JP2018185712A - Security monitoring system and security monitoring method - Google Patents

Abstract

[PROBLEMS] Only a field maintenance worker who uses a control system takes time to complete the handling of an incident occurring in the control system. A security monitoring device provided in a control system compares an alert collected from a control device or a security device with an abnormal scenario, and transmits an abnormal data to the system monitoring device upon detecting that an incident has occurred in the control system. To do. The system monitoring apparatus analyzes the abnormal data, handles incidents that can be handled by the system monitoring apparatus, and instructs the security monitoring apparatus to handle incidents that cannot be handled by the system monitoring apparatus. The incident management server analyzes alerts, abnormal data, and physical security history data collected through the security monitoring device, and deals with incidents that cannot be handled by the system monitoring device and security monitoring device for field maintenance personnel. Instruct. [Selection] Figure 1

Description

  The present invention relates to a security monitoring system and a security monitoring method.

  In recent years, control systems for monitoring and controlling equipment such as pumps and valves have been connected to maintenance bases and other systems via a network. A monitoring center provided at a maintenance base is increasingly using O & M (Operation & Maintenance) for remotely monitoring the operation of a control system. However, as a result of long-term maintenance, the control system is constructed by mixing old and new devices. In addition, the control system is fully protected in advance by sophisticated, sophisticated viruses, malware, unauthorized access, etc. (hereinafter referred to as “attack from the outside”) that target control system devices connected to the network. It was a difficult situation. Moreover, not only external attacks, but also program updates of equipment in the control system, or unauthorized operation and virus infection by field maintenance personnel and engineers who enter and exit the control system to collect data from the equipment when the equipment is abnormal In order to use already-used external media (hereinafter referred to as “internal attacks”), physical security systems such as entrance / exit management devices and surveillance camera devices are being introduced. However, the possibility of a security incident is becoming apparent as the control system is connected to the network, and unauthorized operations are performed by field maintenance personnel and engineers. An event that has an unpredictable effect on a control system or the like is called an incident, and particularly an incident that is a threat to the security of the control system is called a security incident. In the following description, a security incident is also referred to as an “incident”.

  As a product for responding to an incident, for example, there is SIEM (Security Information-and Event Management). The SIEM has a function of collecting logs of devices and devices in the control system and analyzing the presence or absence of incidents. In order to detect the occurrence of an incident, analyze whether the incident has an effect on the control system, or to deal with the analysis result (hereinafter referred to as “incident response”), the analyst must Advanced security knowledge is required. In the control system, incident response using SIEM is assumed to be performed by field maintenance personnel who are in charge of monitoring and control of the control system.

  However, field maintenance personnel do not necessarily have sufficient security knowledge, so they can understand the details of incidents that have occurred, distinguish between system abnormalities and incidents, and determine whether there is an impact on control system operation. It took time to work. In addition, field maintenance personnel often cannot use SIEM, which requires different operations from conventional manuals. As a result, the field maintenance staff alone took time to respond to incidents and sometimes responded incorrectly. In addition, SIEM deals only with incidents mainly caused by external attacks, and does not support analysis of internal attacks. For this reason, although it is clear that a specific device or device in the control system is caused by using SIEM, for example, an incident caused by an unauthorized operation of a field maintenance worker or engineer in the control system can be specified. It was difficult.

  Therefore, Patent Document 1 discloses a method for connecting a control system and a monitoring center in which security specialists are stationed as a technique for field maintenance personnel with little security knowledge to deal with incidents in the control system. ing. This patent document 1 uses a local prediction model that predicts an event from a monitored system, detects an abnormal state of the monitored system, analyzes the process leading to the abnormal state, An event analysis system to be presented to an engineer is disclosed.

JP-A-2016-99938

  When field maintenance personnel deal with an incident, it is required to follow a manual procedure prepared in advance for each facility on the site. On the other hand, the method of handling an incident by an engineer at a maintenance site is often different from the manual procedure. As a result, simply presenting the analysis result by the event analysis system disclosed in Patent Document 1 to the field maintenance staff takes time to complete the handling of the incident by the field maintenance staff.

