CN118748583A - ICS data trusted circulation system and method based on double-layer blockchain assistance - Google Patents


Publication number
CN118748583A
Authority
CN
China
Prior art keywords
blockchain
node
data
nodes
ics
Legal status
Granted
Application number
CN202410774176.6A
Other languages
Chinese (zh)
Other versions
CN118748583B (en)
Inventor
崔晓晖
彭祥贞
郑承良
董亮
沈志东
Current Assignee
Wuhan University WHU
Original Assignee
Wuhan University WHU
Application filed by Wuhan University WHU
Priority to CN202410774176.6A
Publication of CN118748583A
Application granted
Publication of CN118748583B
Legal status: Active

Abstract

The invention discloses an ICS data trusted circulation system and method based on double-layer blockchain assistance, which construct a double-layer blockchain-assisted protection framework for industrial control system data flow. An OT blockchain and an IT blockchain are designed to redraw the network boundaries of the ICS, and the industrial control system nodes are divided into three types: device nodes si, workstation nodes gi and interaction nodes ji. An identity auxiliary authentication mechanism based on a Bloom filter and a trusted database is designed to screen out dishonest nodes quickly. An ICS-RBAC zero-trust access control mechanism based on RBAC is designed to guarantee zero-trust data interaction among the OT blockchain, the IT blockchain and the ICS physical devices. An active defense mechanism based on the intelligent combination of a heartbeat mechanism and the blockchain is designed to detect dishonest nodes in real time. The invention achieves trusted circulation protection of data in different scenarios and has strong applicability.

Description

Translated from Chinese
ICS data trusted circulation system and method based on double-layer blockchain assistance

Technical Field

The present invention belongs to the fields of new-generation information technologies such as blockchain and zero-trust access control, and of cyberattack defense for industrial control system data, and specifically relates to a double-layer blockchain-assisted industrial control system (ICS) data trusted circulation system and method.

Background Art

Industrial Control Systems (ICS), as the core component of critical infrastructure, can be described as integrated systems that use automated control components, computers and underlying sensing devices for real-time data acquisition, detection and process control. With the development of information technology, the world is accelerating into a new era of interconnection, and the main areas of ICS have gradually moved from traditional electromechanical systems to network-based digital systems. While this breaks up the traditional ICS information islands, it also exposes ICS to a higher risk of cyberattack. According to the 2022 industrial control security reports of Dragos and Honeywell, across current global industrial infrastructure 80% of industrial control systems have limited visibility into their Operational Technology (OT, industrial control) networks, 53% have undisclosed or uncontrolled connections in their OT networks, and 54% lack separation of user management between their Information Technology (IT, information interaction) networks and OT networks. The cyberattack threat faced by industrial control systems has increased sharply.

Because industrial control systems were originally designed for industrial production and processing, only efficiency and real-time performance were considered, and no defenses against network attacks were provided. Attacks on industrial control systems can not only damage the network environment but also directly strike the underlying physical devices, disrupting production and causing severe harm. Traditional industrial control system protection relies mainly on firewalls, anti-virus software, physical/network isolation and improved attack detection. Traditional ICS network protection methods protect ICS data flow to a certain extent, but that protection is characterized by centralized control, centralized storage and passive defense, which makes data tampering, loss and leakage very easy to occur; and research on traditional defenses only makes virus databases and vulnerability-scanning databases grow, making industrial control network intrusion detection systems ever more complex, unable to cope effectively with new viruses, vulnerabilities and attacks, and unable to achieve genuinely trustworthy data flow in industrial control systems.

Blockchain technology is a decentralized shared ledger that links data blocks in chronological order into a specific chained data structure and uses cryptography to guarantee that the ledger cannot be tampered with or forged. Applying blockchain technology to industrial control systems can address the current pain points of centralization, passive defense and ever more complex defense. Researchers have made preliminary explorations of blockchain's role in ICS network defense, including using blockchain to achieve decentralization, identity authentication and the distribution and control of permissions in ICS; using blockchain's high fault tolerance to improve ICS robustness; and using blockchain to provide a trusted execution environment for ICS attack detection and data sharing. This work has made initial progress on the network defense problem of traditional industrial control systems, but certain challenges remain:

(1) The boundary between the OT network and the IT network of an ICS is still blurred. Although researchers have used blockchain to decentralize ICS defense, the industrial control network and the information interaction network are deeply intertwined, and the internal operational data flow of the ICS is not isolated from the externally shared data flow, which threatens the ICS's private data and increases the risk of attack.

(2) Data access control in ICS is still coarse-grained. Although researchers have explored blockchain-based ICS identity authentication and dynamic authorization, the threats an ICS faces are not only at the digital network level but also at the physical device level, and there is a lack of sustainable, dynamic zero-trust access control policies oriented to physical and data resources.

(3) ICS defense is still insufficiently proactive. Researchers have explored using blockchain's high fault tolerance and high-trust environment as a basis for ICS attack detection and data sharing, but the result is passive detection, with insufficient proactive defense across the whole ICS life cycle.

Summary of the Invention

To solve the three technical problems above, namely blurred OT/IT network boundaries, coarse-grained data access control and the lack of proactive defense measures, the present invention provides an ICS data trusted circulation system and method based on double-layer blockchain assistance.

The technical solution adopted by the system of the present invention is: an ICS data trusted circulation system based on double-layer blockchain assistance, comprising a manufacturing execution layer, a process monitoring layer, a control network layer and a field control layer; the system circulates data trustworthily through two blockchain layers, the OT blockchain and the IT blockchain, where the OT blockchain ledger holds the ICS-internal data flow and the IT blockchain ledger holds the data flow exchanged between the ICS and the outside world;

The ICS nodes comprise device nodes si, workstation nodes gi and interaction nodes ji. A device node si is the on-chain mapping of a field control device; a workstation node gi comprises engineer workstations, operator stations and operation-and-maintenance stations; an interaction node ji is an external workshop node. A device node si registers on the OT blockchain, receives the corresponding certificate and unique hash H(p), and its certificate information is backed up by consensus on the IT blockchain. An interaction node ji registers on the IT blockchain, receives the corresponding certificate and unique hash H(p), and its certificate information is backed up by consensus on the OT blockchain. A workstation node gi is a relay node belonging to both the OT blockchain and the IT blockchain; after being registered on the OT blockchain it registers on the IT blockchain and receives the corresponding certificate and unique hash H(p).

Preferably, when a device node si registers on the chain, the user Client first sends a registration request to the OT blockchain together with the registration information Mis; the OT blockchain nodes verify and vote through Raft consensus and send the consensus result to the physical device for verification and matching; the physical device returns the verification result to the OT blockchain, where it is matched against Mis, and the final consensus result is sent to the certificate authority CA; the CA generates a unique certificate for the device node si, signs it, broadcasts and issues the certificate to the physical device node and the OT blockchain, and returns the result to the user Client; finally, the result of this registration request is broadcast to the IT blockchain, which backs the information up in a distributed manner through one round of broadcasting, and the device node si is registered on the chain.

Preferably, when an interaction node ji registers on the chain, the user Client first sends a registration request to the IT blockchain together with the registration information Mij; the nodes in the IT blockchain reach Raft consensus and send the consensus result to the certificate authority CA; the CA signs and generates a unique certificate, issues it, and broadcasts the consensus result to the OT blockchain nodes; the OT blockchain broadcasts to all its nodes for backup and returns the result to the user Client, and the interaction node ji is registered on the chain.

Preferably, when a workstation node gi registers on the chain, the user Client first sends a registration request to the OT blockchain together with the registration information Mig; the OT blockchain nodes vote through Raft consensus and send the OT blockchain consensus result ROT and the registration information Mig to the IT blockchain; the IT blockchain nodes vote through Raft consensus and send the OT blockchain consensus result ROT and the IT blockchain consensus result RIT to the certificate authority CA; the CA signs, generates a unique certificate, and issues it to the user Client, the OT blockchain and the IT blockchain, and the workstation node gi is registered on the chain.

The technical solution adopted by the method of the present invention is: an ICS data trusted circulation method based on double-layer blockchain assistance, which uses an identity auxiliary authentication mechanism based on a Bloom filter and a trusted database to screen out dishonest nodes quickly;

Through a credit-score incentive mechanism, every action of a node is recorded, judged in real time and settled by updating the score. The OT blockchain ledger and the IT blockchain ledger are divided into three trusted databases according to the three node types, and a corresponding Bloom filter is designed for each trusted database. In subsequent verification, it is only necessary to check whether a node is in the corresponding trusted database to determine whether its real-time identity is trustworthy;

The Bloom filter has an m-bit array, a set T containing n elements xi, and k hash functions h1, ..., hk. First, initialization: all m bits of the Bloom filter are set to 0. Second, element addition: the n elements x1, ..., xn of the set T are hashed with the k hash functions h1, ..., hk; each element yields k bit positions in the Bloom filter, which are set to 1. During node authentication, the element xi to be queried is hashed, giving {h1(xi), h2(xi), ..., hk-1(xi), hk(xi)}, i.e. k bit positions; if all k bits are 1, the element is in the set T, otherwise it is not. After this first screening finds the node present, the node's data is traversed and verified: following the node's specific path, information is extracted from the IT blockchain ledger and the OT blockchain ledger and the node's registration information is verified.
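The two-stage check described above, as an added example that is not part of the patent: a Bloom filter built over each per-node-type trusted database gives a fast definite rejection, and only nodes that pass it are looked up in the authoritative ledger extract, which also catches Bloom false positives. The node ids, certificate hashes, the choice of m = 256 and k = 4, and the SHA-256-derived hash family are all constructed assumptions.

```python
"""Bloom filter pre-screen in front of a per-node-type trusted database.
Added example; not the patent's code. All data values are constructed."""
import hashlib


class BloomFilter:
    """m-bit array with k hash functions. Assumption: the k functions are
    realised as SHA-256 over (index || item); the patent does not name them."""

    def __init__(self, m: int, k: int):
        self.m = m
        self.k = k
        self.bits = 0  # initialisation: all m bits are 0 (int used as a bitset)

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest, "big") % self.m

    def add(self, item: str) -> None:
        # element addition: set the k bits that the k hash functions select
        for pos in self._positions(item):
            self.bits |= 1 << pos

    def might_contain(self, item: str) -> bool:
        # all k bits set -> "possibly in T"; any bit clear -> definitely not in T
        return all((self.bits >> pos) & 1 for pos in self._positions(item))


# Constructed ledger extracts: one trusted database per node type
# (device s_i, workstation g_i, interaction j_i), each mapping a node id to
# the certificate hash H(p) issued at registration.
TRUSTED_DB = {
    "device": {"s1": "H(p)-s1", "s2": "H(p)-s2"},
    "workstation": {"g1": "H(p)-g1"},
    "interactive": {"j1": "H(p)-j1", "j2": "H(p)-j2"},
}


def build_filters(trusted_db, m: int = 256, k: int = 4):
    """One Bloom filter per trusted database, loaded with its node ids."""
    filters = {}
    for node_type, records in trusted_db.items():
        bf = BloomFilter(m, k)
        for node_id in records:
            bf.add(node_id)
        filters[node_type] = bf
    return filters


def verify_node(node_type, node_id, presented_hash, filters, trusted_db):
    """Fast reject via the Bloom filter, then the authoritative lookup.
    Returns 'rejected-fast', 'rejected-db', 'rejected-hash' or 'trusted'."""
    bf = filters.get(node_type)
    if bf is None or not bf.might_contain(node_id):
        return "rejected-fast"      # definitely unregistered: no ledger walk needed
    record = trusted_db[node_type].get(node_id)
    if record is None:
        return "rejected-db"        # Bloom false positive, caught by the ledger
    if record != presented_hash:
        return "rejected-hash"      # known id, but the presented H(p) does not match
    return "trusted"


if __name__ == "__main__":
    flt = build_filters(TRUSTED_DB)
    print(verify_node("device", "s1", "H(p)-s1", flt, TRUSTED_DB))
    print(verify_node("device", "s9", "H(p)-s9", flt, TRUSTED_DB))
```

The design point is that a Bloom miss is conclusive while a hit is not: a dishonest or never-registered node is turned away without touching either ledger, and the ledger lookup is what finally decides, so a false positive can never grant trust on its own.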

The present invention further provides an ICS data trusted circulation method based on double-layer blockchain assistance, in which an ICS-RBAC zero-trust access control mechanism based on RBAC creates a policy library ST: device nodes may access only the OT blockchain ledger, interaction nodes may access only the IT blockchain ledger, and workstation nodes may access both the OT blockchain ledger and the IT blockchain ledger. This guarantees zero-trust data interaction among the OT blockchain, the IT blockchain and the ICS physical devices.

Preferably, the specific implementation of OT blockchain access control comprises the following sub-steps:

(1) The subject sends a transaction Txi to the OT access control contract OT-ACSC. The transaction contains the certificate CAi, the object IDi, the operation content OP, the real-time environment factors EVi and the real-time credit score Tri. The message Txi is hashed with SHA256 and encrypted with the subject's own private key skp to generate the digital signature Sig;

(2) OT-ACSC verifies the subject using the dynamic identity authentication mechanism, which includes verifying the subject's certificate and determining whether the subject is in the trusted database;

(3) If verification passes, the dynamic identity authentication mechanism is invoked to verify the object's identity, including verifying the object's certificate and determining whether the object is in the trusted database;

(4) If verification passes, the OT access control decision contract OT-ADSC is invoked to match against the policy library ST;

(5) If the permissions match, authorization is granted and the matching result is returned to OT-ACSC;

(6) OT-ACSC RSA-encrypts Txi with the object's public key pkp and sends it together with Sig to the object (for a device node, to its mapping node on the OT blockchain). After receiving Txi and Sig, the object decrypts Sig with the object public key pkp to obtain the hash value of Txi; it then hashes the original message with the same SHA256 hash function and compares the resulting hash with the decrypted one. If the two hashes match, the digital signature Sig is valid and Txi is intact and from the sender. The object then decrypts with its private key, obtains the content, and invokes the Oracle-Modbus TCP contract to issue data instructions to the field devices;

(7) The object generates a digital signature Sig over the data, and the OT risk prevention and control contract OT-RPSC performs a second verification of the object. To ensure the validity of the subject's and object's credit scores, a time threshold Time is designed and the time interval is checked against it; the return is RSA-encrypted and sent back to the subject together with Sig and the result; the subject verifies and decrypts it, records it on the blockchain and updates the credit scores.

Preferably, the specific implementation of IT blockchain access control comprises the following sub-steps:

(1) The user sends a transaction Txi to the IT access control contract IT-ACSC. The transaction contains the certificate CAi, the object IDi, the query content RP and the real-time credit score Tri. Txi is hashed with SHA256 and encrypted with the public key skp to generate the digital signature Sig;

(2) IT-ACSC performs verification using the dynamic identity authentication mechanism, including verifying the certificate and determining whether it is in the trusted database;

(3) If verification passes, the dynamic identity authentication mechanism is invoked to verify the object's identity, including verifying the certificate and determining whether it is in the trusted database;

(4) If verification passes, the IT access control decision contract IT-ADSC is invoked to match against the policy library ST;

(5) If the permissions match, authorization is granted and the matching result Match is returned to IT-ACSC;

(6) IT-ACSC RSA-encrypts Txi with the public key pkp and sends it together with Sig; after Txi and Sig are received, Sig is decrypted with the public key pkp to obtain the hash value of Txi; the original message is then hashed with the same SHA256 hash function and the resulting hash is compared with the decrypted one; if the two hashes match, the digital signature Sig is valid and Txi is intact and from the sender; the private key is then used to decrypt and obtain the data;

(7) A digital signature Sig is generated over the data, and the IT risk prevention and control contract IT-RPSC performs a second verification. To ensure the validity of the credit scores, a time threshold Time is designed and the time interval is checked against it; Txireturn is RSA-encrypted and returned together with Sig and the result for verification and decryption, after which the blockchain record is made and the credit scores are updated.

Preferably, the specific implementation of OT&IT cross-chain access control comprises the following sub-steps:

(1) Request verification: the requester sends a transaction Txi to the IT access control contract IT-ACSC or the OT access control contract OT-ACSC; Txi is hashed with the SHA256 hash function and encrypted with the public key skp to generate the digital signature Sig;

(2) IT-ACSC or OT-ACSC verifies the requester using the dynamic identity authentication mechanism;

(3) If verification passes, a gi node is selected by Raft consensus and verified with the dynamic identity authentication mechanism, and the gi node is incentivized with credit scores;

(4) If verification passes, the OT access control decision contract OT-ADSC or the IT access control decision contract IT-ADSC is invoked to match against the policy library ST;

(5) If the permissions match, authorization is granted and the matching result Match is returned to OT-ADSC or IT-ACSC;

(6) IT-ACSC or OT-ACSC RSA-encrypts Txi with the gi node's public key pkp and sends it together with Sig to the requester. After receiving Txi and Sig, the gi node decrypts Sig with the requester's public key pkp to obtain the hash value of Txi; it then hashes the original message with the same SHA256 hash function and compares the resulting hash with the decrypted one; if the two hashes match, the digital signature Sig is valid and Txi is intact and from the sender; the gi node then decrypts with its own private key;

(7) Data extraction: the gi node transfers the OT blockchain or IT blockchain request across chains and broadcasts Txi; the nodes on the chain of the requested node reach consensus through the Raft consensus mechanism; once consensus is reached, the data Data is encrypted with the RSA algorithm and sent to the interaction node gi;

(8) Data verification: gi verifies the data Data with the dynamic identity authentication mechanism, including verifying the authenticity of the data and whether it has been tampered with;

(9) Data upload: gi packages the data Data and the node that provided it into a transaction Txireturn and uploads the data across chains;

(10) The OT risk prevention and control contract OT-RPSC or the IT risk prevention and control contract IT-RPSC performs a second verification of gi. To ensure the validity of the participating nodes' credit scores, a time threshold Time is designed and the time interval is checked against it; Txireturn is RSA-encrypted and returned to the requester together with Sig and the result; the requester verifies and decrypts it, records it on the blockchain and updates the credit scores.
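The policy library ST and the decision steps of the OT, IT and cross-chain flows above, as an added example that is not the patent's own code: the ledger-per-role rule (device nodes reach only OT, interaction nodes only IT, workstation nodes both) is taken from the text; the operation names, the credit-score floor, the environment rule, the value of the Time threshold and the sample transactions are assumptions, and the Raft-based selection of a relay gi is replaced by a deterministic pick. Certificate validation and the SHA256/RSA signature steps are assumed to have already passed and are not modelled.

```python
"""Model of the ICS-RBAC policy library ST and the ADSC decision logic.
Added example; not the patent's code. Thresholds and sample data are constructed."""
from dataclasses import dataclass, field

# ST: ledgers each role may reach and the operations it may perform there.
# Ledger rule from the text: device -> OT only, interactive -> IT only,
# workstation -> OT and IT. The operation names are assumed.
POLICY_ST = {
    "device":      {"OT": {"read", "write"}},
    "interactive": {"IT": {"query"}},
    "workstation": {"OT": {"read", "write"}, "IT": {"query", "upload"}},
}
MIN_CREDIT = 60          # assumed credit-score (Tr_i) floor for authorisation
TIME_THRESHOLD_S = 30    # assumed value of the Time threshold, in seconds


@dataclass
class Tx:
    """Transaction fields after the text: CA_i/ID_i (here plain ids), OP or RP,
    EV_i (environment factors) and Tr_i (credit score)."""
    subject: str
    subject_role: str
    object_id: str
    ledger: str                                 # ledger the object lives on: "OT" or "IT"
    op: str
    env: dict = field(default_factory=dict)     # EV_i
    credit: int = 0                             # Tr_i
    issued_at: float = 0.0


def env_ok(env: dict) -> bool:
    # Assumed environment rule: the request must originate from an allowed zone.
    return env.get("zone") in {"plant-lan", "dmz"}


def adsc_decide(tx: Tx, trusted: set) -> str:
    """OT-ADSC / IT-ADSC style decision. Returns 'allow' or 'deny:<reason>'."""
    if tx.subject not in trusted:
        return "deny:subject-untrusted"      # step (2): subject not in trusted DB
    if tx.object_id not in trusted:
        return "deny:object-untrusted"       # step (3): object not in trusted DB
    if tx.credit < MIN_CREDIT:
        return "deny:credit"                 # real-time credit score too low
    if not env_ok(tx.env):
        return "deny:environment"            # EV_i outside the allowed envelope
    allowed = POLICY_ST.get(tx.subject_role, {})
    if tx.op not in allowed.get(tx.ledger, set()):
        return "deny:policy"                 # step (4): no ST entry for role/ledger/op
    return "allow"                           # step (5): Match returned to the ACSC


def needs_relay(subject_role: str, ledger: str) -> bool:
    """True when the subject's role cannot reach the target ledger directly,
    so the request must cross chains through a workstation node g_i."""
    return ledger not in POLICY_ST.get(subject_role, {})


def cross_chain_decide(tx: Tx, trusted: set, workstations: list) -> str:
    """Cross-chain flow: verify the requester, pick a trusted g_i (deterministic
    stand-in for the Raft selection in the text) and match ST for that relay."""
    if tx.subject not in trusted:
        return "deny:subject-untrusted"
    relay = next((g for g in workstations if g in trusted), None)
    if relay is None:
        return "deny:no-relay"
    relay_tx = Tx(relay, "workstation", tx.object_id, tx.ledger, tx.op,
                  tx.env, tx.credit, tx.issued_at)
    return adsc_decide(relay_tx, trusted)


def within_time_threshold(issued_at: float, now: float) -> bool:
    """Steps (7)/(10): a result whose round trip exceeds Time is not settled,
    so a stale credit score cannot be carried into the update."""
    return 0 <= now - issued_at <= TIME_THRESHOLD_S


if __name__ == "__main__":
    trusted = {"s1", "g1", "j1", "plc-7", "hist-db"}
    direct = Tx("s1", "device", "plc-7", "OT", "write", {"zone": "plant-lan"}, 80)
    print(adsc_decide(direct, trusted))
    remote = Tx("j1", "interactive", "plc-7", "OT", "read", {"zone": "dmz"}, 80)
    print(needs_relay(remote.subject_role, remote.ledger),
          cross_chain_decide(remote, trusted, ["g1"]))
```

The order of the checks mirrors the text: identity of both parties first, then the dynamic factors (credit score, environment), then the static ST match, so a compromised but registered node with a degraded score is stopped before the policy is even consulted.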

The present invention further provides an ICS data trusted circulation method based on double-layer blockchain assistance, with an active defense mechanism based on the intelligent combination of a heartbeat mechanism and the blockchain that detects dishonest nodes in real time;

The specific implementation comprises the following sub-steps:

(1) Set the heartbeat test cycle time Th and, within a period no longer than Th, send a random challenge to the node. The challenge is designed as follows: a historical test timestamp is chosen at random and a challenge feedback time threshold Tt is set;

(2) According to the historical timestamp, query the corresponding blockchain ledger and randomly obtain a data interaction request record;

(3) Retrieve the data interaction records of both interacting parties and compare them with the blockchain ledger data. If no reply arrives within the specified Tt, the node is judged a problem node and a manual test is performed to distinguish downtime, failure and forgery; if a reply arrives within the specified Tt and the comparison succeeds, the node is a safe node;

(4) Update the credit values of the different types of nodes and mark them.
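The heartbeat cycle in steps (1) to (4), as an added example that is not the patent's code. The ledger extract, the per-node responders (an honest node, a node returning a forged record, and a silent node), the thresholds Th and Tt and the credit adjustments are all constructed; response delays are simulated values rather than wall-clock measurements, so the cycle runs offline.

```python
"""Heartbeat challenge cycle against the ledger. Added example; not the
patent's code. Ledger records, responders and thresholds are constructed."""
import random

# Constructed ledger extract: (timestamp, node, peer, digest of the interaction)
LEDGER = [
    (1000, "s1", "g1", "d-a1"),
    (1030, "s1", "g1", "d-a2"),
    (1100, "j1", "g1", "d-b1"),
    (1200, "g1", "j1", "d-c1"),
]
T_H = 60.0   # heartbeat cycle Th in seconds (assumed)
T_T = 2.0    # challenge feedback threshold Tt in seconds (assumed)


def make_challenge(node, ledger, rng):
    """Steps (1)-(2): pick one of this node's historical records at random."""
    own = [r for r in ledger if r[1] == node]
    return rng.choice(own) if own else None


def evaluate(record, reply, elapsed):
    """Step (3): compare the node's reply with the ledger record.
    Returns 'safe', 'unresponsive' (no reply within Tt) or 'mismatch'."""
    if reply is None or elapsed > T_T:
        return "unresponsive"     # problem node: hand over to manual triage
    if reply != record[3]:
        return "mismatch"         # node's own record disagrees with the ledger
    return "safe"


def update_credit(credit, verdict):
    """Step (4): constructed credit adjustment per verdict, floored at 0."""
    delta = {"safe": 1, "unresponsive": -5, "mismatch": -20}[verdict]
    return max(0, credit + delta)


def run_cycle(nodes, ledger, responders, credits, rng=None):
    """One heartbeat cycle. `responders` maps node -> callable(timestamp, peer)
    returning (reply digest or None, simulated response delay in seconds).
    Returns {node: verdict} and updates `credits` in place."""
    rng = rng or random.Random(0)
    results = {}
    for node in nodes:
        rec = make_challenge(node, ledger, rng)
        if rec is None:
            results[node] = "no-history"
            continue
        reply, delay = responders[node](rec[0], rec[2])
        verdict = evaluate(rec, reply, delay)
        credits[node] = update_credit(credits.get(node, 100), verdict)
        results[node] = verdict
    return results


# Constructed responders standing in for real nodes.
def honest_responder(own_records):
    def respond(ts, peer):
        for r in own_records:
            if r[0] == ts and r[2] == peer:
                return r[3], 0.2
        return None, 0.2
    return respond


def forged_responder(ts, peer):
    return "d-forged", 0.2          # answers in time but with a forged record


def silent_responder(ts, peer):
    return None, float("inf")       # never answers: exceeds Tt


if __name__ == "__main__":
    credits = {"s1": 100, "j1": 100, "g1": 100}
    responders = {
        "s1": honest_responder([r for r in LEDGER if r[1] == "s1"]),
        "j1": forged_responder,
        "g1": silent_responder,
    }
    print(run_cycle(["s1", "j1", "g1"], LEDGER, responders, credits), credits)
```

Because the challenge refers to a randomly chosen past interaction, a node cannot pre-compute its answer; it must hold a copy consistent with the ledger, which is what separates a forged node (wrong digest) from a dead one (no reply within Tt).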

Compared with the prior art, the advantages of the present invention are:

(1) The double-layer blockchain-assisted industrial control system data trusted circulation model and method established by the present invention is an attempt to combine multi-layer blockchain technology, zero-trust access control technology and artificial intelligence technology with industrial control systems. It is innovative and offers guidance for later extending the method to other Internet of Things systems and even other industries.

(2) Through a customized oracle design, the present invention embeds a blockchain system into the industrial control system, and the two-layer blockchain network redraws the network boundary between the industrial control OT network and the IT network.

(3) The present invention custom-designs an ICS-RBAC zero-trust access control policy oriented to physical devices and network node data, which makes the network protection of ICS data flow finer-grained, effectively protects the industrial control data flow in the ICS, and can effectively resist various security threats and attacks.

(4) The present invention uses a Bloom filter and a trusted database to assist identity authentication in the industrial control system, speeding up the exclusion of dishonest nodes and nodes without permission.

(5) The present invention uses smart contract technology to design proactive defense measures covering the whole ICS access cycle. Through hidden trustworthiness verification of "OT blockchain organization - IT blockchain organization" and "on-chain node - oracle - field device" nodes, designed around "blockchain - heartbeat mechanism - smart contract", it achieves highly secure and highly controllable circulation of industrial control system data and effectively supports remote engineer operations and workshop data interaction.

(6) The present invention is broadly applicable: it can provide trusted data circulation protection for industrial control systems in different scenarios.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

下面使用实施例,以及具体实施方式作进一步说明本发明的技术方案。另外,在说明技术方案的过程中,也使用了一些附图。对于本领域技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图以及本发明的意图。The technical solution of the present invention is further described below using embodiments and specific implementation methods. In addition, in the process of describing the technical solution, some drawings are also used. For those skilled in the art, other drawings and the intention of the present invention can also be obtained based on these drawings without paying creative work.

FIG. 1 is a system architecture diagram of an embodiment of the invention;

FIG. 2 is a schematic diagram of the method of an embodiment of the invention;

FIG. 3 is a schematic diagram of the dynamic identity authentication mechanism (registration) of an embodiment of the invention;

FIG. 4 is a schematic diagram of the dynamic identity authentication mechanism (authentication) of an embodiment of the invention;

FIG. 5 is a schematic diagram of the ICS-RBAC access control mechanism of an embodiment of the invention;

FIG. 6 is a schematic diagram of OT&IT cross-chain access control of an embodiment of the invention;

FIG. 7 is a schematic diagram of the active defense mechanism of an embodiment of the invention;

FIG. 8 compares the time consumed to screen out dishonest nodes during identity authentication in an embodiment of the invention;

FIG. 9 shows the time consumed for assisted verification of honest nodes during identity authentication in an embodiment of the invention;

FIG. 10 is a schematic diagram of the chaincode simulation and certificate simulation of an embodiment of the invention;

FIG. 11 is a schematic diagram of the RSA private key and certificate (public key) simulation of an embodiment of the invention;

FIG. 12 is a schematic diagram of certificate verification and public key extraction for a physical device node of the industrial control system in an embodiment of the invention;

FIG. 13 is a schematic diagram of data decryption at a physical device node of the industrial control system in an embodiment of the invention;

FIG. 14 is a schematic diagram of the test results of an embodiment of the invention.

DETAILED DESCRIPTION

To help those of ordinary skill in the art understand and implement the invention, it is described in further detail below with reference to the drawings and embodiments. The embodiments described here serve only to illustrate and explain the invention and do not limit it.

Because the field control layer and the field device layer are connected mainly through I/O serial ports and hard wiring, their data-flow environment is relatively closed and secure. The framework of this embodiment therefore covers four layers of the traditional industrial control system: the manufacturing execution layer, the process monitoring layer, the control network layer and the field control layer. Specifically, this embodiment designs a custom blockchain oracle that wraps the Modbus protocol in a smart contract, collects data from the field physical devices onto the chain in real time, sends control commands to them, and uses the blockchain network to protect the data in transit. Each module is described in detail below.

Industrial control system physical device module: this module has two parts, the interconnection between field controllers (PLC, RTU, PAC, etc.) and field devices (actuators, sensors, field instruments, etc.), and the data exchange between field controllers and the blockchain network module. Field controllers communicate with field devices over I/O serial ports and similar connections. By integrating the oracle with industrial communication protocols such as Modbus, the physical device module and the blockchain network module exchange information.

Blockchain network module: this module comprises six parts: model architecture, encrypted transmission, consensus mechanism, access control policy and defense measures. For the model architecture, this embodiment designs OT and IT dual channels, that is, a two-layer blockchain, with an OT ledger/contract and an IT ledger/contract. Device nodes, workstation nodes and interaction nodes form three organizations: device nodes are the on-chain mapping of the field controllers; workstation nodes are engineer workstations, operator stations, operation and maintenance stations and the like; interaction nodes are external workshop nodes. An additional initialization/ordering node generates the genesis block and orders transaction processing. For encrypted transmission and consensus, data passed on the blockchain is hashed with the SHA256 algorithm, and nodes reach consensus with the Raft algorithm. For access control, an ICS-RBAC access control model based on the RBAC zero-trust access control policy performs identity authentication, dynamic authorization and dynamic access. For defense, smart contracts are tailored to real-time data records (real-time behaviour, credit score, command specification, environmental factors, etc.) and combined with a heartbeat mechanism for adaptive, active defense against network attacks.

In an industrial control system scenario there may be eavesdroppers who, to spy on production, processing and manufacturing data, tap the communication links between field devices and PLCs, between PLCs and engineer nodes, and between workshop interaction nodes. Attackers may also disable physical device functions, maliciously encrypt industrial data, exhaust ICS resources and tamper with transmitted information (e.g. operating commands and collected data), for instance through worms, ransomware, DoS attacks and replay attacks, all of which threaten the security of the industrial control system. The adversary model of this embodiment divides the threats that may occur in the network into physical device layer attacks and communication network layer attacks.

Physical device layer attacks: an attacker can exploit vulnerabilities and weaknesses of the industrial control system to implant industrial worms or other malware in PLCs and other controllers, gain partial or full control of the ICS, self-replicate and spread across the network, disable physical device functions and exhaust ICS resources. The model must therefore manage permissions at the granularity of individual physical devices and actively prevent attackers from propagating malicious programs from ICS peripherals (USB ports, printers, etc.) to the industrial controllers.

Communication network layer attacks: the first type is a malicious-node attack on the OT blockchain. For example, a malicious node (such as an engineer workstation or operator station) may be compromised by undetected malware (such as ransomware) and send malicious commands or eavesdrop on data, causing loss of industrial data and damage to the industrial control system. The model must therefore fully arbitrate the flow of industrial data. The second type is a malicious-node attack on the IT blockchain (for example from a workshop interaction node), which launches active attacks during workshop data exchange: a malicious node impersonates a legitimate node in the network and mounts active attacks (such as DoS or replay attacks) that compromise the authenticity and integrity of industrial data.

Referring to FIG. 1 and FIG. 2, this embodiment provides a double-layer-blockchain-assisted ICS trusted data flow system comprising a manufacturing execution layer, a process monitoring layer, a control network layer and a field control layer. The system moves data through two blockchain layers, the OT blockchain and the IT blockchain: the OT blockchain ledger records the ICS-internal data flow, and the IT blockchain ledger records the data flow between the ICS and the outside world.

The ICS nodes comprise device nodes si, workstation nodes gi and interaction nodes ji. A device node si is the on-chain mapping of a field controller; a workstation node gi is an engineer workstation, operator station, operation and maintenance station or the like; an interaction node ji is an external workshop node. A device node si registers on the OT blockchain, receives its certificate and unique hash H(p), and its certificate information is backed up by consensus on the IT blockchain. An interaction node ji registers on the IT blockchain, receives its certificate and unique hash H(p), and its certificate information is backed up by consensus on the OT blockchain. A workstation node gi is a relay node between the OT and IT blockchains; it registers on the OT blockchain and then on the IT blockchain, receiving its certificate and unique hash H(p).

An si node can access only the OT-chain ledger: during registration it is put on the OT chain and its certificate information is backed up by consensus on the IT chain. A ji node can access only the IT-chain ledger: during registration it is put on the IT chain and its certificate information is backed up by consensus on the OT chain. A gi node is an intermediate connecting node that can access both the OT and IT ledgers; it must be put on the OT chain first and then on the IT chain. The registration process is shown in FIG. 3.

si node registration: the Client first sends a registration request to the OT chain together with the registration information Mis = {idi, namei, sitei, timei, .....}. The OT-chain nodes verify and vote through Raft consensus and send the consensus result to the PLC or other physical device for verification and matching; the physical device returns its result to the OT chain, which matches it against Mis and sends the final consensus result to the CA. The CA generates a unique certificate for the node, signs it, broadcasts and issues it to the physical device node and the OT chain, and returns the result to the Client. Finally, the result of this registration request is broadcast to the IT chain, where one round of broadcasting backs the information up in a distributed manner, and the node is registered on the chain.

ji node registration: the Client first sends a registration request to the IT chain together with the relevant registration information. The IT-chain nodes reach Raft consensus and send the result to the CA, which signs, generates a unique certificate and issues it. The consensus result is broadcast to the OT-chain nodes, which back it up after one round of broadcasting to all nodes, and the result is returned to the Client; the node is registered on the chain.

gi node registration: a gi node is essentially a relay node between the OT chain and the IT chain. For identity registration it sends a registration request and the relevant registration information to the OT chain. The OT-chain nodes vote through Raft and send the OT-chain consensus result ROT together with the registration information to the IT chain; the IT-chain nodes vote through Raft and send the consensus results ROT and RIT to the CA. The CA signs, generates a unique certificate and issues it to the Client, the OT chain and the IT chain; the node is registered on the chain.

Mis contains data such as the current status of the device, the device IP, location information and running time; the gi registration information contains data such as the operator's name, unique hash and location information; Mij contains data such as the workshop site, location information and name.

This embodiment first designs the OT blockchain and the IT blockchain to redraw the network boundary of the ICS; second, an identity-assisted authentication mechanism based on a Bloom filter and a trusted database to quickly screen out dishonest nodes; third, an RBAC-based ICS-RBAC zero-trust access control mechanism to secure zero-trust data exchange between the OT blockchain, the IT blockchain and the ICS physical devices; and finally, an active defense mechanism covering the full ICS access cycle based on the heartbeat principle.

Referring to FIG. 4, this embodiment provides a double-layer-blockchain-assisted ICS trusted data flow method. The identity-assisted authentication mechanism based on the Bloom filter and the trusted database quickly screens out dishonest nodes. A credit score incentive mechanism records every action of a node and evaluates, updates and settles the score in real time. The OT and IT blockchain ledgers are divided into three trusted databases according to the three node types, and a Bloom filter is built for each trusted database. In subsequent verification it is only necessary to check whether the node is in the corresponding trusted database to decide whether its real-time identity is trustworthy.

The initial authentication is the node's registration: it is authenticated through Raft consensus, the corresponding information is put on the chain, and the certificate and unique hash H(p) are returned. To keep subsequent authentication efficient, the data must be updated promptly; updates append data through Raft consensus, and the latest record is determined by timestamp.

Subsequent authentication: first, the node's certificate is verified, chiefly the CA's digital signature, to guarantee the authenticity and integrity of the certificate and hence the trustworthiness of the node's public key and identity information. If the certificate's private key is leaked, the certificate information changes, or the certificate owner is no longer trusted, the CA can revoke the certificate; revoked certificates are listed in a certificate revocation list (CRL) or in online certificate status protocol (OCSP) responses so that the receiving party can check certificate status during communication. Second, the node's real-time behaviour is verified continuously to ensure that it has not "defected". For this the invention designs a credit score incentive mechanism that records every action of a node and evaluates, updates and settles the score in real time, and divides the OT and IT ledgers into three trusted databases by node type. To reduce the number of consensus rounds per verification, the invention builds a Bloom filter for each trusted database, so that later verification only needs to check whether the node is in that database to decide whether its real-time identity is trustworthy. The process has three steps. Step 1, request: the Client sends a request to the model. Step 2, pre-screening: the unique hash H(p) of every node is mapped into the Bloom filter in advance. The invention assumes a Bloom filter with a bit array of m bits, n elements xi = {x1, x2, x3, ..., xn-1, xn}, and k Bloom filter hash functions hi = {h1, h2, h3, ..., hk-1, hk}.

First, initialization: the m bits of the Bloom filter are set to 0, Bit1,2,3,...,m → 0. Second, element addition: the n elements x1,...,n of the set T are hashed in advance with the k Bloom filter hash functions h1,...,k, giving hk(xi) = {h1(x1,...,n), h2(x1,...,n), ..., hk-1(x1,...,n), hk(x1,...,n)}. Each element yields k bit positions in the filter, which are set to 1, Bit1,2,3,...,k → 1.

A Bloom filter supports the element operations "query" and "add" but not "modify" or "delete". Therefore the larger n is, the higher the false positive rate, but the false negative rate is guaranteed to be 0. When n/m becomes too large the false positive rate becomes excessive and the filter must be rebuilt. The invention assumes that each element xi maps to the m bits with equal probability. Let ε be the probability that a given bit mi is not set to 1 when one element xi is inserted through one hash hi; β the probability that none of the k hash functions h1,...,k sets it; α the probability that it is still unset after n elements have been inserted; and σ the probability that the bit is set. In the query phase, if all k bits corresponding to a queried element xi are set to 1, the element is judged to be in the set. The probability of misjudging an element is therefore ρ = (1-σ)k; increasing m or decreasing n both reduce the misjudgment rate. Taking the logarithm of ρ, differentiating and finding the extremum gives the point at which the misjudgment rate is lowest, P(error).

Finally, ICS node authentication: the queried element xi is hashed, i.e. {h1(xi), h2(xi), ..., hk-1(xi), hk(xi)}, giving k bit positions; if all k bits are 1 the element is in the set T, otherwise it is not. The Bloom filter only pre-queries the ICS nodes of the model, quickly excluding non-existent nodes so that verification is fast. Step 3, matching: because the Bloom filter has a false positive rate, once a node has passed the initial screening its data must be traversed and verified, and information is extracted from the IT and OT ledgers along the node's specific path to verify the node. The formula is:
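The three-step check above (pre-screen with the filter, then confirm against the trusted database), as an added Python example that is not the patent's own code. The node identifiers, credit scores, the trust threshold and the choice of SHA256 for H(p) are constructed here for illustration; the false-positive estimate uses the standard (1 - e^(-kn/m))^k approximation and the k = (m/n) ln 2 optimum. The revoked node s3 shows why step 3 is needed: the filter has no delete, so it still answers "maybe" for a hash whose database entry is gone.

```python
"""Bloom-filter pre-screening of ICS node hashes H(p) backed by a trusted database."""
import hashlib
import math


def node_hash(node_id: str) -> str:
    """Unique node hash H(p); assumed here to be SHA256 of the node id."""
    return hashlib.sha256(node_id.encode()).hexdigest()


class BloomFilter:
    """m-bit filter with k hash functions; supports add/query only, never delete."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray(m)  # one byte per bit position, for readability

    def _positions(self, item: str):
        # k positions derived from SHA256(i || item), i = 1..k
        for i in range(1, self.k + 1):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos] = 1

    def might_contain(self, item: str) -> bool:
        return all(self.bits[pos] for pos in self._positions(item))


def optimal_k(m: int, n: int) -> int:
    """Number of hash functions minimising the false-positive rate: (m/n) ln 2."""
    return max(1, round(m / n * math.log(2)))


def false_positive_rate(m: int, n: int, k: int) -> float:
    """Standard approximation (1 - e^(-kn/m))^k of the misjudgment probability."""
    return (1 - math.exp(-k * n / m)) ** k


class TrustedDatabase:
    """One trusted database (per node type): H(p) -> record, plus its Bloom filter."""

    def __init__(self, m: int, expected_n: int, min_credit: int = 60):
        self.records = {}
        self.min_credit = min_credit  # assumed credit threshold for a trustworthy node
        self.bloom = BloomFilter(m, optimal_k(m, expected_n))

    def register(self, node_id: str, credit: int) -> str:
        h = node_hash(node_id)
        self.records[h] = {"node_id": node_id, "credit": credit}
        self.bloom.add(h)  # step 2: map H(p) into the filter in advance
        return h

    def revoke(self, node_id: str) -> None:
        # The filter cannot delete; only the database entry is removed.
        self.records.pop(node_hash(node_id), None)

    def check(self, node_id: str) -> str:
        """Request -> pre-screen -> match, returning the reason for the decision."""
        h = node_hash(node_id)
        if not self.bloom.might_contain(h):
            return "rejected_by_filter"       # certainly unknown: no false negatives
        rec = self.records.get(h)             # step 3: a filter positive must be confirmed
        if rec is None:
            return "rejected_by_database"     # Bloom false positive or revoked node
        if rec["credit"] < self.min_credit:
            return "rejected_low_credit"
        return "trusted"


def demo() -> dict:
    """Constructed scenario: s1..s3 registered, s2 with low credit, s3 later revoked."""
    db = TrustedDatabase(m=4096, expected_n=100)
    for node, credit in (("s1", 90), ("s2", 40), ("s3", 80)):
        db.register(node, credit)
    db.revoke("s3")
    return {n: db.check(n) for n in ("s1", "s2", "s3", "s999")}


if __name__ == "__main__":
    print(demo())
    print(round(false_positive_rate(1000, 100, optimal_k(1000, 100)), 6))
```

With m = 1000 bits for n = 100 hashes the optimum is k = 7 and the estimated false-positive rate is about 0.8%, which is the cost of skipping ledger lookups for nodes the filter rejects outright.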

This embodiment also provides a double-layer-blockchain-assisted ICS trusted data flow method with an RBAC-based ICS-RBAC zero-trust access control mechanism. A policy library ST is created in which device nodes can access only the OT blockchain ledger, interaction nodes only the IT blockchain ledger, and workstation nodes both the OT and the IT blockchain ledger, securing zero-trust data exchange between the OT blockchain, the IT blockchain and the ICS physical devices.

The ICS-RBAC access control mechanism is shown in FIG. 5.

First, the dynamic identity authentication mechanism registers nodes quickly and assigns them to organizations and channels according to their registration attributes. Second, the policy library ST is designed: the OT blockchain contains device nodes and workstation nodes, and workstation nodes operate on data in the OT channel; that is, device nodes can access only the OT ledger, interaction nodes only the IT ledger, and workstation nodes both the OT and IT ledgers. ICS-RBAC authorizes dynamically: nodes are assessed with credit scores, and the real-time credit value is one of the inputs to authorization. Then the Client sends a request; the OT/IT access control contract verifies the Client and the corresponding object through the dynamic identity authentication mechanism, calls the access control decision contract and matches against the policy library. Finally the subject is authorized and the ICS policy library is updated. The model contains three node types, of which the physical device nodes communicate through an oracle; the oracle design is illustrated with the Modbus TCP protocol in Algorithm 1.

In one implementation, OT blockchain access control proceeds in seven steps:

(1) The user sends a transaction Txi to the OT access control contract (OT-ACSC). The transaction contains the certificate CAi, the object IDi, the operation OP, the real-time environmental factors EVi (IP, current time, etc.) and the real-time credit score Tri. The message is hashed with SHA256 and the hash is encrypted with skp to produce the digital signature Sig.

(2) OT-ACSC verifies the user with the dynamic identity authentication mechanism, which includes verifying the certificate and checking membership in the trusted database.

(3) If that passes, the dynamic identity authentication mechanism verifies the object's identity in the same way, including its certificate and trusted-database membership.

(4) After verification, the OT access control decision contract (OT-ADSC) is called to match against the policy library ST.

(5) If the permissions match, authorization is granted and the match result Match is returned to OT-ACSC.

(6) OT-ACSC encrypts Txi with RSA under the public key pkp and sends it together with Sig to the on-chain mapping node of the si node. On receiving Txi and Sig, the receiver decrypts Sig with the public key pkp to obtain the hash of Txi, hashes the original message with the same SHA256 hash function, and compares the computed hash with the decrypted one. If the two hashes match, the digital signature Sig is valid and Txi is intact and from the sender. The receiver then decrypts with its private key and calls the Oracle-ModbusTCP contract to issue the data command to the field device.

(7) A digital signature Sig is generated over the data (for a physical device node the data is first returned to the on-chain mapping node, which then generates Sig), and the OT risk prevention and control contract (OT-RPSC) performs a second verification. To guarantee validity, including that of the credit score, a time threshold Time is defined and the time interval is checked against it. In the judgement process the data is encrypted with RSA and returned together with Sig and the result for verification and decryption, after which the blockchain record is written and the credit score is updated.

The pseudocode of OT-ACSC is given in Algorithm 2, that of OT-ADSC in Algorithm 3 and that of OT-RPSC in Algorithm 4.
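The policy library ST and the seven-step OT flow (ACSC, ADSC, RPSC) above, as an added Python example that is not the patent's code; Algorithms 2 to 4 are not on this page, so the contract logic here is a reconstruction from the steps as written. The encoding of ST, the credit threshold, the Time threshold and the sample transactions are assumptions. The signature follows the text literally (SHA256 hash, then "encrypt" with skp, then "decrypt" with pkp and compare), which is textbook RSA, so a small unpadded RSA is implemented inline; production code would use a padded scheme such as RSA-PSS from a crypto library and a CSPRNG, not `random`. For brevity the signature check that the text places at the si node in step (6) is done by OT-ACSC.

```python
"""OT access-control flow (ACSC -> ADSC -> RPSC) with SHA256 + textbook RSA."""
import hashlib
import json
import math
import random


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a demo key, not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:  # demo only: random is not a CSPRNG
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Returns (pk, sk) = ((e, n), (d, n)); n is wider than a SHA256 digest."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def sha256_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(sk, message: bytes) -> int:
    """Step (1): SHA256 the message, then 'encrypt' the hash with skp -> Sig."""
    d, n = sk
    return pow(sha256_int(message), d, n)


def verify(pk, message: bytes, sig: int) -> bool:
    """Step (6): 'decrypt' Sig with pkp and compare with a fresh SHA256 hash."""
    e, n = pk
    return pow(sig, e, n) == sha256_int(message)


# Assumed encoding of the policy library ST: which ledger each role may touch.
POLICY_ST = {"device": {"OT"}, "workstation": {"OT", "IT"}, "interaction": {"IT"}}
MIN_CREDIT = 60      # assumed authorization threshold on the real-time credit Tr_i
TIME_THRESHOLD = 30  # assumed Time threshold (seconds) checked by OT-RPSC


def encode_tx(tx: dict) -> bytes:
    """Canonical bytes of Tx_i so signer and verifier hash the same message."""
    return json.dumps(tx, sort_keys=True).encode()


def ot_adsc(tx: dict, trusted_db: dict) -> bool:
    """OT-ADSC: match the subject's role, target ledger and credit against ST."""
    role = trusted_db[tx["subject"]]["role"]
    return tx["ledger"] in POLICY_ST.get(role, set()) and tx["credit"] >= MIN_CREDIT


def ot_rpsc(tx: dict, now: int) -> bool:
    """OT-RPSC: second check, the time interval must stay within Time."""
    return 0 <= now - tx["env"]["time"] <= TIME_THRESHOLD


def ot_acsc(tx: dict, sig: int, trusted_db: dict, now: int) -> str:
    """OT-ACSC: subject/object identity, signature, ST match, then RPSC."""
    subject, obj = tx["subject"], tx["object"]
    if subject not in trusted_db or trusted_db[subject]["cert"] != tx["cert"]:
        return "denied_subject_identity"      # step (2)
    if obj not in trusted_db:
        return "denied_object_identity"       # step (3)
    if not verify(trusted_db[subject]["pk"], encode_tx(tx), sig):
        return "denied_bad_signature"         # hash comparison of step (6)
    if not ot_adsc(tx, trusted_db):
        return "denied_policy"                # steps (4) and (5)
    if not ot_rpsc(tx, now):
        return "denied_time_threshold"        # step (7)
    return "granted"


def demo() -> dict:
    """Constructed scenario: workstation g1 commands device s1 over the OT ledger."""
    random.seed(7)  # deterministic demo keys only
    pk_g1, sk_g1 = rsa_keygen()
    pk_j1, sk_j1 = rsa_keygen()
    trusted_db = {
        "g1": {"role": "workstation", "cert": "CERT-g1", "pk": pk_g1},
        "j1": {"role": "interaction", "cert": "CERT-j1", "pk": pk_j1},
        "s1": {"role": "device", "cert": "CERT-s1", "pk": None},
    }
    now = 1_700_000_000
    tx = {"subject": "g1", "cert": "CERT-g1", "object": "s1", "ledger": "OT",
          "op": "write_coil", "env": {"ip": "10.0.0.5", "time": now - 5}, "credit": 85}
    results = {"honest": ot_acsc(tx, sign(sk_g1, encode_tx(tx)), trusted_db, now)}
    tampered = dict(tx, op="write_register")          # altered after signing
    results["tampered"] = ot_acsc(tampered, sign(sk_g1, encode_tx(tx)), trusted_db, now)
    cross = dict(tx, subject="j1", cert="CERT-j1")    # interaction node -> OT ledger
    results["wrong_ledger"] = ot_acsc(cross, sign(sk_j1, encode_tx(cross)), trusted_db, now)
    stale = dict(tx, env={"ip": "10.0.0.5", "time": now - 600})
    results["stale"] = ot_acsc(stale, sign(sk_g1, encode_tx(stale)), trusted_db, now)
    return results


if __name__ == "__main__":
    print(demo())
```

The four outcomes in `demo()` map onto the text's checks: a well-formed transaction is granted; a transaction modified after signing fails the hash comparison; an interaction node asking for the OT ledger is denied by ST; and a transaction older than Time is rejected by the RPSC step even though its signature and policy match.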

In one implementation, IT chain access control proceeds in seven steps:

(1) The user sends a transaction Txi to the IT access control contract (IT-ACSC). The transaction contains the certificate CAi, the object IDi, the query content RP and the real-time credit score Tri. The message is hashed with SHA256 and the hash is encrypted with skp to produce the digital signature Sig.

(2) IT-ACSC verifies the user with the dynamic identity authentication mechanism, which includes verifying the certificate and checking membership in the trusted database.

(3) If that passes, the dynamic identity authentication mechanism verifies the object's identity in the same way, including its certificate and trusted-database membership.

(4) After verification, the IT access control decision contract (IT-ADSC) is called to match against the policy library ST.

(5) If the permissions match, authorization is granted and the match result Match is returned to IT-ACSC.

(6) IT-ACSC encrypts Txi with RSA under the public key pkp and sends it together with Sig. On receiving Txi and Sig, the receiver decrypts Sig with the public key pkp to obtain the hash of Txi, hashes the original message with the same SHA256 hash function, and compares the computed hash with the decrypted one. If the two hashes match, the digital signature Sig is valid and Txi is intact and from the sender. The receiver then decrypts with its private key.

(7) A digital signature Sig is generated over the data, and the IT risk prevention and control contract (IT-RPSC) performs a second verification. To guarantee validity, including that of the credit score, a time threshold Time is defined and the time interval is checked against it. The data is encrypted with RSA and returned together with Sig and the result for verification and decryption, after which the blockchain record is written and the credit score is updated.

Since IT-ACSC and OT-ACSC, and likewise IT-RPSC and OT-RPSC, differ only in the type of node involved, their pseudocode is not shown. IT-ADSC is given in Algorithm 5.

In one implementation of OT&IT cross-chain access control, the workstation node can access both the OT chain ledger and the IT chain ledger; it therefore acts as the relay node of the model and as the audit node for cross-chain data. The cross-chain data flow is shown in Figure 6 and consists of ten steps:

(1) Request verification: the requester sends a transaction Txi to IT-ACSC or OT-ACSC. Txi is hashed with the SHA256 hash function and the hash is encrypted with the private key skp to produce the digital signature Sig.

(2) IT-ACSC or OT-ACSC verifies the requester with the dynamic identity authentication mechanism.

(3) If that passes, Raft consensus is used to select a gi node as leader; that node is verified with the dynamic identity authentication mechanism, and the gi node is incentivized with credit points.

(4) If verification passes, OT-ADSC or IT-ADSC is called to match the policy library ST.

(5) If the permissions match, authorization is granted and the match result Match is returned to OT-ADSC or IT-ACSC.

(6) IT-ACSC or OT-ACSC RSA-encrypts Txi with the public key pkp of the gi node and sends it together with Sig to the requester. After receiving Txi and Sig, the gi node decrypts Sig with the requester's public key pkp to obtain the hash value of Txi. It then hashes the original message with the same hash function, SHA256, and compares the resulting hash with the decrypted hash. If the two hashes match, the digital signature Sig is valid and Txi is complete and came from the sender. Txi is then decrypted with the private key of the gi node.

(7) Data extraction: the request is transferred across chains from the OT or IT chain and Txi is broadcast; the nodes on the chain of the requested node reach agreement with the Raft consensus mechanism. Once consensus is reached, the data Data is encrypted with the RSA encryption algorithm and sent to the interaction node gi.

(8) Data verification: gi verifies the data with the dynamic identity authentication mechanism, checking both its authenticity (path and identity verification) and whether it has been tampered with (signature verification).

(9) Data upload: gi packages the data, the data-providing node and related information into a transaction and uploads it across chains.

(10) OT-RPSC or IT-RPSC performs a second verification on gi. To guarantee the validity of the participating nodes' credit scores, a time threshold Time is defined and the time interval is checked against it; the data is RSA-encrypted and returned together with Sig and the result to the requester, who verifies and decrypts it, after which the blockchain record and the credit scores are updated.

This embodiment also provides an ICS data trusted circulation method based on double-layer blockchain assistance: an active defense mechanism that combines a heartbeat mechanism with the blockchain to detect dishonest nodes in real time.

The embodiment combines the blockchain's ledger data with a heartbeat mechanism to verify downtime, failures and forged nodes or devices in the ICS, and uses this for active defense. The flow is shown in Figure 7. The heartbeat test is combined with normal operation: if the heartbeat test succeeds, it can be guaranteed that the node performed no malicious operation (forged instruction requests, forged return data) during normal data access and sharing. The active defense mechanism based on the heartbeat test principle consists of the following steps:

(1) Set the heartbeat test period Th and, within a time no greater than Th, send a random challenge to the node. The challenge is designed as follows: a historical test timestamp is chosen at random, and a challenge feedback time threshold Tt is set.

(2) Using the historical timestamp, query the corresponding blockchain ledger and randomly obtain a data interaction request record.

(3) Retrieve the data interaction records of both interacting parties and compare them with the blockchain ledger data. If no reply arrives within the specified Tt, the node is judged to be a problem node and is tested manually to distinguish downtime, failure and forgery; if a reply arrives within the specified Tt and the comparison succeeds, the node is a safe node. Finally, the credit values of the different types of nodes are updated and labelled.
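The three heartbeat steps above as an added Go example that is not the patent's own code: the verifier picks a historical timestamp from a constructed ledger, gives the challenged node Tt to return its copy of the record, and classifies it as safe, a problem node (no reply within Tt, left for manual triage) or a mismatch (the reply disagrees with the ledger). The record fields, the node responders and the verdict names are assumptions.

```go
package main

import (
	"context"
	"math/rand"
	"time"
)

// Record is one data interaction request as kept in the chain ledger (fields assumed).
type Record struct {
	Timestamp              int64
	From, To, Op, DataHash string
}

// Ledger maps a historical timestamp to the interaction recorded on chain.
type Ledger map[int64]Record

// Challenge is what the heartbeat sends: a randomly chosen historical test
// timestamp that must be answered within the feedback threshold Tt.
type Challenge struct {
	Timestamp int64
	Tt        time.Duration
}

// Responder is the challenged node's side: it returns its own copy of the record.
type Responder func(ctx context.Context, ts int64) (Record, error)

type NodeStatus string

const (
	Safe     NodeStatus = "safe"     // replied within Tt and matched the ledger
	Problem  NodeStatus = "problem"  // no reply within Tt: triage downtime, failure or forgery
	Mismatch NodeStatus = "mismatch" // replied, but the record disagrees with the ledger
)

// pickChallenge selects a random historical timestamp from the ledger (steps 1 and 2);
// the seed only makes the choice reproducible for the example.
func pickChallenge(l Ledger, seed int64, tt time.Duration) Challenge {
	rng := rand.New(rand.NewSource(seed))
	keys := make([]int64, 0, len(l))
	for ts := range l {
		keys = append(keys, ts)
	}
	return Challenge{Timestamp: keys[rng.Intn(len(keys))], Tt: tt}
}

// runHeartbeat issues the challenge, waits at most Tt for the node's record and
// compares it with the ledger copy (step 3). Credit updates would follow the verdict.
func runHeartbeat(l Ledger, node Responder, c Challenge) NodeStatus {
	expected := l[c.Timestamp]
	ctx, cancel := context.WithTimeout(context.Background(), c.Tt)
	defer cancel()
	type reply struct {
		rec Record
		err error
	}
	ch := make(chan reply, 1)
	go func() {
		r, err := node(ctx, c.Timestamp)
		ch <- reply{r, err}
	}()
	select {
	case <-ctx.Done():
		return Problem // no reply within Tt
	case r := <-ch:
		if r.err != nil {
			return Problem
		}
		if r.rec != expected {
			return Mismatch // forged return data
		}
		return Safe
	}
}

// honestNode answers from its own (identical) ledger copy; forgingNode answers in
// time but with altered return data. Both are constructed for the example.
func honestNode(local Ledger) Responder {
	return func(_ context.Context, ts int64) (Record, error) {
		return local[ts], nil
	}
}

func forgingNode(local Ledger) Responder {
	return func(_ context.Context, ts int64) (Record, error) {
		r := local[ts]
		r.DataHash = "forged"
		return r, nil
	}
}

// sampleLedger is a constructed ledger with three historical interactions.
func sampleLedger() Ledger {
	return Ledger{
		1700000000: {1700000000, "g1", "s1", "READ", "h-a"},
		1700000060: {1700000060, "g1", "s2", "WRITE", "h-b"},
		1700000120: {1700000120, "j1", "g1", "QUERY", "h-c"},
	}
}
```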

The invention is further illustrated below through specific experiments.

First, the roles in the industrial control system were abstracted into device nodes, workstation nodes and interaction nodes, covering all participants of the industrial control system. A two-layer blockchain architecture consisting of an OT chain and an IT chain was designed (see Figure 2), and nodes of different roles were deployed on different blockchains.

The certificate information of device nodes, workstation nodes and interaction nodes is broadcast across the whole chain, while operation and log data are stored on separate chains. This meets the high privacy requirements of OT data circulation in industrial control systems and reduces attacks on the industrial control system from the external network. The dynamic authentication process supports continuous verification in the ICS-RBAC zero-trust access control policy; the design of Bloom filters and trusted databases reduces the number of consensus rounds in each authentication phase, thereby reducing the time spent traversing user identities. The ICS-RBAC zero-trust access control mechanism is divided into OT, IT and OT/IT access control. Through the RSA encryption algorithm, digital signatures, smart contracts and the "one step, one verification" design, it ensures zero-trust data access ("never trust, continuous verification, centralized policy management, dynamic and minimal authorization") when data are shared and accessed by the different roles of the industrial control system. The scheme is correct and feasible.

By combining the blockchain's ledger data with the heartbeat mechanism, downtime, failures and forged nodes or devices in the ICS can be verified, providing active defense of both the physical equipment of the industrial control system and the on-chain nodes.

The authentication efficiency of the dynamic identity authentication mechanism was verified and compared with data queries that do not use a Bloom filter. Since the Bloom filter only serves as a pre-screening step, its false positive rate was set to 0.01 in this experiment. A total of 100,000 data sets were simulated; the number of bits and the memory that must be allocated for different data volumes are listed in Table 1.

Table 1 Parameter settings

Figure 8 compares, for different data volumes, the time taken to check a node that is not in the trusted database with a Bloom filter against the time taken without one. The design of the invention can quickly screen out dishonest nodes (nodes not in the trusted database), because a query only requires simple bit operations on the bit array: the query time complexity is O(1) regardless of the amount of data.

Figure 9 shows box plots of the time taken by the invention to perform 100 random Bloom filter queries at different data volumes. As the data volume grows, the time consumption of the identity verification mechanism designed here does not increase sharply, and a query takes about 1 microsecond on average. Compared with the efficiency gained in screening dishonest nodes this is an acceptable cost, and it can sustain the frequent data interactions of industrial control systems and the frequent role verification requests required by the designed "one transmission, one verification" mechanism.
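A two-stage identity check of the kind the two figures above measure, as an added Go example that is not the patent's implementation: a Bloom filter sized for a target false positive rate sits in front of a per-role trusted database, a filter miss rejects the node without touching the ledger, and a filter hit is confirmed by the full lookup because the filter alone can return false positives. The sizing formulas are the standard ones and the node IDs are constructed, so the bit counts are not those of Table 1.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"math"
)

// BloomFilter is the m-bit array with k index functions h1..hk of claim 5.
type BloomFilter struct {
	bits []uint64
	m    uint64
	k    int
}

// sizeFor returns m and k for n elements at false positive rate p using the
// standard Bloom sizing formulas (Table 1 itself is not reproduced here).
func sizeFor(n int, p float64) (m uint64, k int) {
	mf := math.Ceil(-float64(n) * math.Log(p) / (math.Ln2 * math.Ln2))
	k = int(math.Round(mf / float64(n) * math.Ln2))
	if k < 1 {
		k = 1
	}
	return uint64(mf), k
}

// NewBloomFilter allocates the zeroed bit array (the initialization step).
func NewBloomFilter(n int, p float64) *BloomFilter {
	m, k := sizeFor(n, p)
	return &BloomFilter{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

// indexes derives {h1(x), ..., hk(x)} from one SHA-256 of x by double hashing:
// h_i(x) = (a + i*b) mod m, with a and b taken from the digest.
func (f *BloomFilter) indexes(x []byte) []uint64 {
	sum := sha256.Sum256(x)
	a := binary.LittleEndian.Uint64(sum[0:8])
	b := binary.LittleEndian.Uint64(sum[8:16]) | 1
	idx := make([]uint64, f.k)
	for i := range idx {
		idx[i] = (a + uint64(i)*b) % f.m
	}
	return idx
}

// Add sets the k bits of x (the element-addition step).
func (f *BloomFilter) Add(x []byte) {
	for _, i := range f.indexes(x) {
		f.bits[i/64] |= 1 << (i % 64)
	}
}

// MayContain is the O(k) bit query: false means x is definitely not in T.
func (f *BloomFilter) MayContain(x []byte) bool {
	for _, i := range f.indexes(x) {
		if f.bits[i/64]&(1<<(i%64)) == 0 {
			return false
		}
	}
	return true
}

// TrustedDB is one per-role trusted database: a Bloom filter in front of the
// full registration records (node ID -> certificate hash H(p)).
type TrustedDB struct {
	filter  *BloomFilter
	records map[string]string
}

func NewTrustedDB(n int, p float64) *TrustedDB {
	return &TrustedDB{filter: NewBloomFilter(n, p), records: make(map[string]string, n)}
}

func (db *TrustedDB) Register(nodeID, certHash string) {
	db.records[nodeID] = certHash
	db.filter.Add([]byte(nodeID))
}

// Verdicts of the two-stage identity check.
const (
	Rejected      = "rejected-by-filter" // screened out without touching the ledger
	Confirmed     = "confirmed"          // filter hit and registration record found
	FalsePositive = "false-positive"     // filter hit, but the full lookup found nothing
)

// Authenticate pre-screens with the filter and only on a hit does the full lookup;
// a filter hit alone never grants trust, because of false positives.
func (db *TrustedDB) Authenticate(nodeID string) string {
	if !db.filter.MayContain([]byte(nodeID)) {
		return Rejected
	}
	if _, ok := db.records[nodeID]; ok {
		return Confirmed
	}
	return FalsePositive
}
```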

Verification of the ICS-RBAC access control mechanism: the simulation environment configuration is shown in Table 2.

Table 2 Simulation environment configuration

This experiment demonstrates the data distribution process from a simulated workstation node to a device node. First, Figure 10(a) shows the chaincode invocation function used to call the OT-ACSC contract. Second, three ECDSA certificates were generated for the device node, the workstation node and the interaction node: the corresponding self-signed certificates were created with the x509.CreateCertificate method, and the nodes' elliptic-curve (P-384) private keys with the ecdsa.GenerateKey method. The experiment then simulated RSA encryption and generated an RSA certificate; the certificate template is shown in Figure 10(b). The certificates (public keys) and private keys of the device, workstation and interaction nodes are shown in Figure 11(a), the RSA private key in Figure 11(b) and the RSA certificate (public key) in Figure 11(c).

The chaincode is demonstrated using access to a device node as the example. First, workstation node C accesses device node s. After the transaction Txi is signed, the contract verifies the identities of C and the device node; once verification passes, the corresponding access control policy is matched and C obtains the corresponding permission. The contract then parses and verifies the certificate of node s and extracts the public key of s; C uses this device-node public key for RSA encryption and sends the data request. Device node s decrypts the data with its own private key and verifies that the message is correct, and if so calls Oracle-Modbus TCP to issue the instruction. Figure 12 shows the contract parsing and verifying the certificate of device node s and extracting its public key. Figure 13 shows device node s decrypting the data with its private key. Device node s encrypts the response data in the same way and returns it to the workstation node. This was tested, and the test results are shown in Figure 14.
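The sign-then-encrypt exchange of steps (1) and (6) of the cross-chain flow above, together with the certificate parsing and public-key extraction the experiment shows in Figure 12, as an added Go example that is not the patent's chaincode. Txi is a constructed byte string; the node names, helper names, the use of RSA-OAEP for the transport encryption and PKCS#1 v1.5 for Sig are assumptions; and the certificates are self-signed RSA certificates produced with x509.CreateCertificate, whereas the experiment's node certificates are ECDSA P-384.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newNode generates an RSA key pair and a self-signed X.509 certificate (constructed for the example).
func newNode(name string) (*rsa.PrivateKey, []byte) {
	sk, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &sk.PublicKey, sk)
	if err != nil {
		panic(err)
	}
	return sk, der
}

// publicKeyFromCert parses a certificate, verifies its signature under its own key
// and extracts the RSA public key (the parse/verify/extract step of Figure 12).
func publicKeyFromCert(der []byte) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return nil, fmt.Errorf("certificate signature invalid: %w", err)
	}
	pk, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA key")
	}
	return pk, nil
}

// signAndEncrypt is the sender side: SHA256(Txi) is signed with the sender's private
// key skp (step 1) and Txi is RSA-OAEP-encrypted under the receiver's certificate key (step 6).
func signAndEncrypt(tx []byte, senderSk *rsa.PrivateKey, receiverCert []byte) (ct, sig []byte, err error) {
	digest := sha256.Sum256(tx)
	if sig, err = rsa.SignPKCS1v15(rand.Reader, senderSk, crypto.SHA256, digest[:]); err != nil {
		return nil, nil, err
	}
	pk, err := publicKeyFromCert(receiverCert)
	if err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, tx, nil)
	return ct, sig, err
}

// decryptAndVerify is the receiver side: decrypt with its own private key, re-hash with
// SHA256 and check Sig under the sender's certificate key; Txi is released only if both pass.
func decryptAndVerify(ct, sig []byte, receiverSk *rsa.PrivateKey, senderCert []byte) ([]byte, error) {
	tx, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverSk, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	pk, err := publicKeyFromCert(senderCert)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tx)
	if err := rsa.VerifyPKCS1v15(pk, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature Sig invalid: %w", err)
	}
	return tx, nil
}

// roundTrip plays workstation C sending Txi to device s, which must accept it, and then
// the same Txi signed by a key that C's certificate does not vouch for, which s must reject.
func roundTrip() (string, bool, error) {
	cSk, cCert := newNode("workstation-C")
	sSk, sCert := newNode("device-s")
	rogueSk, _ := newNode("rogue")
	tx := []byte("CA=H(p)-of-C;ID=s;OP=READ;EV=cell-1;Tr=80") // constructed Txi
	ct, sig, err := signAndEncrypt(tx, cSk, sCert)
	if err != nil {
		return "", false, err
	}
	plain, err := decryptAndVerify(ct, sig, sSk, cCert)
	if err != nil {
		return "", false, err
	}
	ct2, sig2, _ := signAndEncrypt(tx, rogueSk, sCert)
	_, rogueErr := decryptAndVerify(ct2, sig2, sSk, cCert)
	return string(plain), rogueErr != nil, nil
}
```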

Use-case tests were run on the functions of the designed model, covering node registration, authentication, permission matching and active defense. The tests show that the model provides trusted protection for data circulation in industrial control systems and achieves deep isolation between OT and IT as well as zero-trust access control. The test table is shown in Table 3.

Table 3: Partial function test table

It should be understood that the embodiments described above are only some of the embodiments of the invention, not all of them. In addition, the technical features of the individual embodiments provided by the invention, or within a single embodiment, may be combined with one another arbitrarily to form feasible technical solutions. Such combination is not constrained by the order of steps or by the mode of structural composition, but must be one that a person of ordinary skill in the art can implement; where a combination of technical solutions is contradictory or cannot be implemented, that combination shall be regarded as non-existent and as outside the scope of protection claimed by the invention.

It should also be understood that the above description of the preferred embodiments is relatively detailed and shall not be regarded as limiting the scope of patent protection of the invention. Guided by the invention, a person of ordinary skill in the art may make substitutions or modifications without departing from the scope protected by the claims of the invention, and all such substitutions and modifications fall within the scope of protection of the invention. The scope of protection claimed for the invention shall be governed by the appended claims.

Claims (10)

1. An ICS data trusted circulation system based on double-layer blockchain assistance, characterized in that it comprises a manufacturing execution layer, a process monitoring layer, a control network layer and a field control layer; the system circulates data in a trusted manner through two layers of blockchain, an OT blockchain and an IT blockchain, wherein the OT blockchain ledger carries the ICS internal data flow and the IT blockchain ledger carries the data flow exchanged between the ICS and the outside world; the ICS nodes comprise device nodes si, workstation nodes gi and interaction nodes ji; a device node si is the on-chain mapping of a field control device, a workstation node gi comprises engineer workstations, operator stations and operation and maintenance stations, and an interaction node ji is an external workshop node; the device node si registers on the OT blockchain, receives the corresponding certificate and unique hash H(p), and has its certificate information backed up by consensus on the IT blockchain; the interaction node ji registers on the IT blockchain, receives the corresponding certificate and unique hash H(p), and has its certificate information backed up by consensus on the OT blockchain; the workstation node gi is a relay node of both the OT blockchain and the IT blockchain, registers on the IT blockchain after being registered on the OT blockchain, and receives the corresponding certificate and unique hash H(p).

2. The ICS data trusted circulation system based on double-layer blockchain assistance according to claim 1, characterized in that, when a device node si registers on the chain, the user Client first sends a registration request to the OT blockchain together with the relevant registration information; the OT blockchain nodes verify and vote through Raft consensus and send the consensus result to the physical device for verification and matching; the physical device returns the verification result information to the OT blockchain, where it is matched, and the final consensus result is sent to the certificate authority CA; the CA generates a unique certificate for the device node si, signs it, broadcasts and issues the certificate to the physical device node and the OT blockchain, and returns the result to the user Client; finally, the result of this registration request is broadcast to the IT blockchain, where the information is backed up in a distributed manner through one round of broadcasting, and the device node si is registered on the chain.

3. The ICS data trusted circulation system based on double-layer blockchain assistance according to claim 1, characterized in that, when an interaction node ji registers on the chain, the user Client first sends a registration request to the IT blockchain together with the relevant registration information; the nodes within the IT blockchain reach Raft consensus and send the consensus result to the certificate authority CA; the CA signs and generates a unique certificate, issues it, and broadcasts the consensus result to the OT blockchain nodes; the OT blockchain backs the result up on all of its nodes through one round of broadcasting and returns the result to the user Client, and the interaction node ji is registered on the chain.

4. The ICS data trusted circulation system based on double-layer blockchain assistance according to claim 1, characterized in that, when a workstation node gi registers on the chain, the user Client first sends a registration request to the OT blockchain together with the relevant registration information; the OT blockchain nodes vote through Raft consensus and send the OT blockchain consensus result ROT together with the registration information to the IT blockchain; the IT blockchain nodes vote through Raft consensus and send the OT blockchain consensus result ROT and the IT blockchain consensus result RIT to the certificate authority CA; the CA signs, generates a unique certificate and issues it to the user Client, the OT blockchain and the IT blockchain, and the workstation node gi is registered on the chain.

5. An ICS data trusted circulation method based on double-layer blockchain assistance, applied to the system according to any one of claims 1 to 4, characterized in that dishonest nodes are rapidly screened out by an identity-assisted authentication mechanism based on a Bloom filter and a trusted database; through a credit score incentive mechanism, every action of a node is recorded and judged, updated and settled in real time; the OT blockchain ledger and the IT blockchain ledger are divided into three trusted databases according to the three node types, and a corresponding Bloom filter is designed for each trusted database; in subsequent verification it is only necessary to check whether a node is in the corresponding trusted database in order to decide whether its real-time identity is trustworthy; the Bloom filter has a bit array of m bits, a set T containing n elements xi, and k Bloom filter hash functions hk; it is first initialized by setting all m bits of the Bloom filter to 0; elements are then added by hashing the n elements x1, ..., xn of the set T with the k Bloom filter hash functions h1, ..., hk, each element yielding k bit positions in the Bloom filter, which are set to 1; during node authentication the element xi to be queried is hashed, i.e. {h1(xi), h2(xi), ..., hk-1(xi), hk(xi)}, giving k bit positions; if all k bits are 1 the element is in the set T, otherwise it is not; once this first screening has found that the node exists, the node's data are traversed and verified: information is extracted from the IT blockchain ledger and the OT blockchain ledger along the node's specific path, and the node's registration information is verified.

6. An ICS data trusted circulation method based on double-layer blockchain assistance, applied to the system according to any one of claims 1 to 4, characterized in that an ICS-RBAC zero-trust access control mechanism based on RBAC creates a policy library ST; device nodes can access only the OT blockchain ledger, interaction nodes can access only the IT blockchain ledger, and workstation nodes can access both the OT blockchain ledger and the IT blockchain ledger, thereby guaranteeing zero-trust data interaction among the OT blockchain, the IT blockchain and the ICS physical devices.

7. The ICS data trusted circulation method based on double-layer blockchain assistance according to claim 6, characterized in that OT blockchain access control is implemented by the following sub-steps: (1) the subject sends a transaction Txi to the OT access control contract OT-ACSC; the transaction contains the certificate CAi, the object IDi, the operation content OP, the real-time environment factor EVi and the real-time credit score Tri; Txi is hashed with SHA256 and the hash is encrypted with the subject's own private key skp to generate the digital signature Sig; (2) OT-ACSC verifies the subject with the dynamic identity authentication mechanism, which includes verifying the subject's certificate and checking whether the subject is in the trusted database; (3) if verification passes, the dynamic identity authentication mechanism is called to verify the object's identity, including verifying the object's certificate and checking whether the object is in the trusted database; (4) if verification passes, the OT access control decision contract OT-ADSC is called to match the policy library ST; (5) if the permissions match, authorization is granted and the match result is returned to OT-ACSC; (6) OT-ACSC RSA-encrypts Txi with the object's public key pkp and sends it together with Sig to the object (for a device node, to its mapping node on the OT blockchain); after receiving Txi and Sig, the object decrypts Sig with the object's public key pkp to obtain the hash value of Txi, then hashes the original message with the same hash function SHA256 and compares the resulting hash with the decrypted hash; if the two hashes match, the digital signature Sig is valid and Txi is complete and came from the sender; Txi is then decrypted with the object's private key, and the Oracle-Modbus TCP contract is called to issue data instructions to the field device; (7) the object generates a digital signature Sig over the data, and the OT risk prevention and control contract OT-RPSC performs a second verification on the object; to guarantee the validity of the subject's and the object's credit scores, a time threshold Time is defined and the time interval is checked against it; the data is RSA-encrypted and returned together with Sig and the result to the subject, who verifies and decrypts it, after which the blockchain record and the credit scores are updated.

8. The ICS data trusted circulation method based on double-layer blockchain assistance according to claim 6, characterized in that IT blockchain access control is implemented by the following sub-steps: (1) the user sends a transaction Txi to the IT access control contract IT-ACSC; the transaction contains the certificate CAi, the object IDi, the query content RP and the real-time credit score Tri; Txi is hashed with SHA256 and the hash is encrypted with the user's own private key skp to generate the digital signature Sig; (2) IT-ACSC verifies the user with the dynamic identity authentication mechanism, which includes verifying the certificate and checking whether the user is in the trusted database; (3) if verification passes, the dynamic identity authentication mechanism is called to verify the object's identity, including verifying the certificate and checking whether the object is in the trusted database; (4) if verification passes, the IT access control decision contract IT-ADSC is called to match the policy library ST; (5) if the permissions match, authorization is granted and the match result Match is returned to IT-ACSC; (6) IT-ACSC RSA-encrypts Txi with the public key pkp and sends it together with Sig to the object; after receiving Txi and Sig, the object decrypts Sig with the public key pkp to obtain the hash value of Txi, then hashes the original message with the same hash function SHA256 and compares the resulting hash with the decrypted hash; if the two hashes match, the digital signature Sig is valid and Txi is complete and came from the sender; Txi is then decrypted with the private key to obtain the data; (7) the object generates a digital signature Sig over the data, and the IT risk prevention and control contract IT-RPSC performs a second verification on the object; to guarantee the validity of the user's and the object's credit scores, a time threshold Time is defined and the time interval is checked against it; the data is RSA-encrypted and returned together with Sig and the result to the user, who verifies and decrypts it, after which the blockchain record and the credit scores are updated.

9. The ICS data trusted circulation method based on double-layer blockchain assistance according to claim 6, characterized in that OT&IT cross-chain access control is implemented by the following sub-steps: (1) request verification: the requester sends a transaction Txi to the IT access control contract IT-ACSC or the OT access control contract OT-ACSC; Txi is hashed with the SHA256 hash function and the hash is encrypted with skp to generate the digital signature Sig; (2) IT-ACSC or OT-ACSC verifies the requester with the dynamic identity authentication mechanism; (3) if verification passes, Raft consensus is used to select a gi node, that node is verified with the dynamic identity authentication mechanism, and the gi node is incentivized with credit points; (4) if verification passes, the OT access control decision contract OT-ADSC or the IT access control decision contract IT-ADSC is called to match the policy library ST; (5) if the permissions match, authorization is granted and the match result Match is returned to OT-ADSC or IT-ACSC; (6) IT-ACSC or OT-ACSC RSA-encrypts Txi with the public key pkp of the gi node and sends it together with Sig to the requester; after receiving Txi and Sig, the gi node decrypts Sig with the requester's public key pkp to obtain the hash value of Txi, then hashes the original message with the same hash function SHA256 and compares the resulting hash with the decrypted hash; if the two hashes match, the digital signature Sig is valid and Txi is complete and came from the sender; Txi is then decrypted with the private key of the gi node; (7) data extraction: the gi node transfers the OT blockchain or IT blockchain request across chains and broadcasts Txi; the nodes on the chain of the requested node reach agreement with the Raft consensus mechanism; once consensus is reached, the data Data is encrypted with the RSA encryption algorithm and sent to the interaction node gi; (8) data verification: gi verifies the data Data with the dynamic identity authentication mechanism, checking its authenticity and whether it has been tampered with; (9) data upload: gi packages the data Data and the node providing Data into a transaction and uploads the data across chains; (10) the OT risk prevention and control contract OT-RPSC or the IT risk prevention and control contract IT-RPSC performs a second verification on gi; to guarantee the validity of the participating nodes' credit scores, a time threshold Time is defined and the time interval is checked against it; the data is RSA-encrypted and returned together with Sig and the result to the requester, who verifies and decrypts it, after which the blockchain record and the credit scores are updated.

10. An ICS data trusted circulation method based on double-layer blockchain assistance, applied to the system according to any one of claims 1 to 4, characterized in that an active defense mechanism combining a heartbeat mechanism with the blockchain detects dishonest nodes in real time, and is implemented by the following sub-steps: (1) set the heartbeat test period Th and, within a time no greater than Th, send a random challenge to the node, the challenge being designed as follows: a historical test timestamp is chosen at random and a challenge feedback time threshold Tt is set; (2) using the historical timestamp, query the corresponding blockchain ledger and randomly obtain a data interaction request record; (3) retrieve the data interaction records of both interacting parties and compare them with the blockchain ledger data; if no reply arrives within the specified Tt, the node is judged to be a problem node and is tested manually to distinguish downtime, failure and forgery; if a reply arrives within the specified Tt and the comparison succeeds, the node is a safe node; (4) update and label the credit values of the different types of nodes.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status | Granted Publication
CN202410774176.6A | 2024-06-17 | 2024-06-17 | ICS data trusted circulation system and method based on double-layer blockchain assistance | Active | CN118748583B (en)

Publications (2)

Publication Number | Publication Date
CN118748583A (en) | 2024-10-08
CN118748583B (en) | 2025-09-26

Family

ID=92918914

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status | Granted Publication
CN202410774176.6A | ICS data trusted circulation system and method based on double-layer blockchain assistance | 2024-06-17 | 2024-06-17 | Active | CN118748583B (en)

Country Status (1)

Country | Link
CN (1) | CN118748583B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN119652646A (en)* | 2024-12-25 | 2025-03-18 | 武汉大学 | Blockchain-assisted industrial control system zero dynamic attack defense method and device
CN119652646B (en)* | 2024-12-25 | 2025-09-26 | 武汉大学 | Zero dynamic attack defense method and device for block chain assisted industrial control system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20190141026A1 (en)* | 2017-11-07 | 2019-05-09 | General Electric Company | Blockchain based device authentication
CN114448654A (en)* | 2021-09-02 | 2022-05-06 | 中国科学院信息工程研究所 | Block chain-based distributed trusted audit security evidence storing method
US20230091179A1 (en)* | 2021-09-17 | 2023-03-23 | B Data Solutions Inc. | System and method for building a trusted network of devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xiangzhen Peng: "Double layer blockchain-assisted trusted data flow model for industrial control systems", Reliability Engineering and System Safety, 12 March 2025 (2025-03-12)*

Also Published As

Publication number | Publication date
CN118748583B (en) | 2025-09-26

Legal Events

Date | Code | Title | Description
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 
