link
KR | (1) KR20130001767A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104914855A * | 2015-06-15 | 2015-09-16 | 洛阳理工学院 | ZigBee-based traditional Chinese medicine warehouse internal environment parameter control system
CN105242659A * | 2014-06-05 | 2016-01-13 | 北车大连电力牵引研发中心有限公司 | Locomotive running data recording method, TCU (traction control unit) terminal and locomotive running data recording system
KR20190089493A * | 2018-01-23 | 2019-07-31 | 이장형 | Method of encrypting protocol for programmable logic controller

Legal Events

Code | Title
WITN | Withdrawal due to no request for examination