  The present invention has been made in view of such a situation. For example, an object of the present invention is to deal with a detected incident by a control system that is familiar to field maintenance personnel.

A security monitoring system according to the present invention includes a control system that controls the operation of equipment, and a physical security system that is connected to the control system and that monitors and controls entry / exit of a field maintenance worker using the control system into the control system, , A physical security system that monitors and controls the entry and exit of the field maintenance personnel who use the control system via the network and the control system, and incidents that occur in the control system via the network connected to the control system An incident management server for managing
The control system includes a control device that detects an alert generated in the facility, a security device that detects an alert generated in the control system, a system monitoring device that monitors the control system and responds to an incident that occurs in the control system, and The security monitoring device that compares the alert collected from the control device or the security device with an abnormal scenario and detects that an incident has occurred in the control system, and transmits abnormal data including the contents of the incident to the system monitoring device. Prepare.
The physical security system includes an entrance / exit management device, a monitoring camera device, and a physical security server that manages the physical security history data.
The system monitoring apparatus analyzes the abnormal data, handles incidents that can be handled by the system monitoring apparatus, and instructs the security monitoring apparatus to handle incidents that cannot be handled by the system monitoring apparatus. The security monitoring apparatus deals with incidents analyzed in accordance with instructions from the system monitoring apparatus.
The incident management server analyzes alerts, abnormal data, and physical security history data collected through the security monitoring device, and deals with incidents that cannot be handled by the system monitoring device and security monitoring device for field maintenance personnel. Instruct.

According to the present invention, the field maintenance staff not only deal with incidents with the control system, but also deal with incidents that could not be dealt with in the control system in a short time according to the actions instructed by the incident management server. It becomes possible.
Problems, configurations, and effects other than those described above will be clarified by the following description of embodiments.

It is a block diagram which shows the example of whole structure of the security monitoring system which concerns on one embodiment of this invention. It is a block diagram which shows the internal structural example of each apparatus which comprises the control system which concerns on one embodiment of this invention. It is a network block diagram which shows the structural example of the subsystem which concerns on one embodiment of this invention. It is a block diagram which shows the hardware structural example of the computer which concerns on one embodiment of this invention. It is explanatory drawing which shows the structural example of the abnormal data which the security monitoring apparatus which concerns on one embodiment of this invention has. It is explanatory drawing which shows the structural example of the historical data which the security monitoring apparatus which concerns on one embodiment of this invention has. 6 is a flowchart showing a procedure in which a security monitoring apparatus according to an embodiment of the present invention collects alerts from a control device and a security device, collects history data from a physical security server, and notifies the system monitoring apparatus of abnormal data. . It is explanatory drawing which shows the example of a display of the system monitoring screen displayed on the data display and operation part of the system monitoring apparatus which concerns on one embodiment of this invention. It is a flowchart which shows the procedure in which the system monitoring apparatus which concerns on one embodiment of this invention analyzes the abnormal data received from the security monitoring apparatus. It is explanatory drawing which shows the display example of the incident list screen and the incident cause analysis screen for performing the cause analysis which the field maintenance worker which concerns on one embodiment of this invention operates and implements a security monitoring apparatus, and the countermeasure. It is a flowchart which shows the procedure of the incident analysis of the security monitoring apparatus which concerns on one embodiment of this invention, and incident response. It is a flowchart which shows the procedure in which the security monitoring apparatus which concerns on one embodiment of this invention transmits an alert, abnormality data, and physical security historical data to the incident management server of a monitoring center. It is explanatory drawing which shows the example of a display of the incident analysis screen displayed with the incident management server which concerns on one embodiment of this invention. It is explanatory drawing which shows the example of a display of the historical data display result which concerns on one embodiment of this invention. It is a flowchart which shows the procedure of the fundamental analysis and the fundamental countermeasure examination which the security expert which concerns on one embodiment of this invention implements. It is a flowchart which shows the procedure of the fundamental countermeasure examination by the fundamental analysis and countermeasure example utilization which the security expert which concerns on one embodiment of this invention implements.

  DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention will be described with reference to the accompanying drawings. In the present specification and drawings, components having substantially the same function or configuration are denoted by the same reference numerals, and redundant description is omitted.

