ATTACK / ABNORMALITY DETECTION DEVICE, ATTACK / ABNORMALITY DETECTION METHOD AND ATTACK / ABNORMALITY DETECTION PROGRAM
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Patents
- Current Assignee / Owner
- MITSUBISHI ELECTRIC CORP
- Filing Date
- 2017-01-25
- Publication Date
- 2026-07-02
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Technical field The present invention relates to a technology for detecting illegal manipulation / insertion and for sorting out due to an abnormality, such as a failure or a cyber attack on an instruction (hereinafter referred to as a "manufacturing instruction"), relating to the control of, for example, a factory or a plant. State of the art A method for detecting an abnormality in a manufacturing process by using a product ID to identify a product to be manufactured, which is contained in a manufacturing order, is disclosed (see, for example, patent literature 1). Furthermore, a method for detecting an abnormality by recording a normal operating state of, for example, a factory or a plant in advance by simulating and comparing an actual operating state of, for example, the factory or the plant with a simulation result that was recorded in advance is disclosed (see, for example, patent literature 2). List of counterclaims Patent literature [PTL 1] JP 2016-014992 A[PTL 2] JP 2013-218725 A Brief description of the invention Technical problem However, the technique has the following problem. The methods described in patent literature 1 and 2 capture a flow of normal manufacturing orders by simulation and store time-series data on the sequence of manufacturing orders as a group of normal orders in advance. Furthermore, the methods also store time-series data on the sequence of manufacturing orders in advance, for example, an actual factory or plant, as a group of actual orders in a similar manner. Then, if an additional manufacturing order is generated in, for example, the actual factory or plant, the techniques can detect an attack or abnormality of the additional manufacturing order by extracting only those orders that each contain a product ID of the additional manufacturing order from the groups of normal and actual orders and comparing the extraction results. However, if there is a manufacturing order that does not contain a product ID, the techniques will have difficulty detecting an attack or abnormality. 7. The present invention was developed to solve the above-mentioned problem and has an objective of providing an attack / abnormality detection device, an attack / abnormality detection method and an attack / abnormality detection program capable of detecting illegal tampering or insertion and of rejecting products due to an abnormality, such as a failure or attack, even if there is a manufacturing order that does not contain a product ID. Solution to the problem According to one embodiment of the present invention, an attack / abnormality detection device is provided which is configured to detect an attack or abnormality contained in a manufacturing order in an actual factory, wherein the attack / abnormality detection device comprises: a storage unit; an order extraction unit; and a detection unit, wherein the storage unit comprises a normal order storage area which stores a set of normal manufacturing orders, and an actual order storage area which stores a set of actual manufacturing orders transmitted from the actual factory, wherein the order extraction unit is configured to: receive an actual manufacturing order containing an order target, an order name, and an order parameter from the actual factory;Assigning an actual manufacturing instruction that has the same instruction target to an arrival sequence number in the order in which the actual manufacturing instruction was received, and storing the actual manufacturing instruction in the actual instruction storage area as an element of the set of actual manufacturing instructions; extracting, when the actual manufacturing instruction has just been received, elements that have the same instruction target as an instruction target contained in the actual manufacturing instruction just received, as a group of normal instructions from the set of normal manufacturing instructions stored in the normal instruction storage area as a configuration that includes an instruction target, an instruction name, an instruction parameter, and an arrival sequence;and extracting elements that have the same instruction target as the instruction target contained in the actual manufacturing instruction just received, as a group of actual instructions from the set of actual manufacturing instructions stored in the actual instruction storage area, and wherein the detection unit is configured to perform an initial detection processing of comparing the group of normal instructions and the group of actual instructions extracted by the instruction extraction unit with each other for each arrival sequence in order to detect the attack or abnormality. Furthermore, according to one embodiment of the present invention, an attack / abnormality detection method is provided, which is to be carried out by an attack / abnormality detection device configured to detect an attack or an abnormality contained in a manufacturing order in an actual factory, wherein the attack / abnormality detection method comprises: a first step of receiving an actual manufacturing order containing an order target, an order name, and an order parameter from the actual factory; a second step of assigning an actual manufacturing order having the same order target to an arrival sequence number in the order of receiving the actual manufacturing order and storing the actual manufacturing order in an actual order storage area as one element of a set of actual manufacturing orders;a third step of pre-storing a normal set of manufacturing instructions into a normal instruction storage area as a configuration that includes an instruction target, an instruction name, an instruction parameter, and an arrival order; a fourth step of extracting, when the actual manufacturing instruction has just been received, elements that have the same instruction target as an instruction target contained in the actual manufacturing instruction just received, as a group of normal instructions from the set of normal manufacturing instructions that are stored in the normal instruction storage area in the third step;a fifth step of extracting elements that have the same instruction target as the instruction target contained in the actual manufacturing instruction just received, as a group of actual instructions from the set of actual manufacturing instructions stored in the actual instruction memory area; and a sixth step of performing an initial detection processing of comparing the group of normal instructions extracted in the fourth step and the group of actual instructions extracted in the fifth step with each other for each arrival sequence, in order to detect the attack or abnormality. Furthermore, according to one embodiment of the present invention, an attack / abnormality detection program is provided to achieve functionality as the command extraction unit and the detection unit contained in the attack / abnormality detection device. Advantageous effects of the invention According to one embodiment of the present invention, the following is provided: the configuration for extracting elements with the same instruction target as an instruction target of an additionally received actual manufacturing instruction from both the set of normal manufacturing instructions and the set of actual manufacturing instructions, which contain information about the instruction target and the arrival sequence and are stored in the instruction storage area; and the configuration for detecting an attack or an abnormality by comparing details of the instructions with each other for each arrival sequence of both extracted elements.As a result, the attack / abnormality detection device, the attack / abnormality detection method and the attack / abnormality detection program are provided, which are capable of detecting an illegal tampering / insertion and sorting out due to an abnormality, such as a cyberattack or a failure, even if there is a manufacturing order that does not contain a product ID. Brief description of the drawings Fig. 1 is a configuration diagram illustrating a detection server in a first embodiment of the present invention. Fig. 2 is a diagram illustrating a network configuration of the detection server, a factory simulator, and an actual factory in the first embodiment of the present invention. Fig. 3 is a diagram illustrating