工业控制网络与系统研究室知识库

针对当前国内工控系统中普遍缺乏认证能力的现状,本文结合无证书签名和传统信息安全中的群组认证提出了一种面向工控终端的轻量级组认证机制,针对传统信息安全中的身份认证技术进行改进,实现工控系统中多机协作场景下对多台PLC进行同时认证.基于本方案实现的可信PLC设备采用嵌入式处理器和安全处理单元的结构,在数据传输时采用PCIE协议传输,替代了传统的网络接口的数据传输,确保网络数据不会外泄,最大程度上保证了数据的安全性.验证表明,本文提出的轻量级组认证机制减少了认证过程的计算量和通信开销,能够解决控制系统中身份认证机制存在的终端计算能力有限等问题.

Aiming at the current lack of certification ability in domestic industrial control system, we propose a lightweight group authentication mechanism for industrial control terminal; the mechanism combines the group authentication method of uncertificated signature and traditional information security. The proposed scheme improves the identity authentication technology in traditional information security and realizes simultaneous authentication of multiple PLCs in the multi-machine collaboration scenario of the industrial control system. The structure of the reliable PLC device based on the scheme adopts the embedded processor and the security processing unit. In this scheme, the PCIE protocol is used to transmit data, instead of the traditional network interface data transmission. It can certificateless signature group authentication mechanism. The PCIE protocol security processing unit ensures that network data are not compromised and that data security is guaranteed to the greatest extent. The verification shows that the proposed lightweight group authentication mechanism reduces the computational complexity and communication overhead of the authentication process. It can solve the problem of limited computing power of the terminal in the control system.