  FIG. 1 is a block diagram showing an example of the overall configuration of the security monitoring system 1. In this embodiment, a control system 10 that is constructed at a local site and controls the operation of the equipment 101 and an incident management server 201 of the monitoring center 20 that is constructed at a maintenance base are connected by a network N such as the Internet, and control is performed. The system 10 and a physical security server 401 of the physical security system 40 are connected by a network 108. Here, when the control system 10 and the monitoring center 20 are connected, it is possible to prevent information leakage by using a VPN (Virtual Private Network) device.

  The physical security system 40 is connected to the control system 10 via a network 113, and monitors and controls the entrance and exit of the field maintenance staff 109 and the engineer 112 into the control system 10. A physical security server 401 included in the physical security system 40 manages physical security history data (hereinafter referred to as “history data”) acquired from the entrance / exit management device 110 and the monitoring camera 111.

  The control system 10 includes a facility 101, a control device 102, a system monitoring device 103, a security device 104, a security monitoring device 105, a one-way relay device 106, and a field data management server 107. The equipment 101, the control device 102, the system monitoring device 103, the security device 104, and the security monitoring device 105 are connected via a network 108.

The facility 101 is, for example, a water treatment plant pump or valve, or a power plant turbine.
The control device 102 is a device that generically refers to a controller, a control server, a maintenance terminal, and the like that monitor the equipment 101 and control the operation of the equipment 101. When the control device 102 detects an alert generated in the facility 101, the control device 102 transmits an alert including an alert log to the security monitoring device 105.

  The system monitoring apparatus 103 monitors the control system 10 and deals with incidents occurring in the control system 10. For this reason, the system monitoring apparatus 103 collects the statuses of the control apparatus 102 and the network 108 (abnormality, operating, etc.), and displays the statuses of the control apparatus 102 and the network 108 in the system monitoring screen 30 shown in FIG. To display. For example, the field maintenance person 109 who uses the control system 10 maintains the operation of the control system 10 by operating the system monitoring device 103 to monitor and control the state of the control system 10. The field maintenance staff 109 then deals with incidents occurring in the equipment 101 etc. by referring to the manual or the like. On the other hand, if an incident that cannot be dealt with by the field maintenance person 109 alone has occurred, the field maintenance person 109 requests the security expert 202 in the monitoring center 20 to deal with the incident, and a countermeasure instructed by the security expert 202. I do.

  The security device 104 detects a security alert that occurs in the control system 10 and prevents incidents that may occur in the control system 10 in advance. When the security device 104 detects a security alert, it transmits an alert including an alert log to the security monitoring device 105. As the security device 104, for example, a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) is used. The security device 104 can detect and block many unauthorized accesses from outside.

  The security monitoring device 105 compares the alert collected from the control device 102 or the security device 104 with an abnormal scenario 1053 (see FIG. 2 described later) representing the behavior of the incident. When the security monitoring apparatus 105 detects that an incident has occurred in the control system 10, it transmits abnormal data 1055 (see FIG. 2 described later) including the contents of the incident to the system monitoring apparatus 103.

  The system monitoring apparatus 103 analyzes the abnormal data 1055 and handles incidents that can be handled by the system monitoring apparatus 103. The system monitoring apparatus 103 displays a system monitoring screen 30 shown in FIG. For this reason, the field maintenance staff 109 can operate the system monitoring apparatus 103 to deal with an incident that has occurred in the control system 10 according to a manual or the like. However, the system monitoring apparatus 103 instructs the security monitoring apparatus 105 to deal with incidents that cannot be handled by the system monitoring apparatus 103.

  As described above, the physical security system 40 includes the physical security server 401 that collects and manages history data from the entrance / exit management device 110 and the monitoring camera 111 installed at the entrance of the control system 10. The entrance / exit management device 110 can control entry / exit of the field maintenance staff 109 and the engineer 112 to / from the control system 10 by a card reader, biometric authentication, or the like. The monitoring camera 111 captures the scenes of the field maintenance staff 109 and the engineer 112 entering and leaving the control system 10. The physical security system 40 may be configured separately from the control system 10 depending on the configuration of the control system 10, or may be included in the control system 10.

  The security monitoring device 105 deals with the incident analyzed according to the instruction from the system monitoring device 103. The security monitoring apparatus 105 displays an incident list screen 71 and an incident cause analysis screen 72 shown in FIG. For this reason, the field maintenance staff 109 can operate the security monitoring apparatus 105 to deal with a security incident that has occurred in the control system 10 according to a manual or the like.

  The one-way relay device 106 permits relaying of data transmitted from the control system 10 toward the incident management server 201, and disallows relaying of data transmitted from the incident management server 201 toward the control system 10. . In other words, the one-way relay device 106 can relay only data transmitted in one direction from the inside of the control system 10 to the outside to the monitoring center 20. As the one-way relay device 106, for example, a router, a firewall, or the like is used. The one-way relay device 106 can prevent unauthorized access to the control system 10 through the network N.

  The field data management server 107 is provided at a location accessible by the incident management server 201, and accumulates alerts, abnormality data 1055 (see FIG. 2 described later), and history data 1060-1 (see FIG. 6 described later). . The anomaly data 1055 includes the occurrence time of an incident (alert), the device in which the incident occurred, the incident level, the content of the incident, and the like. The history data 1060-1 includes entry / exit time, exit time, user ID, name, and the like. The field data management server 107 receives field data such as alerts collected by the security monitoring apparatus 105 via the one-way relay apparatus 106 according to the transmission program of the security monitoring apparatus 105. The on-site data managed by the on-site data management server 107 is a generic term for alerts, abnormality data 1055, and history data 1060-1 generated in the control system 10, for example.

  Here, when the number of facilities 101 to be monitored and controlled increases, the control system 10 includes a set of facilities 101, a control device 102, a system monitoring device 103, and a security device 104 (hereinafter referred to as “subsystem”). There is. In this case, the security monitoring device 105 may be installed for each subsystem, or the security monitoring device 105 may be installed by integrating a plurality of subsystems.

  The monitoring center 20 includes an incident management server 201 that manages incidents that occur in the control system 10. The incident management server 201 is operated by a security expert 202 resident in the monitoring center 20. The incident management server 201 collects alerts, abnormality data, and history data 1060-1 accumulated in the field data management server 107 through the security monitoring apparatus 105 by a dedicated program. In addition, the incident management server 201 accumulates incidents generated in a control system different from the control system 10 illustrated in FIG. 1 and countermeasures against the incidents. And the security expert 202 is based on not only the alerts collected from the field data management server 107, abnormal data and history data 1060-1, but also incidents occurring in other control systems, countermeasures for incidents, etc. The incident can be analyzed.

  Then, based on the analysis result of the incident analyzed by the security specialist 202, the incident countermeasures are set in the incident management server 201. After that, the security specialist 202 instructs the field maintenance staff 109 to deal with the incident that the system monitoring device 103 and the security monitoring device 105 could not handle, based on the analysis result of the incident. Incidents that could not be dealt with include incidents that could not be detected by the system monitoring device 103 and the security monitoring device 105, for example. For this reason, the security expert 202 operates the incident management server 201 to detect not only incidents that have been revealed by analyzing alerts and incidents, but also detect potential incidents, and deal with field maintenance personnel 109. I can tell you.

  The one-way relay device 106 limits the data transmission direction from the inside to the outside of the control system 10. For this reason, the incident management server 201 sends an incident countermeasure report shown in FIG. 13 to be described later to the field maintenance staff 109 to instruct the field maintenance staff 109 to deal with the incident. The incident countermeasure report is sent to the field maintenance staff 109 through a route different from, for example, telephone, FAX, electronic mail, and network N.

  FIG. 2 is a block diagram illustrating an internal configuration example of each device constituting the control system 10. In FIG. 2, the description of the equipment 101 is omitted.

