| Field | Value |
|---|---|
| Graduate student | 周曉旼 Hsiao-Min Chou |
| Thesis title | Design and Implementation of a Modbus Access Control Gateway Considering Legacy System Security (考量既有系統安全的Modbus存取控制閘道器設計與實作) |
| Advisors | 查士朝 Shi-Cho Cha, 洪政煌 Cheng-Huang Hung |
| Committee members | 李維楨 Wei-chen Lee, 洪政煌 Cheng-Huang Hung, 查士朝 Shi-Cho Cha |
| Degree | Master |
| Department | College of Management, Department of Information Management |
| Year of publication | 2023 |
| Academic year of graduation | 111 |
| Language | Chinese |
| Page count | 65 |
| Keywords (Chinese) | Modbus protocol, access control gateway, role-based access control (RBAC) |
| Keywords (English) | Modbus, Access Control Gateway, Role-Based Access Control (RBAC) |
With the rise of Industry 4.0, manufacturing operations are becoming increasingly intelligent; in particular, once machines are networked, data can be collected and operations can be automated. Early manufacturing, however, placed more emphasis on the stability of factory operations, and once such systems are connected to a network they may face a growing number of cyberattacks, posing threats of varying degrees to manufacturing and to national critical infrastructure. In general manufacturing and in critical infrastructure, the Modbus protocol has commonly been used. Because security was not considered when Modbus was originally specified, connecting these legacy systems to a network creates risk. This study therefore proposes a solution that, without modifying the legacy systems, adds a gateway to address the security problems above and thereby effectively raises the security level of Modbus communication.
This study proposes an access control gateway that evaluates and filters the operations factory personnel perform on programmable logic controller (PLC) devices. The gateway provides authentication and access control, using Role-Based Access Control (RBAC) as its access control model to ensure that only legitimate operations are carried out. Although the organization maintaining Modbus later defined the Modbus Security protocol on top of Modbus, many legacy systems do not support it. The difference between this study and Modbus Security is that authentication, encryption and access control are achieved without changing the structure of the Modbus protocol. The solution improves the safety of factory operations and offers an effective means of ensuring that factory personnel operate PLC devices securely. The results are significant for data communication security and access control management in industrial environments.
With the rise of Industry 4.0, manufacturing operations are increasingly intelligent, particularly when machinery is networked, facilitating data collection and smart functionalities. Early manufacturing prioritized operational stability, but with modern networking, there's an amplified risk of cyberattacks, threatening both the manufacturing sector and critical national infrastructure. Historically, the Modbus protocol, developed without early cybersecurity considerations, was a staple in these sectors, introducing vulnerabilities when integrating older systems.
This research proposes an innovative solution: an access control gateway for programmable logic controller (PLC) devices. The gateway, employing Role-Based Access Control (RBAC), provides identity verification and access management. Unlike the later-introduced Modbus Security, which many legacy systems don't support, our approach enhances security without altering the original Modbus structure. This methodology not only bolsters factory operational safety but ensures secure PLC interactions, making a substantial contribution to industrial data communication security.
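As an added illustration of the RBAC filtering step the abstract describes (example code written for this page, not the thesis's implementation), the following parses a Modbus/TCP request's MBAP header and PDU, maps the function code to a read or write on an address range, and checks it against a role policy; the users, roles, policy and frames are constructed assumptions for the demo.

```python
import struct

# Public function codes from the Modbus Application Protocol Specification V1.1b.
FC_NAMES = {1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_regs",
            4: "read_input_regs", 5: "write_single_coil", 6: "write_single_reg",
            15: "write_multiple_coils", 16: "write_multiple_regs"}
WRITE_FCS = {5, 6, 15, 16}

# Constructed RBAC policy for the demo: role -> (operation, first_addr, last_addr).
POLICY = {
    "operator": [("read", 0, 0xFFFF), ("write", 100, 199)],
    "viewer":   [("read", 0, 0xFFFF)],
}
# Constructed user-to-role assignments (stands in for the gateway's auth step).
USER_ROLES = {"alice": "operator", "bob": "viewer"}


def parse_request(frame: bytes):
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU.
    Returns (unit_id, function_code, start_addr, quantity)."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus minimal PDU")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length field")
    fc = frame[7]
    start = struct.unpack(">H", frame[8:10])[0]
    # FC 5 and 6 carry a single value where the others carry a quantity.
    qty = 1 if fc in (5, 6) else struct.unpack(">H", frame[10:12])[0]
    return unit, fc, start, qty


def authorize(user: str, frame: bytes):
    """Decide whether `user` may forward `frame` to the PLC; returns (allowed, reason)."""
    role = USER_ROLES.get(user)
    if role is None:
        return False, "unknown user (authentication failed)"
    _unit, fc, start, qty = parse_request(frame)
    if fc not in FC_NAMES:
        return False, f"function code {fc} is not permitted through the gateway"
    if qty == 0 or start + qty > 0x10000:
        return False, "invalid address range"
    op = "write" if fc in WRITE_FCS else "read"
    last = start + qty - 1
    for perm_op, lo, hi in POLICY[role]:
        if perm_op == op and lo <= start and last <= hi:
            return True, f"{role} may {FC_NAMES[fc]} {start}-{last}"
    return False, f"{role} may not {FC_NAMES[fc]} {start}-{last}"
```

Unknown function codes and malformed frames are rejected before any policy lookup, so the gateway only forwards requests it could fully classify.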