Abstract
To address the security weaknesses in the design of the Modbus TCP protocol, this paper proposes a secure Modbus protocol (Modbus-E) based on cryptographic principles. It uses symmetric keys and digital signatures to provide data confidentiality and authentication, uses the synchronization principle and the one-way property of hash functions to guarantee the uniqueness of data, and uses a "whitelist" method to guarantee the controllability of instructions, achieving secure communication without adding steps to the communication process. Experimental verification and analysis show that Modbus-E prevents authentication attacks against instructions, man-in-the-middle attacks and replay attacks. Compared with existing methods, it offers higher security and can comprehensively improve the security of Modbus TCP communication.
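The following sketch is an added example, not code from the paper, showing how a synchronized one-way hash state can make each frame unique (so a replayed frame is rejected) and how a function-code whitelist is applied on the receiving side. The names `SyncState`, `send`, `receive`, the seed and the whitelist contents are assumptions; an HMAC stands in for the paper's digital signature, and encryption is omitted.

```python
import hashlib
import hmac

# Assumed policy (constructed): only read-type function codes are permitted.
ALLOWED_FUNCTION_CODES = {0x03, 0x04}  # Read Holding / Read Input Registers
TAG_LEN = 32  # SHA-256 output size


class SyncState:
    """Secret state both endpoints advance in lockstep (hypothetical design)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(seed).digest()

    def tag(self, pdu: bytes) -> bytes:
        # Bind the PDU to the current state; the tag is valid for this step only.
        return hmac.new(self.state, pdu, hashlib.sha256).digest()

    def advance(self) -> None:
        # One-way step: earlier states cannot be derived from the new one.
        self.state = hashlib.sha256(self.state).digest()


def send(sender: SyncState, pdu: bytes) -> bytes:
    frame = pdu + sender.tag(pdu)
    sender.advance()
    return frame


def receive(receiver: SyncState, frame: bytes) -> str:
    if len(frame) <= TAG_LEN:
        return "reject: malformed"
    pdu, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, receiver.tag(pdu)):
        return "reject: stale or forged tag"
    # Advance once the frame is authenticated, before the policy check,
    # so a whitelist rejection does not desynchronise the two sides.
    receiver.advance()
    if pdu[0] not in ALLOWED_FUNCTION_CODES:  # first PDU byte = function code
        return "reject: function code not whitelisted"
    return "accept"


def demo() -> list:
    master, slave = SyncState(b"constructed-seed"), SyncState(b"constructed-seed")
    read = bytes([0x03, 0x00, 0x00, 0x00, 0x02])   # read 2 holding registers
    write = bytes([0x06, 0x00, 0x01, 0x00, 0xFF])  # write single register
    first = send(master, read)
    results = [receive(slave, first), receive(slave, first)]  # 2nd is a replay
    results.append(receive(slave, send(master, write)))
    results.append(receive(slave, send(master, read)))
    return results
```

In this sketch a frame lost in transit leaves the two states out of step, so a deployed design would also need a resynchronization procedure.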