
Research On Security Technology Of Industrial Control Network For Digital Workshop

Posted on: 2020-01-22    Degree: Doctor    Type: Dissertation
Country: China    Candidate: N Jiang    Full Text: PDF
GTID: 1362330596471763    Subject: Computer application technology
Abstract/Summary:
The development of the manufacturing industry requires industrial Ethernet technology, which promotes the integration of the industrial control network with the information network. Numerical Controls are connected to the industrial control network to exchange communication data. Network integration brings a security issue: communication data in the industrial control network becomes more vulnerable to leaks, tampering and denial of service. The industrial control network for the digital workshop sits at the point of network integration, so its security is very important. Numerical Controls are integrated on the industrial control network for the digital workshop. Compared with the equipment of an information system, the computing and storage resources of Numerical Controls are limited, and the security requirements of their communication data have their own special characteristics; the security mechanism must therefore focus on resource cost and time cost. Aiming at the security issue of the industrial control network for the digital workshop, a defense-in-depth architecture model for the digital workshop is proposed on the basis of the security requirements of communication data. Within this model, security mechanisms and technologies for availability, integrity and confidentiality are studied respectively from the viewpoint of security prevention. Research on the defense-in-depth architecture model of the industrial control network for the digital workshop builds a solid foundation for the information security of industrial control networks. The main research achievements of this dissertation are summarized as follows:

1. A defense-in-depth architecture model of the industrial control network for the digital workshop, namely the WN-DID architecture model, is proposed. Aiming at the security issues of the industrial control network, prevention defense technology is adopted. The difficult point of prevention defense is the effectiveness of perimeter defense. In the WN-DID architecture model, the industrial control network is divided into several security zones, including an enterprise zone and a manufacturing zone, the latter containing a subzone called the control zone. Perimeter defense is carried out at the boundaries of the different security zones according to the basic principle of defense in depth, and perimeter defense devices such as industrial firewalls are deployed between security zones. The WN-DID architecture model forms a foundation framework for communication data security in the industrial control network and solves the difficult point of perimeter defense effectiveness. Defense in depth is designed and implemented in the industrial control network for the digital workshop through the WN-DID architecture model.

2. Aiming at communication data availability in the WN-DID architecture model, an access mechanism for server data based on an industrial demilitarized zone is proposed, comprising the IFW-IDMZ mechanism and the IFW-IDMZ-like mechanism. In the WN-DID architecture model, the industrial firewall between the enterprise zone and the manufacturing zone prevents the enterprise zone from accessing server data in the manufacturing zone. The difficult point is to let the enterprise zone access that server data without reducing the security of the manufacturing zone. In the IFW-IDMZ mechanism, an industrial demilitarized zone in the industrial firewall allows data resources to be shared between the enterprise network and the industrial network without a direct connection. To enhance the cyber security of servers such as the data historian server in the industrial demilitarized zone, paired firewalls are applied as a variation on the single firewall: the IFW-IDMZ-like mechanism, in which an industrial demilitarized-like zone is placed between the paired firewalls, is proposed. To avoid a single point of failure, the IFW-IDMZ-like mechanism deploys a standby firewall. Both mechanisms resolve the difficult point of providing data availability together with data security for the manufacturing zone. The performance of the industrial demilitarized zone is simulated and analysed with the Riverbed Modeler simulation program in terms of its main factors, namely delay, throughput, server load and server response time. The access mechanism for server data based on the industrial demilitarized zone achieves both data availability and data security.

3. Aiming at communication data integrity in the WN-DID architecture model, a lightweight digital signature mechanism based on NTRU is proposed, comprising the NTRU-SHA mechanism and the NTRU-SHA-T mechanism. Communication data integrity covers message authentication and entity authentication, and combining the two is the integrity issue to be solved; the difficult point is that authentication technology demands low delay. In the NTRU-SHA mechanism, message authentication codes are used for message authentication; they are based on the Secure Hash Algorithm because of its security performance. Digital signature technology is used for entity authentication: the lightweight asymmetric cipher NTRU signs the message authentication code. To improve the efficiency of the digital signature, the NTRU-SHA-T mechanism with truncated message authentication codes is proposed. The lightweight digital signature mechanism based on NTRU implements both message authentication and entity authentication, and its low time consumption ensures performance along with communication data integrity in the industrial control network for the digital workshop.

4. Aiming at communication data confidentiality in the WN-DID architecture model, an end-to-end lightweight hybrid cipher mechanism based on NTRU is proposed, comprising the NTRU-AES mechanism and the NTRU-RC4 mechanism. In consideration of the security risk and key management of symmetric and asymmetric ciphers, an asymmetric cipher is used for communication data confidentiality in the industrial control network for the digital workshop; but the encryption and decryption speed of an asymmetric cipher is lower than that of a symmetric cipher, and a mechanism with high encryption and decryption speed and low security risk is the difficult point. The NTRU-AES mechanism, an end-to-end lightweight hybrid cipher mechanism based on NTRU, is proposed, combining the advantages of symmetric and asymmetric ciphers. In the NTRU-AES mechanism for aperiodic data, the symmetric cipher AES protects the communication data and the lightweight asymmetric cipher NTRU protects the session key. To improve the efficiency of processing periodic data, the NTRU-RC4 mechanism is proposed, in which the block cipher AES is replaced by the stream cipher RC4. The end-to-end lightweight hybrid cipher mechanism improves encryption and decryption speed and enhances the security of the session key; its low time consumption ensures performance along with communication data confidentiality in the industrial control network for the digital workshop.
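The layering of item 3 (a hash-based message authentication code for message authentication, then an asymmetric signature over that code for entity authentication, with a truncated-tag variant), shown as an added Go example that is not from the dissertation. Go's standard library has no NTRU, so Ed25519 stands in for the NTRU signature; HMAC-SHA256 is assumed for the "message authentication code based on the Secure Hash Algorithm"; the 16-byte truncation for NTRU-SHA-T and the MinTagLen floor are assumptions; the shared key and the G-code command are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// MinTagLen is the shortest truncated tag the receiver accepts. The abstract does not
// state NTRU-SHA-T's truncation length; 8 bytes is an assumption chosen so that a peer
// cannot shrink the tag to nothing.
const MinTagLen = 8

// AuthenticatedFrame layers the two services the abstract describes: an HMAC-SHA256
// tag over the payload (message authentication) and a signature over that tag
// (entity authentication). Ed25519 stands in for the NTRU signature.
type AuthenticatedFrame struct {
	Payload []byte
	Tag     []byte // full 32-byte tag (NTRU-SHA) or truncated tag (NTRU-SHA-T)
	Sig     []byte // signature over Tag
}

// GenerateSenderKeys creates the sender's signing key pair from crypto/rand.
func GenerateSenderKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Protect builds a frame. macKey is shared with the receiver; tagLen is sha256.Size
// for NTRU-SHA or a shorter value for NTRU-SHA-T.
func Protect(payload, macKey []byte, signKey ed25519.PrivateKey, tagLen int) (AuthenticatedFrame, error) {
	if tagLen < MinTagLen || tagLen > sha256.Size {
		return AuthenticatedFrame{}, errors.New("tag length out of range")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(payload)
	tag := mac.Sum(nil)[:tagLen]
	// The signature covers only the tag, which already commits to the payload, so the
	// expensive asymmetric step runs over at most 32 bytes regardless of message size.
	sig := ed25519.Sign(signKey, tag)
	return AuthenticatedFrame{Payload: payload, Tag: tag, Sig: sig}, nil
}

// Verify checks the signature (who sent it) and then recomputes the MAC (was it altered).
func Verify(f AuthenticatedFrame, macKey []byte, signPub ed25519.PublicKey) error {
	// Enforce the tag-length floor here too: the length arrives from the network.
	if len(f.Tag) < MinTagLen || len(f.Tag) > sha256.Size {
		return errors.New("tag length out of range")
	}
	if !ed25519.Verify(signPub, f.Tag, f.Sig) {
		return errors.New("entity authentication failed: bad signature")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(f.Payload)
	expected := mac.Sum(nil)[:len(f.Tag)]
	if subtle.ConstantTimeCompare(expected, f.Tag) != 1 {
		return errors.New("message authentication failed: MAC mismatch")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateSenderKeys()
	if err != nil {
		panic(err)
	}
	macKey := []byte("constructed-shared-mac-key") // constructed sample key
	cmd := []byte("G01 X120.0 Y45.5 F800")         // constructed sample G-code command

	full, _ := Protect(cmd, macKey, priv, sha256.Size) // NTRU-SHA: full tag
	short, _ := Protect(cmd, macKey, priv, 16)         // NTRU-SHA-T: truncated tag
	fmt.Println("full tag", len(full.Tag), "bytes, verify:", Verify(full, macKey, pub))
	fmt.Println("truncated tag", len(short.Tag), "bytes, verify:", Verify(short, macKey, pub))

	tampered := short
	tampered.Payload = []byte("G01 X999.0 Y45.5 F800")
	fmt.Println("tampered payload:", Verify(tampered, macKey, pub))
}
```

Signing the tag rather than the whole message keeps the asymmetric operation to a fixed, small input, which is where the low-delay gain of the scheme comes from. The price of truncation is that a t-byte tag gives a forged frame a 2^-8t chance of passing the MAC check, so the receiver should enforce its own floor on accepted tag length, as Verify does, rather than trusting whatever length arrives.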
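The hybrid scheme of item 4, as an added Go example that is not part of the dissertation: a per-session symmetric key is wrapped under the receiver's public key, aperiodic messages are protected with AES and periodic frames with an RC4 keystream. RSA-OAEP stands in for the NTRU protection of the session key (Go's standard library has no NTRU), AES-GCM is assumed because the abstract does not name a mode, and the part program and status frame are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SessionKeySize is 16 bytes, valid for both AES-128 and RC4.
const SessionKeySize = 16

// GenerateReceiverKey makes the Numerical Control's long-term key pair; RSA-OAEP
// stands in for NTRU, which Go's standard library does not provide.
func GenerateReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapSessionKey draws a fresh session key and encrypts it under the receiver's
// public key: the slow asymmetric step runs once per session, not per message.
func WrapSessionKey(receiverPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, SessionKeySize)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	return key, wrapped, err
}

// UnwrapSessionKey recovers the session key with the receiver's private key.
func UnwrapSessionKey(receiverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAperiodic protects one aperiodic message (NTRU-AES). GCM is assumed, so each
// message also carries an integrity tag; the random nonce is prepended.
func SealAperiodic(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAperiodic reverses SealAperiodic and rejects modified or truncated ciphertext.
func OpenAperiodic(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// PeriodicStream is the NTRU-RC4 side: one running RC4 keystream per session and
// direction. Sender and receiver must process frames in the same order; restarting
// the keystream per frame would reuse keystream bytes and leak plaintext XORs.
type PeriodicStream struct{ c *rc4.Cipher }

func NewPeriodicStream(key []byte) (*PeriodicStream, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &PeriodicStream{c: c}, nil
}

// Next encrypts (or, on the receiving side, decrypts) the next frame in sequence.
func (s *PeriodicStream) Next(frame []byte) []byte {
	out := make([]byte, len(frame))
	s.c.XORKeyStream(out, frame)
	return out
}

func main() {
	priv, _ := GenerateReceiverKey()
	key, wrapped, _ := WrapSessionKey(&priv.PublicKey)
	recovered, _ := UnwrapSessionKey(priv, wrapped)
	sealed, _ := SealAperiodic(key, []byte("O1000 G21 G90 G01 X10 M30")) // constructed sample
	pt, err := OpenAperiodic(key, sealed)
	tx, _ := NewPeriodicStream(key)
	rx, _ := NewPeriodicStream(key)
	frame := rx.Next(tx.Next([]byte("SPINDLE=1200"))) // constructed status frame
	fmt.Printf("unwrap ok=%v aperiodic=%q err=%v periodic=%q\n", string(recovered) == string(key), pt, err, frame)
}
```

The stream-cipher half is where the confidentiality guarantee is most fragile: a keystream position must never be reused, which is why PeriodicStream keeps one running RC4 state per session and direction instead of re-keying per frame, and RC4 itself is deprecated in Go's crypto/rc4 because of known keystream biases. A current deployment of the same design would substitute AES-CTR or ChaCha20 for the periodic-data cipher while keeping the key-wrapping step unchanged.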
Keywords/Search Tags: Digital workshop, Industrial control network, Defense-in-depth architecture model, Industrial demilitarized zone, Lightweight cipher NTRU