JP2018136811A - Control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To obtain a control system for preventing alternation of a program by a computer virus or a third party and for minimizing an impact on a plant by such alternation.SOLUTION: A control system has an engineering apparatus having a program editor using a ladder language, a program conversion compiler, a program encoded by it, and a control parameter and transmitting these to another apparatus, a storage unit for storing programs and parameters received from the apparatus, a key calculating unit for calculating a security key from data on the storage unit, a previous-key storing unit for storing a security key previously calculated, and a control apparatus having a key matching unit for comparing two kinds of security data obtained by the units. If the compared data ara not matched with each other, a program is operated in response to set major failure and minor failure. In a case of major failure, execution of the entire program is stopped. In a case of minor failure, only a part of functions is stopped to carry out degeneration operation.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a technique for preventing falsification of a program in a control system having a control device for controlling a plant.

  Conventionally, a control system includes a control device that executes a program for controlling a plant, and an engineering device that creates the program and transfers the program to the control device. Generally, when a program is transferred from an engineering device, authentication is performed using a password set in the engineering device in advance, and the program is prevented from being falsified by permitting the transfer only when it is correctly authenticated. . Another method to prevent falsification of the program is to create a digest code from the program when transferring the program from the engineering device to the control device and compare it with the digest code of the previously transferred program read from the storage device. If not done, a method is proposed in which the transfer is judged to be an unauthorized change (see, for example, Patent Document 1).

JP 2003-202928 A

  In recent years, cyber attacks on control systems have occurred, and security requirements for control systems are increasing. Usually, the control device in the control system is not directly connected to the Internet, but is only connected to a control network or a local network closed in the control system, so that the possibility of computer virus infection via the Internet is low. However, there is a possibility of virus infection via an electronic medium such as a USB memory, and it is also conceivable that a program is altered by a third party via an engineering device. If the program is altered by these, countermeasures are necessary because it can cause enormous problems for the entire plant.

  The technique proposed in Patent Document 1 is to stop the transfer to the control apparatus when the program is transferred from the engineering apparatus to the control apparatus and the program is checked to determine that the change is illegal. This is to check whether the program once stored in the engineering device has been illegally changed. In the case of a computer virus, the program is tampered without going through the engineering device, so this method cannot detect or prevent tampering with the program stored in the control device. Cannot reduce the impact on the entire plant.

  The present invention has been made in order to solve the above-described problems, and prevents the computer virus or a third party from falsifying the program, and the control capable of minimizing the influence on the plant even if falsified. The purpose is to obtain a system.

The control system according to the present invention includes:
A control system comprising an engineering device for creating a program for controlling a plant and a control device for executing the program transferred from the engineering device,
The controller is
A key calculation unit that calculates a security key that is a hash value that is uniquely hashed from the program transferred from the engineering device, or a password that is given by a user when the program is first transmitted from the engineering device;
A previous key storage unit for storing the security key calculated by executing the previous program;
A key verification unit that compares and collates the security key calculated by executing the current program and the security key calculated when the previous program stored in the previous key storage unit;
If there is a previous security key calculated by the key calculation unit, the key verification unit performs comparison and verification, and if the comparison and verification result matches, the program is executed, and the comparison and verification result does not match To select whether to execute the program according to a predetermined condition,
When there is no previous security key calculated by the key calculation unit, the key verification unit does not perform comparison verification and executes the program.

  According to the present invention, in a control system having a control device for controlling a plant, control of a computer virus or a program by a third party can be prevented, and the control that can minimize the influence on the plant even if tampered. A system can be provided.

It is a figure which shows an example of the control system in Embodiment 1 of this invention. It is a figure which shows an example of the hardware constitutions which each of the control apparatus and engineering apparatus of the control system in Embodiment 1-5 of this invention has. It is a flowchart figure which shows operation | movement of the control system in Embodiment 1 of this invention. It is a figure which shows an example of the control system in Embodiment 2 of this invention. It is a figure which shows an example of the control system in Embodiment 3 of this invention. It is a figure which shows an example of the control system in Embodiment 4 of this invention. It is a figure which shows an example of the control system in Embodiment 5 of this invention.

Embodiment 1 FIG.
A first embodiment of the present invention will be described below with reference to FIG.
FIG. 1 is a block diagram of a control system including a control device with a falsification preventing function according to Embodiment 1 of the present invention.

  An engineering device 101 that creates a control program is connected to a control device 201 that executes the control program via a communication cable 301. The engineering device 101 includes a program editor 102 that creates a control program using a ladder language, a compiler 103 that converts the created program into machine language code, a control parameter 105 for operating the control device 201, and machine language code. It has the transmission part 106 which transmits the encoding program 104 which is the program after conversion to a control apparatus. The transmission operation is realized by the processor and the memory included in the engineering apparatus 101 by the processor executing a program stored in the memory (see FIG. 2).

The control device 201 includes a receiving unit 202 for receiving the program and control parameters transmitted from the engineering device 101, a storage unit 203 for storing the received program and control parameters, and security uniquely determined from the transmitted program. Key 205 (Here, the security key is a hash value hashed based on the original text given for program protection, and includes irreversible one-way function processing. This is a calculation processing method for generating a fixed-length pseudo-random number from a given original text (this calculation processing method is usually called a hash function or a summarization function), and a key calculation unit 204 that calculates the last time. To store the previous security key 207 which is the security key of the program And a key verification unit 208 for comparing and collating the previous security key 207 that security key 205 and previously stored calculated by the previous key storage unit 206, the key calculation unit 204.

  A user creates a control program in the program editor 102 of the engineering apparatus 101 and registers a control parameter 105 for operating the control apparatus 201. The created program is changed to a coded program 104 converted into a machine language code by the compiler 103 and transmitted to the control device 201 by the transmission unit 106 together with the control parameter 105. The control device 201 receives the coded program and control parameters transmitted from the engineering device 101 and stores them in the storage unit 203.

Thereafter, the operation as shown in the flowchart of FIG. 3 is performed.
The operation of the control device 201 shown in the flowchart of FIG. 3 will be described in detail. In step S201, the control device refers to the storage unit 203 that stores the coded program or the like, and calculates the security key 205 of the program in the key calculation unit 204 for the program stored in step S202. The security key 205 is a value uniquely determined from the program (only) by performing hash processing using, for example, the size of the program and the number of instructions. There is also a method in which a user assigns a password when an encoding program and a control parameter are transmitted for the first time from the engineering apparatus 101 to the control apparatus 201. In this case, the password can be used as the security key 205.

In step S203, the previous key storage unit 206 refers to the previous security key 207 that is the security key used at the previous execution. If the previous key is not registered, this time is regarded as the first execution, the program is executed as it is, and the security key calculated this time is stored in the previous key storage unit 206 (steps S205 to S206). If the previous key has been registered in step S203, the security key 205 calculated this time and the previous security key 207 stored in the previous key storage unit 206 are compared and verified by the key verification unit 208. If they match, the program is executed. . If they do not match, the program is not executed (steps S203 to S2).
04, S207).

  This is the operation when the user or a third party modifies the program using the engineering device, but also when it is altered by a computer virus or the like via the Internet, it operates according to the flowchart of FIG. It is possible to prevent execution of a falsified illegal program. Further, not only the program but also the control parameter can be applied to prevent falsification of the control parameter by calculating the security key in the same manner and comparing it with the previous execution.

  According to the first embodiment, the control device 201 includes a key calculation unit 204 that calculates a security key 205 uniquely determined from a program, and the security key 205 calculated thereby and the previous execution program stored in the previous key storage unit 206. Compared with the previous security key 207 by the key collating unit 208, the program is not executed if they do not match, so execution of a program illegally modified by a third party or a computer virus can be prevented. The operations of the receiving unit 202, the storage unit 203, the key calculation unit 204, the security key 205, the previous key storage unit 206, the previous security key 207, and the key verification unit 208, which are the components of the control device 201, are as follows. This is realized by using a processor and a memory included in the control device 201 and executing the program stored in the memory by the processor (see FIG. 2).

Embodiment 2. FIG.
The second embodiment of the present invention will be described below with reference to FIG.
FIG. 4 is a block diagram showing a control system according to Embodiment 2 of the present invention.

Unlike FIG. 1, FIG. 4 further includes a RAS unit 209 having a RAS (abbreviation of Reliability Availability and Serviceability) function for causing a major or minor failure when the control device detects falsification during program execution. . Other components are the same as those described in the first embodiment. In addition, the engineering device 101 has a heavy / light failure parameter 107 for setting which operation is to be performed between a heavy failure operation and a light failure operation when the control device detects program falsification. The serious failure parameter is a program part unit (here, the program part is a program in which the program (whole) is reduced in size according to function. For example, the computer function is a storage function, a calculation function, It is possible to set the operation according to the falsified part by setting the control function and input / output function, meaning that each program is grouped for each function).

  In the first embodiment, the security key 205 calculated from the program to be executed and the stored previous security key 207 are compared and collated, and if they do not match, they are not executed.

  However, if the control device 201 is stopped after the plant operation is started, the influence on the entire plant is large. Therefore, even if falsification is detected during the program execution, the influence on the system is small. Judgment is made based on whether or not the operation of the entire control device can be guaranteed in the case of stoppage, for example, if only a part of communication functions are stopped and other functions operate normally, the effect is small and minor failure It is desirable to be able to continue to execute programs other than the tampered part program. For this reason, the operation when tampering is detected can be set by the user in units of program parts.

  The control device 201 includes a RAS unit 209 having a RAS function for operating in accordance with the set control parameters. When falsification is detected by a program component set to a serious failure, the program of the entire control device is stopped and a minor failure is detected. When tampering is detected with the set program parts, only the program parts are stopped and other programs are executed to cause the system to perform a degenerate operation.

  According to the second embodiment, the engineering device 101 has the heavy / light failure parameter 107 for setting the heavy failure / light failure according to the falsification site, and the control device 201 has the RAS function that operates according to the setting. 209. As a result, even if the control device 201 detects tampering during the execution of the program, it is possible to continuously operate (light failure operation) by degrading the function without stopping the control device 201, so that the influence on the plant is minimized. To the limit. Note that the operation of the RAS unit 209, which is the above-described component of the control device 201, is realized by executing a program stored in the memory using the processor and memory included in the control device 201 ( (See FIG. 2).

Embodiment 3 FIG.
The third embodiment of the present invention will be described below with reference to FIG.
FIG. 5 is a block diagram showing a control system according to Embodiment 3 of the present invention. 5 is different from that shown in FIG. 4 in that a control unit 201 includes a notification unit 210 that notifies other programs that a program tampering has been detected. The rest is the same as in FIG.

  In the second embodiment, when a falsification of a program is detected, a major or minor fault operation is performed, and when a minor fault occurs, execution of only the program that has detected the falsification is stopped. In general, the program of the control device is composed of a plurality of program parts, and when only the altered program part is stopped, there is a possibility of affecting the control by other program parts.

  Therefore, when a falsification is detected in a certain program part, the information is stored in the internal memory, and a notification unit 210 that notifies other program parts that falsification has been detected is provided. As a result, by referring to the notified information in the other program parts, it is possible to perform an operation such as stopping the function affected when the altered program part is stopped.

  According to the third embodiment, the control unit 201 includes the notification unit 210 that notifies other program parts that the falsification of the program parts has been detected. As a result, functions that have an effect on other program parts can be stopped in conjunction with each other, so that even when tampering is detected, the degenerate operation can be performed more safely. Note that the operation of the notification unit 210, which is the above-described component of the control device 201, is realized by executing a program stored in the memory using the processor and memory of the control device 201 ( (See FIG. 2).

Embodiment 4 FIG.
A fourth embodiment of the present invention will be described below with reference to FIG.
FIG. 6 is a block diagram showing a control system according to Embodiment 4 of the present invention. In FIG. 6, the same reference numerals as those shown in FIG. 5 have the same contents as those in FIG.

  In FIG. 6, the engineering apparatus 101 includes a key calculation unit 109 that calculates a security key from a program, like the control apparatus 201. The engineering device 101 calculates the security key 110 from the pre-modification program 108 by the key calculation unit 109 and automatically registers it as a control parameter, and the transmission unit 106 modifies the coded program 104a (modified code after modification). The program is also referred to as a post-remodeling program for short) and transmitted to the control device 201.

  When modifying a program, it is necessary to make the controller recognize that it is a legitimate modification. Therefore, the engineering apparatus 101 also includes a key calculation unit 109 that calculates a security key from a program, like the control apparatus 201.

  In the engineering device 101, the security key 110 calculated from the pre-modification program 108 is registered as a control parameter, and when the modified program is transferred, the control parameter is also transferred to the control device 201. The control device 201 receives the modified coding program 104 a and the security key 110 calculated from the pre-modification program 108 by the receiving unit 202.

  The previous security key 207 stored in the previous key storage unit 206 and the security key 110 transferred from the engineering device 101 are compared and verified by the key verification unit 208. The encoding program 104a is adopted. If they do not match, it will be judged as an unauthorized modification, and the transferred program will not be adopted.

  According to the fourth embodiment, by performing authentication using the security key 110 calculated from the pre-modification program 108 in the engineering apparatus 101, it is possible to distinguish between unauthorized modification and regular modification. In addition, since the user does not need to memorize a password or the like for security authentication, it does not require the trouble of password management. Note that the operation of the key calculation unit 109 is realized by the processor and the memory included in the engineering apparatus 101 by the processor executing a program stored in the memory (see FIG. 2).

Embodiment 5. FIG.
The fifth embodiment of the present invention will be described below with reference to FIG.
FIG. 7 is a block diagram showing a control system according to Embodiment 5 of the present invention. 7 is different from that shown in FIG. 6 in that the control device 201 includes a holding unit 211 that holds a previously executed program as a backup.

  In the second embodiment, when a falsification of a program is detected, a major or minor fault operation is performed. However, in order to recover, it is necessary to delete the falsified program and transfer the correct program from the engineering device again. In that case, since the reset / run operation of the control device 201 is generally involved, the equipment must be stopped.

  Therefore, in the fifth embodiment, the control device 201 includes a holding unit 211 that holds a previously executed program as a backup. If tampering is detected when the program is executed, the security key is calculated with the stored program and the stored security key is collated. If they match, the program is executed with the stored program.

  According to the fifth embodiment, the storage unit 211 that holds a previously executed program as a backup is provided, and when it is detected that the program to be executed has been tampered with, the program can be executed with the backed up program. It is not necessary to tamper with the equipment and stop the equipment when restoring it, and the impact on plant operation can be minimized. Note that the operation of the holding unit 211, which is the above-described component of the control device 201, is realized by executing a program stored in the memory using the processor and the memory included in the control device 201 ( (See FIG. 2).

  It should be noted that the present invention can be freely combined with each other within the scope of the invention, and each embodiment can be appropriately modified or omitted. For example, in the first to fifth embodiments, the engineering device 101 or the control device 201 has been described as including one processor and a memory each. However, the present invention is not limited to this, and a plurality of processors or memories are included. Provided, and these may cooperate to execute the above-described operations.

  DESCRIPTION OF SYMBOLS 101 Engineering apparatus, 102 Program editor, 103 Compiler, 104 Coded program, 104a Coded program after modification, 105 Control parameter, 106 Transmitter, 107 Severe failure parameter, 108 Program before modification, 201 Controller, 202 Reception Unit, 203 storage unit, 109, 204 key calculation unit, 110, 205 security key, 206 previous key storage unit, 207 previous security key, 208 key verification unit, 209 RAS unit, 210 notification unit, 211 holding unit, 301 communication cable

Claims (5)

A control system comprising an engineering device for creating a program for controlling a plant and a control device for executing the program transferred from the engineering device,
The controller is
A key calculation unit that calculates a security key that is a hash value that is uniquely hashed from the program transferred from the engineering device, or a password that is given by a user when the program is first transmitted from the engineering device;
A previous key storage unit for storing the security key calculated by executing the previous program;
A key verification unit that compares and collates the security key calculated by executing the current program and the security key calculated when the previous program stored in the previous key storage unit;
If there is a previous security key calculated by the key calculation unit, the key verification unit performs comparison and verification, and if the comparison and verification result matches, the program is executed, and the comparison and verification result does not match To select whether to execute the program according to a predetermined condition,
When there is no previous security key calculated by the key calculation unit, the key verification unit executes the program without performing comparison verification. The engineering device has a control parameter for setting whether to stop or continue the execution of the program when the comparison result of the key verification unit does not match,
When the control device detects that the comparison collation result of the key collation unit does not match during the execution of the program, the control device sets the program for each program component that is reduced in size according to function by the control parameter. 2. The control system according to claim 1, further comprising a RAS unit having a RAS function that sets in advance whether to stop or continue execution of a component and operates according to the setting.   When the control device detects that the comparison result of the key verification unit does not match during execution of the program, when the execution of the detected program component is continued, the control device indicates that the execution of the program component is continued. The control system according to claim 2, further comprising a notification unit that notifies other program parts. The engineering equipment is
A key calculation unit that calculates a security key that is a hash value that is uniquely hashed from the program is registered, the security key calculated by the key calculation unit by the program is registered as a control parameter, and the program is modified from the program Transfer to the control device together with the program after modification,
The controller is
The security key stored in the previous key storage unit and the security key transferred from the engineering device are collated, and if they match, it is determined that the modified program can be executed. The described control system.   The control device includes a holding unit that holds a previously executed program as a backup, and does not execute the program when the comparison result of the key verification unit is detected to be inconsistent during the execution of the program. The control system according to claim 1, wherein a program backed up in the holding unit is executed.

Images