an example of a hardware configuration of the detection server, the factory simulator, and an actual factory monitoring device in the first embodiment of the present invention. Fig. 4 is a flowchart illustrating a series of operations of an attack / abnormality detection processing to be performed by the detection server in the first embodiment of the present invention.Figure 5 is a diagram illustrating how an instruction memory area is stored, as a specific example of the instruction memory area in the first embodiment of the present invention. Figure 6 is a diagram illustrating how an updated instruction memory area is stored after receiving an additional manufacturing instruction from the actual factory in a state of the example instruction memory area illustrated in Figure 5, as a specific example of the instruction memory area in the first embodiment of the present invention. Figure 7 is a diagram illustrating how an updated instruction memory area is stored after receiving an additional manufacturing instruction from the actual factory in a state of the example instruction memory area illustrated in Figure 7.Figure 6 illustrates how an instruction storage area is stored, as a specific example of the instruction storage area in the first embodiment of the present invention. Figure 8 is a configuration diagram illustrating a detection server in a second embodiment of the present invention. Figure 9 is a flowchart illustrating a series of operations of an attack / abnormality detection processing to be performed by the detection server in the second embodiment of the present invention. Figure 10 is a diagram illustrating how an instruction storage area is stored, as a specific example of the instruction storage area in the second embodiment of the present invention.Figure 11 is a diagram illustrating how an updated instruction storage area is stored after receiving an additional manufacturing instruction from the actual factory in a state of the example instruction storage area illustrated in Figure 10, as a specific example of the instruction storage area in the second embodiment of the present invention. Figure 12 is a diagram illustrating how an updated instruction storage area is stored after receiving an additional manufacturing instruction from the actual factory in a state of the example instruction storage area illustrated in Figure 11, as a specific example of the instruction storage area in the second embodiment of the present invention. Figure 13 is a configuration diagram illustrating a detection server in a third embodiment of the present invention.Figure 14 is a flowchart illustrating a series of operations of an attack / abnormality detection processing to be performed by the detection server in the third embodiment of the present invention. Figure 15 is a diagram illustrating how an instruction storage area is stored as a specific example of the instruction storage area in the third embodiment of the present invention. Figure 16 is a diagram illustrating how an updated instruction storage area is stored after receiving an additional manufacturing instruction from the actual factory in a state of the example instruction storage area illustrated in Figure 15, as a specific example of the instruction storage area in the third embodiment of the present invention. Description of the embodiments A description of an attack / abnormality detection device, an attack / abnormality detection method and an attack / abnormality detection program according to preferred embodiments of the present invention is now given with reference to the accompanying drawings. The present invention focuses on ensuring that the sequence of issuing production orders to, for example, a production plant serving as a destination of the production order is guaranteed for each destination of the production order, not only in, for example, a factory or plant for high-mix, low-volume production, but also in mass customization production where low-mix, high-volume production is required. Furthermore, based on this fact, the present invention includes a technical feature for solving the technical problem by comparing a group of standard orders with a group of actual orders by extracting only those production orders that have the same destination as that of an additional production order generated, for example, in a factory or plant. Each embodiment described below includes a description of, for example, an attack / abnormality detection device capable of detecting an attack or abnormality by comparing normal manufacturing instructions obtained by a computer (hereinafter referred to as the "simulation device") configured to simulate a flow of normal manufacturing instructions with a flow of actual manufacturing instructions obtained by, for example, an actual factory / plant (hereinafter referred to as the "actual factory"). An information processing method in the present invention can be implemented by a procedure illustrated in a flowchart of each embodiment. First embodiment Fig. 1 is a configuration diagram illustrating a detection server 101 in a first embodiment of the present invention. The detection server 101 corresponds to a specific example of the attack / abnormality detection device. Detection Server 101 includes a Target-Specific Command Extraction Unit 102, an Attack / Anomaly Detection Unit 103, and a Command Storage Unit 110. Command Storage Unit 110 contains a Normal Command Storage Area 120 and an Actual Command Storage Area 130. Command Storage Area 110 then stores information held by Detection Server 101. The normal instruction memory area 120 stores, for example, the information illustrated in Fig. 1. That is, in the first embodiment, the normal instruction memory area 120 includes an instruction target 121, an instruction name 122, an instruction parameter 123, and an arrival sequence 124. The actual instruction memory area 130 stores, for example, the information illustrated in Fig. 1. That is, in the first embodiment, the actual instruction memory area 130 includes an instruction target 131, an instruction name 132, an instruction parameter 133, and an arrival sequence 134. A factory simulator 151 corresponds to an example of the simulation device. An actual factory 152 corresponds to an example of the actual factory. Fig. 2 is a diagram illustrating a network configuration of the detection server 101, the factory simulator 151, and the actual factory 152 in the first embodiment of the present invention. The factory simulator 151 includes a factory simulator 210 configured to implement a simulation and transmit a result. The factory simulator 210 includes a command transmission unit 211 and a factory simulation unit 212. The actual factory 152 includes an actual factory monitoring device 220, which is configured to monitor a manufacturing order in the factory and to transmit a result. The actual factory monitoring device 220 includes an order transmission unit 221 and an order monitoring unit 222. Detection server 101 can be configured to have multiple factory simulators 151 and multiple actual factories 152 connected to it. Furthermore, factory simulator 151 connected to detection server 101 can have a network configuration that includes multiple layers of the multiple factory simulators 151. Similarly, actual factory 152 can have a network configuration that includes multiple layers of the multiple actual factories 152. The aforementioned Server 101, Factory Simulator 210, and Actual Factory Monitoring Device 220 are computers, and each component of a data management device can perform processing by a program. Furthermore, the program can be stored on a storage medium, from which the computer can read it. Fig. 3 is a diagram illustrating an example of a hardware configuration of the detection server 101, the factory simulator 210, and the actual factory monitoring device 220 in the first embodiment of the present invention. In Fig. 3, a computing device 301, an external storage device 302, a main memory device 303, and a communication device 304 are interconnected via a bus 305. The computing device 301 is a central processing unit (CPU) configured to execute a program. The external storage device 302 is, for example, a read-only memory (ROM) or a hard disk drive. The main memory device 303 is generally a random access memory (RAM). The communication device 304 is generally a communication card designed for Ethernet (trademark). Programs are generally stored in the external storage device 302 and are read sequentially by the computing device 301. Processing is performed in a state where these programs are loaded into the main memory