The control device 102 includes a data collection / analysis unit 1021, an alert storage unit 1022, and an alert transmission unit 1023.
The data collection / analysis unit 1021 acquires an alert generated in the facility 101. The alert generated in the control device 102 indicates that, for example, another device of the control system 10 has tried to log in to the control device 102 many times, continues to send packets to a specific port, etc. This is to notify the field maintenance staff 109.
The alert storage unit 1022 stores the alert acquired by the data collection / analysis unit 1021.
The alert transmission unit 1023 transmits the alert stored in the alert storage unit 1022 to the security monitoring device 105.

The system monitoring apparatus 103 includes a data reception / analysis unit 1031, an abnormality determination unit 1032, an alert storage unit 1033, and a data display / operation unit 1034.
The data reception / analysis unit 1031 analyzes the abnormal data 1055 notified from the security monitoring apparatus 105.
The abnormality determination unit 1032 determines whether the incident that has occurred in the control system 10 is a system abnormality or a security abnormality based on the analysis result of the abnormality data 1055 notified from the security monitoring apparatus 105.
The alert storage unit 1033 stores an alert generated when the abnormality determination unit 1032 detects an abnormality.
The data display / operation unit 1034 displays a system monitoring screen 30 shown in FIG.

The security device 104 includes a data transmission / reception unit 1041, an abnormality detection unit 1042, an alert storage unit 1043, and a command transmission unit 1044.
The data transmission / reception unit 1041 transmits a security alert generated in the control system 10 to the security monitoring apparatus 105. In addition, the data transmission / reception unit 1041 receives from the security monitoring device 105 an instruction for dealing with the incident (an instruction to isolate the cause device, an instruction to isolate the attack target network, etc. shown in FIG. 11 described later).
The abnormality detection unit 1042 detects a security abnormality that has occurred in the control system 10 and generates an alert.

The alert storage unit 1043 stores an alert generated when the abnormality detection unit 1042 detects an abnormality. The alert generated by the security device 104 is, for example, on-site maintenance that an unauthorized packet is transmitted / received by a device in the control system 10 or that an unauthorized device (non-volatile memory or the like) is connected to the control device 102. This is to notify the member 109.
The command transmission unit 1044 transmits, for example, a command for disconnecting the cause device or isolating the network to the device or network instructed by the security monitoring device 105.
The physical security server 401 includes a data collection unit 4011, a data storage unit 4012, and a data transmission unit 4013.
The data collection unit 4011 collects history data from the entrance / exit management device 110 and the monitoring camera 111.
The data storage unit 4012 stores the history data acquired by the data collection unit 4011.
The data transmission unit 4013 transmits the history data stored in the data storage unit 4012 to the security monitoring device 105.

  The security monitoring apparatus 105 includes a data transmission / reception unit 1051, an alert storage unit 1052, a history data storage unit 1060, an alert analysis / determination unit 1054, an abnormal scenario 1053, a data display / operation unit 1056, an abnormality notification unit 1057, an alert notification unit 1058, A handling instruction unit 1059 is included.

The data transmission / reception unit 1051 receives an alert from the control device 102 and the security device 104.
The alert storage unit 1052 stores the alert received by the data transmission / reception unit 1051 from the control device 102.

  The abnormality scenario 1053 is data indicating the behavior of the device in the control system 10 that is a precursor to an incident. For example, when an unauthorized access, an unauthorized attack is performed on a device in the control system 10 or a virus is infected, a specific movement that is a precursor of an incident may occur before the device stops. . The specific movement that occurs in such a device is stored as an abnormal scenario 1053.

  The alert analysis / determination unit 1054 analyzes the alerts collected by the data transmission / reception unit 1051 and stored in the alert storage unit 1052. At this time, the alert analysis / determination unit 1054 refers to the abnormal scenario 1053 and compares the alert with the abnormal scenario 1053. When the alert and the abnormal scenario 1053 match, the alert analysis / determination unit 1054 can determine that an incident has occurred.

  The abnormal data 1055 is data indicating the analysis result of the alert analyzed by the alert analysis / determination unit 1054. The abnormal data 1055 includes an alert (incident) occurrence time, a target device, an incident level, and an incident description as shown in FIG.

  The data display / operation unit 1056 displays the contents of the abnormal data 1055 on the incident list screen 71 and the incident cause analysis screen 72 shown in FIG. 10 to be described later, and instructs the security device 104 to deal with the incident when an incident occurs. Send.

