CN110609533A - Safety architecture of SCADA data acquisition system - Google Patents
- Publication number: CN110609533A (application number CN201911052381.7A)
- Authority: CN (China)
- Prior art keywords: intelligent gateway, SCADA, port, lower computer, data acquisition
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/418—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
- G05B19/4183—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by data acquisition, e.g. workpiece identification
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/30—Nc systems
- G05B2219/32—Operator till task planning
- G05B2219/32404—Scada supervisory control and data acquisition
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Manufacturing & Machinery (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention discloses a security architecture for a SCADA data acquisition system. It comprises a SCADA server, an intelligent gateway and one or more lower computers (field controllers). The SCADA server is connected to the WAN port of the intelligent gateway; the lower computers are connected to the gateway's LAN port and serial port. The network on the WAN port is not connected to the networks on the LAN port or the serial port. Data collected by the lower computers is uploaded through the LAN port and the serial port into an address table inside the gateway, and the gateway then forwards the contents of that table to the SCADA server through the WAN port. The architecture is simple in structure: because the data path runs only through the gateway's address table and the SCADA server has no route to the lower computers, malware that infects the SCADA server after an attack cannot spread to the lower computers. The lower computers are thereby protected, equipment faults and production upsets caused by malware on the controllers are avoided, production continues normally, accidents are avoided, and production safety is improved.
Description
Technical Field
The invention relates to the technical field of data acquisition and control, in particular to a security architecture for a SCADA data acquisition system.
Background
A conventional SCADA (Supervisory Control And Data Acquisition) system is built around a data acquisition machine, a computer with two (or more) network cards. Taking the dual-NIC case as an example: one NIC sits in the same network segment as the PLC system's IP addresses and performs the data acquisition, and the other NIC, in a second segment, communicates with the SCADA server, mostly over OPC DA. To let staff check plant-wide process parameters and equipment status in real time, the SCADA server publishes its real-time monitoring screens to the Internet, so the SCADA system can be reached from the Internet. The data acquisition machine talks to the SCADA server over OPC DA, which is built on the Distributed Component Object Model (DCOM) and uses dynamically assigned ports, so an attacker on the external network can readily attack the SCADA server through system vulnerabilities and port scanning. Because the SCADA server can reach equipment such as the PLCs by way of the data acquisition machine, once the SCADA server is infected (by an attack from the external network, an inserted USB flash drive, or similar), the PLCs and the upper computer can be attacked directly through the data acquisition machine, causing injury to personnel, damage to equipment, or a plant shutdown.
Disclosure of Invention
The invention aims to solve the technical problem above by improving on the prior art: it provides a security architecture for a SCADA data acquisition system that addresses the poor security of prior-art SCADA data acquisition architectures, in which an attack readily leads to personnel injury, equipment damage or a factory shutdown.
In order to solve the technical problems, the technical scheme of the invention is as follows:
A security architecture for a SCADA data acquisition system comprises a SCADA server, an intelligent gateway and a lower computer. The SCADA server is connected to the WAN port of the intelligent gateway and the lower computer is connected to the LAN port of the intelligent gateway; the networks on the gateway's WAN port and LAN port are isolated from each other. Data collected by the lower computer is uploaded through the LAN port into the gateway's address table, and the gateway then forwards it to the SCADA server through the WAN port. The architecture uses the intelligent gateway for data acquisition: data from the lower computer is first stored in the gateway's address table and only then forwarded to the SCADA server through the WAN port. Because the WAN-port and LAN-port networks are not connected, the SCADA server cannot reach the lower computer, so even if the SCADA server is attacked and infected, malware cannot spread to the lower computer. The lower computer is thereby protected, equipment faults and production upsets caused by malware on the lower computer are avoided, normal production continues, accidents are avoided and production safety is improved.
Furthermore, the intelligent gateway forwards data to the SCADA server through the WAN port using the OPC UA communication protocol. OPC UA does not depend on DCOM but is based on a service-oriented architecture (SOA), which makes it simpler to deploy, and it consolidates the existing OPC specifications (DA, A&E, HDA, Commands, Complex Data and Object Types) into the unified OPC UA specification. OPC UA provides a consistent, complete address space and service model, and its specification defines a standard security model that every OPC UA application must implement; this reduces maintenance and extra configuration costs while improving interoperability. The underlying transport between OPC UA applications provides encryption and message signing, which protect message integrity and prevent leakage of information. These guarantees apply only when the endpoint is configured with a security policy other than None and the message security mode SignAndEncrypt; an endpoint left at SecurityPolicy None offers no protection.
Furthermore, the intelligent gateway forwards data to the SCADA server on a customizable fixed port of the OPC UA protocol. Because the port is fixed and can be chosen freely, it can be kept away from the ports most used for malware propagation, such as 445 (SMB) and 3389 (RDP), and firewall rules can be restricted to that single port; encryption further improves communication security.
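The two paragraphs above rest on two checks a practitioner has to make explicit: that the OPC UA session actually negotiates signing and encryption rather than SecurityPolicy None, and that the SCADA server's host policy admits only the one fixed port. The following is an added example, not code from the patent or from any OPC UA product. It assumes the gateway is the OPC UA server listening on the fixed port and the SCADA server connects to it (if the direction is reversed, the single accept rule becomes an inbound rule with the gateway as source). The endpoint descriptions, port number and addresses are constructed; the policy URIs and the MessageSecurityMode values are the ones defined by the OPC Foundation.

```python
"""Added example: OPC UA endpoint selection plus a SCADA-server host policy model.
Not from the patent. Endpoint list, port 48010 and 192.0.2.0/24 addresses are
constructed; the SecurityPolicy URIs and MessageSecurityMode values are real."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC128RSA15 = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"   # deprecated
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
POLICY_AES256_RSAPSS = "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"
ACCEPTED_POLICIES = {POLICY_BASIC256SHA256, POLICY_AES256_RSAPSS}

# MessageSecurityMode enumeration (OPC UA Part 4): Invalid=0, None=1, Sign=2, SignAndEncrypt=3
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


@dataclass(frozen=True)
class EndpointDescription:
    """The three fields of a GetEndpoints result that the client decision needs."""
    endpoint_url: str
    security_policy_uri: str
    security_mode: int


def endpoint_port(url):
    return urlsplit(url).port


def choose_endpoint(endpoints, fixed_port):
    """Return the first endpoint on the agreed port that signs and encrypts with an
    accepted policy, or None. A None result means: do not connect."""
    for ep in endpoints:
        if endpoint_port(ep.endpoint_url) != fixed_port:
            continue    # not the agreed port: a stray or rogue listener
        if ep.security_mode != MODE_SIGN_AND_ENCRYPT:
            continue    # Sign-only leaks process values; None protects nothing
        if ep.security_policy_uri not in ACCEPTED_POLICIES:
            continue    # Basic128Rsa15/Basic256 rely on SHA-1 and PKCS#1 v1.5
        return ep
    return None


@dataclass(frozen=True)
class Rule:
    direction: str   # "out" = from the SCADA server, "in" = to it
    peer: str        # CIDR of the remote host
    port: int        # remote port for "out", local port for "in"
    action: str      # "accept" or "drop"


def build_scada_server_policy(gateway_wan_ip, opcua_port):
    """Allow-list for the SCADA server host. The only permitted flow is the OPC UA
    session to the gateway's fixed port. There are no inbound accepts, so 445 (SMB)
    and 3389 (RDP), the propagation ports the patent names, fall to the default drop.
    Pinning the peer to the gateway's WAN address is an added hardening step."""
    return [Rule("out", f"{gateway_wan_ip}/32", opcua_port, "accept")]


def decide(rules, direction, peer_ip, port, default="drop"):
    """First matching rule wins; anything unmatched gets the default action."""
    peer = ip_address(peer_ip)
    for r in rules:
        if r.direction == direction and peer in ip_network(r.peer) and r.port == port:
            return r.action
    return default


def demo():
    fixed_port = 48010            # constructed site choice, away from 445/3389
    gateway_wan = "192.0.2.10"    # constructed (documentation range)
    endpoints = [                 # constructed GetEndpoints result
        EndpointDescription("opc.tcp://192.0.2.10:4840/", POLICY_NONE, MODE_NONE),
        EndpointDescription("opc.tcp://192.0.2.10:48010/gw", POLICY_BASIC256SHA256, MODE_SIGN),
        EndpointDescription("opc.tcp://192.0.2.10:48010/gw", POLICY_BASIC128RSA15, MODE_SIGN_AND_ENCRYPT),
        EndpointDescription("opc.tcp://192.0.2.10:48010/gw", POLICY_BASIC256SHA256, MODE_SIGN_AND_ENCRYPT),
    ]
    chosen = choose_endpoint(endpoints, fixed_port)
    rules = build_scada_server_policy(gateway_wan, fixed_port)
    decisions = {
        "opcua_to_gateway": decide(rules, "out", gateway_wan, fixed_port),
        "modbus_to_gateway": decide(rules, "out", gateway_wan, 502),
        "rdp_from_internet": decide(rules, "in", "198.51.100.7", 3389),
        "smb_from_gateway": decide(rules, "in", gateway_wan, 445),
    }
    return chosen, decisions


if __name__ == "__main__":
    print(demo())
```

Of the four constructed endpoints only the last one is usable: the default-port None endpoint, the Sign-only endpoint and the deprecated Basic128Rsa15 endpoint are all skipped. The policy model shows the second half of the patent's claim: the SCADA server may reach the gateway on the fixed OPC UA port and nothing else, so it has no path to Modbus/502 on the gateway, and nothing on the Internet reaches RDP or SMB on the server.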
Furthermore, the lower computer comprises one or more of a PLC, an RTU, a PAC, a frequency converter (variable-frequency drive), an integrated electrical protection device and an intelligent instrument. The lower computer performs data acquisition and control: it is fitted with input channels (DI, AI, etc.) for data acquisition and with output channels (DO, AO, etc.) for controlling field devices, it is monitored by the upper computer, and it transmits field data to the upper computer.
Furthermore, the intelligent gateway is connected with a plurality of lower computers through LAN ports, and can acquire various data simultaneously.
Furthermore, the SCADA server is connected with a WAN port of the intelligent gateway through the switch.
Furthermore, the lower computer is connected with the LAN port of the intelligent gateway through the switch.
Furthermore, the intelligent gateway also has a serial port for connecting lower computers that communicate over a serial link.
Compared with the prior art, the invention has the following advantages:
The security architecture of the SCADA data acquisition system is simple in structure. Data collected by the lower computer is stored in the address table of the intelligent gateway and then forwarded to the SCADA server, and the SCADA server cannot access the lower computer, so even if the SCADA server is attacked and infected, malware cannot spread to the lower computer. The lower computer is thereby protected, and infection of the SCADA server does not affect the safe operation of lower computers such as PLCs (programmable logic controllers); equipment failure and production upsets caused by malware on the lower computer are avoided, normal production continues, accidents are avoided and production safety is improved. Communication uses OPC UA, the communication port can be customized, and encryption is applied.
Drawings
Fig. 1 is a schematic structural diagram of a security architecture of a SCADA data acquisition system.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the security architecture of the SCADA data acquisition system disclosed in this embodiment, the SCADA server cannot access the field-level PLCs, so the PLCs are unaffected when the SCADA server is attacked; the security of the PLCs is effectively improved, and disruption of normal production and accidents are avoided.
As shown in Fig. 1, the security architecture of the SCADA data acquisition system mainly comprises a SCADA server, an intelligent gateway and lower computers. The SCADA server is connected to the WAN port of the intelligent gateway, and the lower computers are connected to the LAN port of the gateway, in the same network segment as that LAN port. The gateway also has a serial port for connecting lower computers that communicate over a serial link. A lower computer may be one or more of a PLC, an RTU, a PAC, a frequency converter, an integrated electrical protection device and an intelligent instrument, or a serial communication device. The network on the gateway's WAN port is not connected to the networks on the LAN port or the serial port.
Data collected by the lower computers is uploaded through the LAN port into the gateway's address table. The gateway forwards the data to the SCADA server through the WAN port using OPC UA on a fixed port (the port is customizable, so it can be kept away from the ports commonly used for malware propagation) with encryption. A security policy on the SCADA server allows communication only on that port. Because the SCADA server cannot access the lower computers, even if the SCADA server is attacked and infected, malware cannot spread to the lower computers; the lower computers are protected, and equipment failure and production upsets caused by malware on them are avoided.
The intelligent gateway supports the mainstream PLC communication protocols (for example those of AB (Allen-Bradley), Siemens and Schneider), Modbus TCP, and serial devices (for example devices using RS485 and Modbus RTU). It places the collected data in its address table and forwards the data to the SCADA server using OPC UA.
The intelligent gateway is connected to several lower computers through its LAN port and can collect several kinds of data at the same time. The SCADA server is connected to the gateway's WAN port through a switch, and the lower computers are connected to the gateway's LAN port through a switch.
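The data path described in this embodiment (poll the lower computer on the LAN side, store the result in the address table, serve only the table on the WAN side) is easiest to see in code. The following is an added example and not the gateway's own firmware or any vendor's code. It polls a controller over Modbus TCP function code 3 with hand-built frames, keeps an address table, and exposes that table through a read-only northbound handler; the northbound side is modelled as a plain request dispatcher rather than a real OPC UA server, and its status strings are labels only. The PLC is a constructed in-memory stand-in, and the register numbers, tag names and values are made up.

```python
"""Added example, not from the patent: a model of the intelligent gateway's data
path. LAN side: Modbus TCP FC3 polling of a constructed PLC. WAN side: a read-only
service over the address table, with no code path back to the controller."""
import struct

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
MBAP_FMT = ">HHHB"          # transaction id, protocol id (0), length, unit id


def build_read_request(txid, unit, start, count):
    """Modbus TCP request: MBAP header + PDU for reading holding registers."""
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, count)
    return struct.pack(MBAP_FMT, txid, 0, len(pdu) + 1, unit) + pdu


def parse_read_response(frame):
    """Validate an FC3 response and return (txid, unit, [registers])."""
    txid, proto, length, unit = struct.unpack(MBAP_FMT, frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError(f"Modbus exception 0x{frame[8]:02x} for function 0x{fc & 0x7F:02x}")
    if fc != FC_READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code 0x{fc:02x}")
    nbytes = frame[8]
    if nbytes != len(frame) - 9 or nbytes % 2:
        raise ValueError("bad byte count")
    return txid, unit, list(struct.unpack(f">{nbytes // 2}H", frame[9:]))


class SimulatedPLC:
    """Constructed lower computer: answers FC3 reads and FC6 writes like a real
    Modbus slave. The write path exists only to show that the gateway never uses it."""

    def __init__(self, unit, registers):
        self.unit = unit
        self.registers = dict(registers)

    def handle(self, frame):
        txid, _proto, _length, unit = struct.unpack(MBAP_FMT, frame[:7])
        fc = frame[7]
        if fc == FC_READ_HOLDING_REGISTERS:
            start, count = struct.unpack(">HH", frame[8:12])
            values = [self.registers.get(a, 0) for a in range(start, start + count)]
            pdu = struct.pack(">BB", fc, 2 * count) + struct.pack(f">{count}H", *values)
        elif fc == FC_WRITE_SINGLE_REGISTER:
            addr, value = struct.unpack(">HH", frame[8:12])
            self.registers[addr] = value
            pdu = frame[7:12]                              # FC6 echoes the request PDU
        else:
            pdu = struct.pack(">BB", fc | 0x80, 0x01)      # exception 01: illegal function
        return struct.pack(MBAP_FMT, txid, 0, len(pdu) + 1, unit) + pdu


class Gateway:
    """LAN side polls controllers; WAN side serves the address table, read-only."""

    def __init__(self):
        self.address_table = {}   # tag -> last polled value: the only WAN-visible state
        self._tags = {}           # tag -> (plc, register): LAN-side configuration
        self._txid = 0

    def map_tag(self, tag, plc, register):
        self._tags[tag] = (plc, register)

    def poll(self):
        """One LAN-side cycle: an FC3 read per tag, results copied into the table."""
        for tag, (plc, register) in self._tags.items():
            self._txid = (self._txid + 1) & 0xFFFF
            txid, unit, regs = parse_read_response(
                plc.handle(build_read_request(self._txid, plc.unit, register, 1)))
            if txid != self._txid or unit != plc.unit:
                raise ValueError("response does not match request")
            self.address_table[tag] = regs[0]
        return dict(self.address_table)

    def northbound(self, request):
        """WAN-side service set. Only Read exists; nothing here can reach
        SimulatedPLC.handle(), which is the isolation the architecture relies on."""
        if request.get("service") != "Read":
            return {"status": "BadServiceUnsupported"}
        tag = request.get("node")
        if tag not in self.address_table:
            return {"status": "BadNodeIdUnknown"}
        return {"status": "Good", "value": self.address_table[tag]}


def demo():
    plc = SimulatedPLC(unit=1, registers={0: 512, 1: 7})     # constructed process values
    gw = Gateway()
    gw.map_tag("Line1.FlowRate", plc, 0)
    gw.map_tag("Line1.PumpState", plc, 1)
    table = gw.poll()
    read = gw.northbound({"service": "Read", "node": "Line1.FlowRate"})
    write = gw.northbound({"service": "Write", "node": "Line1.PumpState", "value": 0})
    return table, read, write, plc.registers[1]


if __name__ == "__main__":
    print(demo())
```

The write request from the WAN side is refused and the controller's register is unchanged, while the same controller would happily accept an FC6 write if anything could send it one. That is the whole security argument of the patent in miniature: the protection rests on the gateway having no forwarding path between its two sides, so the gateway itself is the component whose configuration and firmware integrity must be guarded.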
The above is only a preferred embodiment of the present invention, and it should be noted that the above preferred embodiment should not be considered as limiting the present invention, and the protection scope of the present invention should be subject to the scope defined by the claims. It will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the spirit and scope of the invention, and these modifications and adaptations should be considered within the scope of the invention.
Claims (8)
1. A security architecture for a SCADA data acquisition system, characterized in that it comprises a SCADA server, an intelligent gateway and a lower computer, wherein the SCADA server is connected to a WAN port of the intelligent gateway, the lower computer is connected to a LAN port of the intelligent gateway, the networks of the WAN port and the LAN port of the intelligent gateway are not connected to each other, and data collected by the lower computer is uploaded through the LAN port into an address table of the intelligent gateway and then forwarded by the intelligent gateway to the SCADA server through the WAN port.
2. The security architecture for a SCADA data acquisition system according to claim 1, characterized in that the intelligent gateway forwards data to the SCADA server through the WAN port using the OPC UA communication protocol.
3. The security architecture for a SCADA data acquisition system according to claim 2, characterized in that the intelligent gateway forwards data to the SCADA server using a customizable fixed port of the OPC UA communication protocol.
4. The security architecture for a SCADA data acquisition system according to any one of claims 1 to 3, characterized in that the lower computer comprises one or more of a PLC, an RTU, a PAC, a frequency converter, an integrated electrical protection device and an intelligent instrument.
5. The security architecture for a SCADA data acquisition system according to any one of claims 1 to 3, characterized in that the intelligent gateway is connected to several lower computers through the LAN port.
6. The security architecture for a SCADA data acquisition system according to any one of claims 1 to 3, characterized in that the SCADA server is connected to the WAN port of the intelligent gateway through a switch.
7. The security architecture for a SCADA data acquisition system according to any one of claims 1 to 3, characterized in that the lower computer is connected to the LAN port of the intelligent gateway through a switch.
8. The security architecture for a SCADA data acquisition system according to any one of claims 1 to 3, characterized in that the intelligent gateway is further provided with a serial port for connecting to a lower computer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911052381.7A CN110609533A (en) | 2019-10-31 | 2019-10-31 | Safety architecture of SCADA data acquisition system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110609533A true CN110609533A (en) | 2019-12-24 |
Family
ID=68895823
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911052381.7A Pending CN110609533A (en) | 2019-10-31 | 2019-10-31 | Safety architecture of SCADA data acquisition system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110609533A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112910963A (en) * | 2021-01-18 | 2021-06-04 | 翰克偲诺水务集团有限公司 | Method and system for cross-domain data interaction between local area network and Internet of water treatment equipment |
CN114296389A (en) * | 2021-12-27 | 2022-04-08 | 中国市政工程华北设计研究总院有限公司 | Distributed intelligent control all-in-one machine |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105530240A (en) * | 2015-11-27 | 2016-04-27 | 机械工业仪器仪表综合技术经济研究所 | Method for automatically mapping multiple industrial protocols to OPC UA address space |
CN107567604A (en) * | 2015-03-27 | 2018-01-09 | 布勒有限公司 | It is used for the method and system of the process control of equipment in the Machine To Machine network based on OPC UA |
CN107852359A (en) * | 2015-08-20 | 2018-03-27 | 三菱日立电力系统株式会社 | Security system, communication control method |
CN108494672A (en) * | 2018-04-17 | 2018-09-04 | 上海振华重工(集团)股份有限公司 | A kind of industrial communication gateway, industrial data security isolation system and method |
CN108833269A (en) * | 2018-06-26 | 2018-11-16 | 中国兵器装备集团自动化研究所 | A kind of intelligent things gateway towards industry spot |
CN109194528A (en) * | 2018-10-30 | 2019-01-11 | 浙江理工大学 | A kind of Knitting Machinery data gateway and control method based on OPC UA |
Events
- 2019-10-31: application CN201911052381.7A filed in CN (publication CN110609533A), status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Hadeli et al. | Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration | |
CN103545924B (en) | Secondary device state on_line monitoring method | |
CN105914890B (en) | A kind of automation of transformation substations control system | |
CN110326268A (en) | Transparent fireproof wall for the equipment that keeps the scene intact | |
CN110609533A (en) | Safety architecture of SCADA data acquisition system | |
CN112583796A (en) | Method and system for accessing terminal equipment to power Internet of things and Internet of things management platform | |
CN108769076A (en) | Data collecting system, method and device with network isolation function | |
CN104539600A (en) | Industrial control firewall implementing method for supporting filtering IEC 104 protocol | |
CN111083047B (en) | Gateway based on internet of things multi-protocol communication | |
CN202363972U (en) | Remote operation and maintenance platform of substation secondary system | |
Chromik et al. | Bro in SCADA: Dynamic intrusion detection policies based on a system model | |
CN205210638U (en) | A monitoring system and remote monitering system for becoming oar system | |
CN114448085A (en) | IOT gateway for industrial control system, associated apparatus, system and method | |
CN202652270U (en) | Database audit system | |
CN104656572A (en) | Internet of Things household control system based on handheld terminal | |
KR20080093685A (en) | Open gateway server | |
CN106100932A (en) | A kind of substation data processing system based on data sharing | |
CN111399463A (en) | Industrial network data one-way isolation method and device | |
CN206440993U (en) | Operation of industrial installation monitoring system | |
CN215871444U (en) | Safety protection system of power plant | |
CN105897789A (en) | High-voltage frequency-converter remote monitoring system based on Internet | |
CN114363347A (en) | Self-adaptive industrial equipment data acquisition method and system | |
CN112448951B (en) | Mobile substation protection system | |
CN203933682U (en) | Telemechanical communication security instrument | |
CN112367224A (en) | Terminal monitoring device, system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191224 |