device 303. Special programs correspond to programs for implementing the illustrated functions as the target-specific instruction extraction unit 102 and the attack / abnormality detection unit 103 in Fig. 1. Furthermore, the instruction storage area 110 illustrated in Fig. 1 is implemented, for example, by the external storage device 302. Furthermore, the external storage device 302 also stores an operating system (OS). At least part of the OS is loaded into the main memory device 303, and the computing device 301 executes the programs to implement the functions of the target-specific instruction extraction unit 102 and the attack / abnormality detection unit 103, illustrated in Fig. 1, while the OS is running. Furthermore, in the description of the first embodiment, information, data, a signal value, and a variable indicating a result of the processing are stored in the main memory device 303 as a file. The configuration shown in Fig. 3 is merely an illustration of an example of the hardware configuration of the detection server 101, the factory simulator 210, and the actual factory monitoring device 220, and can be a different configuration without being limited to the one illustrated in Fig. 3. For example, in the hardware configuration, a screen and other output devices, or a mouse, keyboard, or other input devices, can also be connected to bus 305. A description of the operation of the detection server 101 of the first embodiment is now given with reference to Fig. 1. Details of such operation will be described later with reference to a flowchart illustrated in Fig. 4. The Target-Specific Command Extraction Unit 102 receives a manufacturing order transmitted by the Factory Simulator 151. The Target-Specific Command Extraction Unit 102 then extracts an order target, an order name, and an order parameter from the received manufacturing order and assigns these data items to an arrival sequence. The Target-Specific Command Extraction Unit 102 then stores an order target 121, an order name 122, an order parameter 123, and an arrival sequence 124 in the Normal Command Storage Area 120. Furthermore, the Target-Specific Instruction Extraction Unit 102 receives a manufacturing instruction transmitted from the Actual Factory 152. The Target-Specific Instruction Extraction Unit 102 then extracts an instruction target, an instruction name, and an instruction parameter from the received manufacturing instruction and assigns these data items to an arrival sequence. Afterward, the Target-Specific Instruction Extraction Unit 102 stores an instruction target 131, an instruction name 132, an instruction parameter 133, and an arrival sequence 134 in the Actual Instruction Storage Area 130. The Attack / Anomaly Detection Unit 103 obtains a manufacturing order with the same command target as that of the manufacturing order of the actual factory 152, which is received by the Target Specific Command Extraction Unit 102 from the Normal Command Storage Area 120 and the Actual Command Storage Area 130. If a group of manufacturing orders obtained from the Actual Order Storage Area 130 is a subgroup of a group of manufacturing orders obtained from the Normal Order Storage Area 120, the Attack / Anomaly Detection Unit 103 further determines the current status as "normal" and otherwise determines the current status as "abnormal". The result of the determination can be stored in the actual command storage area 130 or can be communicated by, for example, a transmission to another device. Next, a description of a data structure in the first embodiment is given. The normal instruction memory area 120 from Fig. 1 is a table to show an example of a normal instruction memory format. The instruction target 121 is a unique identifier for identifying the target of a manufacturing instruction. The instruction name 122 is a unique identifier for identifying the type of manufacturing instruction. The instruction parameter 123 is an area for storing one or more parameters, such as a numeric value, a string, or a binary value, that are necessary to execute the manufacturing instruction. The arrival sequence 124 is a field for storing the order in which manufacturing orders arrive by destination. If information that allows the order to be identified, such as a time, is assigned to the manufacturing order, this information can be used instead of the arrival sequence 124. The actual instruction storage area 130 from Fig. 1 is a table showing an example of a storage format for a normal instruction. The instruction target 131 is a unique identifier for identifying a target of a manufacturing instruction. The instruction name 132 is a unique identifier for identifying a type of manufacturing instruction. The instruction parameter 133 is an area for storing one or more parameters, such as a numeric value, a string, or a binary value, that are necessary to execute the manufacturing instruction. Arrival Sequence 134 is a space for storing the order in which manufacturing orders arrive by destination. If information that allows the order to be identified, such as a time, is assigned to the manufacturing order, this information can be used instead of Arrival Sequence 134. Furthermore, a space can be added to store the result of a determination of whether the manufacturing order is "normal" or "attack / abnormal". Fig. 4 is a flowchart illustrating a series of operations of an attack / abnormality detection processing to be performed by the detection server 101 in the first embodiment of the present invention. A description of the attack / abnormality detection processing to be performed by the target-specific command extraction unit 102 and the attack / abnormality detection unit 103 in the detection server 101 will now be given with reference to the flowchart illustrated in Fig. 4. In the series of processing steps from Fig. 4, it is assumed that if the operation of the actual factory 152 is normal, a manufacturing order having the same order destination and arrival sequence will arrive from the factory simulator 151 before the manufacturing order from the actual factory 152 and will be stored in the normal order storage area 120 before the manufacturing order from the actual factory 152. In step S101, the target-specific command extraction unit 102 receives a manufacturing command from the factory simulator 151 or the actual factory 152. Next, in step S102, the Target-Specific Instruction Extraction Unit 102 interprets the transmission source of the received manufacturing instruction. Then, if the transmission source of the manufacturing instruction is the actual factory 152, the Target-Specific Instruction Extraction Unit 102 continues processing at step S103; or, if the transmission source of the manufacturing instruction is the factory simulator 151, the Target-Specific Instruction Extraction Unit 102 continues processing at step S104. When processing proceeds to step S103, the target-specific instruction extraction unit 102 assigns the manufacturing instruction to a number in the manufacturing instruction target's arrival sequence and adds the instruction target, instruction name, instruction parameter, and arrival sequence to the actual instruction storage area 130. Processing then proceeds to step S105. When the Target Specific Instruction Extraction Unit 102 moves to step S104, the Target Specific Instruction Extraction Unit 102 assigns the manufacturing instruction to a number of the arrival sequence of the manufacturing instruction's target and adds the instruction target, instruction name, instruction parameter, and arrival sequence to the Normal Instruction Storage Area 120. When processing moves from step S103 to step S105, the Attack / Anomaly Detection Unit 103 obtains a group of normal orders and a group of actual orders, which are a group of manufacture orders with the same objective as that of the manufacture order obtained from actual Factory 152 in the previous step S101, from Normal Order Storage Area 120 and Actual Order Storage Area 130. Next, in step S106, the Attack / Anomaly Detection Unit 103 compares the group of normal instructions with the group of actual instructions obtained in step S105. If the group of normal instructions and the group of actual instructions have the same sequence of manufacturing instructions, the Attack / Anomaly Detection Unit 103 determines the current status as normal, and processing proceeds to step S107. Conversely, if the group of normal instructions and the group of actual instructions do not have the same sequence of manufacturing instructions, the Attack / Anomaly Detection Unit 103 determines the current status as under