Collect data from the industrial control systems scattered across the physically isolated production processes of an iron and steel enterprise and upload it one-way to the production scheduling system, meeting the monitoring need while resisting illegal intrusion and attack in either direction between the two networks.
01 Project Background
This paper describes the network security protection built for the production scheduling system of an iron and steel enterprise. In the enterprise's actual network environment, the network systems supporting the production scheduling business are the industrial control system network and the production management network. The industrial control system network carries the enterprise's actual production business, while the production management network supports decision-making at the production scheduling level.
1.1 Industrial Control System Network
Most of the 34 industrial control systems scattered across the physically isolated production processes are DCS control systems; some use Siemens PLC equipment. They are layered as follows. Field control layer: various types of DCS controllers and PLC controllers that drive the field devices. Process monitoring layer: process control servers and HMI/SCADA functional units that collect and monitor data for the entire production process; process technicians use the operator stations to adjust and optimize the process parameters of the field control layer and keep production running normally.
1.2 Production Management Network
Through production management systems such as the integrated production scheduling system and the energy management system (EMS), this network provides the enterprise with production process data management, production planning, production scheduling, inventory, quality, human resource, cost, logistics and other production management services.
The production management network collects real-time production information from the production lines through 2 redundant data acquisition servers and uploads it to the real-time database and business database of the integrated production scheduling system and other systems, providing data support for production decisions. With the integrated production scheduling system in place, the gap between the enterprise's performance targets and the actual production indicators can be obtained quickly and comprehensively, and the dynamics of production can be monitored so that abnormalities are detected in time and correct decisions are made, achieving continuous improvement of enterprise performance.
02 Project goals
According to the design of this pilot project, the steel enterprise's industrial control systems should resist hackers, viruses, malicious code and similar high-risk threats, prevent illegal access by internal or external personnel, and allow the relevant data collected in the industrial control systems to be uploaded to the integrated production scheduling system in the production management network with zero data packets returning to the control network.
The construction goals and main tasks of this pilot project are as follows:
(1) Defend against malicious attacks and damage initiated from the Internet or the office network;
(2) Prevent malicious programs such as ransomware and Trojans from affecting or destroying key industrial control systems;
(3) Apply USB interface control, system hardening, virus prevention and similar measures to the hosts of key industrial control systems;
(4) Control and audit in real time the operation and maintenance personnel of production management systems such as the data acquisition servers and the integrated production scheduling system;
(5) Realize physical isolation and access control between the data acquisition links;
(6) Perform in-depth audit and behavior control in the production management network;
(7) Perform inter-domain security isolation and access control for the security domains formed by the DCS and SCADA systems of the process monitoring layer;
(8) Aggregate production equipment asset information together with the protection logs of the security equipment into a unified security management platform, and provide situational awareness in the form of network topology and event warnings.
03 Scheme design ideas
This solution mainly realizes one-way collection and upload of data from the iron and steel enterprise's industrial control systems to the integrated production scheduling system in the production management network. At the same time it must achieve security isolation and access control between the security domains of the individual production control systems. Therefore the Anmeng Huayu "industrial data acquisition one-way optical gate + industrial firewall" solution is recommended to provide the security protection functions.
(1) Industrial data acquisition one-way optical gate (a data diode): realizes one-way collection of key production data and its upload to the integrated production scheduling system of the production management network (optical signal, no feedback path).
(2) Industrial firewall: realizes security isolation and access control of the information exchanged between the security domains of the individual production control systems.
04 Overall solution
In the actual application environment of the iron and steel enterprise the control network is "open": it interacts directly with the integrated production scheduling system and with the OA/ERP systems of the office network, and the security domain boundaries and hierarchical boundaries of the individual control systems lack effective one-way control and isolation, security audit, operation and maintenance protection and similar technologies and mechanisms.
The key technology of this project is the Anmeng Huayu industrial data acquisition one-way optical gate, which collects and aggregates all kinds of data in the production control zone and exports it one-way to the external network side, where it offers general data services such as OPC and Modbus TCP and can connect to cloud platforms such as Alibaba Cloud and Huawei Cloud. Because data flows only from the industrial control network to the management network, threats cannot enter the industrial control network through the management network over this path.
The project needs to protect 3 data acquisition links and 1 link of the office network system to achieve high-security isolation of the production system. Supplemented by industrial firewalls, an industrial audit system, host guards and a network security management platform, the industrial control production network receives comprehensive network security protection. The network security design is shown in Figure 1.
Figure 1 Network security design diagram
Based on the actual business needs of the iron and steel enterprise, the characteristics of the various security products are combined, and with production safety as the goal, a small number of security products is deployed at minimum cost to obtain the maximum security benefit.
(1) Use industrial data acquisition one-way optical gates for one-way data collection and upload. According to the number of data acquisition links and the number of physical interfaces on the product, and allowing for interface redundancy, 12 Anmeng Huayu industrial data acquisition one-way optical gates are equipped. Each gate has 5 communication interfaces in total: 3 are enabled as acquisition interfaces, 1 is reserved and 1 is used for management, so 12 gates provide 36 acquisition interfaces for the 34 links, as shown in Figure 2.
Figure 2 Industrial data acquisition one-way optical gate data acquisition link
(2) Use industrial firewalls to protect the data acquisition links, configure security policies for the information exchanged between security domains, and isolate the acquisition links from each other. Every 3 data acquisition links are aggregated onto 1 industrial firewall, and each link uses its own independent bridge so that the links do not interfere with one another. The 34 data acquisition links are equipped with 12 industrial firewalls. With interface expansion each industrial firewall supports up to 10 communication ports; 6 are used as communication ports, protecting 3 links with 3 ports in and 3 ports out, and the remaining 2 in and 2 out are kept as backup. Each industrial firewall corresponds to 1 industrial data acquisition one-way optical gate, as shown in Figure 3.
Figure 3 Data collection link of industrial firewall protection
05 Project difficulties and innovations
(1) Industrial data collection level
Across the enterprise's 34 data acquisition links there are many types of industrial automation systems from different manufacturers, so the data acquisition work requires a platform device that speaks a variety of acquisition protocols. The data acquisition module of the intranet unit of the Anmeng Huayu industrial data acquisition one-way optical gate supports multiple industrial protocols, covering common DCS systems, PLC controllers, smart meters, CNC machine tools and so on, and can integrate the various industrial control systems at high speed.
(2) Border security isolation level
With the rapid advance of industrial automation and intelligent manufacturing, the boundary between the production management network and the production control network is no longer clear: business information is uploaded, data crosses between the two, system upgrades and data backups happen on both sides, and the irregular use of removable media brings security threats to both networks. The Anmeng Huayu data acquisition one-way optical gate exploits the fact that the transmitter and receiver of an SFP optical module are physically separate: only a transmitter is connected on the control-network side and only a receiver on the office-network side. The device therefore exports industrial control network data outward while there is no physical path for any feedback signal from the office network into the industrial control network, which physically isolates the security boundary between the two networks.
(3) The vulnerability level of the industrial protocol itself
Because of the development history of industrial control and the constraints of industrial control systems, SCADA software, PLC control systems and industrial communication protocols were designed mainly for availability and real-time behavior, with insufficient consideration of security, so they can be invaded and attacked. Yet the production management network and the production control systems communicate mostly over these industrial protocols, which carry no strong authentication or integrity protection, so their security cannot be guaranteed. The Anmeng Huayu data acquisition one-way optical gate collects data from the production control systems in their various native industrial protocols and forwards it to the acquisition server in a single unified industrial protocol. Alongside the physical isolation this provides protocol isolation, forming a double layer of protection at the security boundary.
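To make the two points above concrete (the one-way link of item (2) and the protocol normalization of item (3); items (2) and (3) of section 06 restate them), the following is an added example written for this page, not code from the page or from Anmeng Huayu. It models an intranet unit that frames register snapshots into self-describing datagrams with a sequence number and CRC, pushes them over a link that carries bytes in one direction only, and an extranet unit that rebuilds a unified register table and answers Modbus TCP function-code-03 reads from that local copy without ever forwarding a request inward. The frame format, the class names and the simulated link with constructed packet loss are assumptions made for illustration; only the Modbus TCP response layout is the real protocol's. The point worth seeing is what "no feedback" costs: without a return path there is no acknowledgement, so the receiver must detect corruption, loss and replay on its own.

```python
"""Model of a one-way (data diode) acquisition gateway with protocol normalization.

Added example; not the page's or the vendor's code. The framing format, class
names and the simulated link are assumptions made for illustration.
"""
import struct
import zlib

MAGIC = b"ODG1"                    # assumed frame marker, not a real wire format
HEADER = struct.Struct("!4sIHH")   # magic, sequence number, unit id, register count


class IntranetUnit:
    """Control-network side: polls registers and emits self-describing datagrams."""

    def __init__(self):
        self.seq = 0

    def frame(self, unit_id, registers):
        body = HEADER.pack(MAGIC, self.seq, unit_id, len(registers))
        body += struct.pack("!%dH" % len(registers), *registers)
        self.seq += 1
        # The CRC lets the receiver reject corrupted frames; it cannot ask for a resend.
        return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


class OneWayLink:
    """Simulated optical link: bytes flow inward-to-outward only, nothing comes back."""

    def __init__(self, receiver, drop_seqs=()):
        self.receiver = receiver
        self.drop_seqs = set(drop_seqs)   # constructed packet loss for the demo

    def send(self, datagram):
        seq = HEADER.unpack_from(datagram)[1]
        if seq not in self.drop_seqs:
            self.receiver.receive(datagram)
        # Deliberately returns nothing: the sender never learns whether delivery happened.


class ExtranetUnit:
    """Management-network side: validates frames and rebuilds a unified register map."""

    def __init__(self):
        self.registers = {}   # unit_id -> list of 16-bit holding-register values
        self.next_seq = None
        self.lost = 0
        self.rejected = 0

    def receive(self, datagram):
        if len(datagram) < HEADER.size + 4:
            self.rejected += 1
            return False
        body = datagram[:-4]
        (crc,) = struct.unpack("!I", datagram[-4:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            self.rejected += 1
            return False
        magic, seq, unit_id, count = HEADER.unpack_from(body)
        if magic != MAGIC or len(body) != HEADER.size + 2 * count:
            self.rejected += 1
            return False
        if self.next_seq is not None:
            if seq < self.next_seq:           # replay or reordering: never apply stale data
                self.rejected += 1
                return False
            self.lost += seq - self.next_seq  # gap: count it, retransmission is impossible
        self.next_seq = seq + 1
        self.registers[unit_id] = list(struct.unpack_from("!%dH" % count, body, HEADER.size))
        return True

    def modbus_read_holding(self, transaction_id, unit_id, start, count):
        """Answer a Modbus TCP FC03 request from the local copy; nothing goes inward."""
        regs = self.registers.get(unit_id, [])
        if not 1 <= count <= 125 or start + count > len(regs):
            pdu = bytes([0x83, 0x02])         # exception response: illegal data address
        else:
            pdu = bytes([0x03, 2 * count]) + struct.pack("!%dH" % count, *regs[start:start + count])
        mbap = struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
        return mbap + pdu


def simulate():
    """Run the constructed scenario and return the counters for inspection."""
    extranet = ExtranetUnit()
    intranet = IntranetUnit()
    link = OneWayLink(extranet, drop_seqs={1})
    # Constructed sample readings from three acquisition links (e.g. DCS, PLC, meter).
    snapshots = [(1, [1200, 1187, 30]), (2, [15, 0, 1]), (1, [1210, 1190, 31]), (3, [4095])]
    frames = [intranet.frame(uid, regs) for uid, regs in snapshots]
    for f in frames:
        link.send(f)
    tampered = bytearray(frames[3])
    tampered[HEADER.size] ^= 0xFF             # corrupted copy: fails the CRC check
    link.send(bytes(tampered))
    link.send(frames[0])                      # replayed old frame: stale sequence number
    return {"registers": extranet.registers, "lost": extranet.lost,
            "rejected": extranet.rejected, "next_seq": extranet.next_seq}


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows unit 2's snapshot missing (its frame was dropped and nothing can be re-requested), the loss counter at 1, and both the corrupted and the replayed frames rejected. A production gate would also add redundancy (repeating each frame, or forward error correction) to keep loss tolerable; that is part of why the page notes the diode's intranet unit, not the control systems themselves, does the protocol conversion.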
(4) The security level of the security equipment itself
When data collection is done in the conventional way, a secondary center is usually established and a dual-network-card collection host gathers and forwards the data; such a dual-homed host is connected to both networks at once and is itself a path an attacker can traverse. The Anmeng Huayu industrial data acquisition one-way optical gate instead runs the SUOS independent operating system (a Linux-like operating system) with professional system hardening, giving it the high reliability and high security required in the industrial control industry and making it a dependable guard at the security boundary.
06 Project Value
(1) Seamless compatibility
The data acquisition module of the selected industrial data acquisition one-way optical gate supports multiple industrial protocols, so it connects seamlessly to the steel enterprise's industrial control systems, improves the performance and stability of the overall computing environment, and realizes data acquisition with physical one-way upload, with security tailored to the site.
(2) Physical one-way isolation
Because the transmitter and receiver of the SFP optical module are physically separate, the device exports industrial control network data outward while the office network has no physical path for a feedback signal into the industrial control network. This closes the acquisition link as an inbound path, so known and unknown threats, including viruses and their variants, cannot spread into the industrial control production systems through the data acquisition links.
(3) Protocol normalization
The industrial data acquisition one-way optical gate collects data from the production control systems in their various industrial protocols and forwards it to the acquisition server in a single unified industrial protocol such as OPC DA or Modbus TCP. The OPC DA forwarding function can be deployed separately, which both maintains protocol isolation between the external network unit of the one-way optical gate and the data acquisition server and spares users the tedious DCOM configuration of a traditional OPC setup, reducing the workload.
(4) Security of the equipment itself
The industrial data acquisition one-way optical gate runs the SUOS independent operating system (a Linux-like operating system), so the device avoids the large vulnerability surface of Microsoft Windows and is not affected by the malicious code written for conventional desktop systems, giving it high self-security.
(5) Visual management and control
Manage and audit the operation of the business systems in the production network, and bring operation and maintenance work under whole-process management so that it is "knowable in advance, controllable during the event, and checkable afterwards".
(6) Abnormal operation audit and attack warning
Quickly identify illegal operations, abnormal events, external attacks and similar activity at the data acquisition layer, and raise alarms in real time.
(7) Protection of industrial control workstations
Block users' violations and misoperations in real time, block unknown programs, and authorize access to removable storage media, effectively improving the in-depth "immunity" of industrial control hosts.
(8) Comprehensive audit
Collect information from the data acquisition layer equipment in real time, monitor the communication flows and security events of the terminal equipment in real time, perform continuous correlation analysis of security events, and provide multi-perspective, multi-level management and security visualization through an integrated security management and control interface.
07 Technology promotion
With the accelerating pace of informatization, including the integration of industrialization and informatization, the automation networks of enterprises are no longer information islands: there are more and more business exchange requirements between networks, and security issues grow with them. Production network and information security problems have become major hidden dangers threatening the security of industrial enterprises. As industrial control security issues, and especially the protection of critical infrastructure equipment, have become better recognized and understood, the state has promulgated corresponding systems and regulations, information security construction has reached a certain level, and the focus has shifted from automation application and technology development to security construction and comprehensive security monitoring. At present the Anmeng Huayu industrial data acquisition one-way optical gate is being promoted widely in the manufacturing, energy, water conservancy, military and other industries.