Control system and setting method

Document number: 157278   Publication date: 2021-10-26

Reading notes: This technology, "Control system and setting method", was created by 广部直树, 永田雄大 and 田原豊 on 2020-02-20. Its main content is as follows: A control system comprising: a controller system (1) that controls a control target; and a support device (600) that supports setting of the controller system (1). The support device (600) includes a system configuration input unit (630), a threat analysis database (6106), a threat scenario creation unit (632), a countermeasure database (6108), a countermeasure creation unit (634), and a security setting unit (636). The countermeasure creation unit (634) creates a countermeasure scenario, in which a countermeasure for each protected asset of the controller system is stored, based on the threat scenario and the countermeasures in the countermeasure database.

1. A control system, comprising:

a controller system that controls a control target; and

a support device that supports setting of the controller system;

wherein the controller system includes:

a control unit that executes control operations for controlling the control target; and

a security unit that is connected to the control unit and is responsible for security functions for the controller system;

and the support device includes:

a system configuration input unit that acquires a device configuration and protected assets from the controller system;

a threat analysis database in which an importance level of each protected asset of the controller system and a threat level of each security threat are stored in advance;

a threat scenario creation unit that creates a threat scenario from the importance levels and threat levels in the threat analysis database, according to the device configuration and protected assets acquired by the system configuration input unit;

a countermeasure database in which countermeasures corresponding to security threats are stored in advance;

a countermeasure creation unit that creates a countermeasure scenario, in which a countermeasure for each protected asset of the controller system is stored, based on the threat scenario created by the threat scenario creation unit and the countermeasures in the countermeasure database; and

a security setting unit that outputs setting data for the security functions to the security unit, based on the countermeasure scenario created by the countermeasure creation unit.

2. The control system according to claim 1, wherein the support device further includes a countermeasure result output unit that outputs a countermeasure report containing information on at least one of the threat scenario and the countermeasure scenario.

3. The control system according to claim 1 or 2, wherein the threat level of a security threat in the threat analysis database differs according to the device class of the controller system.

4. The control system according to any one of claims 1 to 3, wherein the threat scenario holds a risk value, tentatively calculated by a predetermined method, for each combination of a protected asset and a security threat of the controller system.

5. The control system according to claim 4, wherein the countermeasure creation unit creates the countermeasure scenario for each combination of a protected asset and a security threat of the controller system whose risk value stored in the threat scenario is equal to or greater than a predetermined value.

6. The control system according to any one of claims 1 to 5, wherein the countermeasure database holds, as countermeasures corresponding to a security threat, both countermeasures based on a security function of the security unit and countermeasures based on an operation that does not use the security function.

7. The control system according to any one of claims 1 to 6, wherein the countermeasure creation unit selects a countermeasure based on a security function of the security unit in accordance with the resources of the security unit, and creates the countermeasure scenario accordingly.

8. The control system according to claim 7, wherein the countermeasure creation unit selects different countermeasures depending on the software and hardware versions of each of the devices constituting the controller system.

9. The control system according to any one of claims 6 to 8, wherein the countermeasure creation unit selects a countermeasure based on an operation to create the countermeasure scenario when the resources of the security unit are insufficient.

10. A setting method for setting data of a security function in a controller system, the controller system comprising: a control unit that executes control operations for controlling a control target; and a security unit that is connected to the control unit and is responsible for security functions for the controller system; the setting method comprising:

a step of acquiring a device configuration and protected assets from the controller system;

a step of creating a threat scenario from importance levels and threat levels stored in advance in a threat analysis database, according to the acquired device configuration and protected assets;

a step of creating a countermeasure scenario, in which a countermeasure for each protected asset of the controller system is stored, based on the created threat scenario and countermeasures corresponding to security threats stored in advance in a countermeasure database; and

a step of outputting setting data for the security function to the security unit according to the created countermeasure scenario.

Technical Field

The present invention relates to security functions of, and a setting method for, a control system including a controller system that controls a control target.

Background

In recent years, damage caused by malware and the like has occurred at manufacturing sites such as factories, and security measures are now required for control devices such as Programmable Logic Controllers (PLCs). Therefore, when developing equipment or a production line in a factory or the like, production engineers, equipment-manufacturer developers, and others need to take security measures.

In PLCs, however, security has so far been considered only to a limited extent. For example, Japanese Patent Laid-Open No. 2000-137506 (Patent Document 1) discloses a PLC that merely sends an e-mail to a destination registered in advance when an abnormality history is recorded or when a predetermined time arrives; no security measures beyond this are taken into consideration.

Documents of the prior art

Patent document

Patent Document 1: Japanese Patent Laid-Open No. 2000-137506

Disclosure of Invention

Problems to be solved by the invention

In particular, with the recent progress of Information and Communication Technology (ICT), control devices are now connected to various external devices via networks, and the processing they execute is becoming more sophisticated. With such networking and intelligence, the variety of security threats that must be anticipated has also increased.

However, analyzing the anticipated security threats requires specialist knowledge. If the threat analysis is performed by a production engineer or an equipment-manufacturer developer, a long training period is needed to acquire that knowledge; if an expert is hired for the security threat analysis, the expert's labor cost becomes a cost burden for the factory or equipment manufacturer.

An object of the present invention is to solve the following new problem: analyzing the security threats that may arise from the networking and increasing intelligence of control devices and control systems, and taking countermeasures against those threats.

Means for solving the problems

A control system according to one aspect of the present invention includes: a controller system that controls a control target; and a support device that supports setting of the controller system. The controller system includes: a control unit that executes control operations for controlling the control target; and a security unit that is connected to the control unit and is responsible for security functions for the controller system. The support device includes: a system configuration input unit that acquires a device configuration and protected assets from the controller system; a threat analysis database in which an importance level of each protected asset of the controller system and a threat level of each security threat are stored in advance; a threat scenario creation unit that creates a threat scenario from the importance levels and threat levels in the threat analysis database, according to the device configuration and protected assets acquired by the system configuration input unit; a countermeasure database in which countermeasures corresponding to security threats are stored in advance; a countermeasure creation unit that creates a countermeasure scenario, in which a countermeasure for each protected asset of the controller system is stored, based on the threat scenario created by the threat scenario creation unit and the countermeasures in the countermeasure database; and a security setting unit that outputs setting data for the security functions to the security unit based on the countermeasure scenario created by the countermeasure creation unit.

According to this aspect, the control system can analyze security threats with the support device and easily take countermeasures against them.

Preferably, the support device further includes a countermeasure result output unit that outputs a countermeasure report including information on at least one of the threat scenario and the countermeasure scenario. According to this aspect, the countermeasures against security threats can be output as a report.

Preferably, the threat level of a security threat in the threat analysis database differs depending on the device class of the controller system. According to this aspect, countermeasures against threats can be taken appropriately for the purpose and priorities of the controller system's device class.

Preferably, the threat scenario holds a risk value, tentatively calculated by a predetermined method, for each combination of a protected asset and a security threat of the controller system. According to this aspect, security threats can be analyzed appropriately by holding the value tentatively calculated by the predetermined method as the risk value.

Preferably, the countermeasure creation unit creates the countermeasure scenario for each combination of a protected asset and a security threat of the controller system whose risk value stored in the threat scenario is equal to or greater than a predetermined value. According to this aspect, security countermeasures can be taken at the level of risk for which the user requires countermeasures.

Preferably, the countermeasure database stores, as countermeasures corresponding to a security threat, both countermeasures based on a security function of the security unit and countermeasures based on an operation that does not use the security function. According to this aspect, a variety of security countermeasures can be taken according to the controller system.

Preferably, the countermeasure creation unit selects a countermeasure based on a security function of the security unit in accordance with the resources of the security unit, and creates the countermeasure scenario accordingly. According to this aspect, security countermeasures can be taken according to the resource capacity of the security unit.

Preferably, the countermeasure creation unit selects different countermeasures depending on the software and hardware versions of the respective devices constituting the controller system. According to this aspect, countermeasures against threats can be taken appropriately for the devices constituting the controller system.

Preferably, the countermeasure creation unit selects a countermeasure based on an operation, rather than on a security function, to create the countermeasure scenario when the resources of the security unit are insufficient. According to this aspect, security countermeasures can be taken according to the resource capacity of the security unit.

Another aspect of the present invention is a setting method for setting data of a security function in a controller system, the controller system including: a control unit that executes control operations for controlling a control target; and a security unit that is connected to the control unit and is responsible for security functions for the controller system. The setting method comprises: acquiring a device configuration and protected assets from the controller system; creating a threat scenario from importance levels and threat levels stored in advance in a threat analysis database, according to the acquired device configuration and protected assets; creating a countermeasure scenario, in which a countermeasure for each protected asset of the controller system is stored, based on the created threat scenario and countermeasures corresponding to security threats stored in advance in a countermeasure database; and outputting setting data for the security function to the security unit according to the created countermeasure scenario.

According to this aspect, security threats can be analyzed by the support device in the control system, and countermeasures against them can be set easily.

ADVANTAGEOUS EFFECTS OF INVENTION

According to the present invention, the following new problem can be solved: analyzing the security threats that may arise from the networking and increasing intelligence of control devices and control systems, and taking countermeasures against those threats.

Drawings

Fig. 1 is an external view showing a configuration example of a controller system according to the present embodiment.

Fig. 2 is a schematic diagram showing an example of a hardware configuration of a control unit constituting the controller system of the present embodiment.

Fig. 3 is a schematic diagram showing an example of a hardware configuration of a security unit constituting the controller system according to the present embodiment.

Fig. 4 is a schematic diagram showing an example of a hardware configuration of a safety unit constituting the controller system according to the present embodiment.

Fig. 5 is a block diagram illustrating a system configuration for setting security using a support device connected to the controller system of the present embodiment.

Fig. 6 is a schematic diagram showing an example of the hardware configuration of a support device connected to the controller system of the present embodiment.

Fig. 7 is a sequence diagram for explaining threat analysis and security setting in the controller system and the support apparatus according to the present embodiment.

Fig. 8 is a flowchart showing a procedure of processing for creating a threat scenario list in the support apparatus according to the present embodiment.

Fig. 9 is a flowchart showing a procedure of processing for creating a countermeasure scenario in the support apparatus according to the present embodiment.

Fig. 10 is a schematic diagram showing an example of the configuration of an apparatus for setting threat analysis and security using the support apparatus according to the present embodiment.

Fig. 11 is a flowchart showing a processing procedure for creating a protected asset evaluation list by the support apparatus according to the present embodiment.

Fig. 12 is a diagram showing an example of a protected asset evaluation list created by the support apparatus according to the present embodiment.

Fig. 13 is a diagram showing another example of the protected asset evaluation list created by the support apparatus according to the present embodiment.

Fig. 14 is a flowchart showing a processing procedure for creating a threat list by the support apparatus according to the present embodiment.

Fig. 15 is a diagram showing an example of a threat list created by the support apparatus according to the present embodiment.

Fig. 16 is a diagram showing another example of the threat list created by the support apparatus according to the present embodiment.

Fig. 17 is a diagram showing a modification example of the threat list created by the support apparatus according to the present embodiment.

Fig. 18 is a diagram showing an example of a threat scenario list created by the support apparatus according to the present embodiment.

Fig. 19 is a diagram showing an example of a countermeasure scenario created by the support apparatus according to the present embodiment.

Fig. 20 is a diagram showing an example of a countermeasure scenario when the resource capacity is 50, which is created by the support apparatus according to the present embodiment.

Fig. 21 is a diagram showing an example of a countermeasure scenario when the resource capacity is 100, which is created by the support apparatus according to the present embodiment.

Fig. 22 is a diagram showing an example of a countermeasure scenario when the resource capacity is 20, which is created by the support apparatus according to the present embodiment.

Fig. 23 is a diagram showing an example of a threat analysis result report created by the support apparatus according to the present embodiment.

Fig. 24 is a diagram showing another example of a threat analysis result report created by the support apparatus according to the present embodiment.

Fig. 25 is a diagram showing an example of information on the device configuration displayed by the support device according to the present embodiment.

Fig. 26 is a diagram showing an example of a protected asset evaluation list displayed by the support apparatus according to the present embodiment.

Fig. 27 is a diagram showing an example of a threat list displayed by the support apparatus of the present embodiment.

Fig. 28 is a diagram showing an example of setting of the risk value trial calculation method displayed by the support apparatus according to the present embodiment.

Fig. 29 is a diagram showing an example of a threat scenario list displayed by the support apparatus according to the present embodiment.

Fig. 30 is a diagram showing an example of selection of a countermeasure policy displayed by the support apparatus according to the present embodiment.

Fig. 31 is a diagram showing an example of a threat countermeasure list displayed by the support apparatus of the present embodiment.

Fig. 32 is a diagram showing an example of a countermeasure scenario displayed by the support apparatus according to the present embodiment.

Fig. 33 is a diagram showing an example of selection of output contents displayed by the support apparatus according to the present embodiment.

Detailed Description

Embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the drawings, the same or corresponding portions are denoted by the same reference numerals, and description thereof will not be repeated.

< A. Application example >

An example of a scene to which the present invention is applied will be described. First, the configuration of the controller system 1 of the present embodiment will be explained.

Fig. 1 is an external view showing a configuration example of a controller system 1 according to the present embodiment. Referring to fig. 1, the controller system 1 includes a control unit 100, a security unit 200, a safety unit 300, one or more functional units 400, and a power supply unit 450.

The control unit 100 and the security unit 200 are connected via an arbitrary data transmission path (for example, Peripheral Component Interconnect Express (PCI Express), Ethernet (registered trademark), or the like). The control unit 100, the safety unit 300, and the one or more functional units 400 are connected via an internal bus (not shown).

The control unit 100 performs a central process in the controller system 1. The control unit 100 executes a control operation for controlling a control target in accordance with an arbitrarily designed requirement specification. In contrast to the control operation performed by the safety unit 300 described later, the control operation performed by the control unit 100 is also referred to as "standard control". In the configuration example shown in fig. 1, the control unit 100 has one or more communication ports.

The security unit 200 is connected to the control unit 100 and is responsible for security functions for the controller system 1. In the configuration example shown in fig. 1, the security unit 200 has one or more communication ports. Details of the security function provided by the security unit 200 will be described later.

The safety unit 300 is independent of the control unit 100 and executes control calculations for realizing safety functions related to the control target. The control operation performed by the safety unit 300 is also referred to as "safety control". Generally, "safety control" is designed to satisfy the conditions for realizing safety functions specified by International Electrotechnical Commission (IEC) 61508 or the like. "Safety control" is a generic term for processing that prevents the safety of people from being threatened by equipment, machinery, or the like.

The functional units 400 provide various functions for realizing control of various control targets by the controller system 1. Typically, the functional units 400 may include an Input/Output (I/O) unit, a safety I/O unit, a communication unit, an operation controller unit, a temperature adjustment unit, a pulse counter unit, and the like. Examples of the I/O unit include a Digital Input (DI) unit, a Digital Output (DO) unit, an Analog Input (AI) unit, an Analog Output (AO) unit, a pulse-capture input unit, and a composite unit combining several of these kinds. The safety I/O unit handles the I/O processing for safety control.

The power supply unit 450 supplies power of a predetermined voltage to each unit constituting the controller system 1.

< B. Example of hardware configuration of each unit >

Next, an example of a hardware configuration of each unit constituting the controller system 1 of the present embodiment will be described.

(b 1: control unit 100)

Fig. 2 is a schematic diagram showing an example of the hardware configuration of the control unit 100 constituting the controller system 1 of the present embodiment. Referring to fig. 2, the control unit 100 includes a processor 102 such as a Central Processing Unit (CPU) or a Graphics Processing Unit (GPU), a chipset 104, a main storage device 106, a secondary storage device 108, a communication controller 110, a Universal Serial Bus (USB) controller 112, a memory card interface 114, network controllers 116, 118, and 120, an internal bus controller 122, and an indicator 124 as main components.

The processor 102 reads various programs stored in the secondary storage device 108, loads them into the main storage device 106 and executes them, thereby realizing the control calculations for standard control and the various processes described later. The chipset 104 mediates data exchange between the processor 102 and the components, thereby realizing the overall processing of the control unit 100.

The secondary storage device 108 stores not only the system program but also a control program that runs on an execution environment provided by the system program.

The communication controller 110 is responsible for data interchange with the security unit 200. As the communication controller 110, for example, a communication chip corresponding to PCI Express, ethernet (registered trademark), or the like can be used.

The USB controller 112 is responsible for data exchange with an arbitrary information processing apparatus via a USB connection.

The memory card interface 114 is configured to be attachable to and detachable from the memory card 115, and is capable of writing data such as a control program and various settings to the memory card 115, and reading data such as a control program and various settings from the memory card 115.

The network controllers 116, 118, and 120 are each responsible for data exchange with arbitrary devices via a network. They may use industrial network protocols such as EtherCAT (Ethernet for Control Automation Technology) (registered trademark), EtherNet/IP (EtherNet Industrial Protocol) (registered trademark), DeviceNet (registered trademark), and CompoNet (registered trademark).

The internal bus controller 122 is responsible for data exchange with the safety unit 300 and the one or more functional units 400 constituting the controller system 1. The internal bus may use a manufacturer-proprietary communication protocol, or a communication protocol identical or conforming to any industrial network protocol.

The indicator 124 indicates the operating state of the control unit 100 and the like, and consists of one or more Light Emitting Diodes (LEDs) or the like disposed on the surface of the unit.

Fig. 2 shows an example of a configuration in which the processor 102 executes a program to provide a desired function, but a part or all of the provided functions may be implemented by a dedicated hardware Circuit (e.g., an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or the like). Alternatively, the main part of the control unit 100 may also be implemented using hardware in a general architecture (e.g., a general-purpose personal computer-based industrial personal computer). In this case, a plurality of Operating Systems (OSs) having different applications may be executed in parallel using a virtualization technique, and a desired application may be executed on each OS.

(b 2: Security Unit 200)

Fig. 3 is a schematic diagram showing an example of a hardware configuration of the security unit 200 constituting the controller system 1 according to the present embodiment. Referring to fig. 3, the security unit 200 includes a processor 202 such as a CPU or GPU, a chipset 204, a primary storage device 206, a secondary storage device 208, a communication controller 210, a USB controller 212, a memory card interface 214, network controllers 216, 218, and an indicator 224 as main components.

The processor 202 reads various programs stored in the secondary storage device 208, loads them into the primary storage device 206 and executes them, thereby implementing the various security functions described later. The chipset 204 mediates data exchange between the processor 202 and the components, thereby realizing the overall processing of the security unit 200.

The secondary storage device 208 stores not only the system program but also a security system program that runs on an execution environment provided by the system program.

The communication controller 210 is responsible for data exchange with the control unit 100. As with the communication controller 110 of the control unit 100, a communication chip supporting PCI Express, Ethernet (registered trademark), or the like can be used as the communication controller 210.

The USB controller 212 is responsible for data interchange with an arbitrary information processing apparatus via a USB connection.

The memory card interface 214 is configured to be attachable to and detachable from the memory card 215, and is capable of writing data such as a control program and various settings to the memory card 215, and reading data such as a control program and various settings from the memory card 215.

The network controllers 216, 218 are each responsible for data interchange with any device via the network. The network controllers 216 and 218 may use a general-purpose network protocol such as ethernet (registered trademark).

The indicator 224 indicates the operating state of the security unit 200 and the like, and consists of one or more LEDs or the like disposed on the surface of the unit.

An example of a structure that provides necessary functions by the processor 202 executing a program is shown in fig. 3, but a part or all of the provided functions may be implemented using a dedicated hardware circuit (for example, ASIC or FPGA or the like). Alternatively, the main part of the security unit 200 may also be implemented using hardware in a general architecture (e.g., a general-purpose personal computer-based industrial personal computer). In this case, a plurality of OSs having different purposes may be executed in parallel using a virtualization technique, and a desired application may be executed on each OS.

(b 3: safety unit 300)

Fig. 4 is a schematic diagram showing an example of the hardware configuration of the safety unit 300 constituting the controller system 1 of the present embodiment. Referring to fig. 4, the safety unit 300 includes a processor 302 such as a CPU or GPU, a chipset 304, a main storage device 306, a secondary storage device 308, a memory card interface 314, an internal bus controller 322, and an indicator 324 as main components.

The processor 302 reads various programs stored in the secondary storage device 308, loads them into the main storage device 306 and executes them, thereby realizing the control calculations for safety control and the various processes described later. The chipset 304 mediates data exchange between the processor 302 and the components, thereby realizing the overall processing of the safety unit 300.

The secondary storage device 308 stores not only the system program but also a safety program that runs in an execution environment provided by the system program.

The memory card interface 314 is configured so that a memory card 315 can be attached and detached, and is capable of writing data such as the safety program and various settings to the memory card 315, and reading data such as the safety program and various settings from the memory card 315.

The internal bus controller 322 is responsible for data exchange with the control unit 100 via the internal bus.

The indicator 324 indicates the operating state of the safety unit 300 and the like, and consists of one or more LEDs or the like disposed on the surface of the unit.

Fig. 4 shows an example of a configuration in which the processor 302 executes a program to provide the necessary functions, but a part or all of the provided functions may be implemented using a dedicated hardware circuit (for example, an ASIC or FPGA). Alternatively, the main part of the safety unit 300 may be implemented using hardware of a general architecture (for example, an industrial personal computer based on a general-purpose personal computer). In this case, a plurality of OSs having different purposes may be executed in parallel using a virtualization technique, and a desired application may be executed on each OS.

< C: setting of security function

Next, an example of the processing performed when settings for realizing the various security functions of the security unit 200 are made will be described. Fig. 5 is a block diagram illustrating a system configuration for setting security using a support device connected to the controller system of the present embodiment. As shown in fig. 5, the support device 600 includes a system configuration input unit 630, a threat scenario creation unit 632, a countermeasure creation unit 634, and a security setting unit 636. The support device 600 further includes a threat analysis database 6106 and a countermeasure database 6108. The threat analysis database 6106 and the countermeasure database 6108 may, however, be provided on an external server instead of in the support device 600.

First, the support device 600 acquires information on the device configuration (the system configuration of the devices) and information on the protected assets (including resource information of the security unit 200) from the controller system 1 using the system configuration input unit 630. The threat scenario creation unit 632 creates a threat scenario from the importance levels and threat levels in the threat analysis database 6106, according to the device configuration and protected assets acquired by the system configuration input unit 630. In this specification, the "importance level" is an index indicating the importance of a protected asset constituting the controller system 1, and may be set by the user. The "threat level" is an index indicating the severity of a security threat to the controller system 1, and may also be set by the user. A "protected asset" is a device or the like constituting the controller system 1, and includes the control unit 100, the security unit 200, the field device 500, and the like.

The threat analysis database 6106 stores in advance the importance levels of the protected assets of the controller system 1 and the threat levels of the security threats. The user judges whether the threat scenario created by the threat scenario creation unit 632 is acceptable (OK) or not (NG), and inputs the judgment to the threat scenario creation unit 632. The user can also input to the threat scenario creation unit 632 the risk level at which countermeasures become necessary.

The countermeasure creation unit 634 creates a countermeasure scenario, in which a countermeasure for each protected asset of the controller system 1 is stored, based on the threat scenario created by the threat scenario creation unit 632 and the countermeasures in the countermeasure database 6108. Countermeasures corresponding to security threats are stored in the countermeasure database 6108 in advance. The user judges whether the countermeasure scenario created by the countermeasure creation unit 634 is OK or NG, and inputs the judgment to the countermeasure creation unit 634.

The security setting unit 636 outputs setting data of the security function (security function setting data) to the security unit 200 based on the countermeasure scenario created by the countermeasure creation unit 634. In the security unit 200, various security functions are implemented based on setting data (security function setting data). The countermeasure result output unit 638 outputs the threat analysis result including the countermeasure scenario created by the countermeasure creation unit 634 to the user as a threat analysis result report.

The structure illustrated in fig. 5 is implemented by a hardware structure of the support apparatus 600 described below. Fig. 6 is a schematic diagram showing an example of the hardware configuration of a support apparatus 600 connected to the controller system 1 of the present embodiment. As an example, the support apparatus 600 is implemented using hardware according to a general-purpose architecture (for example, a general-purpose personal computer).

Referring to fig. 6, the support apparatus 600 includes a processor 602, a main memory 604, an input unit 606, an output unit 608, a storage 610, an optical drive 612, and a USB controller 620. These components are connected via a processor bus 618.

The processor 602 includes a CPU, a GPU, and the like, reads programs (for example, the OS 6102 and the support program 6104) stored in the storage 610, develops the programs in the main memory 604, and executes the programs, thereby realizing setting processing for the controller system 1 and the like.

The main memory 604 includes volatile memory devices such as Dynamic Random Access Memory (DRAM) and Static Random Access Memory (SRAM). The storage 610 includes a nonvolatile storage device such as a Hard Disk Drive (HDD) or a Solid State Drive (SSD).

In the storage 610, a support program 6104 for providing a function as the support apparatus 600 is saved in addition to the OS 6102 for realizing the basic function. That is, the support program 6104 is executed by a computer connected to the controller system 1, thereby realizing the support apparatus 600 of the present embodiment. Further, a threat analysis database 6106 and a countermeasure database 6108 are stored in the storage 610.

The input unit 606 includes a keyboard, a mouse, and the like, and receives a user operation. The output unit 608 includes a display, various indicators, a printer, and the like, and outputs a processing result from the processor 602.

The USB controller 620 exchanges data with the controller system 1 and the like via the USB connection.

The support apparatus 600 includes an optical drive 612, which reads a program from a computer-readable recording medium 614 (for example, an optical recording medium such as a Digital Versatile Disc (DVD)) that stores the program in a non-transitory manner, and installs the program in the storage 610 or the like.

The support program 6104 and the like executed by the support apparatus 600 may be installed via the computer-readable recording medium 614, or may be installed in a form downloaded from a server apparatus or the like on a network. In addition, the functions provided by the support apparatus 600 according to the present embodiment may be implemented by using a part of the modules provided by the OS.

Fig. 6 shows an example in which the functions required for the support apparatus 600 are provided by the processor 602 executing a program, but a part or all of these functions may be implemented using dedicated hardware circuits (for example, an ASIC or an FPGA).

Next, in the system configuration in which security setting is performed by the support apparatus 600, threat analysis and security setting performed at the time of device development or device activation will be described in detail. Fig. 7 is a sequence diagram for explaining threat analysis and security setting in the controller system and the support apparatus according to the present embodiment. A typical example of a control system including the controller system 1 and the support apparatus 600 will be described in the sequence diagram shown in fig. 7.

First, the user activates the setting tool of the security unit 200 using the support device 600. When the setting tool is activated, the system configuration input section 630 makes an inquiry to the controller system 1. The controller system 1 returns information on the device configuration of the controller system 1 and information on the protected assets to the system configuration input unit 630 in response to the inquiry from the system configuration input unit 630. The system configuration input unit 630 acquires information on the device configuration and information on the protected asset from the controller system 1. Further, the system configuration input unit 630 acquires resource information of the security unit 200 such as version information of software and hardware and resource capacity from the security unit 200.

When the user selects to start setting the security unit 200 and selects the device type using the support device 600, the threat scenario creation unit 632 creates a threat scenario list based on the importance level and threat level of the threat analysis database 6106 according to the device type. Specifically, the threat scenario creation unit 632 creates a protected asset evaluation list and a threat list with reference to the information in the threat analysis database 6106, and presents the user with a threat scenario list based on the protected asset evaluation list and the threat list. The threat scenario creation unit 632 may also create the threat scenario list based on the importance level and threat level of the threat analysis database 6106 regardless of the device type.

The user determines whether the presented threat scenario list is OK or NG, and inputs the determination result to the threat scenario creation unit 632. If the threat scenario list is NG, the user may correct it manually. In addition, the user can input the risk level necessary for countermeasures to the threat scenario creation unit 632. The support apparatus 600 can then create countermeasures corresponding to security threats according to the risk level required for countermeasures.

The countermeasure creation unit 634 creates a countermeasure scenario in which countermeasures for each protection asset of the controller system 1 are stored, based on the threat scenario list created by the threat scenario creation unit 632 and the countermeasures in the countermeasure database 6108. The countermeasure creation unit 634 refers to the threat countermeasure list stored in the threat analysis database 6106, determines countermeasures for the various threats in the threat scenario list, and creates a countermeasure scenario.

The countermeasure creation unit 634 presents the created countermeasure scene to the user. The user determines whether the countermeasure scene created by the countermeasure creation unit 634 is OK or NG, and inputs the determination result to the countermeasure creation unit 634. If the countermeasure scenario is NG, the process returns to the threat scenario creation unit 632, and the user can correct the threat scenario list by manual operation.

The security setting unit 636 outputs setting data of the security function (security function setting data) to the security unit 200 based on the countermeasure scenario created by the countermeasure creation unit 634. In the security unit 200, various security functions are implemented based on setting data (security function setting data). When the setting is completed based on the setting data (security function setting data), the security unit 200 returns OK information to the security setting unit 636, and when the setting is not completed, returns NG information to the security setting unit 636.

The countermeasure result output unit 638 outputs the threat analysis result including the countermeasure scenario created by the countermeasure creation unit 634 to the user as a threat analysis result report. As described above, the control system can analyze threats of security using the support apparatus 600 and easily take countermeasures against the threats.

< D: creation of threat scenario list and countermeasure scenario >

Next, fig. 8 is a flowchart showing a procedure of processing for creating a threat scenario list in the support apparatus 600 according to the present embodiment. Fig. 9 is a flowchart showing a procedure of processing for creating a countermeasure scenario in the supporting apparatus 600 according to the present embodiment. First, when the process shown in fig. 8 is started, the support apparatus 600 acquires information of the apparatus configuration using the system configuration input section 630 (step S101). Since the purpose, important items, and the like of control differ depending on the type of device controlled by the controller system 1, the security function to be set differs.

For example, if the apparatus controlled by the controller system 1 is a semiconductor manufacturing apparatus, it is important to continuously maintain the control of the apparatus because there is substantially no case where a person enters the vicinity of the apparatus during the manufacturing process. On the other hand, if the device controlled by the controller system 1 is a press device, it is essential that a person performs work in the vicinity of the device in the manufacturing process, and therefore it is important to reliably stop the device in an emergency to protect the safety of the person. Therefore, in the case of a semiconductor manufacturing apparatus, the security function of the configuration necessary for continuously maintaining the control of the apparatus is preferentially set, and in the case of a press apparatus, the security function of the configuration necessary for reliably stopping the apparatus is preferentially set.

Fig. 10 is a schematic diagram showing an example of the configuration of an apparatus for which threat analysis and security setting are performed using the support apparatus according to the present embodiment. The apparatus configuration shown in fig. 10(a) is a semiconductor manufacturing apparatus, and the apparatus configuration shown in fig. 10(b) is a press apparatus. In the device configurations shown in fig. 10(a) and 10(b), the controller system 1 is configured by a control unit (PLC) 100 and a security unit 200.

The security unit 200 of the controller system 1 is connected to a network via a communication port (the network controller 216 of fig. 3) and to a support apparatus (a maintenance Personal Computer (PC)) 600.

The support apparatus 600 can access at least the control unit 100 and provide functions such as creation, debugging, setting of various parameters, and setting of various security functions of programs executed by the units included in the controller system 1 to a user.

The controller system 1 is connected to a network via a communication port (the network controller 116 in fig. 2), and is connected to a Human Machine Interface (HMI) 800 and an external network (NW) 900.

The HMI 800 presents various information obtained through control operations in the controller system 1 to an operator, and generates an internal command and the like to the controller system 1 in accordance with an operation from the operator.

The control unit 100 of the controller system 1 is connected to one or more field devices 500 via a communication port (network controller 118 of fig. 2). The field device 500 includes a sensor or a detector that collects various information required for control operation from a control object, an actuator that gives some action to the control object, and the like.

Returning to fig. 8, in step S101, the system configuration input unit 630 queries the controller system 1 for device configuration information and protected asset information, and acquires them from the controller system 1. Further, the system configuration input unit 630 creates the device configuration shown in fig. 10 based on the device type selected by the user (for example, semiconductor manufacturing device or press device) and on the device configuration information and the protected asset information.

Next, the support apparatus 600 uses the threat scenario creation unit 632 to create a protected asset evaluation list from the device configuration and the protected assets acquired by the system configuration input unit 630 (step S102). The process of creating the protected asset evaluation list is described in more detail. Fig. 11 is a flowchart showing the processing procedure by which the support apparatus according to the present embodiment creates a protected asset evaluation list. First, the threat scenario creation unit 632 extracts the configuration devices from the device configuration information (step S201). The threat scenario creation unit 632 then links the function information and the protected asset list in the threat analysis database 6106 to each configuration device extracted in step S201 (step S202).

For example, in the case of the semiconductor manufacturing apparatus shown in fig. 10(a), the apparatus configuration includes an HMI, a PLC, a camera, and a servo. Therefore, the threat scenario creation unit 632 extracts and concatenates the lists of the HMI protected asset, the PLC protected asset, the camera protected asset, and the servo protected asset from the protected asset list in the threat analysis database 6106. Fig. 12 is a diagram showing an example of a protected asset evaluation list created by the support apparatus according to the present embodiment. Fig. 12 shows the protected asset evaluation list (a) for the semiconductor manufacturing apparatus shown in fig. 10(a). The attributes and importance levels of the HMI protected asset, the PLC protected asset, the camera protected asset, and the servo protected asset are stored in the protected asset evaluation list (a).

In the case of the press apparatus shown in fig. 10(b), the apparatus configuration includes an HMI, a PLC, and a servo. Therefore, the threat scenario creation unit 632 extracts and concatenates the lists of the HMI protected asset, the PLC protected asset, and the servo protected asset from the protected asset list in the threat analysis database 6106. Fig. 13 is a diagram showing another example of the protected asset evaluation list created by the support apparatus according to the present embodiment. Fig. 13 shows a protected asset evaluation list (b) in the case of the press apparatus shown in fig. 10 (b). Attributes and importance levels of the HMI protected asset, the PLC protected asset, and the servo protected asset are stored in the protected asset evaluation list (b).

In the protected asset evaluation list (a) and the protected asset evaluation list (b), the stored protected assets differ because the device configurations differ. Further, since the important items differ between the semiconductor manufacturing apparatus and the press apparatus, the importance levels in the two lists also differ. For example, in the protected asset evaluation list (a), the importance level of the user program of the PLC protected asset is as high as "5" in order to continuously maintain control of the device (fig. 12). On the other hand, in the protected asset evaluation list (b), the importance level of the servo function and the control instruction data of the servo protected asset is as high as "5" in order to stop the device reliably (fig. 13).

Returning to fig. 11, the threat scenario creation unit 632 presents the protected asset list created in step S202 to the user (step S203). The threat scenario creation unit 632 determines whether or not confirmation of the protected asset list presented in step S203 is obtained from the user (step S204). When confirmation is obtained (YES in step S204), the threat scenario creation unit 632 completes the created protected asset list as the protected asset evaluation list (step S205). If confirmation is not obtained (NO in step S204), the threat scenario creation unit 632 accepts correction of the protected asset list by the user (step S206), and then completes the protected asset list corrected in step S206 as the protected asset evaluation list (step S205).

After creating the protection asset evaluation list, the threat scenario creation unit 632 creates a threat scenario as shown in fig. 8 (step S103). When creating a threat scenario in step S103, the threat scenario creation unit 632 needs to first create a threat list.

The process of creating the threat list is described in more detail. Fig. 14 is a flowchart showing the processing procedure by which the support apparatus according to the present embodiment creates a threat list. First, the threat scenario creation unit 632 extracts the configuration devices from the device configuration information (step S301). The threat scenario creation unit 632 then links the threat list of the assumed attack sites in the threat analysis database 6106 to each configuration device extracted in step S301 (step S302).

For example, in the case of the semiconductor manufacturing apparatus shown in fig. 10(a), the apparatus configuration includes an HMI, a PLC, a camera, and a servo. Therefore, the threat scenario creation unit 632 extracts and concatenates, from the threat list of each attack site in the threat analysis database 6106, the lists of threats at the assumed attack sites predetermined for the protected assets of the HMI, PLC, camera, and servo. Fig. 15 is a diagram showing an example of a threat list created by the support apparatus according to the present embodiment. Fig. 15 shows the threat list (a) for the semiconductor manufacturing apparatus shown in fig. 10(a). The threat list (a) stores the threats, object attributes, and threat levels for the external network, unauthorized device connection, memory card, maintenance PC, camera, and servo, which are the attack sites assumed for the protected assets of the HMI, PLC, camera, and servo.

Here, in the present specification, the "threat" refers to any matter that prevents the normal operation of the equipment or machine. Regarding typical threats, in a PLC-centered control device, the following four threats are considered: (1) an attack from a host device such as a database, (2) an attack from a field device, (3) an attack via a support device, and (4) an attack via a storage medium such as a memory card mounted in a control device. Furthermore, all physical ports mounted on the control device are at a security risk of being attacked.

For example, the external network among the assumed attack sites shown in fig. 15 is classified as "(1) attack from a higher-level device such as a database", and its specific threats include "communication Denial of Service (DoS) attack", "communication data interception", and "communication data falsification". The "communication DoS attack" is an attack that sends a large number of packets to the communication address of the attack target; only the communication function with the outside is affected, and in many cases the device itself can still operate. Therefore, for the "communication DoS attack", the object attribute is "function", and the threat level is set to "3".

The "communication data interception" is an attack that snoops on data in transit by monitoring communication via a network device; it only reveals information and does not affect the function of the device. Therefore, for "communication data interception", the object attribute is "information", and the threat level is set to "4". "Communication data falsification" is an attack that falsifies data in transit via a network device, and is a threat against information. For "communication data falsification", the object attribute is "information", and the threat level is set to "2".

The memory card among the assumed attack sites shown in fig. 15 is classified as "(4) attack via a storage medium such as a memory card attached to the control device", and its specific threats include "firmware tampering" and "fraudulent use of a user program". "Firmware tampering" is, for example, an attack that tampers with the update firmware of the control unit 100 to write a program that operates illegally, and is a threat against information. Therefore, for "firmware tampering", the object attribute is "information" and the threat level is set to "4". "Fraudulent use of a user program" is an attack that steals a user program and reuses it in another machine, and is a leakage of information. Therefore, for "fraudulent use of a user program", the object attribute is "information" and the threat level is set to "4".

Further, the maintenance PC among the assumed attack sites shown in fig. 15 is classified as "(3) attack via the support device", and its specific threats include "function failure caused by malware", "data theft", and "communication data falsification". "Function failure caused by malware" is, for example, an attack that infects the control unit 100 with malware so that it no longer functions properly, and is a threat against information. Therefore, for "function failure caused by malware", the object attribute is "function", and the threat level is set to "4". "Data theft" is an attack that steals the data of a device and reuses it in another device, and is an information leakage. Therefore, for "data theft", the object attribute is "information" and the threat level is set to "4". "Communication data falsification" is an attack that falsifies data in transit via a network device, and is a threat against information. For "communication data falsification", the object attribute is "information", and the threat level is set to "3".

The camera and the servo among the assumed attack sites shown in fig. 15 are classified as "(2) attack from a field device", and their specific threats include "camera hijacking", "image tampering", "servo function stop", and "servo control data tampering". "Camera hijacking" is an attack against the function of the control unit 100, in which a user without operation authority maliciously operates the camera. Therefore, for "camera hijacking", the object attribute is "function", and the threat level is set to "3".

"Image tampering" is an attack that tampers with an image captured by the camera, and is a threat to information. For "image tampering", the object attribute is "information", and the threat level is set to "1". "Servo function stop" is a threat to the function of the control unit 100 in which a user without operation authority maliciously stops the servo function; it is not an attack on the servo control performed by the control unit 100 itself. Therefore, for "servo function stop", the object attribute is "function", and the threat level is set to "3". "Servo control data tampering" is an attack that tampers with the data needed for servo control, and is a threat to information. For "servo control data tampering", the object attribute is "information", and the threat level is set to "2".

In the case of the press apparatus shown in fig. 10(b), the apparatus configuration includes an HMI, a PLC, and a servo. Therefore, the threat scenario creation unit 632 extracts and concatenates, from the threat list of each attack site in the threat analysis database 6106, the lists of threats at the assumed attack sites predetermined for the protected assets of the HMI, PLC, and servo. Fig. 16 is a diagram showing another example of the threat list created by the support apparatus according to the present embodiment. Fig. 16 shows the threat list (b) for the press apparatus shown in fig. 10(b). The threat list (b) stores the threats, object attributes, and threat levels for the external network, unauthorized device connection, memory card, maintenance PC, and servo, which are the attack sites assumed for the protected assets of the HMI, PLC, and servo.

Since the important items differ between the semiconductor manufacturing apparatus and the press apparatus, the threat list (a) and the threat list (b) store different threat levels even for the same threat. For example, in the threat list (b), the threat levels of the threats from the memory card and the maintenance PC are as high as "5" in order to stop the apparatus reliably (fig. 16).

Returning to fig. 14, the threat scenario creation unit 632 presents the threat list created in step S302 to the user (step S303). The threat scenario creation unit 632 determines whether or not confirmation of the threat list presented in step S303 is obtained from the user (step S304). When confirmation is obtained (YES in step S304), the threat scenario creation unit 632 completes creation of the presented threat list (step S305). If confirmation is not obtained (NO in step S304), the threat scenario creation unit 632 accepts correction of the threat list by the user (step S306), and then completes creation of the threat list corrected in step S306 (step S305).

The threat list has been described as storing threats, object attributes, and threat levels for each assumed attack site, as shown in fig. 15 and 16. However, the information stored in the threat list is not limited to this, and may include, for example, version information of the software and hardware of the control unit 100 or the security unit 200. Fig. 17 is a diagram showing a modification of the threat list created by the support apparatus according to the present embodiment. In addition to the threat, object attribute, and threat level information, the threat list (c) shown in fig. 17 contains version information of the software and hardware of the control unit 100 or the security unit 200. Since the security vulnerabilities of the control unit 100 and the security unit 200 differ depending on the software and hardware versions, the threat levels need to differ according to the version information.

Returning to fig. 8, in step S103, the threat scenario creation unit 632 creates a threat scenario from the threat list and the protected asset evaluation list. The threat scenario creation unit 632 creates a combined threat scenario by linking the threat list with the protected asset evaluation list using the attributes. The threat scenario tabulates the items that combine the protected assets with the threats. The listed threat scenarios are also referred to as threat scenario lists in the following. The threat scenario creation unit 632 calculates a risk value for each item in the created threat scenario list (step S104). The risk value is an index indicating the risk of a threat against security, and is obtained by integrating the threat level of the threat list and the importance level of the protected asset evaluation list by a predetermined trial calculation method, for example.

The threat scenario creation unit 632 determines whether or not the risk value of the created threat scenario list is equal to or higher than the risk level necessary for countermeasure set by the user (step S105). If the risk value is equal to or higher than the risk level necessary for countermeasure (YES in step S105), the threat scenario creation unit 632 sets the items of the threat scenario list to require countermeasures (step S106). On the other hand, if the risk value is lower than the risk level required for countermeasures (NO in step S105), the threat scenario creation unit 632 sets items of the threat scenario list without countermeasures (step S107).

The threat scenario creation unit 632 determines whether the trial calculation of whether countermeasures are necessary has been completed for all risk values of the created threat scenario list (step S108). If it has not been completed for all risk values (NO in step S108), the threat scenario creation unit 632 returns the process to step S104. When it has been completed for all risk values (YES in step S108), the threat scenario creation unit 632 rearranges the items of the threat scenario list according to whether or not countermeasures are necessary, in order of risk value from high to low (step S109).

A specific example will be described with respect to the threat scenario list created in steps S103 to S109. Fig. 18 is a diagram showing an example of a threat scenario list created by the support apparatus according to the present embodiment. In the threat scenario list shown in fig. 18, the result of integrating the items of the protected asset evaluation list of the device function having the importance level "5" and the items of the DoS attack having the threat level "5" is stored as a risk value of "25". For the threat scenario list, the risk level necessary for countermeasure is set to "15" or more, and the risk values are rearranged in order from high to low. The rearranged threat scenario list is shown in the lower side of fig. 18.
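The list construction of steps S102 to S109 (linking protected assets and threats to the configuration devices, joining the two lists on the object attribute, computing the risk value, flagging items at or above the required risk level, and sorting), shown as an added Python example that is not part of the patent. The database contents, device and attack-site names, and the use of multiplication as the "predetermined trial calculation method" are assumptions made for illustration; the page itself only gives the single instance of importance level "5" and threat level "5" yielding the risk value "25".

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for the threat analysis database 6106 (hypothetical
# values chosen for this example, not the tables of the patent).
# Protected assets per configuration device: (asset, object attribute, importance level)
PROTECTED_ASSET_DB: Dict[str, List[Tuple[str, str, int]]] = {
    "HMI":   [("screen data", "information", 2), ("operation function", "function", 3)],
    "PLC":   [("user program", "information", 5), ("device function", "function", 5)],
    "servo": [("control instruction data", "information", 3), ("servo function", "function", 3)],
}
# Threats per assumed attack site: (threat, object attribute, threat level)
THREAT_DB: Dict[str, List[Tuple[str, str, int]]] = {
    "external network": [
        ("communication DoS attack", "function", 5),
        ("communication data interception", "information", 4),
        ("communication data falsification", "information", 2),
    ],
    "memory card": [
        ("firmware tampering", "information", 4),
        ("fraudulent use of a user program", "information", 4),
    ],
}


@dataclass(frozen=True)
class ProtectedAsset:
    device: str
    name: str
    attribute: str   # "function" or "information"
    importance: int  # importance level


@dataclass(frozen=True)
class Threat:
    attack_site: str
    name: str
    attribute: str   # object attribute the threat acts on
    level: int       # threat level


@dataclass
class ThreatScenario:
    asset: ProtectedAsset
    threat: Threat
    risk_value: int
    needs_countermeasure: bool


def build_protected_asset_list(devices: List[str]) -> List[ProtectedAsset]:
    """Steps S201-S202: link the protected asset list of the database to each
    configuration device extracted from the device configuration."""
    return [ProtectedAsset(dev, name, attr, imp)
            for dev in devices
            for (name, attr, imp) in PROTECTED_ASSET_DB.get(dev, [])]


def build_threat_list(attack_sites: List[str]) -> List[Threat]:
    """Steps S301-S302: link the threat list of each assumed attack site."""
    return [Threat(site, name, attr, lvl)
            for site in attack_sites
            for (name, attr, lvl) in THREAT_DB.get(site, [])]


def build_threat_scenario_list(assets: List[ProtectedAsset], threats: List[Threat],
                               required_risk_level: int) -> List[ThreatScenario]:
    """Steps S103-S109: join assets and threats on the object attribute, compute
    the risk value (assumed here to be importance level x threat level), flag
    items at or above the risk level required for countermeasures, and sort by
    that flag and then by risk value from high to low."""
    scenarios: List[ThreatScenario] = []
    for asset in assets:
        for threat in threats:
            if asset.attribute != threat.attribute:
                continue
            risk = asset.importance * threat.level                          # S104
            scenarios.append(ThreatScenario(asset, threat, risk,
                                            risk >= required_risk_level))   # S105-S107
    scenarios.sort(key=lambda s: (not s.needs_countermeasure, -s.risk_value))  # S109
    return scenarios


if __name__ == "__main__":
    assets = build_protected_asset_list(["PLC", "servo"])
    threats = build_threat_list(["external network", "memory card"])
    for s in build_threat_scenario_list(assets, threats, required_risk_level=15):
        flag = "countermeasure" if s.needs_countermeasure else "-"
        print(f"{s.risk_value:3d}  {s.asset.device}/{s.asset.name:24s} "
              f"{s.threat.attack_site}/{s.threat.name:34s} {flag}")
```

With the constructed data and the required risk level of "15", the top item is the PLC device function against the communication DoS attack with a risk value of 25, and the items whose risk value falls below 15 are carried in the list but marked as not needing countermeasures, which is what step S107 records.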

Next, the following processing will be explained: the countermeasure creation unit 634 creates a countermeasure scenario in which countermeasures for each protection asset of the controller system 1 are stored, based on the threat scenario list created by the threat scenario creation unit 632 and the countermeasures (threat countermeasure list) in the countermeasure database 6108. Returning to fig. 9, first, the countermeasure creation unit 634 extracts countermeasures corresponding to the items of the threat scene list from the countermeasure database 6108 (step S110). The countermeasures extracted from the countermeasure database 6108 include countermeasures based on the security function of the security unit 200 and countermeasures based on an operation not using the security function. Of course, in the case where the countermeasures stored in the countermeasures database 6108 are only countermeasures based on the security function of the security unit 200, the extracted countermeasures may be only countermeasures based on the security function of the security unit 200.

The countermeasure creation unit 634 determines whether the security unit 200 is of a version equal to or higher than the version required for taking the countermeasure based on the security function selected from the threat countermeasure list of the countermeasure database 6108 (step S111). If the version is equal to or higher than the required version (YES in step S111), the countermeasure creation unit 634 determines whether the resource capacity that the security unit needs for taking the countermeasure by the security function is equal to or smaller than the resource capacity of the security unit 200 (step S112).

If the required resource capacity is equal to or less than the resource capacity of the security unit 200 (YES in step S112), the countermeasure creation unit 634 sets the countermeasure based on the security function for the item of the threat scenario list (step S113). When a countermeasure by the security function is set for an item in the threat scenario list, the countermeasure creation unit 634 subtracts the resource capacity used by the set countermeasure from the resource capacity of the security unit 200 (step S114).

If the version is lower than the required version (NO in step S111), or if the required resource capacity is larger than the resource capacity of the security unit 200 (NO in step S112), the countermeasure creation unit 634 sets a countermeasure based on the operation that does not use the security function for the item of the threat scenario list (step S115).

The countermeasure creation unit 634 determines whether or not the setting of countermeasures is completed for all the items in the threat scenario list (step S116). If the setting of the countermeasure has not been completed for all the items (NO in step S116), the countermeasure creation unit 634 returns the process to step S111. When the setting of the countermeasure is completed for all the items (YES in step S116), the countermeasure creation unit 634 creates a countermeasure scenario in which the setting of the countermeasure is completed for all the items in the threat scenario list. The security setting unit 636 outputs setting data of the security function (security function setting data) to the security unit 200 based on the countermeasure scenario created by the countermeasure creation unit 634 (step S117). In step S117, the countermeasure result output unit 638 outputs the threat analysis result including the countermeasure scenario created by the countermeasure creation unit 634 to the user as a threat analysis result report.

A specific example will be described with respect to the countermeasure scenario created in steps S110 to S116. Fig. 19 is a diagram showing an example of a countermeasure scenario created by the support apparatus according to the present embodiment. In the countermeasure scenario (b) shown in fig. 19, a countermeasure selected from the threat countermeasure list (a) in the countermeasure database 6108 is set for each item in the threat scenario list shown in fig. 18. In the countermeasure scenario (b), in addition to the information of the threat scenario list, the countermeasure, the resource, the effect threat level, and the risk value after the countermeasure are stored. For example, in the item "device function" x "DoS attack", "Intrusion Detection System (IDS)-quarantine" is stored as the countermeasure, "50" as the resource, "1" as the effect threat level, and "5" as the risk value after the countermeasure. Here, "IDS-quarantine" is a countermeasure that cuts off communication using the intrusion detection system, which is one of the security functions of the security unit 200, and quarantines the device from other devices.

In the countermeasure scenario (b), whether or not a countermeasure is necessary is determined by whether the risk value is equal to or greater than the risk level necessary for countermeasures, which is set to "10", and countermeasures are set for all items whose risk value is "10" or more, assuming that the device version is 1.3 and that the resource capacity of the security unit 200 is large enough to load all functions. In practice, however, the resource capacity of the security unit 200 is limited, and the countermeasure selected differs according to the resource capacity. Fig. 20 is a diagram showing an example of a countermeasure scenario when the resource capacity is 50, created by the support apparatus according to the present embodiment. In the countermeasure scenario (c) shown in fig. 20, since the device version is 1.0 and the resource capacity is 50, unlike the countermeasure scenario (b), "filtering" is stored as the countermeasure, "10" as the resource, "2" as the effect threat level, and "10" as the risk value after the countermeasure in the item "device function" x "DoS attack". In the countermeasure scenario (c), "encrypted" is stored as the countermeasure, "20" as the resource, "2" as the effect threat level, and "8" as the risk value after the countermeasure in the item "user program" x "eavesdropping".

Fig. 21 is a diagram showing an example of a countermeasure scenario when the resource capacity is 100, created by the support apparatus according to the present embodiment. In the countermeasure scenario (d) shown in fig. 21, since the device version is 1.2 and the resource capacity is 100, unlike the countermeasure scenario (c), "IDS-quarantine" is stored as the countermeasure, "50" as the resource, "1" as the effect threat level, and "5" as the risk value after the countermeasure in the item "device function" x "DoS attack". In the countermeasure scenario (d), "encrypted" is stored as the countermeasure, "20" as the resource, "2" as the effect threat level, and "8" as the risk value after the countermeasure in the item "user program" x "eavesdropping".

Fig. 22 is a diagram showing an example of a countermeasure scenario when the resource capacity is 20, created by the support apparatus according to the present embodiment. In the countermeasure scenario (e) shown in fig. 22, since the device version is 1.2 and the resource capacity is 20, unlike the countermeasure scenario (b), "filtering" is stored as the countermeasure, "10" as the resource, "2" as the effect threat level, and "10" as the risk value after the countermeasure in the item "device function" x "DoS attack". Further, in the countermeasure scenario (e), since the remaining resource capacity is small, a countermeasure based on the operation is selected for the item "user program" x "eavesdropping" instead of a countermeasure based on the security function. In the countermeasure scenario (e), "wired communication/blocked port" is stored as the countermeasure, "0" as the resource, "2" as the effect threat level, and "8" as the risk value after the countermeasure in the item "user program" x "eavesdropping".

Countermeasures based on the security functions of the security unit 200 (e.g., IDS-quarantine, filtering) use the resources of the security unit 200, and therefore must be taken within the resource capacity. On the other hand, countermeasures based on the operation (e.g., wired communication, blocked port) do not use the resources of the security unit 200, so they can be taken regardless of the resource capacity. In the countermeasure scenarios shown in figs. 19 to 22, whether or not a countermeasure is necessary is determined by whether the risk value of each item is equal to or greater than the risk level necessary for countermeasures.
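The risk-value trial calculation (steps S104 to S109) and the countermeasure selection loop of steps S110 to S116, written out as an added example that is not the patent's own code. The figure values (importance 5, threat level 5, IDS-quarantine 50/1, filtering 10/2, encrypted 20/2, wired communication/blocked port 0/2, device versions and capacities) are taken from figs. 18 to 22; the required security-unit versions, the "user program" importance, the "eavesdropping" threat level and the candidate ordering are assumptions chosen so that the four scenarios (b) to (e) are reproduced.

```python
from dataclasses import dataclass

# Constructed model of steps S104 to S116 (not the patent's own code).
# Figure values are from the text; required versions, the "user program"
# importance and the "eavesdropping" threat level are assumptions.

RISK_LEVEL_NEEDING_COUNTERMEASURE = 10   # threshold used for fig. 19


@dataclass(frozen=True)
class Countermeasure:
    name: str
    uses_security_function: bool   # False: countermeasure based on operation
    resource: int                  # resource consumed on the security unit 200
    effect_threat_level: int       # threat level remaining after the countermeasure
    min_version: float             # assumed version required of the security unit


# Threat countermeasure list, strongest candidate first (assumed ordering).
COUNTERMEASURE_DB = {
    "DoS attack": [
        Countermeasure("IDS-quarantine", True, 50, 1, 1.2),   # assumed: needs >= 1.2
        Countermeasure("filtering", True, 10, 2, 1.0),
    ],
    "eavesdropping": [
        Countermeasure("encrypted", True, 20, 2, 1.0),
        Countermeasure("wired communication/blocked port", False, 0, 2, 0.0),
    ],
}

ASSET_IMPORTANCE = {"device function": 5, "user program": 4}   # "user program" assumed
THREAT_LEVEL = {"DoS attack": 5, "eavesdropping": 4}           # "eavesdropping" assumed
# asset x threat pairs shown in figs. 18 to 22; the full list is not on the page
PAIRS = [("user program", "eavesdropping"), ("device function", "DoS attack")]


def threat_scenario_list(pairs, threshold=RISK_LEVEL_NEEDING_COUNTERMEASURE,
                         w_importance=1, w_threat=1):
    """Steps S104 to S109: risk = (weighted) importance x threat level, flag whether
    a countermeasure is necessary, then sort by necessity and risk from high to low."""
    items = []
    for asset, threat in pairs:
        risk = w_importance * ASSET_IMPORTANCE[asset] * w_threat * THREAT_LEVEL[threat]
        items.append({"asset": asset, "threat": threat, "risk": risk,
                      "needs_countermeasure": risk >= threshold})
    return sorted(items, key=lambda i: (not i["needs_countermeasure"], -i["risk"]))


def countermeasure_scenario(scenario, device_version, resource_capacity):
    """Steps S110 to S116 under the Default (MAX) policy: per item, take the first
    (strongest) security-function countermeasure whose version requirement (S111)
    and resource requirement (S112) are met and subtract its resource (S114);
    otherwise fall back to the countermeasure based on operation (S115)."""
    remaining = resource_capacity
    result = []
    for item in scenario:
        if not item["needs_countermeasure"]:
            continue
        chosen = None
        for cm in COUNTERMEASURE_DB[item["threat"]]:
            fits = (not cm.uses_security_function or
                    (device_version >= cm.min_version and cm.resource <= remaining))
            if fits:
                chosen = cm
                break
        if chosen is None:
            raise ValueError(f"no applicable countermeasure for {item['threat']}")
        if chosen.uses_security_function:
            remaining -= chosen.resource
        result.append({**item, "countermeasure": chosen.name, "resource": chosen.resource,
                       "risk_after": ASSET_IMPORTANCE[item["asset"]] * chosen.effect_threat_level})
    return result, remaining
```

Running `countermeasure_scenario(threat_scenario_list(PAIRS), 1.2, 20)` yields the selections of scenario (e): filtering for the DoS item and the operational countermeasure for the eavesdropping item, with 10 units of capacity left.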

Next, a specific example will be described with respect to the threat analysis result report created in step S117. Fig. 23 is a diagram showing an example of a threat analysis result report created by the support apparatus according to the present embodiment. The threat analysis result report shown in fig. 23 includes a device configuration diagram, attack openings, and a list of assumed threats, and is, for example, a report for the Information Technology (IT) department of a factory. Fig. 23(a) shows the device configuration diagram, fig. 23(b) shows the threat scenario list, and fig. 23(c) shows the countermeasure scenario. In particular, since the numbers of the attack openings in the threat scenario list of fig. 23(b) are marked on the device configuration diagram of fig. 23(a), even a person having security knowledge can easily recognize the security threats.

Fig. 24 is a diagram showing another example of a threat analysis result report created by the support apparatus according to the present embodiment. The threat analysis result report shown in fig. 24 is, for example, a report for the operator of a plant, in which the countermeasures based on the operation are described in an easy-to-understand manner. Fig. 24(a) shows a view in which information on the functions (security functions) used in the security unit 200 is added to the countermeasure scenario, and fig. 24(b) shows the list of countermeasures based on the operation. In particular, fig. 24(b) lists the countermeasures based on the operation together with the details of their implementation. For example, the content of the "wired communication/blocked port" item is described as "performing locking to disable the communication port". In addition, the list of countermeasures based on the operation clearly states the location (for example, the PLC) where each countermeasure is taken.

Next, the screens displayed on a display unit (for example, a Liquid Crystal Display (LCD)) of the support apparatus 600 during the processing described with reference to figs. 8 and 9 will be described. Fig. 25 is a diagram showing an example of information on the device configuration displayed by the support apparatus according to the present embodiment. Fig. 25(a) shows an example of a screen on which the user selects a device type (e.g., a semiconductor manufacturing apparatus, a press apparatus, or the like). Fig. 25(b) shows an example of a device configuration diagram when the device type is a semiconductor manufacturing apparatus. Through the screen shown in fig. 25(b), the support apparatus 600 can present to the user the device configuration information acquired from the controller system 1 by the processing of step S101 and the device configuration created from the protected asset information. Thus, the user can visually grasp the device configuration.

Fig. 26 is a diagram showing an example of a protected asset evaluation list displayed by the support apparatus according to the present embodiment. The support apparatus 600 can present the protected asset evaluation list created by the processing of step S102 to the user through the screen shown in fig. 26. Further, the support apparatus 600 can accept addition of a list and editing of an importance level as necessary for the displayed protected asset evaluation list.

Fig. 27 is a diagram showing an example of a threat list displayed by the support apparatus of the present embodiment. In the support apparatus 600, the threat list created by the processing of step S103 can be presented to the user through the screen shown in fig. 27. Further, the support apparatus 600 can accept addition of a list and editing of a threat level as necessary for the displayed threat list.

Fig. 28 is a diagram showing an example of the setting of the risk value trial calculation method displayed by the support apparatus according to the present embodiment. Through the screen shown in fig. 28, the support apparatus 600 can present to the user the setting of the trial calculation method for the risk values of the threat scenario list created by the processing of step S104. Fig. 28(a) shows an example of a screen on which the user selects the method of trial calculation of the risk value (for example, importance (importance level) × threat level). Fig. 28(b) shows an example of a screen on which the weights for the trial calculation of the risk value by importance (importance level) × threat level are set. Here, the risk value may be obtained by simply multiplying the importance (importance level) and the threat level, or by multiplying them after applying a weight to each value. For example, the threat level may be doubled when trial-calculating the risk value. As another trial calculation method, the risk value may be calculated using the Common Vulnerability Scoring System (CVSS) or an automotive system risk evaluation method (RSMA), which are risk evaluation methods for general threat analysis.

Fig. 29 is a diagram showing an example of a threat scenario list displayed by the support apparatus according to the present embodiment. The support apparatus 600 can present the threat scenario list created by the processing of step S109 to the user through the screen shown in fig. 29. Further, the support apparatus 600 can accept input of the risk level necessary for countermeasures for the displayed threat scenario list.

Fig. 30 is a diagram showing an example of the selection of a countermeasure policy displayed by the support apparatus according to the present embodiment. The support apparatus 600 can present the policy setting used in the processing of steps S111 to S114 (for example, the setting of Default (MAX)) to the user via the screen shown in fig. 30. The Default (MAX) setting selects countermeasures so that as much as possible is used within the allowable range of the resource capacity of the security unit 200.

Fig. 31 is a diagram showing an example of a threat countermeasure list displayed by the support apparatus of the present embodiment. In the support apparatus 600, the threat countermeasure list read from the countermeasure database 6108 by the processing of step S111 to step S114 can be presented to the user through the screen shown in fig. 31. Further, the support apparatus 600 can accept editing of countermeasure technology, resources, and the like as necessary for the displayed threat countermeasure list.

Fig. 32 is a diagram showing an example of a countermeasure scenario displayed by the support apparatus according to the present embodiment. The support apparatus 600 can present the countermeasure scenario created by the processing of step S117 to the user on the screen shown in fig. 32. Thus, the support apparatus 600 allows the user to confirm the created countermeasure scenario.

Fig. 33 is a diagram showing an example of selection of output contents displayed by the support apparatus according to the present embodiment. In the support apparatus 600, the screen for setting the content output in step S117 can be presented to the user via the screen shown in fig. 33. The support apparatus 600 may be configured to output a threat analysis result report, an operation countermeasure report, and unit setting data, for example.

< E. Supplementary notes >

The present embodiment described above includes the following technical ideas.

[ Structure 1]

A control system, comprising:

a controller system (1) that controls a control target; and

a support device (600) that supports setting of the controller system (1);

the controller system (1) comprises:

a control unit (100) that executes a control operation for controlling a control target; and

a security unit (200) connected to the control unit (100) and responsible for security functions for the controller system (1);

the support apparatus (600) comprises:

a system configuration input unit (630) that acquires a device configuration and a protected asset from the controller system (1);

a threat analysis database (6106) in which an importance level of a protection asset for the controller system (1) and a threat level of a threat for security are stored in advance;

a threat scenario creation unit (632) for creating a threat scenario from the importance level and threat level of the threat analysis database (6106) in accordance with the device configuration and protected asset acquired by the system configuration input unit (630);

a countermeasure database (6108) in which countermeasures corresponding to security threats are stored in advance;

a countermeasure creation unit (634) that creates a countermeasure scenario in which countermeasures for each protected asset of the controller system (1) are stored, based on the threat scenario created by the threat scenario creation unit (632) and the countermeasures in the countermeasure database (6108); and

a security setting unit (636) that outputs setting data of a security function to the security unit (200) based on the countermeasure scenario created by the countermeasure creation unit (634).

[ Structure 2]

The control system according to configuration 1, wherein the support device (600) further includes a countermeasure result output unit (638), and the countermeasure result output unit (638) outputs a countermeasure report including information on at least one of the threat scenario and the countermeasure scenario.

[ Structure 3]

The control system according to structure 1 or structure 2, wherein a threat level of a threat against security in the threat analysis database (6106) differs according to a device class of the controller system (1).

[ Structure 4]

The control system according to any one of configurations 1 to 3, wherein the threat scenario stores a risk value obtained by trial calculation using a predetermined method for each protected asset and security threat of the controller system (1).

[ Structure 5]

The control system according to configuration 4, wherein the countermeasure creation unit (634) creates the countermeasure scenario for each protected asset and security threat of the controller system (1) for which the risk value stored in the threat scenario is equal to or greater than a predetermined value.

[ Structure 6]

The control system according to any one of configurations 1 to 5, wherein the countermeasure database (6108) stores, as countermeasures corresponding to security threats, countermeasures based on a security function of the security unit (200) and countermeasures based on an operation not using the security function.

[ Structure 7]

The control system according to any one of configurations 1 to 6, wherein the countermeasure creation unit (634) selects a countermeasure based on a security function of the security unit (200) according to a resource of the controller system (1) and creates the countermeasure scenario.

[ Structure 8]

The control system according to configuration 7, wherein the countermeasure creation unit (634) selects different countermeasures according to versions of software and hardware of each of devices constituting the controller system (1).

[ Structure 9]

The control system according to any one of configurations 6 to 8, wherein the countermeasure creation unit (634) selects the countermeasure to be applied when the resources of the controller system (1) are insufficient, and creates the countermeasure scenario accordingly.

[ Structure 10]

A setting method for setting data of a security function in a controller system (1), the controller system (1) comprising: a control unit (100) that executes a control operation for controlling a control target; and a security unit (200) connected to the control unit (100) and responsible for security functions for the controller system (1); the setting method comprising the following steps:

a step of acquiring a device structure and a protected asset from the controller system (1);

a step of creating a threat scenario according to the importance level and threat level previously stored in the threat analysis database (6106) in accordance with the acquired device configuration and protection asset;

creating a countermeasure scenario in which countermeasures for each asset to be protected of the controller system (1) are stored, based on the created threat scenario and countermeasures corresponding to threats of security protection stored in advance in a countermeasure database (6108); and

a step of outputting setting data of a security function to the security unit (200) according to the created countermeasure scenario.

< F. advantage >

According to the control system of the present embodiment, the threat of security can be analyzed by the support device, and countermeasures against the threat can be easily taken.

The presently disclosed embodiments are to be considered in all respects as illustrative and not restrictive. The scope of the present invention is indicated by the claims rather than the description, and all changes which come within the meaning and range of equivalency of the claims are intended to be embraced therein.

Description of the symbols

1: controller system

10: control system

100: control unit

102, 202, 302, 602: processor

104, 204, 304: chipset

106, 206, 306: main storage device

108, 208, 308: secondary storage device

110, 210: communication controller

112, 212, 620: USB controller

114, 214, 314: memory card interface

115, 215, 315: memory card

116, 118, 120, 216, 218: network controller

122, 322: internal bus controller

124, 224, 324: indicator

142, 144, 242: communication port

200: security unit

300: security unit

400: functional unit

450: power supply unit

500: field device

600: support device

604: main memory

606: input unit

608: output unit

610: storage

612: optical drive

614: recording medium

618: processor bus

800: HMI

900: external network

6102: OS

6104: support program

6106: threat analysis database

6108: countermeasure database