attack or abnormal, and processing proceeds to step S108. The phrase "have the same order of manufacturing orders" refers to the fact that the group of normal orders and the group of actual orders have the same order of arrival, command target, command name, and command parameters. Even if there is a manufacturing order that exists in the arrival order of the group of normal orders but does not exist in the arrival order of the group of actual orders, the Attack / Anomaly Detection Unit 103 will determine the current status as normal at that time, if the group of normal orders and the group of actual orders have the same order of manufacturing orders. In contrast, if there is a manufacturing order that exists in the arrival order of the actual orders group but does not exist in the arrival order of the normal orders group, the Attack / Abnormality Detection Unit 103 determines the current status as under attack or abnormal, even if the normal orders group and the actual orders group have the same order of manufacturing orders. A specific description of an operational processing procedure for detecting an attack / abnormality in the first embodiment is now given by using examples of instruction storage areas from Fig. 5, Fig. 6 and Fig. 7. Fig. 5 is a diagram illustrating how an instruction storage area 510 is stored, as a specific example for the instruction storage area 110 in the first embodiment of the present invention. First, a description of an example of operational processing for detecting an attack / abnormality for the instruction storage area 510 illustrated in Fig. 5 is given. It is assumed that a normal instruction storage area 520 stores a result of the target-specific instruction extraction unit 102, which interprets a manufacturing instruction transmitted by the factory simulator 151, extracts an instruction target 521, an instruction name 522 and an instruction parameter 523, and assigns these data elements to an arrival sequence 524. In contrast, it is assumed that an actual instruction storage area 530 stores a result of the target-specific instruction extraction unit 102, which interprets a manufacturing instruction transmitted by the actual factory 152, extracts an instruction target 531, an instruction name 532 and an instruction parameter 533, and assigns these data elements to an arrival sequence 534. Now, a description of an operation is given based on an example of a normal state in which four manufacturing instructions are stored in the Normal Instruction memory area 520 and two manufacturing instructions are stored in the Actual Instruction memory area 530. Fig. 6 is a diagram illustrating how an updated instruction storage area 610 is stored after receiving an additional manufacturing instruction from the actual factory 152 in a state of the example for the instruction storage area 510 illustrated in Fig. 5, as a special example for the instruction storage area 110 of the first embodiment of the present invention. In particular, the example for instruction storage area 610 corresponds to a state in which the target-specific instruction extraction unit 102 receives an additional manufacturing instruction “(instruction target = Plant 2, instruction name = Start Process, instruction parameters = A = 80, B = 15, ..., arrival sequence = 1)” from the actual factory 152 and stores the additional manufacturing instruction in the actual instruction storage area 630 in the state of the example for instruction storage area 510 illustrated in Fig. 5. Then, based on the additional manufacturing order mentioned above, the Attack / Anomaly Detection Unit 103 obtains a group of normal orders with the order target = Annex 2 from a Normal Order Storage Area 620 and obtains a group of actual orders with the order target = Annex 2 from the Actual Order Storage Area 630. As a result, the attack / abnormality detection unit 103 acquires “(command target = facility 2, command name = start process, command parameters = A = 80, B = 15, ..., arrival order = 1)” as the group of normal commands and acquires “(command target = facility 2, command name = start process, command parameters = A = 80, B = 15, ..., arrival order = 1)” as the group of actual commands. At this time, the Attack / Anomaly Detection Unit 103 compares the acquired group of normal orders with the group of actual orders. As a result of the comparison, all order targets, order names, order parameters, and arrival sequences match, and accordingly, the Attack / Anomaly Detection Unit 103 interprets the group of normal orders and the group of actual orders as having the same sequence of manufacturing orders, and determines the current status to be normal. Next, Fig. 7 is a diagram illustrating how an updated instruction storage area 710 is stored after receiving an additional manufacturing instruction from the actual factory 152 in a state of the example for the instruction storage area 610 illustrated in Fig. 6, as a special example for the instruction storage area 110 of the first embodiment of the present invention.
[66] In particular, the example for the instruction storage area 710 corresponds to a state in which the target-specific instruction extraction unit 102 receives an additional manufacturing instruction “(instruction target = Plant 1, instruction name = Start Process, instruction parameters = A = 0, B = 50, ..., arrival sequence = 3)” from the actual factory 152 and stores the additional manufacturing instruction in the actual instruction storage area 730 in the state of the example for the instruction storage area 610 illustrated in Fig. 6. Then, based on the additional manufacturing order mentioned above, the Attack / Anomaly Detection Unit 103 obtains a group of normal orders with the order target = Annex 1 from a Normal Order Storage Area 720 and obtains a group of actual orders with the order target = Annex 1 from the Actual Order Storage Area 730. As a result, the attack / abnormality detection unit 103 acquires “(command target = Plant 1, command name = start process, command parameter = A = 100, B = 20, ..., arrival order = 1), (command target = Plant 1, command name = end process, command parameter = C = 100, D = 0, ..., arrival order = 2) and (command target = Plant 1, command name = start process, command parameter = A = 150, B = 50, ..., arrival order = 3)” as the group of normal commands. Likewise, the attack / abnormality detection unit 103 obtains “(command target = Plant 1, command name = start process, command parameter = A = 100, B = 20, ..., arrival order = 1)”, (command target = Plant 1, command name = end process, command parameter = C = 100, D = 0, ..., arrival order = 2) and (command target = Plant 1, command name = start process, command parameter = A = 0, B = 50, ..., arrival order = 3))” as the group of actual commands. At this time, Attack / Anomaly Detection Unit 103 compares the acquired group of normal orders with the group of actual orders. As a result of the comparison, all order targets, order names, order parameters, and arrival sequences for the manufacturing orders match arrival sequences 1 and 2, but the order parameters for the manufacturing orders do not match arrival sequence 3. Accordingly, Attack / Anomaly Detection Unit 103 interprets this as the group of normal orders and the group of actual orders not having the same sequence of manufacturing orders and determines the current status as under attack or abnormal. In the first embodiment, a processing configuration is provided in which a manufacturing instruction, extracted by the target-specific instruction extraction unit 102, is stored in the normal instruction storage area 120 and the actual instruction storage area 130 of the instruction storage area 110, which is managed by the detection server 101. The group of normal instructions and the group of actual instructions are extracted with respect to the manufacturing instruction, which is additionally received by the attack / abnormality detection unit 103 from the actual factory 152, and the sequences of these groups of normal instructions and actual instructions are compared with each other in order to detect an attack / abnormality. Previously, it was assumed that the group of normal instructions and the group of actual instructions were managed based on a product ID, and it was difficult to handle a manufacturing instruction that did not have a product ID assigned to it. In contrast, with the processing configuration in the first embodiment, even if there is a manufacturing instruction that does not have a product ID assigned to it, it is possible to obtain a significant effect in detecting an attack / abnormality