Trusted industrial control system host computer control command pre-checking method and system

By introducing the Trusted Engineer Station and the Trusted TPM module of the Trusted Security Center into the industrial control system, identity authentication and multi-level verification are performed, which solves the problems of invalid control commands and security vulnerabilities in the industrial control system, realizes the effectiveness and rationality of control commands, and improves system security.

CN117193083B · Active
Publication Date: 2026-06-26
XIAN THERMAL POWER RES INST CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents (China)
Current Assignee / Owner
XIAN THERMAL POWER RES INST CO LTD
Filing Date
2023-09-18
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

The existing industrial control system's host computer has a relatively simple verification method for user control commands, which leads to invalid control commands or illegal control operations, affecting the efficiency of operators' monitoring. Furthermore, the lack of a trusted module makes the system vulnerable to security vulnerabilities.

Method used

A trusted industrial control system is adopted, and a trusted TPM module is configured through a trusted engineering station and a trusted security center to perform identity and permission authentication, encryption and decryption of control command messages, and multi-level verification, including measurement point OID, type and interlock verification, to ensure the validity and rationality of control commands.

Benefits of technology

Effectively avoid invalid control commands, ensure the validity and rationality of officially issued user control commands, improve system security protection level, and prevent unauthorized operations and message tampering.

✦ Generated by Eureka AI based on patent content.


Abstract

The application discloses a trusted industrial control system host computer control command pre-checking method and system, comprising identity and authority identification, control command message encryption, control command message analysis and validity check, check result message encryption, and check result message analysis and information initialization. The present application can avoid invalid control commands and illegal control operations, and ensures the effectiveness and rationality of the formal issue of user control commands.

Description

Technical Field

[0001] This invention relates to the field of industrial automation technology, specifically to a method and system for pre-verifying control commands of a trusted industrial control system.

Background Technology

[0002] In industrial control systems, users control field devices in real time via control commands. Issuing control commands is a crucial and indispensable operation, making their rationality and validity paramount. However, current industrial control systems often employ simplistic verification methods for user control commands, mostly limited to single-level verification of measurement point OID validity and measurement point type, lacking multi-level checks. This can lead to invalid control commands or illegal control operations, impacting the efficiency of monitoring by operators. Furthermore, current industrial control systems rarely incorporate trusted modules, potentially resulting in system security vulnerabilities such as unauthorized operations by engineering workstations and message tampering.

Summary of the Invention

[0003] The purpose of this invention is to provide a method and system for pre-verifying control commands of a trusted industrial control system, so as to overcome the defects of the existing technology. This invention can avoid invalid control commands and illegal control operations, and ensure the validity and rationality of the formal issuance of user control commands.

[0004] To achieve the above objectives, the present invention adopts the following technical solution:

[0005] A method for pre-verifying control commands from the host computer of a trusted industrial control system includes the following steps:

[0006] S1: The Trusted Engineer Station requests control permissions from the Trusted Security Center. Both the Trusted Engineer Station and the Trusted Security Center are configured with a Trusted TPM module. The Trusted TPM module of the Trusted Security Center authenticates the identity and control command issuance permissions of the Trusted Engineer Station. If the authentication of the Trusted Engineer Station's identity and control command issuance permissions is successful, the Trusted Engineer Station is authorized to issue control commands, and S2 is executed; if the authentication fails, the process ends.

[0007] S2: In S1, the authorized trusted engineer station encapsulates the control commands and generates control command messages. The trusted TPM module encrypts the control command messages to obtain encrypted command messages.

[0008] S3: The trusted TPM module decrypts the encrypted command message in S2 to obtain the control command message, performs validity verification on the control command message, generates a verification result message, and executes S4;

[0009] S4: Parse the verification result message in S3. If the verification result flag in the verification result message is 0, it means that the verification failed and the process ends; otherwise, the trusted TPM module encrypts the verification result message in S3 to obtain the encrypted result message and executes S5.

[0010] S5: Decrypt the encrypted result message in S4 to obtain the verification result message. Based on the data in the verification result message, complete the information initialization work before the official issuance of the control command. The pre-verification ends.

[0011] Furthermore, S1 also includes: the trusted engineer station and the trusted security center periodically exchanging identity authentication information to perform periodic identity verification;

[0012] The trusted engineer station and the trusted security center are configured with a trusted TPM module that calculates a hash value based on the received identity authentication information and sends it to the other party for identity verification. If the verification fails, it indicates that the other party is not trustworthy and the process ends; otherwise, the trusted engineer station and the trusted security center continue the above periodic identity verification process.
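The periodic identity verification described in [0011] and [0012], as an added example rather than code from the patent: each side hands the received identity authentication information to its trusted TPM module, which returns a hash that the other side checks. It assumes a shared secret provisioned into both TPM modules, a keyed SHA-256 hash (HMAC) as the "hash value", and a constructed message format of identity, round counter and nonce; the one-time nonce check against replayed answers is an added precaution that the patent text does not state.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class TrustedTpm:
    """Constructed stand-in for the trusted TPM module: it holds a shared
    secret (assumption: provisioned into both TPMs at deployment) and only
    ever exposes a keyed hash over the authentication information it is handed."""

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key  # never returned to callers

    def hash_auth_info(self, auth_info: bytes) -> bytes:
        return hmac.new(self._key, auth_info, hashlib.sha256).digest()

    def verify_hash(self, auth_info: bytes, received: bytes) -> bool:
        # constant-time comparison so the check does not leak timing
        return hmac.compare_digest(self.hash_auth_info(auth_info), received)


@dataclass
class Party:
    """Either the trusted engineer station or the trusted security center."""
    name: str
    tpm: TrustedTpm
    round_no: int = 0
    issued_nonces: set = field(default_factory=set)

    def build_auth_info(self) -> bytes:
        # Identity authentication information for one periodic round: identity,
        # round counter and a fresh nonce (format is an assumption).
        self.round_no += 1
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return f"{self.name}|round={self.round_no}|nonce={nonce}".encode()

    def answer(self, auth_info: bytes) -> bytes:
        # Receiving side: its TPM hashes what it received and sends the hash back.
        return self.tpm.hash_auth_info(auth_info)

    def check_answer(self, auth_info: bytes, received: bytes) -> bool:
        nonce = auth_info.decode().rsplit("nonce=", 1)[1]
        if nonce not in self.issued_nonces:
            return False  # answer to a nonce we never issued, or a replay
        self.issued_nonces.discard(nonce)  # every nonce is accepted once
        return self.tpm.verify_hash(auth_info, received)


def periodic_round(a: Party, b: Party) -> bool:
    """One periodic identity verification round in both directions; True only
    if each side proved itself to the other."""
    info_a = a.build_auth_info()
    if not a.check_answer(info_a, b.answer(info_a)):
        return False  # the other party is not trustworthy: the process ends
    info_b = b.build_auth_info()
    return b.check_answer(info_b, a.answer(info_b))


def run_rounds(a: Party, b: Party, rounds: int) -> int:
    """Keep verifying periodically; return how many rounds passed before a failure."""
    passed = 0
    for _ in range(rounds):
        if not periodic_round(a, b):
            break
        passed += 1
    return passed


def demo() -> dict:
    key = secrets.token_bytes(32)
    station = Party("trusted-engineer-station", TrustedTpm(key))
    center = Party("trusted-security-center", TrustedTpm(key))
    rogue = Party("rogue-station", TrustedTpm(secrets.token_bytes(32)))  # wrong secret
    return {"trusted_pair": run_rounds(station, center, 3),
            "rogue_station": run_rounds(center, rogue, 3)}


if __name__ == "__main__":
    print(demo())
```

A station whose TPM does not hold the provisioned secret fails on the first round, and because each nonce is consumed once, a captured answer cannot be presented again in a later round.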

[0013] Furthermore, the control command message content in S2 includes: control command type, measurement point OID, and measurement point type.

[0014] Furthermore, step S3 involves validating the control command message and generating a validation result message, specifically including the following steps:

[0015] S31: Query the measurement point database based on the measurement point OID. If the query fails or the measurement point in the database is invalid, it indicates that the measurement point OID verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Verify the control command type. If the control command type is not equal to control closing and not equal to control split, it indicates that the control command type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Execute S4.

[0016] If the measurement point OID and control command type verification pass, execute S32;

[0017] S32: Verify the measurement point type. If the measurement point type is not remote control, remote signaling, or remote measurement, it indicates that the measurement point type verification has failed. The verification result flag is set to 0, the relevant verification failure information is written to the verification result message, and S4 is executed. Otherwise, S33 is executed.

[0018] S33: Query the measurement point database according to the measurement point OID to obtain control information, and verify it according to the measurement point type; the control information includes measurement point description, measurement point upper and lower limits, associated control point information, and measurement point value step size. The associated control point information includes associated control point type and associated control point OID, wherein the associated control point type includes numerical control points and state control points.

[0019] Specifically as follows:

[0020] (a) For remote-controlled measurement points:

[0021] Query the measurement point database by measurement point OID to perform interlock verification for the remote control type measurement point. If any of the following conditions is met: (1) remote control rule verification fails; (2) the measurement point group / device / station to which the measurement point belongs is not found; (3) the device / station to which the measurement point belongs is in an interlock state; then set the interlock flag to 1 and the verification result flag to 0, write the relevant verification failure information into the verification result message, and execute S4; otherwise, set the interlock flag to 0 and the verification result flag to 1, write the measurement point name, measurement point OID, and control information into the verification result message, and execute S4;

[0022] (b) For telemetry type measurement points:

[0023] If the associated control point OID in the control information of the telemetry type measuring point is invalid or the associated control point type is not a numerical control point, the verification result flag is set to 0, the relevant verification failure information is written to the verification result message, and S4 is executed; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written to the verification result message, and S4 is executed.

[0024] (c) For remote signaling type measurement points:

[0025] If the associated control point OID in the control information of the remote signaling type measuring point is invalid or the associated control point type is not a status-type control point, the verification result flag is set to 0, the relevant verification failure information is written to the verification result message, and S4 is executed; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written to the verification result message, and S4 is executed.
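The validity verification of S31 to S33 carried through in code, as an added example that is not the patent's own implementation. The control command message, the measurement point database and the device interlock table are constructed inline; the string encodings of the command types, measurement point types and control point types are assumptions, as is the concrete "remote control rule" (the patent names the rule but does not define it). The check that the message's measurement point type agrees with the database record is an added precaution not stated in the patent text.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Vocabulary from the patent text; the string encodings are assumptions.
CMD_CLOSE, CMD_SPLIT = "control_closing", "control_split"
REMOTE_CONTROL, REMOTE_SIGNALING, REMOTE_MEASUREMENT = (
    "remote_control", "remote_signaling", "remote_measurement")
NUMERICAL, STATE = "numerical_control_point", "state_control_point"


@dataclass
class ControlInfo:
    description: str
    lower: float
    upper: float
    step: float
    assoc_type: Optional[str] = None  # associated control point type
    assoc_oid: Optional[str] = None   # associated control point OID


@dataclass
class Point:
    name: str
    ptype: str
    valid: bool
    control: ControlInfo
    device: Optional[str] = None         # device/station membership (assumed field)
    current_state: Optional[str] = None  # used by the assumed remote control rule


def _fail(result: dict, info: str) -> None:
    result["result_flag"] = 0
    result["failures"].append(info)


def remote_control_rule_ok(point: Point, cmd: str) -> bool:
    # Assumed rule: refuse to close an already-closed point or split a split one.
    wanted = "closed" if cmd == CMD_CLOSE else "split"
    return point.current_state != wanted


def precheck(message: dict, points: dict, devices: dict) -> dict:
    """S31-S33 over a parsed control command message; `devices` maps a
    device/station name to True when it is in an interlock state."""
    result = {"result_flag": 1, "interlock_flag": 0, "failures": [],
              "point_name": None, "oid": None, "control_info": None}
    oid, cmd, ptype = message["oid"], message["command_type"], message["point_type"]
    point = points.get(oid)
    # S31: measurement point OID, then control command type
    if point is None or not point.valid:
        _fail(result, f"measurement point OID {oid} not found or invalid")
    if cmd not in (CMD_CLOSE, CMD_SPLIT):
        _fail(result, f"control command type {cmd!r} is neither closing nor split")
    if result["result_flag"] == 0:
        return result
    # S32: measurement point type (agreement with the record is an added check)
    if ptype not in (REMOTE_CONTROL, REMOTE_SIGNALING, REMOTE_MEASUREMENT) \
            or ptype != point.ptype:
        _fail(result, f"measurement point type {ptype!r} invalid or inconsistent")
        return result
    # S33: verify according to measurement point type
    if ptype == REMOTE_CONTROL:  # (a) interlock verification
        if not remote_control_rule_ok(point, cmd):
            _fail(result, "remote control rule verification failed")
        elif point.device not in devices:
            _fail(result, "measurement point group/device/station not found")
        elif devices[point.device]:
            _fail(result, f"device/station {point.device} is in interlock state")
        if result["result_flag"] == 0:
            result["interlock_flag"] = 1
            return result
        info = point.control
    else:  # (b) telemetry needs a numerical, (c) remote signaling a state control point
        wanted = NUMERICAL if ptype == REMOTE_MEASUREMENT else STATE
        assoc = points.get(point.control.assoc_oid)
        if assoc is None or not assoc.valid or point.control.assoc_type != wanted:
            _fail(result, "associated control point OID invalid or wrong type")
            return result
        info = assoc.control
    result.update(point_name=point.name, oid=oid, control_info=asdict(info))
    return result


def sample_database():
    """Constructed measurement point database and device interlock table."""
    points = {
        "P001": Point("breaker 1 control", REMOTE_CONTROL, True,
                      ControlInfo("breaker 1", 0, 1, 1), "bay-1", "split"),
        "P002": Point("breaker 2 control", REMOTE_CONTROL, True,
                      ControlInfo("breaker 2", 0, 1, 1), "bay-2", "split"),
        "P003": Point("feeder 3 current", REMOTE_MEASUREMENT, True,
                      ControlInfo("feeder 3 A", 0, 600, 1, NUMERICAL, "C100")),
        "P004": Point("breaker 4 position", REMOTE_SIGNALING, True,
                      ControlInfo("breaker 4 pos", 0, 1, 1, NUMERICAL, "C100")),
        "C100": Point("feeder 3 setpoint", REMOTE_CONTROL, True,
                      ControlInfo("feeder 3 setpoint", 0, 600, 5)),
    }
    return points, {"bay-1": False, "bay-2": True}  # bay-2 is interlocked


def run_samples() -> dict:
    points, devices = sample_database()
    cases = {
        "close_ok": {"oid": "P001", "command_type": CMD_CLOSE, "point_type": REMOTE_CONTROL},
        "interlocked": {"oid": "P002", "command_type": CMD_CLOSE, "point_type": REMOTE_CONTROL},
        "telemetry_ok": {"oid": "P003", "command_type": CMD_SPLIT, "point_type": REMOTE_MEASUREMENT},
        "signal_wrong_assoc": {"oid": "P004", "command_type": CMD_CLOSE, "point_type": REMOTE_SIGNALING},
        "unknown_oid": {"oid": "P999", "command_type": CMD_CLOSE, "point_type": REMOTE_CONTROL},
        "bad_cmd": {"oid": "P001", "command_type": "reboot", "point_type": REMOTE_CONTROL},
    }
    return {k: precheck(m, points, devices) for k, m in cases.items()}
```

The returned dictionary is the verification result message of S3: a zero result flag with the failure list is what S4 sees for a rejected command, while a passing command carries the measurement point name, OID and the control information (the associated control point's information for telemetry and remote signaling points) that S5 uses to initialise the issuance interface.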

[0026] Furthermore, in step S5, the encrypted result message in step S4 is decrypted to obtain the measurement point name, measurement point OID, and control information. Based on this, the information initialization work before the formal issuance of the control command is completed, including the initialization of the control command issuance interface. On this interface, the user obtains the verification failure information or the measurement point name, measurement point OID, and control information corresponding to this control command, and performs the formal control command issuance operation.

[0027] The trusted industrial control system's host computer control command pre-verification system includes, in sequence, an identity and authorization authentication module, a control command message encryption module, a control command message parsing and validity verification module, a verification result message encryption module, and a verification result message parsing and information initialization module; wherein:

[0028] Identity and permission authentication module: This module is used by the trusted engineer station to request control permissions from the trusted security center. Both the trusted engineer station and the trusted security center are equipped with a trusted TPM module. The trusted security center's trusted TPM module authenticates the identity and control command issuance permissions of the trusted engineer station. If the authentication of the trusted engineer station's identity and control command issuance permissions is successful, the trusted engineer station is authorized to issue control commands and enters the control command message encryption module. If the authentication fails, the process ends.

[0029] Control command message encryption module: used by the authorized trusted engineer station in the identity and permission authentication module to encapsulate control commands and generate control command messages. The trusted TPM module encrypts the control command messages to obtain encrypted command messages.

[0030] Control command message parsing and validity verification module: This module is used by the trusted TPM module to decrypt the encrypted command message in the control command message encryption module to obtain the control command message, perform validity verification on the control command message, generate a verification result message, and enter the verification result message encryption module.

[0031] Verification result message encryption module: parses the verification result message in the control command message parsing and validity verification module. If the verification result flag bit in the verification result message is 0, it means that the verification failed and the process ends; otherwise, the trusted TPM module encrypts the verification result message in the control command message parsing and validity verification module to obtain the encrypted result message, and enters the verification result message parsing and information initialization module.

[0032] Verification result message parsing and information initialization module: used to decrypt the encrypted result message in the verification result message encryption module to obtain the verification result message, and complete the information initialization work before the control command is officially issued based on the data in the verification result message, and the pre-verification ends.

[0033] Furthermore, the identity and authorization authentication module also includes: periodically exchanging identity authentication information between the trusted engineer station and the trusted security center for periodic identity verification;

[0034] The trusted engineer station and the trusted security center are configured with a trusted TPM module that calculates a hash value based on the received identity authentication information and sends it to the other party for identity verification. If the verification fails, it indicates that the other party is not trusted and the process ends; otherwise, the trusted engineer station and the trusted security center continue the above periodic identity verification process.

[0035] Furthermore, in the control command message encryption module, the control command message content includes: control command type, measurement point OID, and measurement point type.

[0036] Furthermore, the control command message parsing and validity verification module performs validity verification on the control command message and generates a verification result message, specifically including the following steps:

[0037] S31: Query the measurement point database based on the measurement point OID. If the query fails or the measurement point in the database is invalid, it indicates that the measurement point OID verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Verify the control command type. If the control command type is not equal to control closing and not equal to control split, it indicates that the control command type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message, which then enters the verification result message encryption module.

[0038] If the measurement point OID and control command type verification pass, execute S32;

[0039] S32: Verify the measurement point type. If the measurement point type is not remote control, remote signaling, or remote measurement, it indicates that the measurement point type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written into the verification result message and enters the verification result message encryption module. Otherwise, execute S33.

[0040] S33: Query the measurement point database according to the measurement point OID to obtain control information, and verify it according to the measurement point type; the control information includes measurement point description, measurement point upper and lower limits, associated control point information, and measurement point value step size. The associated control point information includes associated control point type and associated control point OID, wherein the associated control point type includes numerical control points and state control points.

[0041] Specifically as follows:

[0042] (a) For remote-controlled measurement points:

[0043] The measurement point database is queried by measurement point OID to perform interlock verification for the remote control type measurement point. If any of the following conditions is met: (1) remote control rule verification fails; (2) the measurement point group / device / station to which the measurement point belongs is not found; (3) the device / station to which the measurement point belongs is in an interlock state; then the interlock flag is set to 1 and the verification result flag to 0, the relevant verification failure information is written into the verification result message, and S4 is executed; otherwise, the interlock flag is set to 0 and the verification result flag to 1, the measurement point name, measurement point OID, and control information are written into the verification result message, and the verification result message encryption module is entered.

[0044] (b) For telemetry type measurement points:

[0045] If the associated control point OID in the control information of the telemetry type measuring point is invalid or the associated control point type is not a numerical control point, the verification result flag is set to 0, the relevant verification failure information is written into the verification result message, and the verification result message encryption module is entered; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written into the verification result message, and the verification result message encryption module is entered.

[0046] (c) For remote signaling type measurement points:

[0047] If the associated control point OID in the control information of the remote signaling type measuring point is invalid or the associated control point type is not a status-based control point, the verification result flag is set to 0, the relevant verification failure information is written into the verification result message, and the verification result message encryption module is entered; otherwise, the verification result flag is set to 1, the measuring point database is queried according to the associated control point OID to obtain the control information of the associated control point, and the measuring point name, measuring point OID, and control information of the associated control point are written into the verification result message, and the verification result message encryption module is entered.

[0048] Furthermore, in the verification result message parsing and information initialization module, the encrypted result message in the verification result message encryption module is decrypted to obtain the measurement point name, measurement point OID and control information, and the information initialization work before the formal issuance of the control command is completed accordingly. This includes the initialization of the control command issuance interface, where the user obtains the verification failure information or the measurement point name, measurement point OID and control information corresponding to this control command, and performs the formal control command issuance operation.

[0049] Compared with the prior art, the present invention has the following beneficial technical effects:

[0050] This invention performs comprehensive pre-verification of control command information, pre-acquiring and verifying relevant control information, including the validity of measurement point OID, control command type, measurement point type, validity of numerical / state control points, and measurement point interlocking verification, thereby avoiding invalid control commands and illegal control operations and ensuring the validity and rationality of the formal issuance of user control commands.

[0051] This invention features a trusted security center and a trusted engineer station, and includes a trusted TPM module for trusted computing. It periodically verifies the identity and permissions of the trusted engineer station and performs encryption and decryption operations on messages within the system, preventing system security vulnerabilities such as unauthorized operations by the trusted engineer station and tampering with message information, thereby effectively improving the system's security protection level.

Attached Figure Description

[0052] The accompanying drawings are provided to further understand the invention and constitute a part of this invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of the invention.

[0053] Figure 1 is a flowchart of the pre-verification method for host computer control commands in a trusted industrial control system according to Embodiment 1 of the present invention;

[0054] Figure 2 is a structural diagram of the pre-verification system for host computer control commands of the trusted industrial control system in Embodiment 2 of the present invention.

Detailed Implementation

[0055] The present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.

[0056] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.

[0057] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0058] Example 1

[0059] As shown in Figure 1, this invention provides a method for pre-verifying control commands of a trusted industrial control system, comprising the following steps:

[0060] S1: Identity and Access Authentication

[0061] The Trusted Engineer Station requests control permissions from the Trusted Security Center. Both the Trusted Engineer Station and the Trusted Security Center are configured with a Trusted TPM module. The Trusted TPM module of the Trusted Security Center authenticates the identity and control command issuance permissions of the Trusted Engineer Station. If the authentication of the Trusted Engineer Station's identity and control command issuance permissions is successful, the Trusted Engineer Station is authorized to issue control commands and execute S2; if the authentication fails, the process ends.

[0062] Meanwhile, the Trusted Engineer Station and the Trusted Security Center periodically exchange identity authentication information for periodic identity verification. The Trusted TPM module configured in the Trusted Engineer Station and the Trusted Security Center calculates a hash value based on the received identity authentication information and sends it to the other party for identity verification. If the verification fails, it indicates that the other party is not trustworthy, and the process ends. Otherwise, the Trusted Engineer Station and the Trusted Security Center continue the above periodic identity verification process.

[0063] S2: Control command message encryption

[0064] In S1, the authorized trusted engineer station encapsulates the control commands and generates control command messages. The trusted TPM module encrypts the control command messages to obtain encrypted command messages.

[0065] S3: Control command message parsing and validity verification

[0066] The trusted TPM module decrypts the encrypted command message in S2 to obtain the control command message, performs validity verification on the control command message, generates a verification result message, and executes S4.

[0067] Specifically, this includes:

[0068] S31: Query the measurement point database based on the measurement point OID. If the query fails or the measurement point in the database is invalid, it indicates that the measurement point OID verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Verify the control command type. If the control command type is not equal to control closing and not equal to control split, it indicates that the control command type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Execute S4.

[0069] If the measurement point OID and control command type verification pass, execute S32;

[0070] S32: Verify the measurement point type. If the measurement point type is not remote control, remote signaling, or remote measurement, it indicates that the measurement point type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Execute S4; otherwise, execute S33.

[0071] S33: Query the measurement point database according to the measurement point OID to obtain control information, and verify it according to the measurement point type; the control information includes measurement point description, measurement point upper and lower limits, associated control point information, and measurement point value step size. The associated control point information includes associated control point type and associated control point OID, wherein the associated control point type includes numerical control points and state control points.

[0072] Specifically as follows:

[0073] (a) For remote-controlled measurement points:

[0074] Query the measurement point database by measurement point OID to perform interlock verification for the remote control type measurement point. If any of the following conditions is met: (1) remote control rule verification fails; (2) the measurement point group / device / station to which the measurement point belongs is not found; (3) the device / station to which the measurement point belongs is in an interlock state; then set the interlock flag to 1 and the verification result flag to 0, write the relevant verification failure information into the verification result message, and execute S4; otherwise, set the interlock flag to 0 and the verification result flag to 1, write the measurement point name, measurement point OID, and control information into the verification result message, and execute S4;

[0075] (b) For telemetry type measurement points:

[0076] If the associated control point OID in the control information of the telemetry type measuring point is invalid or the associated control point type is not a numerical control point, the verification result flag is set to 0, the relevant verification failure information is written to the verification result message, and S4 is executed; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written to the verification result message, and S4 is executed.

[0077] (c) For remote signaling type measurement points:

[0078] If the associated control point OID in the control information of the remote signaling type measuring point is invalid or the associated control point type is not a status-type control point, the verification result flag is set to 0, the relevant verification failure information is written to the verification result message, and S4 is executed; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written to the verification result message, and S4 is executed.

[0079] S4: Encrypt the verification result message

[0080] The verification result message in S3 is parsed. If the verification result flag in the verification result message is 0, it means that the verification failed and the process ends; otherwise, the trusted TPM module encrypts the verification result message in S3 to obtain the encrypted result message and executes S5.

[0081] S5: Verification result message parsing and information initialization

[0082] Decrypt the encrypted result message in S4 to obtain the verification result message. Based on the data in the verification result message, complete the information initialization work before the control command is officially issued. The pre-verification ends.

[0083] Specifically, the encrypted result message in S4 is decrypted to obtain the measurement point name, measurement point OID, and control information. Based on this, the information initialization work before the formal issuance of the control command is completed, including the initialization of the control command issuance interface. On this interface, the user obtains the verification failure information or the measurement point name, measurement point OID, and control information corresponding to this control command, and performs the formal control command issuance operation.

[0084] S1-S5 use a trusted TPM module to generate encrypted messages to complete communication, ensuring information security during the communication process.

[0085] Example 2

[0086] See Figure 2. The present invention also provides a trusted industrial control system host computer control command pre-verification system, comprising, in sequence, an identity and authorization authentication module, a control command message encryption module, a control command message parsing and validity verification module, a verification result message encryption module, and a verification result message parsing and information initialization module; wherein:

[0087] Identity and permission authentication module: This module is used by the trusted engineer station to request control permissions from the trusted security center. Both the trusted engineer station and the trusted security center are equipped with a trusted TPM module. The trusted security center's trusted TPM module authenticates the identity and control command issuance permissions of the trusted engineer station. If the authentication of the trusted engineer station's identity and control command issuance permissions is successful, the trusted engineer station is authorized to issue control commands and enters the control command message encryption module. If the authentication fails, the process ends.

[0088] It also includes: the trusted engineer station and the trusted security center periodically exchanging identity authentication information for periodic identity verification; the trusted TPM module configured in the trusted engineer station and the trusted security center calculates a hash value based on the received identity authentication information and sends it to the other party for identity verification. If the verification fails, it indicates that the other party is not trusted and the process ends; otherwise, the trusted engineer station and the trusted security center maintain the above periodic identity verification process.

[0089] Control command message encryption module: used by the authorized trusted engineer station in the identity and permission authentication module to encapsulate control commands and generate control command messages. The trusted TPM module encrypts the control command messages to obtain encrypted command messages.

[0090] Control command message parsing and validity verification module: This module is used by the trusted TPM module to decrypt the encrypted command message in the control command message encryption module to obtain the control command message, perform validity verification on the control command message, generate a verification result message, and enter the verification result message encryption module.

[0091] Specifically, the following steps are included:

[0092] S31: Query the measurement point database based on the measurement point OID. If the query fails or the measurement point in the database is invalid, it indicates that the measurement point OID verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Verify the control command type. If the control command type is not equal to control closing and not equal to control split, it indicates that the control command type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message, which then enters the verification result message encryption module.

[0093] If the measurement point OID and control command type verification pass, execute S32;

[0094] S32: Verify the measurement point type. If the measurement point type is not remote control, remote signaling, or remote measurement, it indicates that the measurement point type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written into the verification result message and enters the verification result message encryption module. Otherwise, execute S33.

[0095] S33: Query the measurement point database according to the measurement point OID to obtain control information, and verify it according to the measurement point type; the control information includes measurement point description, measurement point upper and lower limits, associated control point information, and measurement point value step size. The associated control point information includes associated control point type and associated control point OID, wherein the associated control point type includes numerical control points and state control points.

[0096] Specifically as follows:

[0097] (a) For remote-controlled measurement points:

[0098] According to the measurement point OID, the measurement point database is queried to perform remote control type measurement point interlocking verification. If any of the following conditions are met: (1) remote control rule verification fails; (2) the measurement point group / device / station to which the measurement point belongs is not found; (3) the device / station to which the measurement point belongs is in the interlocking state; then the interlocking flag bit is set to 1, the verification result flag bit is set to 0, the relevant verification failure information is written into the verification result message, and S4 is executed; otherwise, the interlocking flag bit is set to 0, the verification result flag bit is set to 1, the measurement point name, measurement point OID, and control information are written into the verification result message, and the verification result message encryption module is entered.

[0099] (b) For telemetry type measurement points:

[0100] If the associated control point OID in the control information of the telemetry type measuring point is invalid or the associated control point type is not a numerical control point, the verification result flag is set to 0, the relevant verification failure information is written into the verification result message, and the verification result message encryption module is entered; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written into the verification result message, and the verification result message encryption module is entered.

[0101] (c) For remote signaling type measurement points:

[0102] If the associated control point OID in the control information of the remote signaling type measuring point is invalid or the associated control point type is not a status-based control point, the verification result flag is set to 0, the relevant verification failure information is written into the verification result message, and the verification result message encryption module is entered; otherwise, the verification result flag is set to 1, the measuring point database is queried according to the associated control point OID to obtain the control information of the associated control point, and the measuring point name, measuring point OID, and control information of the associated control point are written into the verification result message, and the verification result message encryption module is entered.
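The validity verification steps S31-S33 above (and the same steps (a)-(c) in the method of Example 1) as a reference implementation in Python. This is an added example, not code from the patent: the measurement point database is a constructed in-memory structure, and the field names, type strings, sample OIDs and the remote control rule are all assumptions.

```python
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Optional

# Control command types (S31), point types (S32), associated control point types (S33); values assumed.
CMD_CLOSE, CMD_SPLIT = "control_close", "control_split"
PT_REMOTE_CONTROL, PT_REMOTE_SIGNALING, PT_TELEMETRY = "remote_control", "remote_signaling", "telemetry"
CP_NUMERICAL, CP_STATUS = "numerical", "status"

@dataclass
class ControlInfo:
    description: str
    lower: float
    upper: float
    step: float                        # measurement point value step size
    assoc_type: Optional[str] = None   # associated control point type
    assoc_oid: Optional[str] = None    # associated control point OID

@dataclass
class Point:
    oid: str
    name: str
    ptype: str
    valid: bool
    control: ControlInfo
    device: Optional[str] = None       # device/station the point belongs to
    state: Optional[str] = None        # assumed: last issued position, for the rule check

@dataclass
class PointDB:
    points: Dict[str, Point]
    interlocked: Dict[str, bool]       # device/station -> interlock state
    rule_ok: Callable[[Point, str], bool]  # remote control rule verification (assumed)

def _fail(msg: dict, info: str) -> dict:
    msg["flag"] = 0
    msg["failures"].append(info)       # verification failure information
    return msg

def _pass(msg: dict, point: Point, control: ControlInfo) -> dict:
    msg["flag"] = 1
    msg["name"], msg["oid"], msg["control"] = point.name, point.oid, asdict(control)
    return msg

def verify_command(db: PointDB, cmd_type: str, oid: str, ptype: str) -> dict:
    """S31-S33 on one control command message; returns the verification result message."""
    msg: dict = {"flag": 0, "interlock": 0, "failures": []}
    # S31: the OID must resolve to a valid point and the type must be close/split.
    point = db.points.get(oid)
    if point is None or not point.valid:
        _fail(msg, f"measurement point OID {oid!r} not found or invalid")
    if cmd_type not in (CMD_CLOSE, CMD_SPLIT):
        _fail(msg, f"control command type {cmd_type!r} is not close/split")
    if msg["failures"]:
        return msg
    # S32: the point type carried in the message must be one of the three kinds.
    if ptype not in (PT_REMOTE_CONTROL, PT_REMOTE_SIGNALING, PT_TELEMETRY):
        return _fail(msg, f"measurement point type {ptype!r} not recognised")
    if ptype != point.ptype:   # added cross-check (assumption): message vs. database
        return _fail(msg, f"point type {ptype!r} does not match the database record")
    # S33 (a): remote control points go through interlock verification.
    if ptype == PT_REMOTE_CONTROL:
        if not db.rule_ok(point, cmd_type):
            _fail(msg, "remote control rule verification failed")
        elif point.device is None or point.device not in db.interlocked:
            _fail(msg, "group/device/station of the measurement point not found")
        elif db.interlocked[point.device]:
            _fail(msg, f"device/station {point.device!r} is in the interlocking state")
        if msg["failures"]:
            msg["interlock"] = 1
            return msg
        return _pass(msg, point, point.control)
    # S33 (b)/(c): telemetry needs a numerical, remote signaling a status control point.
    expected = CP_NUMERICAL if ptype == PT_TELEMETRY else CP_STATUS
    ci = point.control
    assoc = db.points.get(ci.assoc_oid) if ci.assoc_oid else None
    if assoc is None or not assoc.valid:
        return _fail(msg, f"associated control point OID {ci.assoc_oid!r} invalid")
    if ci.assoc_type != expected:
        return _fail(msg, f"associated control point is {ci.assoc_type!r}, need {expected!r}")
    return _pass(msg, point, assoc.control)   # name/OID of the point, control info of the associate

def build_sample_db() -> PointDB:
    """Constructed sample data; OIDs, names and the rule are illustrative only."""
    def rule(point: Point, cmd: str) -> bool:
        return point.state != cmd      # assumed rule: do not re-issue the position already held
    pts = {
        "CB-101": Point("CB-101", "Breaker 101", PT_REMOTE_CONTROL, True,
                        ControlInfo("breaker 101", 0, 1, 1), "BAY-1", CMD_SPLIT),
        "CB-102": Point("CB-102", "Breaker 102", PT_REMOTE_CONTROL, True,
                        ControlInfo("breaker 102", 0, 1, 1), "BAY-2", CMD_SPLIT),
        "CP-301": Point("CP-301", "Setpoint 301", CP_NUMERICAL, True,
                        ControlInfo("feedwater setpoint", 0.0, 100.0, 0.5)),
        "TM-301": Point("TM-301", "Flow 301", PT_TELEMETRY, True,
                        ControlInfo("feedwater flow", 0.0, 120.0, 0.1, CP_NUMERICAL, "CP-301")),
        "TS-401": Point("TS-401", "Valve 401 position", PT_REMOTE_SIGNALING, True,
                        ControlInfo("valve 401", 0, 1, 1, CP_NUMERICAL, "CP-301")),
    }
    return PointDB(pts, {"BAY-1": False, "BAY-2": True}, rule)
```

A result message with flag 0 is what the verification result message encryption module drops before any encryption happens; only flag 1 messages carry the name, OID and control information forward.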

[0103] Verification result message encryption module: parses the verification result message in the control command message parsing and validity verification module. If the verification result flag bit in the verification result message is 0, it means that the verification failed and the process ends; otherwise, the trusted TPM module encrypts the verification result message in the control command message parsing and validity verification module to obtain the encrypted result message, and enters the verification result message parsing and information initialization module.

[0104] Verification result message parsing and information initialization module: used to decrypt the encrypted result message in the verification result message encryption module to obtain the verification result message, and complete the information initialization work before the control command is officially issued based on the data in the verification result message. The pre-verification ends.

[0105] Specifically, the encrypted result message from the verification result message encryption module is decrypted to obtain the measurement point name, measurement point OID and control information, and based on this, the information initialization work before the formal issuance of the control command is completed, including the initialization of the control command issuance interface. On this interface, the user obtains the verification failure information or the measurement point name, measurement point OID and control information corresponding to this control command, and performs the formal control command issuance operation.

[0106] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0107] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce means for implementing the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.

[0108] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.

[0109] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions that execute on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.

[0110] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit its scope of protection. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that after reading the present invention, they can still make various changes, modifications or equivalent substitutions to the specific implementation of the invention, but these changes, modifications or equivalent substitutions are all within the scope of protection of the pending claims of the invention.

Claims

1. A method for pre-verifying control commands of a trusted industrial control system's host computer, characterized in that it includes the following steps: S1: The Trusted Engineer Station requests control permissions from the Trusted Security Center. Both the Trusted Engineer Station and the Trusted Security Center are configured with a Trusted TPM module. The Trusted TPM module of the Trusted Security Center authenticates the identity and control command issuance permissions of the Trusted Engineer Station. If the authentication of the Trusted Engineer Station's identity and control command issuance permissions is successful, the Trusted Engineer Station is authorized to issue control commands, and S2 is executed; if the authentication fails, the process ends. S2: In S1, the authorized trusted engineer station encapsulates the control commands and generates control command messages. The trusted TPM module encrypts the control command messages to obtain encrypted command messages. The control command message content includes: control command type, measurement point OID, and measurement point type; S3: The trusted TPM module decrypts the encrypted command message in S2 to obtain the control command message, performs validity verification on the control command message, generates a verification result message, and executes S4; Specifically, the following steps are included: S31: Query the measurement point database based on the measurement point OID. If the query fails or the measurement point in the database is invalid, it indicates that the measurement point OID verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Verify the control command type. If the control command type is not equal to control closing and not equal to control split, it indicates that the control command type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Execute S4. If the measurement point OID and control command type verification pass, execute S32; S32: Verify the measurement point type. If the measurement point type is not remote control, remote signaling, or remote measurement, it indicates that the measurement point type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Execute S4; otherwise, execute S33. S33: Query the measurement point database according to the measurement point OID to obtain control information, and verify it according to the measurement point type; the control information includes measurement point description, measurement point upper and lower limits, associated control point information, and measurement point value step size. The associated control point information includes associated control point type and associated control point OID, wherein the associated control point type includes numerical control points and state control points. S4: Parse the verification result message in S3. If the verification result flag in the verification result message is 0, it means that the verification failed and the process ends; otherwise, the trusted TPM module encrypts the verification result message in S3 to obtain the encrypted result message and executes S5. S5: Decrypt the encrypted result message in S4 to obtain the verification result message. Based on the data in the verification result message, complete the information initialization work before the official issuance of the control command. The pre-verification ends.

2. The method for pre-verifying host computer control commands in a trusted industrial control system according to claim 1, characterized in that S1 also includes: the trusted engineer station and the trusted security center periodically exchanging identity authentication information for periodic identity verification; the trusted engineer station and the trusted security center are configured with a trusted TPM module that calculates a hash value based on the received identity authentication information and sends it to the other party for identity verification. If the verification fails, it indicates that the other party is not trusted and the process ends; otherwise, the trusted engineer station and the trusted security center continue the above periodic identity verification process.

3. The method for pre-verifying control commands of a trusted industrial control system host computer according to claim 1, characterized in that S33 is as follows: (a) For remote-controlled measurement points: According to the measurement point OID, query the measurement point database to perform remote control type measurement point interlocking verification. If any of the following conditions are met: (1) remote control rule verification fails; (2) the measurement point group / device / station to which the measurement point belongs is not found; (3) the device / station to which the measurement point belongs is in the interlocking state; then the command interlock flag bit is set to 1, the verification result flag bit is set to 0, the relevant verification failure information is written into the verification result message, and S4 is executed. Otherwise, the command interlock flag bit is set to 0, the verification result flag bit is set to 1, the measurement point name, measurement point OID, and control information are written into the verification result message, and S4 is executed; (b) For telemetry type measurement points: If the associated control point OID in the control information of the telemetry type measuring point is invalid or the associated control point type is not a numerical control point, the verification result flag is set to 0, the relevant verification failure information is written to the verification result message, and S4 is executed; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written to the verification result message, and S4 is executed. (c) For remote signaling type measurement points: If the associated control point OID in the control information of the remote signaling type measuring point is invalid or the associated control point type is not a status-type control point, the verification result flag is set to 0, the relevant verification failure information is written to the verification result message, and S4 is executed; otherwise, the verification result flag is set to 1, the control information of the associated control point is obtained by querying the measuring point database according to the associated control point OID, and the measuring point name, measuring point OID, and control information of the associated control point are written to the verification result message, and S4 is executed.

4. The method for pre-verifying control commands of a trusted industrial control system host computer according to claim 1, characterized in that in step S5, the encrypted result message in step S4 is decrypted to obtain the measurement point name, measurement point OID, and control information. Based on this, the information initialization work before the formal issuance of the control command is completed, including the initialization of the control command issuance interface. On this interface, the user obtains the verification failure information or the measurement point name, measurement point OID, and control information corresponding to this control command, and performs the formal control command issuance operation.

5. A pre-verification system for host computer control commands in a trusted industrial control system, characterized in that it includes, in sequence, an identity and authorization authentication module, a control command message encryption module, a control command message parsing and validity verification module, a verification result message encryption module, and a verification result message parsing and information initialization module; wherein: Identity and permission authentication module: This module is used by the trusted engineer station to request control permissions from the trusted security center. Both the trusted engineer station and the trusted security center are equipped with a trusted TPM module. The trusted security center's trusted TPM module authenticates the identity and control command issuance permissions of the trusted engineer station. If the authentication of the trusted engineer station's identity and control command issuance permissions is successful, the trusted engineer station is authorized to issue control commands and enters the control command message encryption module. If the authentication fails, the process ends. Control command message encryption module: used by the authorized trusted engineer station in the identity and authorization authentication module to encapsulate the control command and generate a control command message. The trusted TPM module encrypts the control command message to obtain an encrypted command message. The content of the control command message includes: control command type, measurement point OID and measurement point type. Control command message parsing and validity verification module: This module is used by the trusted TPM module to decrypt the encrypted command message in the control command message encryption module to obtain the control command message, perform validity verification on the control command message, generate a verification result message, and enter the verification result message encryption module. Specifically, the following steps are included: S31: Query the measurement point database based on the measurement point OID. If the query fails or the measurement point in the database is invalid, it indicates that the measurement point OID verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message. Verify the control command type. If the control command type is not equal to control closing and not equal to control split, it indicates that the control command type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written to the verification result message, which then enters the verification result message encryption module. If the measurement point OID and control command type verification pass, execute S32; S32: Verify the measurement point type. If the measurement point type is not remote control, remote signaling, or remote measurement, it indicates that the measurement point type verification has failed. The verification result flag is set to 0, and the relevant verification failure information is written into the verification result message and enters the verification result message encryption module. Otherwise, execute S33. S33: Query the measurement point database according to the measurement point OID to obtain control information, and verify it according to the measurement point type; the control information includes measurement point description, measurement point upper and lower limits, associated control point information, and measurement point value step size. The associated control point information includes associated control point type and associated control point OID, wherein the associated control point type includes numerical control points and state control points. Verification result message encryption module: parses the verification result message in the control command message parsing and validity verification module. If the verification result flag bit in the verification result message is 0, it means that the verification failed and the process ends; otherwise, the trusted TPM module encrypts the verification result message in the control command message parsing and validity verification module to obtain the encrypted result message, and enters the verification result message parsing and information initialization module. Verification result message parsing and information initialization module: used to decrypt the encrypted result message in the verification result message encryption module to obtain the verification result message, and complete the information initialization work before the control command is officially issued based on the data in the verification result message, and the pre-verification ends.

6. The trusted industrial control system host computer control command pre-verification system according to claim 5, characterized in that the identity and authorization authentication module also includes: periodically exchanging identity authentication information between the trusted engineer station and the trusted security center for periodic identity verification; the trusted engineer station and the trusted security center are configured with a trusted TPM module that calculates a hash value based on the received identity authentication information and sends it to the other party for identity verification. If the verification fails, it indicates that the other party is not trusted and the process ends; otherwise, the trusted engineer station and the trusted security center continue the above periodic identity verification process.

7. The trusted industrial control system host computer control command pre-verification system according to claim 5, characterized in that S33 is as follows: (a) For remote-controlled measurement points: According to the measurement point OID, query the measurement point database to perform remote control type measurement point interlocking verification. If any of the following conditions are met: (1) remote control rule verification fails; (2) the measurement point group / device / station to which the measurement point belongs is not found; (3) the device / station to which the measurement point belongs is in the interlocking state; then the command interlock flag bit is set to 1, the verification result flag bit is set to 0, the relevant verification failure information is written into the verification result message, and S4 is executed. Otherwise, the command interlock flag bit is set to 0, the verification result flag bit is set to 1, the measurement point name, measurement point OID, and control information are written into the verification result message, and the verification result message encryption module is entered. (b) For telemetry type measurement points: If the associated control point OID in the control information of the telemetry type measurement point is invalid or the associated control point type is not a numerical control point, the verification result flag is set to 0, the relevant verification failure information is written into the verification result message, and the verification result message encryption module is entered. Otherwise, the verification result flag is set to 1. The control information of the associated control point is obtained by querying the measurement point database according to the associated control point OID. The measurement point name, measurement point OID, and control information of the associated control point are written into the verification result message and enter the verification result message encryption module. (c) For remote signaling type measurement points: If the associated control point OID in the control information of the remote signaling type measurement point is invalid or the associated control point type is not a status type control point, the verification result flag is set to 0, the relevant verification failure information is written into the verification result message, and the verification result message encryption module is entered. Otherwise, the verification result flag is set to 1. The control information of the associated control point is obtained by querying the measurement point database based on the associated control point OID. The measurement point name, measurement point OID, and control information of the associated control point are written into the verification result message and then enter the verification result message encryption module.

8. The trusted industrial control system host computer control command pre-verification system according to claim 5, characterized in that, in the verification result message parsing and information initialization module, the encrypted result message in the verification result message encryption module is decrypted to obtain the measurement point name, measurement point OID and control information, and the information initialization work before the formal issuance of the control command is completed accordingly. This includes the initialization of the control command issuance interface, where the user obtains the verification failure information or the measurement point name, measurement point OID and control information corresponding to this control command, and performs the formal control command issuance operation.