信息网络安全 ›› 2019, Vol. 19 ›› Issue (2): 60-69.doi: 10.3969/j.issn.1671-1122.2019.02.008

• 技术研究 • 上一篇    下一篇

工业控制系统安全监控协议的设计与优化研究

陈瑞滢1(), 陈泽茂1, 王浩2   

  1. 1. 海军工程大学信息安全系,湖北武汉 430033
    2. 91910部队,辽宁大连 116001
  • 收稿日期:2018-09-12 出版日期:2019-02-10 发布日期:2020-05-11
  • 作者简介:

    作者简介:陈瑞滢(1993—),女,浙江,硕士研究生,主要研究方向为信息安全;陈泽茂(1975—),男,福建,教授,博士,主要研究方向为网络安全、可信计算;王浩(1988—),男,辽宁,硕士,主要研究方向为网络安全。

  • 基金资助:
    国家自然科学基金[61672531]

Design and Optimization of Security Monitoring and Controlling Protocol in Industrial Control Systems

Ruiying CHEN1, Zemao CHEN1, Hao WANG2   

  1. 1. Information Security Department, Naval University of Engineering, Wuhan Hubei 430033, China
    2. 91910 Troops of PLA, Dalian Liaoning 116001, China
  • Received:2018-09-12 Online:2019-02-10 Published:2020-05-11

摘要:

工业监控协议面临的安全威胁主要有完整性、新鲜性和机密性等方面的攻击,而现有工业监控协议在设计时通常将传输数据的可用性放在首位,对协议的安全性研究主要集中于对协议机密性的改进,对协议完整性认证考虑不足。针对上述问题,文章采用消息认证码技术增强监控消息完整性,采用随机数与Diffie-Hellman密钥交换算法原理相结合的技术生成会话对称密钥,避免Diffie-Hellman密钥交换过程的中间人攻击。针对一些特殊工业控制系统资源受限等工作环境特点,文章在确保完整性的前提下对设计的协议进行优化,以提高监控协议运行效率。通过安全性与性能分析可知,整套协议方案可以有效地解决监控消息完整性认证、抵抗重放攻击等安全问题。

关键词: 工业控制系统, 监控协议, 完整性认证, 消息认证码, 密钥协商

Abstract:

The security threats to industrial monitoring and controlling protocols mainly include integrity, freshness and confidentiality. In contrast, existing industrial monitoring and controlling protocols usually place the first priority on the availability of transmitted data. The study on the security of protocols mainly focuses on the improvement of the confidentiality of the protocols but lack consideration for integrity. Aiming at issues above, the paper uses message authentication code technology to enhance the integrity of monitoring messages and uses a combination of random numbers and the Diffie-Hellman key exchange algorithm to generate the session symmetric key, to avoid the man-in-the-middle attack in the process of Diffie-Hellman key exchange. For the characteristics of the operating environment of special industrial control systems such as limited resources, the paper optimizes the designed protocol on the premise of ensuring the integrity, in order to improve the runtime efficiency of the protocol. Through the analysis of security and performance, the protocol scheme can effectively solve security problems such as source and target authentication, monitoring message integrity authentication, and resistance to reply attacks, etc.

Key words: industrial control system, monitoring and controlling protocol, integrity authentication, message authentication code, key agreement

中图分类号: