1. Field of the Disclosure
The present disclosure relates to an improper communication detection system that acquires packets circulating through a plant network by mirroring and detects improper communication. More particularly, the present disclosure relates to an improper communication detection system capable of detecting improper traffic (communication of worms, bots, or viruses, setting mistakes, man-made attacks, etc.) that can become a menace to security in a plant network, and a symptom thereof, without relying on log analysis of a firewall (FW) or on the deployment and operation/running of an intrusion detection system (IDS).
2. Description of the Related Art
In recent years, as a process control system in industrial automation, a field control network to which field devices including sensors, such as flowmeters and thermometers, actuators, and field controllers, which form a feedback control loop, are connected, has been proposed.
Furthermore, as a control network management system for optimizing the operation of the entire plant, a plant network has been proposed.
On the other hand, in factories, IP networks that are laid down for office purposes exist. IP networks have become widely popular, and Ethernet (registered trademark) that is often used in an IP network permits a network to be flexibly constructed.
Thus, protocols that allow a plant network or a field control network to operate in an IP network have been proposed.
By using such a protocol, it becomes possible to cause a plant network or a field control network to coexist with an IP network laid down for office purposes.
That is, sensors, actuators, and the like can be directly connected to an IP network, and terminal devices become easier to access for maintenance and operation/running.
In these networks, there is a possibility that improper traffic (communication of worms, bots, and viruses, setting mistakes, man-made attacks, etc.) that can become a menace to security is generated. If improper traffic is generated, the running of the plant may be affected. For this reason, there has been a need to identify improper traffic and understand the network situation.
FIG. 6 is a configuration illustration of an embodiment of an improper communication detection system in a plant network of the related art.
In FIG. 6, a plant network 100 is a control network management system for optimizing the operation of the entire plant, and is specifically constituted by the following elements.
The plant network 100 is constituted by, for example, an operation console 1, which is a console device for controlling field devices and operating the plant; an OPC server 2, which is a server that allows different types of industrial automation control systems to interoperate, shares process-derived data in a multi-vendor environment, and transfers the data to a business system of an intranet; an engineering workstation 3, which is a workstation on which control logic incorporated into devices belonging to a field control network is developed and altered; and other terminal devices (PC-2, PC-3). The operation console 1, the OPC server 2, and the engineering workstation 3 are interconnected through the network 100.
The plant network 100 is located in a water purification plant, another kind of plant, or the like, and is, as a process control system in industrial automation, connected to a control bus network 200 constituted by field devices (devices including sensors such as flowmeters and thermometers, actuators, and field controllers) forming a feedback control loop. Specifically, the operation console 1, the engineering workstation 2, and the OPC server 3 are interconnected through the control bus network 200 and the plant network 100.
The plant network 100 is connected to an IP network (hereinafter referred to as an intranet) 300 laid down for office purposes in a plant factory.
The intranet 300 is constituted by a PC-1, which is a terminal device for office purposes, and is connected to the Internet 400 through a firewall (hereinafter referred to as an FW) 4 having a function of limiting communication among networks.
Furthermore, the intranet 300 is connected to the plant network 100 through an FW 6. An intrusion detection system (IDS) 5, to which the intranet 300 is connected, is controlled by the PC-1 and the like. The IDS 5 is also connected to the connection line of the FW 6 and the plant network 100.
Here, regarding the plant network 100, in the portion encircled by the dotted line, apparatuses having Windows (registered trademark) installed therein and open technology have been introduced in recent years. Consequently, a security risk has arisen. By detecting intrusion using the IDS 5, the security of the plant network is ensured.
The IDS 5 forms an improper communication detection system of the related art. The IDS 5 detects improper traffic by monitoring the plant network 100, and thus ensures the security of the plant network 100.
More specifically, in a case where the IDS 5 is of a signature type, the IDS 5 obtains a packet that is transmitted and received between the plant network 100 and the FW 6, and checks the obtained packet against prestored information on improper packets (hereinafter referred to simply as signatures). When the content of the packet matches a signature, the IDS 5 determines the packet to be an improper packet and blocks the communication.
In a case where the IDS 5 is of an anomaly type, the IDS 5 judges the current state to be abnormal when it deviates from a normal state that has been defined in advance by a statistical technique, and blocks the passage of the improper packet.
As a result, it becomes possible for the improper communication detection system in the plant network of the related art to make connection to a general-purpose network, such as the Internet, through a signature type (or anomaly type) IDS, thereby making it possible to detect the intrusion of an improper packet so as to block this packet.
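As an added illustration of the two IDS modes described above (this is not code from the disclosure or from any product), the following Python runs a signature check and a statistical baseline-deviation check over a constructed window of mirrored packet summaries; the addresses, ports, signature patterns and the mean + k·stddev threshold are all assumed sample values.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:  # summary of one mirrored packet (constructed, not a real capture)
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed signatures: byte patterns already classified as improper.
SIGNATURES = {"bad-pattern-A": b"\x90\x90\x90\x90", "bad-pattern-B": b"EVIL"}

def signature_hits(pkt: Packet) -> list[str]:
    """Signature type: the packet is improper if its payload contains a known pattern."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]

class FlowBaseline:
    """Anomaly type: flag flows or per-source rates that deviate from a learned normal state."""
    def __init__(self, k: float = 3.0):
        self.k, self.flows, self.mu, self.sigma = k, set(), 0.0, 0.0

    def learn(self, windows: list[list[Packet]]) -> None:
        counts = []  # per-source packet counts observed in clean windows
        for window in windows:
            self.flows.update((p.src, p.dst, p.dport) for p in window)
            counts.extend(Counter(p.src for p in window).values())
        self.mu, self.sigma = mean(counts), pstdev(counts)

    def anomalies(self, window: list[Packet]) -> list[str]:
        unknown = {(p.src, p.dst, p.dport) for p in window} - self.flows
        found = [f"unknown flow {s}->{d}:{port}" for s, d, port in sorted(unknown)]
        for src, n in Counter(p.src for p in window).items():
            if n > self.mu + self.k * self.sigma:  # mean + k*stddev rule
                found.append(f"rate spike from {src}: {n} pkts")
        return found

def inspect(baseline: FlowBaseline, window: list[Packet]) -> dict[str, list[str]]:
    sig = [f"{p.src}->{p.dst}:{p.dport} matches {name}"
           for p in window for name in signature_hits(p)]
    return {"signature": sig, "anomaly": baseline.anomalies(window)}

# Constructed traffic: console -> OPC server and EWS -> controller are the normal flows.
def normal_window(n: int) -> list[Packet]:
    return ([Packet("10.0.0.1", "10.0.0.2", 4840, b"opc")] * n
            + [Packet("10.0.0.3", "10.0.1.10", 502, b"ctl")] * n)

def suspicious_window(payload: bytes = b"..EVIL..") -> list[Packet]:
    # an office PC reaching the OPC server, plus a burst of extra console packets
    return (normal_window(5) + [Packet("10.1.0.5", "10.0.0.2", 445, payload)]
            + [Packet("10.0.0.1", "10.0.0.2", 4840, b"opc")] * 4)
```

Passing a payload that is not in the signature list shows the limitation of signature matching discussed later in this text: the signature check returns nothing, while the baseline check still reports the unknown flow.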
An example of related art document related to an improper communication detection system in a plant network of the related art includes Japanese Unexamined Patent Application Publication No. 2005-128784.
The plant network of the related art is often an environment in which applications and an operating system (OS) for which support has expired coexist. Consequently, the influence in a case where attack traffic (improper traffic) flows is larger than in the case of an intranet, which is problematical.
Furthermore, another problem is that attack traffic (improper traffic) may affect the operation of a field device connected to a control bus network, causing a plant to not be capable of being operated appropriately.
Another problem is the following. Even if a vulnerability is found in a device connected to a plant network, and a security patch for the software or the like provided in the relevant device becomes available, the system cannot be stopped immediately to apply the patch, because unscheduled stoppage of the running of the plant and unscheduled stoppage of a process control system affect production planning.
With respect to these problems, a system that monitors traffic by an IDS in the manner described above, or that analyzes the log of an FW and monitors the plant network, has been proposed. However, there are the following problems (A) to (C).
(A) In monitoring using an IDS, an attack can be detected only after attack traffic (improper traffic) has flowed through the plant network, by which time the operation of a field device connected to the control bus network may already be affected, which is problematical. That is, in the plant network, once attack traffic flows, damage increases. Consequently, monitoring using an IDS, in which detection in advance is not possible, is insufficient, which is problematical.
(B) In monitoring using an IDS, since only a known attack can be detected, attack traffic (improper traffic) using a new attack pattern cannot be detected, which is problematical.
(C) Monitoring of the log of an FW has problems in that a special skill is necessary and that it is difficult to monitor traffic in real time.