The present invention relates to the field of attack detection technology in industrial control systems, and particularly relates to a method for detecting physical intrusion attacks in an industrial control system based on analysis of the signals on a serial communication bus.
An industrial control system is an automatic control system applied in fields such as electric power, industrial production, transportation, processing and manufacturing. The system relies mainly on a control center to monitor the operating status of equipment in networks at all levels, to analyze the measurement data collected from that equipment, and to carry out physical measures to maintain stability and safety. With the development of communication technology and the integration of information networks, the cascading relationships among systems in various fields have made industrial control systems as a whole increasingly large and complex. In the transition from centralized control to distributed control, although the overall control efficiency and response speed of industrial control systems are improved, the ability of the control center to supervise the safety and security of the bus-level network at the bottom or edge of the system is reduced. Especially in unattended locations, the safety of the equipment itself cannot be guaranteed.
In 2017, Dr. Staggs and his team from the University of Tulsa in the United States disclosed a “Windshark” attack on wind farms, in which the attacker broke into a server cabinet and physically connected to the communication equipment, thereby gaining control of the wind farm's internal system and performing malicious operations that damaged turbines and controllers. This case shows that most current industrial control systems are not well protected against physical intrusion attacks: an attacker can easily gain access to the communication devices on the serial communication bus network and use such a device to tamper with the signals on the bus, or to send forged malicious instructions or data onto the bus. This is a serious threat to the industrial control system, because it can cause devices in the serial communication bus network to operate abnormally and can even disturb the stable operation of the whole system.
In traditional industrial control systems, there has been much research on defenses against common network intrusion attacks, such as communication encryption to ensure information security, traffic monitoring to prevent malicious data injection, and intrusion detection systems to identify malicious behavior. However, these methods are difficult to apply against physical intrusion attacks on an industrial control system. On the one hand, the serial bus communication network lacks safety protection: after a physical intrusion there is no effective way to detect whether an external device is present in the system, and there is no corresponding identity authentication mechanism in the communication. On the other hand, because of the real-time requirements of industrial equipment communication and the weak computing power of the devices themselves, it is difficult to rely on well-designed encryption algorithms to protect the information carried by serial communication bus protocols, and these protocols were open to the public from the beginning of their design, which makes it easy for an attacker to use them to intercept information or falsify instructions. Both points indicate that the serial communication bus network of an industrial control system is exposed to the risk of physical intrusion, that the external devices involved are difficult to detect, and that this has a strongly adverse effect on the stable operation of the industrial control system.
An object of the present invention is to provide a method for detecting physical intrusion attacks in an industrial control system based on analysis of the signals on a serial communication bus, which is used to counter the threat of physical intrusion attack that an industrial control system may face and effectively solves the security problem that traditional network intrusion prevention methods cannot detect malicious external devices in a serial communication bus network.
In order to achieve the above object, the present invention adopts technical solutions as follows.
A method for detecting physical intrusion attack in an industrial control system based on analysis of signals on a serial communication bus comprises the steps of: actively sending a detection signal onto the communication bus via a bus controller in the serial communication bus network; sampling and analyzing the signals on the communication bus by a monitoring device; performing a differential comparison with a standard signal stored in the database of the monitoring device; detecting an intrusion signal in the difference signal by means of noise reduction technology and weak signal detection technology; and, according to the detection result for the intrusion signal caused by an external device, effectively determining whether there is an external malicious device in the system and thus whether the system is subjected to a physical intrusion attack.
Furthermore, the method specifically comprises the steps of:
S1: monitoring the usage state of the serial communication bus in the industrial control system by the bus controller according to a set time period;
if the communication bus is in an idle state, sending a detection signal once by the bus controller;
if the communication bus is in a data transmission state, continuing to monitor and wait until the communication bus is in an idle state, then sending the detection signal once by the bus controller;
S2: performing sampling and protocol parsing on all communication signals received on the serial communication bus by the monitoring device deployed in the network;
S3: analyzing the parsed signals and determining whether to start detecting a physical intrusion attack on the industrial control system;
S4: comparing the received signal data with the standard signal data in the database of the monitoring device to obtain a difference signal between them;
S5: detecting the intrusion signal in the difference signal; if the intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is subjected to a physical intrusion attack and continuing with S6; if no intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is not subjected to a physical intrusion attack and continuing to monitor the bus to receive the next communication signal;
S6: according to the detection result for the intrusion signal, if the serial communication bus network of the industrial control system is subjected to a physical intrusion attack, reporting the detection result to the bus controller in the serial communication bus network, and making a quick judgment and an emergency response to the physical intrusion attack by the bus controller.
Preferably, in step S1, the detection signal is set according to the protocol specification of the serial communication bus; its digital sequence is different from that of all normal communication signals, and it can be identified and analyzed only by the corresponding monitoring device in the serial communication bus network, while the other devices do not respond to it.
Preferably, step S2 specifically comprises: according to the type of serial communication bus in the industrial control system, performing protocol parsing on the communication signals with the corresponding protocol, such as Modbus, CAN bus, P-NET, PROFIBUS, WorldFIP, ControlNet, FF or HART, to obtain a digital signal sequence.
Preferably, step S3 specifically comprises the steps of:
S301: performing a consistency check between the digital signal sequence parsed in step S2 and the digital sequence of the detection signal; if the received signal is the detection signal, starting the detection of a physical intrusion attack on the industrial control system and performing step S302; if the received signal is not the detection signal, making no response and continuing to monitor the bus to receive the next communication signal;
S302: according to the consistency check result between the received signal and the detection signal, further determining whether the monitoring device is receiving the detection signal for the first time: if the signal database of the monitoring device is empty, storing the received signal data in the local database and treating it as the standard signal under normal conditions of the system; if signal data is already stored in the signal database of the monitoring device, continuing with step S4.
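Steps S2 and S3 above, as an added worked example (not code from the patent) for the Modbus RTU over RS485 case named later in the embodiment: the monitoring device parses each frame (address, function code, payload) and verifies its CRC-16, checks the parsed digital sequence against the detection frame's sequence (S301), and on first receipt stores the accompanying sampled signal as the standard signal, otherwise hands control to step S4 (S302). The detection frame layout is an assumption chosen so that ordinary slaves ignore it: slave address 0xF8 (the Modbus range 248 to 255 is reserved, so no slave answers), a user-defined function code 0x41, and a fixed two-byte marker; the sample values and the in-memory "signal database" are constructed for illustration.

```python
"""Monitoring-device logic for steps S2 and S3 on a Modbus RTU / RS485 bus.

Added worked example; not code from the patent. The detection frame layout,
the signal database as a plain attribute, and the sample values are
assumptions for illustration.
"""
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS (reflected polynomial 0xA001, init 0xFFFF) used by RTU framing."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(addr: int, func: int, payload: bytes) -> bytes:
    """RTU frame = address, function code, payload, CRC (low byte first on the wire)."""
    body = bytes([addr, func]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def parse_frame(frame: bytes):
    """Step S2: protocol parsing. Returns (addr, func, payload); raises ValueError
    for frames that are too short or fail the CRC check."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]


# Assumed detection frame: reserved slave address (248..255 are reserved in
# Modbus, so no slave answers), a user-defined function code and a fixed marker.
DETECTION_ADDR = 0xF8
DETECTION_FUNC = 0x41
DETECTION_MARKER = bytes.fromhex("5A5A")
DETECTION_FRAME = build_frame(DETECTION_ADDR, DETECTION_FUNC, DETECTION_MARKER)
DETECTION_SEQUENCE = parse_frame(DETECTION_FRAME)   # the digital sequence compared in S301


class MonitoringDevice:
    """Holds the signal database of step S302 (None while the database is empty)."""

    def __init__(self):
        self.standard_signal = None

    def on_frame(self, frame: bytes, sampled_signal):
        """Step S3. `sampled_signal` is the analog record captured alongside the
        frame. Returns 'malformed', 'ignore', 'stored_standard' or 'compare'."""
        try:
            sequence = parse_frame(frame)
        except ValueError:
            return "malformed"             # not a valid frame; keep monitoring
        # S301: consistency of the parsed sequence with the detection sequence
        if sequence != DETECTION_SEQUENCE:
            return "ignore"                # normal traffic; no response
        # S302: first detection signal seen becomes the standard signal
        if self.standard_signal is None:
            self.standard_signal = list(sampled_signal)
            return "stored_standard"
        return "compare"                   # standard exists; proceed to step S4


def demo():
    """Constructed traffic: a normal read request, a corrupted detection frame,
    then the detection frame twice (first stores, second triggers comparison)."""
    monitor = MonitoringDevice()
    normal_read = build_frame(0x01, 0x03, bytes.fromhex("00000002"))  # 01 03 00 00 00 02 C4 0B
    corrupted = DETECTION_FRAME[:-1] + bytes([DETECTION_FRAME[-1] ^ 0xFF])
    first_samples = [1.00, 1.00, -1.00, -1.00]      # constructed V_diff samples
    later_samples = [0.98, 1.01, -0.99, -1.02]
    return [
        monitor.on_frame(normal_read, first_samples),
        monitor.on_frame(corrupted, first_samples),
        monitor.on_frame(DETECTION_FRAME, first_samples),
        monitor.on_frame(DETECTION_FRAME, later_samples),
    ]


if __name__ == "__main__":
    print(demo())
```

The frame check only gates the analog comparison of steps S4 and S5; in the method as described it is a trigger recognized by the monitoring device, not an authentication of the sender, so the decision about an external device rests on the difference signal rather than on the frame contents.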
Preferably, in step S5, the intrusion signal is a deterministic signal, caused by the physical intrusion attack, that is superimposed on the original detection signal sent by the bus controller, and the intrusion signal has the same period as the detection signal.
Preferably, step S5 specifically comprises the steps of:
S501: performing noise reduction processing on the difference signal data obtained in step S4;
S502: using weak signal detection technology, detecting whether the intrusion signal exists in the difference signal and deciding according to the result of the weak signal detection.
Furthermore, the method further comprises a step of: alerting a primary station after the bus controller receives the detection result of the physical intrusion attack.
Compared with the conventional arts, the present invention has the following beneficial effects:
The invention provides a method for detecting physical intrusion attack in an industrial control system based on analysis of the signals on a serial communication bus, in which the serial communication bus signals are sampled and analyzed by a monitoring device, compared with the standard signals stored in its database, and the intrusion signal is then detected by noise reduction technology and weak signal detection technology. According to the detection result for the intrusion signal, it can quickly and effectively determine whether there is an external malicious device in the system and whether the system is secure against physical intrusion attack, which solves the technical security problem that external devices cannot be detected effectively by network defense methods in the serial communication bus network of an industrial control system.
In addition, the present invention uses the bus controller already present in the serial communication bus network of the industrial control system to transmit the detection signal, and then uses a monitoring device deployed in the network to perform sampling, differential comparison analysis and signal detection, so that it neither adds modification cost to the original devices nor changes the connection structure of the original communication network.
The detection signal of the present invention is set according to the serial communication bus type and protocol of the industrial control system; its digital sequence is different from that of all normal communication signals, and it is transmitted only when the serial communication bus is idle. It therefore does not affect normal communication between the communication devices and does not disturb the system through abnormal responses from other devices that receive the detection signal.
In the invention, after receiving a signal, the monitoring device first performs a consistency comparison between the received signal sequence and the detection signal sequence and continues to monitor when the two sequences are inconsistent; in addition, the monitoring device stays in the monitoring state when no intrusion signal is found according to the intrusion detection result. These measures further reduce the time and resources needed to detect a physical intrusion attack on the serial communication bus of an industrial control system and improve the speed and efficiency of the detection method.
In order to more clearly illustrate the embodiments of the present invention or the current technical solutions, the drawings described in the preferred embodiments or the current technical solutions will be briefly described below.
The preferred embodiments of the present invention provide a method for detecting physical intrusion attack in industrial control system based on analysis of signals on serial communication bus, which solves the safety and security technology problem that the external devices can not be effectively detected by network defense methods in the serial communication bus network in the industrial control system.
The technical solutions of the embodiments of the present invention will be clearly and completely described in conjunction with the drawings of the embodiments. The present invention provides a method for detecting physical intrusion attack that addresses the following attack scenario: in the RS485 bus network of an industrial control system, the attacker implants an external device in the system through physical intrusion and uses that device to obtain communication information and forge control instructions, endangering the security and stability of the system. For a specific analysis, see the following embodiments.
In the steady state model, the transmission line is equivalent to an impedance that depends only on the resistance of the line itself and its inherent parameters such as length, thickness and material, and which is distinct from the characteristic impedance. As shown in
Therefore, when no external device is connected to the system, the following two iterative processes are required to calculate the system impedance of the steady state model in
1) Assign the initial value $r_0 = Z_r$, and calculate the impedance after $Z_M$:
2) Calculate the impedance before $Z_M$ with the above iterative result $r_n$:
When an attacker connects an external device to the system through a physical intrusion attack, assuming that the access location of the external device is between the kth device and the (k+1)th device, the above two impedance iterations change as follows:
1) While calculating $r_k$ to $r_{k+1}$:
2) While calculating $r_{2n-k}$ to $r_{2n-k+1}$:
For such an attack situation, combined with
When the system first uses the method for detecting physical intrusion attack of the present invention, the specific execution process and steps are as follows:
Step S1: The bus controller in the RS485 communication bus network monitors the bus usage state and, when it detects that the bus is idle, sends a detection signal U(t) onto the two RS485 signal lines; in the embodiment the detection signal is a square wave with a period of 200 μs and an amplitude swinging from −5 V to +5 V;
Step S2: The monitoring device deployed in the RS485 communication bus network collects signals on the bus. According to the steady state model of
$V_{\mathrm{diff}}(m,t) = 2(\rho_m - \mu_m)\,U(t) + \nu(t)$
wherein $\nu(t)$ is the sum of the environment noise and the measurement noise, and $\rho_m$, $\mu_m$ are the voltage signal partition coefficients at the mth monitoring device:
Then the monitoring device parses the signal according to the Modbus protocol, which is commonly carried over RS485, to obtain the corresponding digital signal sequence;
Step S3: The monitoring device analyzes and processes the parsed signal, and specifically includes the following steps:
Step S301: Perform a consistency check between the digital sequence of the received signal and the digital sequence of the detection signal. If the two sequences are inconsistent, the received signal is not the detection signal and the monitoring device remains in the monitoring state; if the two sequences are consistent, the detection signal has been received and the process goes to step S302;
Step S302: The monitoring device determines whether the detection signal is being received for the first time. After checking the local signal database of the device, if there is no data in the database, the detection signal at this time is taken as the standard signal in the initial state of the system, the standard signal is stored in the signal database, and the physical intrusion attack detection process ends.
When the method for detecting physical intrusion attack is not being used for the first time, that is, a standard signal is already stored, the specific execution process and steps are as follows:
Step S1: When the RS485 bus is in an idle state, the bus controller sends the detection signal onto the two RS485 signal lines as a complementary pair, in accordance with the RS485 balanced (differential) transmission mode;
Step S2: The monitoring device collects the signals on the bus. According to the steady state model of
$V'_{\mathrm{diff}}(m,t) = 2(\rho'_m - \mu'_m)\,U(t) + \omega(t)$
wherein $\omega(t)$ is the sum of the environment noise and the measurement noise, and $\rho'_m$, $\mu'_m$ take one of the following two forms:
1) If the (k+1)th device is before the mth device:
2) If the kth device is after the mth device:
Then the monitoring device parses the signal according to the Modbus protocol, which is commonly carried over RS485, and obtains the corresponding digital signal sequence;
Step S3: The monitoring device analyzes and processes the parsed signal, and specifically includes the following steps:
Step S301: Perform a consistency check between the digital sequence of the received signal and the digital sequence of the detection signal. If the two sequences are inconsistent, the signal is not the detection signal and the monitoring device remains in the monitoring state; if the two sequences are consistent, the detection signal has been received and the process goes to step S302;
Step S302: The monitoring device determines whether the detection signal is being received for the first time. After checking the local signal database of the device, since the standard signal is already stored in the database, the physical intrusion attack detection process continues and goes to step S4.
Step S4: differentially comparing the received detection signal data with standard signal data in the monitoring device signal database to obtain a difference signal between the two signals;
If the system is not under physical intrusion attack, that is, there is no external device, the difference signal should be:
$\Delta V_{\mathrm{diff}}(m,t) = \nu(t) - \omega(t)$
If the system is under physical intrusion attack, that is, there is at least one external device, the difference signal should be:
$\Delta V_{\mathrm{diff}}(m,t) = \delta(t) + \nu(t) - \omega(t)$
$\delta(t) = 2\left[(\rho_m - \rho'_m) - (\mu_m - \mu'_m)\right]U(t)$
where $\delta(t)$ is the intrusion signal caused by the external device;
Step S5: detecting the intrusion signal in the difference signal, which specifically includes the following steps:
Step S501: performing noise reduction processing on the difference signal data; in the embodiment, the digital averaging method is used to improve the SNR of the difference signal, and MATLAB software is used to simulate the noise reduction processing of the difference signal.
Step S502: detecting whether the intrusion signal exists in the difference signal; in the embodiment, the detection method uses cross-correlation detection technology, and MATLAB software is used to simulate the intrusion detection on the difference signal.
If the intrusion signal is detected in the difference signal, it is determined that the RS485 communication bus network has been subjected to a physical intrusion attack and the process continues with S6; if the intrusion signal is not detected in the difference signal, it is determined that the RS485 communication bus network is not subjected to a physical intrusion attack, the monitoring device returns to the monitoring state, and the physical intrusion attack detection process ends;
Step S6: According to the detection result of the intrusion signal, if the RS485 communication bus network is subjected to a physical intrusion attack, the detection result is reported to the RS485 controller, so that the controller can quickly judge and respond to the physical intrusion attack.
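Steps S4 to S6 of the embodiment, as an added worked example that is not code from the patent: the MATLAB simulation is replaced by a pure Python model of the same pipeline. The square-wave detection signal U(t) with a 200 μs period and ±5 V amplitude is taken from step S1; the standard and received signals follow the V_diff and V'_diff expressions above; "digital averaging" is implemented as period-synchronous (coherent) averaging over M periods, and "cross-correlation detection" as a normalized circular cross-correlation of the averaged difference against one period of U(t). The sampling rate (1 MS/s, 200 samples per period), the partition coefficients ρ_m, μ_m, ρ'_m, the noise level and the decision threshold are assumptions chosen so that δ(t) is a weak signal buried in the noise; the step S6 report is reduced to the boolean result.

```python
"""Steps S4 and S5 of the monitoring device: difference signal, digital
averaging for noise reduction and cross-correlation detection of delta(t).

Added worked example; not code from the patent. Sampling rate, partition
coefficients, noise level and decision threshold are assumptions.
"""
import math
import random

PERIOD_US = 200                # detection-signal period from step S1 of the embodiment
SAMPLES_PER_PERIOD = 200       # assumed 1 MS/s sampling -> 200 samples per period
AMPLITUDE_V = 5.0              # U(t) swings between -5 V and +5 V
CORR_THRESHOLD = 0.5           # assumed decision threshold on the peak |correlation|


def detection_signal(n_periods):
    """U(t): +5 V for the first half of each period, -5 V for the second half."""
    half = SAMPLES_PER_PERIOD // 2
    one = [AMPLITUDE_V] * half + [-AMPLITUDE_V] * (SAMPLES_PER_PERIOD - half)
    return one * n_periods


def observed(u, rho, mu, noise_std, rng):
    """V_diff(m,t) = 2(rho_m - mu_m) U(t) + noise, as seen at the m-th monitoring device."""
    gain = 2.0 * (rho - mu)
    return [gain * x + rng.gauss(0.0, noise_std) for x in u]


def difference_signal(standard, received):
    """Step S4: Delta V_diff = standard - received = delta(t) + nu(t) - omega(t)."""
    return [a - b for a, b in zip(standard, received)]


def digital_average(x):
    """Step S501: period-synchronous (coherent) averaging over M periods. The
    periodic delta(t) adds in phase while the noise power falls by a factor of M."""
    m = len(x) // SAMPLES_PER_PERIOD
    acc = [0.0] * SAMPLES_PER_PERIOD
    for p in range(m):
        base = p * SAMPLES_PER_PERIOD
        for i in range(SAMPLES_PER_PERIOD):
            acc[i] += x[base + i]
    return [v / m for v in acc]


def peak_normalized_xcorr(x, template):
    """Step S502: circular cross-correlation of one averaged period against the
    detection template, normalized to [-1, 1]; returns (peak |r|, lag at the peak).
    |r| is used because delta(t) may have either sign depending on where the
    external device sits relative to the monitoring device."""
    n = len(template)
    xm, tm = sum(x) / n, sum(template) / n
    xc = [v - xm for v in x]
    tc = [v - tm for v in template]
    norm = math.sqrt(sum(v * v for v in xc)) * math.sqrt(sum(v * v for v in tc))
    best, best_lag = 0.0, 0
    for lag in range(n):
        s = sum(xc[i] * tc[(i + lag) % n] for i in range(n))
        r = abs(s) / norm
        if r > best:
            best, best_lag = r, lag
    return best, best_lag


def intrusion_gain(avg_diff, template):
    """Least-squares estimate of c in delta(t) = c U(t), with
    c = 2[(rho_m - rho_m') - (mu_m - mu_m')]."""
    return sum(d * u for d, u in zip(avg_diff, template)) / sum(u * u for u in template)


def detect_intrusion(standard, received):
    """Steps S4 and S5 end to end: (attacked?, peak correlation, estimated c)."""
    template = detection_signal(1)
    avg = digital_average(difference_signal(standard, received))
    corr, _ = peak_normalized_xcorr(avg, template)
    return corr >= CORR_THRESHOLD, corr, intrusion_gain(avg, template)


def scenario(attacked, n_periods=400, seed=1):
    """Constructed data. Baseline rho_m=0.55, mu_m=0.05 gives V_diff = U(t); the
    external device is modelled as shifting rho_m to 0.54, so delta(t) = 0.02 U(t):
    a +/-0.1 V signal under about 0.28 V rms noise in the raw difference signal."""
    rng = random.Random(seed)
    u = detection_signal(n_periods)
    standard = observed(u, 0.55, 0.05, 0.20, rng)     # stored at first use (step S302)
    rho_now = 0.54 if attacked else 0.55
    received = observed(u, rho_now, 0.05, 0.20, rng)  # a later detection signal
    return detect_intrusion(standard, received)


if __name__ == "__main__":
    for attacked in (False, True):
        flag, corr, c = scenario(attacked)
        print(f"external device={attacked}: detected={flag}, peak |r|={corr:.3f}, c={c:.4f}")
```

With these values the raw difference has an SNR well below 1, and it is the coherent averaging over 400 periods (noise rms falling from about 0.28 V to about 0.014 V) that makes the ±0.1 V intrusion signal separable; the correlation peak for the clean case stays near the noise floor, while the estimated gain c recovers the factor 2[(ρ_m − ρ'_m) − (μ_m − μ'_m)] = 0.02 to within the residual noise.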
It can be seen from the above that, by using the method for detecting physical intrusion attack proposed by the present invention, it is possible to quickly and accurately determine whether an external device exists in the RS485 communication bus network and thus whether the system is subject to a physical intrusion attack.
One skilled in the art will understand that the embodiment of the present invention as shown in the drawings and described above is exemplary only and not intended to be limiting.
It will thus be seen that the objects of the present invention have been fully and effectively accomplished. Its embodiments have been shown and described for the purpose of illustrating the functional and structural principles of the present invention and are subject to change without departing from such principles. Therefore, this invention includes all modifications encompassed within the spirit and scope of the following claims.
Number | Date | Country | Kind |
---|---|---|---|
201810361229.6 | Apr 2018 | CN | national |
This is a U.S. National Stage under 35 U.S.C. 371 of the International Application PCT/CN2018/120178, filed Jan. 22, 2019, which claims priority under 35 U.S.C. 119(a-d) to CN 201810361229.6, filed Apr. 20, 2018.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2018/120178 | 1/22/2019 | WO | 00 |