When the alert analysis / determination unit 1054 determines that an incident has occurred, the abnormality notification unit 1057 stores the abnormality data 1055 in the system monitoring apparatus 103 and history data 1060-1 read from the history data storage unit 1060 (described later). (See FIG. 6).
The alert notification unit 1058 notifies the site data management server 107 of the alert. This alert is accumulated in the site data management server 107.
The handling instruction unit 1059 transmits a handling instruction to the security device 104 through the data transmission / reception unit 1051.

  The history data storage unit 1060 stores the history data 1060-1 described above.

The site data management server 107 includes an alert receiving unit 1071 and an alert storage unit 1072.
The alert receiving unit 1071 receives the alert relayed from the security monitoring device 105 by the one-way relay device 106.
The alert storage unit 1072 stores the alert received by the alert receiving unit 1071.

FIG. 3 is a network configuration diagram illustrating a configuration example of the subsystem.
As described above, the control system 10 may include a subsystem including the equipment 101, the control device 102, and the security device 104 as a set. Subsystems 10 a and 10 b shown in FIG. 3 are connected to a network 108. For example, it is assumed that the operating time of the subsystems 10a and 10b is from 9:00 to 17:00, and the system monitoring time by the system monitoring device 103 is 24 hours.

  In the subsystem 10a, a control server 101a1, controllers 101b1 and 101b2, and a security device 104a1 are connected to a subnetwork 108a1. In the figure, the controllers 101b1 and 101b2 are represented as “controller 1” and “controller 2”, respectively, and will be described as “controller 1” and “controller 2” in the following description.

  In addition, in the subsystem 10b, a control server 101a2, controllers 101b3 and 101b4, and a security device 104a2 are connected to the subnetwork 108a2. In the figure, the controllers 101b3 and 101b4 are referred to as “controller 3” and “controller 4”, respectively, and will be described as “controller 3” and “controller 4” in the following description.

  The field maintenance staff 109 monitors the status of the devices in the subsystems 10 a and 10 b and the sub networks 108 a 1 and 108 a 2 connected to the network 108 through the system monitoring device 103. For example, an incident may occur in the controller 1 to attack a device in the subsystem 10a or a device in the subsystem 10b. At this time, the system monitoring device 103 displays a device that is attacking or performing a suspicious operation and the status of the subsystem that includes the device. Then, the field maintenance staff 109 who operates the system monitoring apparatus 103 can perform control to disconnect the apparatus that is the source of the incident from the subsystem.

Next, the hardware configuration of the computer C configuring each device of the security monitoring system 1 will be described.
FIG. 4 is a block diagram illustrating a hardware configuration example of the computer C.

  The computer C is hardware used as a so-called computer. The computer C includes a CPU (Central Processing Unit) C1, a ROM (Read Only Memory) C2, and a RAM (Random-access Memory) C3 connected to the bus C4. Further, the computer C includes a display unit C5, an operation unit C6, a nonvolatile storage C7, and a network interface C8.

  The CPU C1 reads out the program code of software that implements each function according to the present embodiment from the ROM C2, and executes it. In the RAM C3, variables, parameters and the like generated during the arithmetic processing are temporarily written. The display unit C5 is, for example, a liquid crystal display monitor, and displays a result of processing performed by the computer C. For example, a keyboard, a mouse, or the like is used for the operation unit C6, and the field maintenance staff 109 or the security specialist 202 can perform predetermined operation input and instructions. The system monitoring device 103, the security monitoring device 105, and the incident management server 201 are provided with a display unit C5 and an operation unit C6. However, the display unit C5 and the operation unit C6 may not be provided in the control device 102, the security device 104, the one-way relay device 106, and the field data management server 107.

  As the nonvolatile storage C7, for example, an HDD (Hard Disk Drive), an SSD (Solid State Drive), a flexible disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, a nonvolatile memory, or the like is used. It is done. In addition to the OS (Operating System) and various parameters, a program for causing the computer C to function is recorded in the nonvolatile storage C7. The ROM C2 and the non-volatile storage C7 record programs and data necessary for the operation of the CPU C1, and are computer-readable non-transitory recording media storing programs executed by the computer C. Used as an example. Therefore, this program is permanently stored in the ROM C2 and the non-volatile storage C7.