for a manufacturing instruction in the actual factory by using the manufacturing instruction's target, which is always assigned. Second embodiment In a second embodiment of the present invention, a description is given of a case of implementing a detection server that is capable of detecting an attack / abnormality of a manufacturing order with a specific target, which is filtered out by using additional information, for example a product ID, in addition to the target of the manufacturing order. Fig. 8 is a configuration diagram illustrating a detection server 801 in a second embodiment of the present invention. The detection server 801 corresponds to a specific example of the attack / abnormality detection device. In comparison with the detection server 101 from Fig. 1, the detection server 801 differs from the detection server 101 in that a product ID is further added to the data items stored by a normal command storage area 820 and an actual command storage area 830. The following description focuses primarily on this difference. The product ID is an example of information other than the command target that allows a target to be identified upon which a manufacturing order is applied. Accordingly, information other than the product ID can be used as additional information, provided that the information fulfills a condition that allows a target to be identified upon which the manufacturing order is applied. Fig. 9 is a flowchart illustrating a series of operations of an attack / abnormality detection processing to be performed by the detection server 801 in the second embodiment of the present invention. A description of the attack / abnormality detection processing to be performed by a target-specific command extraction unit 802 and an attack / abnormality detection unit 803 in the detection server 801 will now be given with reference to the flowchart illustrated in Fig. 9. In step S201, the Target Specific Command Extraction Unit 802 receives a manufacturing command from a factory simulator 851 or an actual factory 852. Next, in step S202, the target-specific instruction extraction unit 802 interprets the transmission source of the received manufacturing instruction. Then, if the transmission source of the manufacturing instruction is the actual factory 852, processing proceeds to step S203; or, if the transmission source of the manufacturing instruction is the factory simulator 851, the process to be identified proceeds to step S204. When processing proceeds to step S203, the target-specific instruction extraction unit 802 assigns the manufacturing instruction to a number in the manufacturing instruction target's arrival sequence and adds the instruction target, instruction name, instruction parameter, arrival sequence, and product ID to the actual instruction storage area 830. Processing then proceeds to step S205. Meanwhile, when processing proceeds to step S204, the Target Specific Instruction Extraction Unit 802 assigns the manufacturing instruction to a number of the manufacturing instruction target's arrival sequence and adds the instruction target, instruction name, instruction parameter, arrival sequence, and product ID to the Normal Instruction Storage Area 820. When processing moves from step S203 to step S205, the Attack / Anomaly Detection Unit 803 obtains a group of normal orders and a group of actual orders, which are a group of manufacture orders with the same objective as that of the manufacture order obtained from the actual factory 852 in the previous step S201, from the Normal Order Storage Area 820 and the Actual Order Storage Area 830. Next, in step S206, the Attack / Anomaly Detection Unit 803 compares the set of normal instructions with the set of actual instructions obtained in step S205. If the set of normal instructions and the set of actual instructions have the same sequence of manufacturing instructions, processing proceeds to step S207. Conversely, if the set of normal instructions and the set of actual instructions do not have the same sequence of manufacturing instructions, the Attack / Anomaly Detection Unit 803 determines the current status as under attack or abnormal, and processing proceeds to step S210. The phrase "have the same order of manufacturing orders" refers to the fact that the group of normal orders and the group of actual orders have the same order of arrival, the same order of arrival, and the same order of arrival. Even if there is a manufacturing order that exists in the arrival order of the group of normal orders but does not exist in the arrival order of the group of actual orders, the Attack / Anomaly Detection Unit 803 will determine the current status as normal at that time, if the group of normal orders and the group of actual orders have the same order of manufacturing orders. In contrast, if there is a manufacturing order that exists in the arrival order of the actual orders group but does not exist in the arrival order of the normal orders group, the Attack / Abnormality Detection Unit 803 determines the current status as under attack or abnormal, even if the normal orders group and the actual orders group have the same order of manufacturing orders. When processing proceeds to step S207, the Attack / Anomaly Detection Unit 803 obtains a group of normal instructions and a group of actual instructions, which are a group of manufacture instructions with the same product ID as that of the manufacture instruction obtained from the actual factory 852 in the previous step S201, from the normal instruction storage area 820 and the actual instruction storage area 830. Next, in step S208, the Attack / Anomaly Detection Unit 803 compares the group of normal instructions with the group of actual instructions obtained in step S207. If the group of normal instructions and the group of actual instructions have the same set of manufacturing instructions, the Attack / Anomaly Detection Unit 803 determines the current status as normal, and processing proceeds to step S209. Conversely, if the group of normal instructions and the group of actual instructions do not have the same set of manufacturing instructions, the Attack / Anomaly Detection Unit 803 determines the current status as under attack or abnormal, and processing proceeds to step S210. The phrase "have the same set of manufacturing instructions" refers to the fact that the group of normal instructions and the group of actual instructions have the same instruction target, the same instruction name, and the same instruction parameter for manufacturing instructions with the same product ID. Even if there is a manufacturing order that exists in the product ID of the normal orders group but does not exist in the product ID of the actual orders group, the Attack / Anomaly Detection Unit 803 determines the current status as normal at that time, if the normal orders group and the actual orders group have the same set of manufacturing orders. In contrast, if there is a manufacturing order that exists in the product ID of the actual orders group but does not exist in the product ID of the normal orders group, the attack / abnormality detection unit 803 determines the current status as under attack or abnormal, even if the normal orders group and the actual orders group have the same set of manufacturing orders. A specific description of an operational processing procedure for detecting an attack / abnormality in the second embodiment is now given by using examples of instruction storage areas from Fig. 10, Fig. 11 and Fig. 12. Fig. 10 is a diagram illustrating how an instruction storage area 1010 is stored, as a specific example for the instruction storage area 810 in the second embodiment of the present invention. First, a description of an example of operational processing for detecting an attack / abnormality for the instruction storage area 1010 illustrated in Fig. 10 is given. It is assumed that a normal instruction storage area 1020 stores a result of the target-specific instruction extraction unit 802, which interprets a manufacturing instruction transmitted by the factory simulator 851, extracts an instruction target 1021, an instruction name 1022, an instruction parameter 1023 and a product ID 1025, and assigns these data elements to an arrival sequence 1024. Meanwhile, it is assumed that an actual instruction storage area 1030 stores a result of the target-specific instruction extraction unit 802, which interprets a manufacturing instruction transmitted by the actual factory 852, extracts an instruction target 1031, an instruction name 1032, an instruction parameter 1033 and a product ID 1035, and assigns these data elements to an