
Research On Industry Control Environment Computing Node Security Protection Technology

Posted on: 2017-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: H Wu
GTID: 2348330503492892
Subject: Computer Science and Technology
Abstract/Summary:
Network security problems now extend from the traditional Internet into industry. As INDUSTRIE 4.0 advances, industrial networks that were once designed as closed environments are becoming more closely connected to the Internet. Industrial control systems (ICS), however, emphasize timeliness, availability and efficiency and lack a mature security design specification, which leaves fragile ICS exposed to attacks from the Internet. Industrial attacks have been rampant in recent years: “Stuxnet”, “Duqu”, “Flame” and “Havex” have caused serious damage to many countries.

In traditional information systems, security problems are typically separated into two major classes, host security and network security. Following this idea, ICS security problems can likewise be separated into ICS computing node security and ICS network security. This paper focuses on ICS computing node security. It divides ICS computing nodes into upper computers and lower computers, then takes Stuxnet as an example to analyze how it affects ICS. Finally, it designs an upper computer security detection method based on trusted computing and a security detection method for industrial programmable logic controllers (PLCs).

The upper computer security detection method is based on trusted computing and comprises a Windows operating system security detection method and an industrial software security detection method. The Windows operating system security detection method ensures that the operating system is secure and trusted: it implements a trustworthiness measurement of Windows system modules during startup by hooking a kernel API function, which ensures the security of the platform on which the industrial software runs. The industrial software security detection method has two parts, static measurement and dynamic measurement. Static measurement ensures that industrial software is trustworthy before it is launched by measuring the executable file and its imported DLLs. Dynamic measurement monitors the creation of the industrial software process, hooks the first instruction to be executed in memory, obtains the code page of the process, and finally measures the code page. While the system and the industrial software are running, the method also measures the key system structure SSDT, which ensures the trustworthiness of the Windows API. Together these steps construct a complete chain of trust.

The lower computer security detection method takes the Siemens S7-200 PLC as a case study and puts forward an innovative method that combines PLC simulation with real-time monitoring and can detect an abnormal operating status of the remote PLC immediately. The PLC simulation module simulates a real PLC's running status as a virtual PLC and records the time sequence of values of the virtual PLC's output image register. At the same time, the remote monitoring module uses the LIBNODAVE library to monitor the remote PLC and records the time sequence of values of the real PLC's output image register. Finally, a security detection algorithm compares the two time sequences and warns system users when an abnormal situation occurs. The security detection algorithm includes a time sequence matching algorithm based on sequence similarity and a time sequence matching algorithm based on a time window; the former applies to low-level security environments and the latter applies to high-level security environments.
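The comparison of simulated and real output image register sequences described above, sketched as an added example that is not code from the thesis. The abstract does not define the two matching algorithms, so both rules below, the function names, the thresholds and the constructed sample traces are assumptions chosen to show why a similarity rule is the more lenient of the two.

```python
"""Compare a simulated PLC output trace with the trace read from the real PLC.

A trace is a list of (time_ms, value) samples of one output image register
byte. Names, thresholds and data are assumptions, not taken from the thesis.
"""

def transitions(trace):
    """Reduce a sampled trace to its state changes: [(time_ms, value), ...]."""
    changes = []
    for t, v in trace:
        if not changes or changes[-1][1] != v:
            changes.append((t, v))
    return changes

def similarity(sim, real):
    """Fraction of sample positions holding the same value in both traces.
    Samples missing from the shorter trace count as disagreements."""
    longest = max(len(sim), len(real))
    if longest == 0:
        return 0.0
    return sum(a == b for (_, a), (_, b) in zip(sim, real)) / longest

def check_similarity(sim, real, threshold=0.9):
    """Lenient rule: pass while overall agreement stays at or above threshold."""
    return similarity(sim, real) >= threshold

def check_time_window(sim, real, window_ms=50):
    """Strict rule: every output change must appear in both traces, in the
    same order, with the same value, at most window_ms apart."""
    s, r = transitions(sim), transitions(real)
    return len(s) == len(r) and all(
        sv == rv and abs(st - rt) <= window_ms
        for (st, sv), (rt, rv) in zip(s, r))

def make_trace(offset_ms=0, glitch_at=None):
    """Constructed sample data: 20 samples, one every 100 ms."""
    trace = []
    for i in range(20):
        value = 0x03 if 5 <= i < 15 else 0x01
        if i == glitch_at:
            value |= 0x80  # output bit the simulated program never sets
        trace.append((i * 100 + offset_ms, value))
    return trace

if __name__ == "__main__":
    sim = make_trace()
    for name, real in [("normal", make_trace(20)), ("glitch", make_trace(20, 10))]:
        print(name, check_similarity(sim, real), check_time_window(sim, real))
```

A single-sample deviation leaves the similarity score at 0.95 and passes the lenient rule, while the window rule raises an alarm because the real trace contains output changes the simulation never produced.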
Keywords/Search Tags: Industrial Control System, industrial software, trustworthiness, programmable logic controller