Research And Implementation Of Fine-Grained Access Control Method In Industrial Control System Of Hydropower Station

Posted on: 2022-10-21
Degree: Master
Type: Thesis
Country: China
Candidate: X X Wang
GTID: 2492306524980159
Subject: Cyberspace security

Abstract/Summary:
Against the background of Intelligent Manufacturing and Industry 4.0, the integration of industrial digitization and information technology has become an inevitable trend, and the industrial control system (ICS) is gradually developing from a closed state to an open state. This openness, however, also poses a threat to the information security of ICS. An analysis of the security status of ICSs in hydropower stations reveals two main types of security threat. One is the external attacker: an illegal user who enters the protected communication network. The other is the internal attacker: a legal user who has unauthorized access to protected network resources. Both traditional information technology systems and ICSs generally use access control technology to counter these attackers. However, given the differences in how the two kinds of system are actually used, current research on hydropower stations at home and abroad shows that access control technology in the ICS environment is still at a preliminary stage. It faces practical problems such as possible conflicts between production and security requirements, resource constraints on technical security measures, and difficulty in monitoring and managing authority, which result in coarse-grained and incomplete access control methods. It is impossible to detect whether an authorized user's operations exceed their authority, or whether an attacker is impersonating an authorized user.

In view of these two threats, ICSs place higher requirements on access authentication and access authority control for devices, and need more fine-grained access control that covers the underlying resource-limited devices. In response to these security requirements, this thesis proposes using certificateless lightweight identity authentication to solve the access security problem, and control-rule-based authorization control to solve the authorization security problem. The two solutions are integrated to ensure the overall safety of the process control area and the real-time control area.

First, the thesis designs an identity authentication protocol based on the certificateless method and signcryption, suitable for ICS devices with low hardware performance. Compared with other protocols, it further reduces the communication and computing costs of client devices while meeting security requirements. The thesis also proves that the protocol can resist two types of attackers under the Random Oracle Model. Second, the thesis designs a control rule self-generation algorithm to address the difficulty and complexity of manual configuration. It generates and updates the access control list through statistical analysis of data traffic within a specified time interval, and combines this with a policy tree construction algorithm and a branch merge algorithm to optimize the generated control rules. This speeds up the response of a single rule match and generates the optimal control set. Finally, through simulation experiments and analysis of the experimental results, the thesis verifies the validity of the proposed lightweight authentication protocol for ICS access authentication, and the performance improvement that rule self-generation and rule optimization bring to access authority control. This demonstrates that the proposed fine-grained access control scheme can improve the comprehensive defense capability of ICS.
Keywords/Search Tags: Industrial control system security, Access control, Identity authentication, Rule self-generation