  For example, a network interface card (NIC) or the like is used as the network interface C8, and various types of data can be transmitted and received between devices via a LAN (local-area network) connected to a terminal, a dedicated line, or the like. It is.

FIG. 5 is an explanatory diagram showing a configuration example of the abnormal data 1055 that the security monitoring apparatus 105 has.
The abnormal data 1055 shown in FIG. 5 includes a time 1055-1, a target device 1055-2, an incident level 1055-3, and an incident description 1055-4.

  The time 1055-1 stores the alert occurrence time transmitted from the control device 102 and the security device 104, that is, the incident occurrence time. The target device 1055-2 stores an IP (Internet Protocol) address of the incident occurrence source. The incident level 1055-3 stores a level determined by the severity of the incident. The incident description 1055-4 stores a description of the incident.

  For example, when the alert occurrence time is “January 30, 2017 15:30:50” by the abnormal data 1055, for an apparatus assigned “192.168.1.55” as an IP address, It indicates that an incident with an incident level of “3” has occurred. The content of the incident indicates that an unauthorized device is connected to a device assigned with “192.168.1.55” as an IP address.

  The incident level definition data shown in the lower part of FIG. 5 stores incident contents and definitions for each incident level. The incident level definition data is stored in, for example, the data reception / analysis unit 1031 of the system monitoring apparatus 103. The incident level definition data includes an incident level 1055-3, an incident 1055-3-1, and a system definition 1055-3-2.

  The incident level 1055-3 is uniquely determined by the incident 1055-3-1 derived by comparing the abnormal scenario 1053 with the alert acquired from the control device 102 or the security device 104 and stored in the alert storage unit 1052. Is done. For example, incident level “1” indicates a minor incident (minor failure), and incident levels “2” and “3” indicate a heavier incident (major failure). In the present embodiment, three types of incident levels “1” to “3” are defined, but more types of incident levels may be defined.

  The system definition 1055-3-2 is data for the system monitoring apparatus 103 to recognize the abnormal data 1055 transmitted from the security monitoring apparatus 105 to the system monitoring apparatus 103. For example, “warning”, “abnormal”, and the like are stored in the system definition 1055-3-2.

FIG. 6 is an explanatory diagram showing a configuration example of history data 1060-1 included in the security monitoring apparatus 105.
The history data 1060-1 includes an entry / exit time 1060-1-1, an exit time 1060-1-2, a user ID 1060-1-3, and a name 1060-1-4.
The entry / exit time 1060-1-1 is the time when the on-site maintenance staff 109 and the engineer 112 entered / exited the control system 10, and the exit time 1060-1-2 was the exit of the on-site maintenance staff 109 / engineer 112 from the control system 10. It's time. The user ID 1060-1-3 is the ID of the ID card uniquely lent to the field maintenance staff 109 and the engineer 112, and the name 1060-1-4 is the name of the user associated with the ID card or ID. It is.

  7 shows a procedure in which the security monitoring device 105 collects alerts from the control device 102 and the security device 104, collects history data 1060-1 from the physical security server 401, and notifies the system monitoring device 103 of abnormal data 1055. It is a flowchart to show. The control device 102, the security device 104, and the physical security server 401 transmit alerts and history data 1060-1 to the security monitoring device 105 in the same procedure. Here, a process in which the control device 102 transmits an alert and the physical security server 401 transmits history data 1060-1 will be described, and a description of a process in which the security device 104 transmits an alert will be omitted.