arrival sequence 1034. Now, a description of an operation is given based on an example of a normal state in which five manufacturing instructions are stored in the Normal Instruction memory area 1020 and three manufacturing instructions are stored in the Actual Instruction memory area 1030. Fig. 11 is a diagram illustrating how an updated instruction storage area 1110 is stored after receiving an additional manufacturing instruction from the actual factory 852 in a state of the example for the instruction storage area 1010 illustrated in Fig. 10, as a special example for the instruction storage area 1010 of the second embodiment of the present invention. In particular, the example for instruction storage area 1110 corresponds to a state in which the target-specific instruction extraction unit 802 receives an additional manufacturing instruction “(instruction target = Plant 1, instruction name = Finish Process, instruction parameters = C = 50, D = 0, ..., arrival sequence = 4, product ID = P002)” from the actual factory 852 and stores the additional manufacturing instruction in the actual instruction storage area 1130 in the state of the example for instruction storage area 1010 illustrated in Fig. 10. Then, based on the additional manufacturing order mentioned above, the Attack / Anomaly Detection Unit 803 obtains a group of normal orders with the order target = Annex 1 from a Normal Order Storage Area 1120 and obtains a group of actual orders with the order target = Annex 1 from the Actual Order Storage Area 1130. As a result, the Attack / Anomaly Detection Unit 803 acquires “(Command Target = Plant 1, Command Name = Start Process, Command Parameters = A = 100, B = 20, ..., Arrival Sequence = 1)”, (Command Target = Plant 1, Command Name = End Process, Command Parameters = C = 100, D = 0, ..., Arrival Sequence = 2), (Command Target = Plant 1, Command Name = Start Process, Command Parameters = A = 150, B = 50, ..., Arrival Sequence = 3)” (Command Target) Plant 1, Command Name = End Process, Command Parameters = C = 50, D = 0, ..., Arrival Sequence = 4)” as the group of normal commands. Likewise, the Attack / Anomaly Detection Unit 803 obtains “(Command Target = Plant 1, Command Name = Start Process, Command Parameters = A = 100, B = 20, ..., Arrival Sequence = 1)”, (Command Target = Plant 1, Command Name = End Process, Command Parameters = C = 100, D = 0, ..., Arrival Sequence = 2), (Command Target = Plant 1, Command Name = Start Process, Command Parameters = A = 150, B = 50, ..., Arrival Sequence = 3)” (Command Target) Plant 1, Command Name = End Process, Command Parameters = C = 50, D = 0, ..., Arrival Sequence = 4)” as the group of actual commands. At this time, the Assault / Anomaly Detection Unit 803 compares the acquired group of normal orders with the group of actual orders. As a result of the comparison, all order targets, order names, order parameters, and arrival sequences match, and accordingly, the Assault / Anomaly Detection Unit 803 interprets the group of normal orders and the group of actual orders as having the same sequence of manufacturing orders. Next, based on the additional manufacturing order mentioned above, the Attack / Anomaly Detection Unit 803 obtains the group of normal orders with product ID = P002 from the normal order storage area 1120 and obtains the group of actual orders with product ID = P002 from the actual order storage area 1130. As a result, the Attack / Anomaly Detection Unit 803 acquires “(Command Target = Plant 1, Command Name = Start Process, Command Parameters = A = 150, B = 50, ..., Arrival Order = 3)” and “(Command Target = Plant 1, Command Name = End Process, Command Parameters = C = 50, D = 0, ..., Arrival Order = 4)” as the group of normal commands. Likewise, the Attack / Anomaly Detection Unit 803 obtains “(Command Target = Plant 1, Command Name = Start Process, Command Parameters = A = 150, B = 50, ..., Arrival Sequence = 3)” and “(Command Target = Plant 1, Command Name = End Process, Command Parameters = C = 50, D = 0, ..., Arrival Sequence = 4)” as the group of actual commands. At this time, the Attack / Anomaly Detection Unit 803 compares the acquired set of normal orders with the set of actual orders. As a result of the comparison, all order targets, order names, and order parameters match, and accordingly, the Attack / Anomaly Detection Unit 803 interprets the sets of manufacturing orders as being consistent. Next, Fig. 12 is a diagram illustrating how an updated instruction storage area 1210 is stored after receiving the additional manufacturing instruction from the actual factory 852 in a state of the example for the instruction storage area 1110 illustrated in Fig. 11, as a special example for the instruction storage area 1010 of the second embodiment of the present invention. In particular, the example for instruction storage area 1210 corresponds to a state in which the target-specific instruction extraction unit 802 receives an additional manufacturing instruction “(instruction target = Plant 2, instruction name = Start Process, instruction parameters = A = 80, B = 15, ..., arrival sequence = 1, product ID = P102)” from the actual factory 852 and stores the additional manufacturing instruction in an actual instruction storage area 1230 in the state of the example for instruction storage area 1110 illustrated in Fig. 11. Then, based on the aforementioned additional manufacturing order, the Attack / Anomaly Detection Unit 803 obtains a group of normal orders with the order target = Annex 2 from a Normal Order Storage Area 1220 and obtains a group of actual orders with the order target = Annex 2 from the Actual Order Storage Area 1230. As a result, the attack / abnormality detection unit 803 “(command target = facility 2, command name = start process, command parameters = A = 80, B = 15, ..., arrival order = 3)” is recognized as the group of normal commands. Likewise, the attack / abnormality detection unit 803 “(command target = facility 2, command name = start process, command parameters = A = 80, B = 15, ..., arrival order = 1)” is obtained as the group of actual commands. At this time, the Assault / Anomaly Detection Unit 803 compares the acquired set of normal orders with the set of actual orders. As a result of this comparison, all order targets, order names, order parameters, and arrival sequences match, and accordingly, the Assault / Anomaly Detection Unit 803 interprets this as indicating that the sequences of manufacturing orders are consistent. Next, based on the additional manufacturing order mentioned above, the Attack / Anomaly Detection Unit 803 obtains the group of normal orders with product ID = P102 from a normal order storage area 1120 and obtains the group of actual orders with product ID = P102 from the actual order storage area 1130. As a result, Attack / Anomaly Detection Unit 803 acquires an "empty set" as the group of normal instructions. Likewise, Attack / Anomaly Detection Unit 803 acquires "(Command Target = Plant 2, Command Name = Start Process, Command Parameters = A = 80, B = 15, ..., Arrival Order = 1, Product ID = P102)" as the group of actual instructions. At this time, the Attack / Abnormality Detection Unit 803 compares the acquired set of normal orders with the set of actual orders. As a result of this comparison, the set of normal orders to be compared with the set of actual orders is an empty set, and accordingly, the Attack / Abnormality Detection Unit 803 interprets this as a mismatch between the sets of manufacturing orders and determines the current status as under attack or abnormal. In this way, in the second embodiment, it is possible to obtain a significant effect of being able to detect an attack / abnormality for a specific manufacturing order in the actual factory by using a product ID in addition to the target of the manufacturing order, even if the target of a specific manufacturing order is filtered out. Third embodiment In a third embodiment of the present invention, a description is given of a case of implementing a detection server that is capable of detecting an attack / abnormality of a manufacturing order with a specific target and a specific product ID, which is filtered out if additional information, for example a product ID, is used in addition to the target of the manufacturing order. Fig. 13 is a configuration diagram illustrating a detection server 1301 in a third embodiment of the present invention. The detection server 1301 corresponds to a specific example of the attack / abnormality detection device. In comparison to the detection server 101 from Fig. 1, the detection server 1301 differs from the detection server 