On Security Analysis And Design Of Data Link Layer For Industrial Ethernet Switch

Posted on: 2015-04-20
Degree: Master
Type: Thesis
Country: China
Candidate: G Q Zhang
GTID: 2298330422988777
Subject: Control Science and Engineering

Abstract/Summary:
Due to a growing number of industrial control system security incidents, the security of modern industrial control systems has been raised to unprecedented importance. At the same time, industrial Ethernet technology is widely used in the industrial control field. As the core equipment of the modern industrial control network, the industrial Ethernet switch is an important node in the security of the industrial control system, so it is necessary to increase its security defensive ability. However, because the function of a switch is simple, there is little research on industrial Ethernet switch security, especially the security of the data link layer. In addition, domestic manufacturers of industrial Ethernet switches do not have enough accumulated experience in this area.

This thesis is based on the data link layer of the industrial Ethernet switch. It designs and realizes security defensive ability from three important aspects: topological structure security, access control security, and data confidentiality and integrity. It then analyzes the security, strengthens it and gives an assessment. The main innovation points are as follows:

1. Three security defensive mechanisms are designed and combined. Spanning tree topology control is used to recover from network communication link failure; equipment access control is used to identify the access device, which can prevent illegal equipment from intruding into the industrial control network; and data link layer encryption is used to prevent theft and tampering of important control data.

2. The spanning tree topology control and equipment access control mechanisms are analyzed for security, and measures are taken to strengthen their security defenses. Hidden security troubles in the spanning tree topology control mechanism are analyzed, and corresponding safety precautions are proposed. Shadow attacks and the server channel security problem of access control are detected with a model checking tool, and measures such as dynamic value calculation and local certification are adopted to deal with them.

3. A Markov model and evaluation index are used to assist in assessing the security of the protocol functions. Spanning tree topology control and device access control were each evaluated before and after the security measures were added; the evaluation index results show that the security measures are beneficial to the security improvement.

4. Using the fault tree method, this thesis proposes a method to build a data link layer security analysis model from the aspect of message format. Minimum cut sets and structure importance analysis can provide a reference for security defensive design, and quantitative analysis of the probability of the top security incident gives a more intuitive understanding of the security of the data link layer.

Keywords/Search Tags: industrial ethernet switch, data link layer, security protection, security analysis, security model assessment