CN-122027301-A - Industrial control communication protocol encryption realization method and industrial control system
Abstract
The application discloses a method for implementing encryption of an industrial control communication protocol, and an industrial control system. The method applies to communication between an upper computer and a controller in a distributed control system that communicates over the UDP protocol, with a cryptographic card added to the upper computer and to the controller. The sender passes the original communication data to its local cryptographic card for encryption, producing a secure communication frame that contains a ciphertext payload and a message authentication code, and sends the frame to the receiver. The receiver parses the received frame and invokes its local cryptographic card to decrypt the ciphertext payload and to verify integrity and timeliness; if verification passes, the recovered plaintext is delivered to the upper-layer application, otherwise the frame is discarded. The method has the advantages of security, efficiency and compatibility, and provides a feasible technical path for the secure operation of industrial control systems in complex network environments.
Inventors
- WANG CHAOHUI
- YANG LIYE
- LIU LI
- YUAN FU
- ZHAO XIAOYAN
- WANG CHUNYAN
Assignees
- 国能智深控制技术有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260226
Claims (10)
- 1. A method for implementing encryption of an industrial control communication protocol, characterized in that the method is applied to communication interaction between an upper computer and a controller in a distributed control system based on the UDP protocol, a cryptographic card being added to each of the upper computer and the controller, and the method comprises the following steps: the sender sends the original communication data to the local cryptographic card for encryption processing, generating a secure communication frame containing a ciphertext payload and a message authentication code; the sender sends the secure communication frame to the receiver; the receiver parses the received secure communication frame, calls the local cryptographic card to decrypt the ciphertext payload contained in the frame, and verifies its integrity and timeliness; if verification passes, the recovered plaintext data is delivered to the upper layer for application processing, otherwise the secure communication frame is discarded.
- 2. The method according to claim 1, characterized in that the encryption processing specifically comprises: encrypting the original communication data with a symmetric encryption algorithm to generate a ciphertext payload; calculating a message authentication code in the cryptographic card hardware, the message authentication code guaranteeing data integrity; and generating a random initial vector (IV) and packaging the random IV together with the encryption result into a communication frame to form the secure communication frame, wherein the symmetric encryption algorithm is the SM4-GCM-128 algorithm or the AES-128-GCM algorithm.
- 3. The method according to claim 2, wherein the encryption processing adopts the symmetric SM4-GCM-128 algorithm with a 96-bit IV and a 32-bit counter, the maximum single frame being 2^32-1 blocks; integrity verification uses an SM3-MAC truncated to 128 bits, calculated in hardware per packet with a delay below 0.5 ms per 128 bytes; the key life cycle triggers rotation when the accumulated encrypted data reaches 1 GB or the key age reaches 24 hours, the old key being cached for 5 ms to decrypt delayed queued messages; and random numbers are generated by a TRNG with an entropy rate of at least 50 Mbps, each packet IV being generated at random, with an anti-replay window of 2^32 packets.
- 4. The method according to claim 2, wherein, in the export-regulation scenario, the encryption processing adopts the symmetric AES-128-GCM algorithm with a 96-bit IV and a 32-bit counter, the maximum single frame being 2^32-1 blocks; the hash algorithm is SHA-256, with the MAC truncated to 16 bytes; signatures use the ECDSA-P256 algorithm, and the certificate chain format remains X.509v3.
- 5. The method according to claim 2, wherein the ciphertext payload takes the form of a UDP header, a version identification field, a sequence number field, an explicit IV field, a check field and a ciphertext data field; the version identification field supports future protocol extension, the ciphertext data field contains at least the original communication data, and the explicit IV field and the check field are used mainly in the verification process.
- 6. The method according to claim 5, wherein, in an ultra-low-bandwidth scenario, the ciphertext payload format comprises an 8-byte UDP header, a 3-byte sequence number, a variable-length ciphertext data field and an 8-byte message authentication code; the explicit IV field is removed and is instead derived by an exclusive-OR operation on the sequence number, saving 12 bytes of transmission overhead; micro-packets keep the total length of a single frame at or below 256 bytes, and the check field is truncated to 64 bits.
- 7. The method according to claim 1, further comprising, before the data interaction, performing identity authentication between the upper computer and the controller by means of a pre-shared key or a digital certificate, and establishing a session key; the session key may be rotated automatically on a first preset period in a high-frequency communication scenario and on a second preset period in a low-frequency communication scenario; and the cryptographic card receives external instructions through a built-in register and adjusts the key rotation periods of the high-frequency and low-frequency scenarios online.
- 8. The method according to claim 1, wherein, when the algorithm hardware core fails, the isomorphic trusted core executes the pure-software SM4-CBC block encryption algorithm and SM3-HMAC hash message authentication code algorithm, with a per-frame data processing delay below a preset threshold.
- 9. An industrial control system, the industrial control system being a distributed control system in which the upper computer and the controller can each act as sender or receiver for communication interaction based on the UDP protocol, characterized in that a cryptographic card is added to each of the upper computer and the controller; in the communication interaction, the sender sends original communication data to the local cryptographic card for encryption processing to generate a secure communication frame containing a ciphertext payload and a message authentication code, the sender sends the secure communication frame to the receiver, the receiver parses the received secure communication frame, calls the local cryptographic card to decrypt the ciphertext payload contained in the frame and verifies its integrity and timeliness, and if verification passes the recovered plaintext data is delivered to the upper layer for application processing, otherwise the secure communication frame is discarded.
- 10. The industrial control system according to claim 9, wherein the cryptographic card deployed in the host computer is a PCIe card measuring 68 mm × 35 mm with a power consumption of 4 W or less, and can be inserted directly into a reserved slot on the host computer motherboard; the controller cryptographic card is a Mini-PCIe card measuring 30 mm × 50 mm with a power consumption of 4 W or less, and can be inserted directly into a mainstream DCS controller or telecontrol device; and all of the cryptographic cards are security level 2 cryptographic cards.
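As an added illustration (not code from the patent or from 国能智深控制技术有限公司), the following Go program models the sender and receiver roles of claims 1, 3 and 5, with the standard library's AES-128-GCM (the export-scenario algorithm of claim 4) standing in for the cryptographic card. The byte layout of the frame, the 24-bit sequence number, the 64-packet replay window, the rotation counters and the demo key are assumptions chosen for this example; the patent's own window size, card interface and SM4/SM3 variants are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)
// Constructed frame layout (an assumption modelled on claim 5; the UDP header is added by the socket):
// [0] version | [1:4] 24-bit sequence number | [4:16] explicit 96-bit IV | [16:] ciphertext || 16-byte tag
const (
	frameVersion = 1
	hdrLen       = 4
	ivLen        = 12
	tagLen       = 16
	maxSeq       = 1<<24 - 1
	windowLen    = 64      // anti-replay window in packets; claim 3 cites 2^32, shortened here
	rotateBytes  = 1 << 30 // claim 3: rotate once >= 1 GB has been encrypted under one key
)

// NewAEAD stands in for the cryptographic card: AES-128-GCM with a 96-bit nonce and 128-bit tag.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sender holds one session key plus the counters that decide when it must be rotated.
type Sender struct {
	aead  cipher.AEAD
	seq   uint32 // incremented before use, so sequence number 0 is never sent
	bytes uint64
}
// RotationDue reports whether the key-lifetime limits of claim 3 have been reached.
func (s *Sender) RotationDue() bool { return s.bytes >= rotateBytes || s.seq >= maxSeq }
// Seal builds a secure frame: header bound as AAD, payload encrypted and tagged under a fresh random IV.
func (s *Sender) Seal(plaintext []byte) ([]byte, error) {
	if s.RotationDue() {
		return nil, errors.New("key lifetime exhausted: rotate the session key first")
	}
	s.seq++
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	frame := make([]byte, hdrLen+ivLen, hdrLen+ivLen+len(plaintext)+tagLen)
	frame[0] = frameVersion
	frame[1], frame[2], frame[3] = byte(s.seq>>16), byte(s.seq>>8), byte(s.seq)
	copy(frame[hdrLen:], iv)
	s.bytes += uint64(len(plaintext))
	return s.aead.Seal(frame, iv, plaintext, frame[:hdrLen]), nil
}

// Receiver keeps a sliding window of accepted sequence numbers for replay rejection.
type Receiver struct {
	aead    cipher.AEAD
	highest uint32
	bitmap  uint64 // bit i set => sequence number (highest - i) already accepted
}

// accept reports whether seq is fresh (inside the window and not yet seen) and records it.
func (r *Receiver) accept(seq uint32) bool {
	if seq > r.highest {
		r.bitmap, r.highest = r.bitmap<<(seq-r.highest)|1, seq // a shift of 64 or more yields 0
		return true
	}
	back := r.highest - seq
	if back >= windowLen || r.bitmap&(1<<back) != 0 {
		return false
	}
	r.bitmap |= 1 << back
	return true
}

// Open parses a frame and returns its plaintext, or an error for any frame that must be discarded.
func (r *Receiver) Open(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+ivLen+tagLen || frame[0] != frameVersion {
		return nil, errors.New("malformed or unsupported frame: discarded")
	}
	seq := uint32(frame[1])<<16 | uint32(frame[2])<<8 | uint32(frame[3])
	pt, err := r.aead.Open(nil, frame[hdrLen:hdrLen+ivLen], frame[hdrLen+ivLen:], frame[:hdrLen])
	if err != nil {
		return nil, errors.New("integrity check failed: discarded")
	}
	if !r.accept(seq) { // only an authenticated frame may move the window
		return nil, errors.New("replayed or stale sequence number: discarded")
	}
	return pt, nil
}

func main() {
	aead, _ := NewAEAD([]byte("0123456789abcdef")) // constructed demo key, not a real session key
	tx, rx := &Sender{aead: aead}, &Receiver{aead: aead}
	frame, _ := tx.Seal([]byte("setpoint=42.0"))
	pt, err := rx.Open(frame)
	_, replay := rx.Open(frame) // the same frame again is dropped by the replay window
	fmt.Printf("delivered %q (err=%v); replay: %v\n", pt, err, replay)
}
```

Running it delivers the first frame and reports the identical second frame as a replay. Two design points match the claims: the version and sequence number are passed as associated data so the tag covers the header as well as the payload, and the replay window is moved only after the tag verifies, so an unauthenticated frame can neither advance the window nor evict legitimately delayed packets.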
Description
Industrial control communication protocol encryption realization method and industrial control system
Technical Field
The application relates to the technical field of industrial control, in particular to a method for implementing encryption of an industrial control communication protocol and an industrial control system.
Background
At present, a Distributed Control System (DCS) generally adopts a custom communication protocol based on TCP or UDP to exchange real-time data, operation instructions, file transfers and the like. These protocols transmit process variables, closed-loop control instructions, alarm information and logic configuration files in plaintext, with inadequate protection of confidentiality, integrity, replay resistance, non-repudiation and the like.
Disclosure of Invention
In order to solve these problems, the embodiments of the application provide a method for implementing encryption of an industrial control communication protocol and an industrial control system, which aim to provide an end-to-end encryption scheme for industrial control communication with confidentiality, integrity, replay resistance and non-repudiation that meets the DCS requirements of high reliability, high real-time performance and low latency, so as to overcome or at least partially overcome the defects of the prior art.
The embodiments of the application adopt the following technical scheme. In a first aspect, the application provides a method for implementing encryption of an industrial control communication protocol, where the method is applied to communication interaction between an upper computer and a controller in a distributed control system based on the UDP protocol, a cryptographic card is added to each of the upper computer and the controller, and the method includes: the sender sends the original communication data to the local cryptographic card for encryption processing, generating a secure communication frame containing a ciphertext payload and a message authentication code; the sender sends the secure communication frame to the receiver; the receiver parses the received secure communication frame, calls the local cryptographic card to decrypt the ciphertext payload contained in the frame, and verifies its integrity and timeliness; if verification passes, the recovered plaintext data is delivered to the upper layer for application processing, otherwise the secure communication frame is discarded.
In a second aspect, the application also provides an industrial control system. The industrial control system is a distributed control system in which the upper computer and the controller can each act as sender or receiver for communication interaction based on the UDP protocol, and a cryptographic card is added to each of the upper computer and the controller. In the communication interaction, the sender sends original communication data to the local cryptographic card for encryption processing to generate a secure communication frame containing a ciphertext payload and a message authentication code, the sender sends the secure communication frame to the receiver, the receiver parses the received secure communication frame, calls the local cryptographic card to decrypt the ciphertext payload contained in the frame and verifies its integrity and timeliness, and if verification passes the recovered plaintext data is delivered to the upper layer for application processing, otherwise the secure communication frame is discarded. At least one of the above technical schemes adopted by the embodiments of the application can achieve the following beneficial effects. With the industrial control communication protocol encryption method provided by the application, the security and reliability of communication between the upper computer and the controller in the distributed control system are significantly improved through a simple hardware modification. By deploying a security level 2 cryptographic card on both communicating parties, high-strength encryption and integrity verification of the original data are achieved, eavesdropping, tampering and replay attacks are effectively prevented, and the information leakage risk caused by plaintext transmission is eliminated.
Although an encryption mechanism is introduced, the whole communication is still based on the UDP protocol, so the existing network equipment configuration and firewall policies need not be changed, and the method has good compatibility and is practical to deploy in engineering. Actual measurements show that the encryption and decryption time of a single frame is less than 0.5 milliseconds, so the communication delay is hardly increased and the stringent real-time requirements of industrial control scenarios are fully met. In summary, the method provided by the application has the advantages of security, efficiency and compatibility, and provides a f