101 in that the detection server 1301 further includes a timing unit 1304 and adds a product ID, a predicted time of arrival, an actual time of arrival, and a cumulative time to the data items stored by a normal command storage area 1320 and an actual command storage area 1330. Accordingly, the following description is given focusing primarily on this difference. Fig. 14 is a flowchart illustrating a series of operations of an attack / abnormality detection processing to be performed by the detection server 1301 in the third embodiment of the present invention. A description of the attack / abnormality detection processing to be performed by a target-specific command extraction unit 1302 and an attack / abnormality detection unit 1303 in the detection server 1301 will now be given with reference to the flowchart illustrated in Fig. 14. In step S301, the target-specific instruction extraction unit 1302 is started by the timing unit 1304. Then, for each instruction target, the target-specific instruction extraction unit 1302 extracts a manufacturing instruction with the lowest arrival sequence among the manufacturing instructions with an empty arrival time (1327) from the normal instruction storage area (1320) and stores the manufacturing instruction as a list of actual instructions due to arrive next. Next, in step S302, the Target-Specific Instruction Extraction Unit 1302 checks whether a manufacturing instruction exists in the list of actual instructions due to arrive next. If a manufacturing instruction exists, the Target-Specific Instruction Extraction Unit 1302 extracts one from the list, and processing proceeds to step S303. Conversely, if no manufacturing instruction exists in the list of actual instructions due to arrive next, the Target-Specific Instruction Extraction Unit 1302 terminates the sequence of processing steps. When processing moves to step S303, the target-specific instruction extraction unit 1302 adds a difference between a previously started time and a current time to the cumulative time of the manufacturing instruction being extracted in step S302. If there is a manufacturing order with the same order target and arrival sequence in the actual order storage area 1330, the target-specific order extraction unit 1302 further updates the arrival time with the cumulative time and updates the arrival time 1327 and a cumulative time 1328 of this manufacturing order from the normal order storage area 1320. Next, in step S304, an attack / abnormality detection unit 1303 checks whether the cumulative time of the manufacturing order exceeds the predicted arrival time. If the cumulative time of the manufacturing order does not exceed the predicted arrival time, the attack / abnormality detection unit 1303 determines the current status as normal, and processing proceeds to step S305. In contrast, if the cumulative time of the manufacturing order exceeds the predicted arrival time, the Attack / Anomaly Detection Unit 1303 determines the current status as under attack or abnormal, and processing proceeds to step S306. Thereafter, processing proceeds to step S307 based on any of the determination results. When processing moves to step S307, the target-specific instruction extraction unit 1302 deletes a manufacturing instruction that was a processing target from the list of actual instructions due to arrive next. Processing then returns to step S302 and repeats a series of processing steps for the next processing target instruction. A specific description of an operational processing procedure for detecting an attack / abnormality in the third embodiment is given by using examples of instruction storage areas from Fig. 15 and Fig. 16.0082 Fig. 15 is a diagram illustrating how an instruction storage area 1510 is stored, as a specific example for the instruction storage area 1310 in the third embodiment of the present invention. First, a description of an example of operational processing for detecting an attack / abnormality for the instruction storage area 1510 illustrated in Fig. 15 is given. It is assumed that a normal instruction storage area 1520 stores a result of the target-specific instruction extraction unit 1302, which interprets a manufacturing instruction transmitted by a factory simulator 1351, extracts an instruction target 1521, an instruction name 1522, an instruction parameter 1523, a product ID 1525 and a predicted arrival time 1526, and assigns these data elements to an arrival sequence 1524. Meanwhile, it is assumed that an actual instruction storage area 1530 stores a result of the target-specific instruction extraction unit 1302, which interprets a manufacturing instruction transmitted by an actual factory 1352, extracts an instruction target 1531, an instruction name 1532, an instruction parameter 1533 and a product ID 1535, and assigns these data elements to an arrival sequence 1534. Now, a description of an operation is given based on an example of a normal state in which three manufacturing instructions are stored in the Normal Instruction storage area 1520 and one manufacturing instruction is stored in an Actual Instruction storage area 1530. Fig. 16 is a diagram illustrating how an updated instruction storage area 1610 is stored after receiving an additional manufacturing instruction from the actual factory 1352 in a state of the example for the instruction storage area 1510 illustrated in Fig. 15, as a special example for the instruction storage area 1310 of the third embodiment of the present invention. In particular, the example for instruction storage area 1610 corresponds to a state in which the target-specific instruction extraction unit 1302 receives an additional manufacturing instruction “(instruction target = Plant 1, instruction name = Finish Process, instruction parameters = C = 100, D = 0, ..., arrival sequence = 2, product ID = P001)” from the actual factory 1352 and stores the additional manufacturing instruction in an actual instruction storage area 1630 in the state of the example for instruction storage area 1510 illustrated in Fig. 15. If the timer unit 1304 requests the target-specific command extraction unit 1302 to start processing the detection of an attack / anomaly related to exceeding a time limit, in this case the target-specific command extraction unit 1302 obtains "(command target = Annex 1, command name = Terminate Process, command parameters = C = 100, D = 0, ..., arrival sequence = 2, product ID = P001, predicted arrival time = 120, arrival time = (empty), cumulative time = 10), (command target = Annex 2, command name = Start Process, command parameters = A = 150, B = 50, ..., arrival sequence = 1, product ID = P002, predicted arrival time = 150, arrival time = (empty), cumulative time = 100)" from the normal command storage area 1620. If the time difference between the last start of the timing unit 1304 and the current time is 90, the target-specific command extraction unit 1302 obtains, as a result of an update of the arrival time and cumulative time, “(command target = Plant 1, command name = End Process, command parameters = C = 100, D = 0, ..., arrival sequence = 2, product ID = P001, predicted arrival time = 120, arrival time = 100, cumulative time = 100), (command target = Plant 2, command name = Start Process, command parameters = A = 150, B = 50, ..., arrival sequence = 1, product ID = P002, predicted arrival time = 150, arrival time = (empty), cumulative time = 190)”. At this time, the cumulative time exceeds the predicted arrival time for "(command target = Plant 2, command name = Start Process, command parameters = A = 150, B = 50, ..., arrival sequence = 1, product ID = P002, predicted arrival time = 150, arrival time = (blank), cumulative time = 190)." Accordingly, the Attack / Anomaly Detection Unit 1303 determines the current status as under attack or abnormal. In this way, the third embodiment makes it possible to obtain a significant effect of being able to detect an attack / abnormality based on a difference between the predicted arrival time and the cumulative time by using the predicted arrival time, the arrival time, and the cumulative time of a specific manufacturing instruction, even when the manufacturing instruction target and the product ID are filtered out. Reference numeral list
[139] 101 Detection server, 102 Target-specific instruction extraction unit, 103 Attack / abnormality detection unit, 110 Instruction storage area, 120 Normal instruction storage area, 130 Actual instruction storage area, 151 Factory simulator, 152 Actual factory, 301 Computing device, 302 External storage device, 303 Main memory device, 304 Communication device, 305 Bus.
