Netinfo Security (信息网络安全), 2019, Vol. 19, Issue (6): 1-10. doi: 10.3969/j.issn.1671-1122.2019.06.001

• Classified Protection •

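  • About the authors: Wenli SHANG (born 1974), male, from Heilongjiang, research fellow, Ph.D.; main research interests: industrial control system information security, computational intelligence and machine learning. Long YIN (born 1991), male, from Jilin, assistant research fellow, M.S.; main research interest: industrial control network security. Xianda LIU (born 1985), male, from Liaoning, assistant research fellow, M.S.; main research interest: industrial control network security. Jianming ZHAO (born 1987), male, from Liaoning, assistant research fellow, M.S.; main research interest: industrial control network security.

  • Funding:
    National Key R&D Program of China [2018YFB2004200]; Strategic Priority Research Program of the Chinese Academy of Sciences [XDC02020200]; National Natural Science Foundation of China [61773368]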

Construction Technology and Application of Industrial Control System Security and Trusted Environment

Wenli SHANG1,2,3,4, Long YIN1,2,3,4, Xianda LIU1,2,3,4, Jianming ZHAO1,2,3,4

    1. Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang Liaoning 110016, China
    2. Institutes for Robotics and Intelligent Manufacturing, Chinese Academy of Sciences, Shenyang Liaoning 110016, China
    3. University of Chinese Academy of Sciences, Beijing 100049, China
    4. Key Laboratory of Networked Control Systems, Chinese Academy of Sciences, Shenyang Liaoning 110016, China
  • Received: 2019-01-21 Online: 2019-06-10 Published: 2020-05-11


Abstract:

To address the weak built-in information security protection of traditional PLCs in industrial measurement and control systems, this paper proposes a method for building a trusted computing environment based on key security protection technologies for embedded devices in industrial control systems. The paper first reviews existing research on applying trusted computing in systems and its shortcomings. It then details a security technology architecture for industrial embedded devices, comprising a trusted PLC main control unit based on a bus arbitration mechanism, a trusted PLC runtime environment based on virtualization sandbox technology, and a trusted PLC network security unit based on whitelist access control. Experiments show that the proposed method can be used to build a secure and trusted system network for traditional industrial control equipment and to give the equipment built-in security capability.

Key words: industrial control system, trusted computing, trusted PLC, network security unit