Claims
Attack / abnormality detection device (101, 801, 1301) configured to detect an attack or abnormality contained in a manufacturing order in an actual factory, the attack / abnormality detection device comprising: a storage unit (110, 510, 610, 710, 810, 1010, 1210, 1310, 1510, 1610); an order extraction unit (102, 802, 1302);and a detection unit (103, 803, 1303), wherein the storage unit includes a normal order storage area (120, 520, 620, 720, 820, 1020, 1120, 1220, 1320, 1520, 1620) that stores a set of normal manufacturing orders, and an actual order storage area (130, 530, 630, 730, 830, 1030, 1130, 1230, 1330, 1530, 1630) that stores a set of actual manufacturing orders transmitted from the actual factory, wherein the order extraction unit is configured to: receive an actual manufacturing order containing an order target, an order name, and an order parameter from the actual factory;Assigning an actual manufacturing instruction that has the same instruction target to an arrival sequence number in the order in which the actual manufacturing instruction was received, and storing the actual manufacturing instruction in the actual instruction storage area as an element of the set of actual manufacturing instructions; extracting, when the actual manufacturing instruction has just been received, elements that have the same instruction target as an instruction target contained in the actual manufacturing instruction just received, as a group of normal instructions from the set of normal manufacturing instructions stored in the normal instruction storage area as a configuration that includes an instruction target, an instruction name, an instruction parameter, and an arrival sequence;and extracting elements that have the same instruction target as the instruction target contained in the actual manufacturing instruction just received, as a group of actual instructions from the set of actual manufacturing instructions stored in the actual instruction storage area, wherein the detection unit is configured to perform an initial detection processing of comparing the group of normal instructions and the group of actual instructions extracted by the instruction extraction unit with each other for each arrival sequence in order to detect the attack or abnormality. Attack / abnormality detection device according to claim 1, wherein the command extraction unit is configured to: receive, as a result of a simulation by a factory simulator, a normal manufacturing order with the same command target, command name, and command parameters as a command target, command name, and command parameters of an actual manufacturing order transmitted by the actual factory when an operation of the actual factory is normal; and assign a normal manufacturing order having the same command target to an arrival sequence number in the order of receipt of the normal manufacturing order and store the normal manufacturing order in the normal command storage area as an element of the set of normal manufacturing orders. Attack / abnormality detection device according to claim 1 or 2, wherein both the actual manufacturing instruction and the normal manufacturing instruction received by the instruction extraction unit contain identification information for identifying a target to which a manufacturing instruction is to be applied, in addition to the instruction target, wherein the instruction extraction unit is configured to: extract, when the actual manufacturing instruction just received is temporarily determined to be normal as a result of an execution of the first detection processing by the detection unit and the actual manufacturing instruction is just being received, elements with the same identification information as the identification information contained in the actual manufacturing instruction just received, as a second group of normal instructions from the set of normal manufacturing instructions,which are stored in the normal instruction storage area as a configuration that includes an instruction target, an instruction name, an instruction parameter, an arrival order, and identification information; and extracting elements that have the same identification information as the identification information contained in the actual manufacturing instruction just received, as a second set of actual instructions from the set of actual manufacturing instructions stored in the actual instruction storage area as a configuration that includes an instruction target, an instruction name, an instruction parameter, an arrival order, and identification information, wherein the detection unit is configured to: perform a second detection processing of comparing the second set of normal instructions and the second set of actual instructions,which were extracted by the order extraction unit; and finally, determine that the actual manufacturing order just received is normal if the second set of actual orders matches the second set of normal orders or is a subset thereof. Attack / abnormality detection device according to any one of claims 1 to 3, further comprising a timing unit (1304) configured to measure an arrival time for an actual manufacturing order due to arrive next, wherein the normal manufacturing order received by the order extraction unit includes a predicted arrival time, wherein the order extraction unit is configured to extract a normal order corresponding to the actual manufacturing order due to arrive next from the set of normal manufacturing orders stored in the normal order storage area, together with a corresponding predicted arrival time, and wherein the detection unit is configured to detect that a reception error of an actual normal order has occurred when the reception of the actual manufacturing order due to arrive next has failed.even if the corresponding predicted arrival time was exceeded. Attack / abnormality detection program for causing a computer to function as the command extraction unit and the detection unit contained in the attack / abnormality detection device according to any one of claims 1 to 4. Attack / abnormality detection method to be performed by an attack / abnormality detection device configured to detect an attack or abnormality contained in a manufacturing order in an actual factory, wherein the attack / abnormality detection method comprises: a first step of receiving from the actual factory an actual manufacturing order containing an order target, an order name, and an order parameter; a second step of assigning an actual manufacturing order having the same order target to an arrival sequence number in the order of receiving the actual manufacturing order and storing the actual manufacturing order in an actual order storage area as one element of a set of actual manufacturing orders;a third step of pre-storing a normal set of manufacturing instructions into a normal instruction storage area as a configuration that includes an instruction target, an instruction name, an instruction parameter, and an arrival order; a fourth step of extracting, when the actual manufacturing instruction has just been received, elements that have the same instruction target as an instruction target contained in the actual manufacturing instruction just received, as a group of normal instructions from the set of normal manufacturing instructions stored in the normal instruction storage area in the third step;a fifth step of extracting elements that have the same instruction target as the instruction target contained in the actual manufacturing instruction just received, as a group of actual instructions from the set of actual manufacturing instructions stored in the actual instruction memory area; and a sixth step of performing an initial detection processing of comparing the group of normal instructions extracted in the fourth step and the group of actual instructions extracted in the fifth step with each other for each arrival sequence, in order to detect the attack or abnormality. Attack / abnormality detection method according to claim 6, wherein each normal manufacturing instruction stored in the normal instruction storage area as the set of normal manufacturing instructions in the third step further includes a predicted time of arrival, and wherein the attack / abnormality detection method further comprises: a seventh step of extracting a normal instruction corresponding to an actual manufacturing instruction due to arrive next from the set of normal manufacturing instructions stored in the normal instruction storage area in the third step, together with a corresponding predicted time of arrival; and an eighth step of detecting that a reception error of an actual normal instruction has occurred if the reception of the actual manufacturing instruction due to arrive next has failed, even if the corresponding predicted time of arrival has been exceeded.