  First, the data collection / analysis unit 1021 of the control device 102 acquires an alert, and the history data 1060-1 is collected by the data collection unit 4011 of the physical security server 401 (S1). Next, the data collection / analysis unit 1021 of the control device 102 checks whether there is an untransmitted alert in the security monitoring device 105. The data transmission unit 4013 of the data collection unit 4011 of the physical security server 401 checks whether there is unsent history data 1060-1 in the security monitoring device 105 (S2). If there is an untransmitted alert (YES in S2), the alert transmitter 1023 transmits an alert to the security monitoring device 105 (S3). If there is untransmitted history data 1060-1 (YES in S2), the data transmission unit 4013 transmits the history data 1060-1 to the security monitoring device 105 (S3). If there is no unsent alert and history data 1060-1 (NO in S2), the data collection / analysis unit 1021 again waits for the acquisition of the alert, and the data collection unit 4011 acquires the history data 1060-1 again. Wait for.

  Next, the alert analysis / determination unit 1054 of the security monitoring apparatus 105 acquires and analyzes the alert transmitted from the control apparatus 102 and the history data 1060-1 transmitted from the physical security server 401 (S4). Then, the alert analysis / determination unit 1054 compares the alert and history data 1060-1 with the abnormal scenario 1053, and checks whether there is an incident (S5). The method of comparing the alert and history data 1060-1 with the abnormal scenario 1053 is performed based on, for example, whether or not the change in the alert and history data 1060-1 matches the change defined in the abnormal scenario 1053.

  When the alert analysis / determination unit 1054 determines that there is no incident (NO in S5), the alert analysis / determination unit 1054 again waits for acquisition of the alert and history data 1060-1. On the other hand, when the alert analysis / determination unit 1054 determines that there is an incident (YES in S5), the abnormality notification unit 1057 notifies the system monitoring device 103 of the abnormality data 1055 (S6).

  FIG. 8 is an explanatory diagram showing a display example of the system monitoring screen 30 displayed on the data display / operation unit 1034 of the system monitoring apparatus 103. The system monitoring screen 30 is implemented as one function of the data display / operation unit 1034 of the system monitoring apparatus 103.

  The system monitoring screen 30 displays a display time 31, legend information 32, a system monitoring area 33, and the like. The system monitoring area 33 shows a state in which a monitoring / operation terminal, a maintenance terminal, and a system monitoring device are connected to the network 1 (network 108 shown in FIG. 3). In the system monitoring area 33, the control server, the controller 1, the controller 2, and the security device 104 are shown connected to the network 2 (subnetwork 108a1 shown in FIG. 3). Note that the monitoring / operation terminal, the maintenance terminal, the control server, and the controllers 1 and 2 displayed in the system monitoring area 33 are all examples of the control device 102 shown in FIG. The system monitoring device 103 is a monitoring / operation terminal, maintenance terminal, control server, controllers 1 and 2, various alerts generated from the security device 104, abnormal data based on history data generated from the entrance / exit management device 110, etc. And the status of each device (major failure, minor failure, network abnormality, other abnormality, etc.) is displayed on the system monitoring screen 30.

  The field maintenance person 109 who operates the system monitoring apparatus 103 looks at the system monitoring screen 30 and confirms what kind of abnormality has occurred in the apparatus in which the alert has occurred. Then, when the field maintenance worker 109 clicks an icon indicating a control server, for example, detailed information 34 shown at the bottom of FIG. 8 is displayed. In the following description, a state in which a screen is displayed when a certain icon is clicked is represented by a dashed arrow. The detailed information 34 displays the type of abnormality, the name of the device in which the abnormality has occurred, and the content of the abnormality. Thereby, the field maintenance staff 109 can know the details of the abnormality and can deal with the abnormality.

  FIG. 9 is a flowchart illustrating a procedure in which the system monitoring apparatus 103 analyzes the abnormal data 1055 received from the security monitoring apparatus 105. 9, the security monitoring apparatus 105 is coupled to the connector B in FIG. 7, and the system monitoring apparatus 103 is coupled to the connector C in FIG.

  First, in the system monitoring apparatus 103, the data reception / analysis unit 1031 analyzes the abnormal data 1055 notified from the security monitoring apparatus 105. Then, the data reception / analysis unit 1031 refers to the incident level definition data, and assigns information indicating an abnormality of the system monitoring apparatus 103 to the abnormality data 1055 according to the incident level 1055-3 of the abnormality data 1055 (S11). . Examples of information indicating an abnormality of the system monitoring apparatus 103 include a minor failure and a major failure.

  Next, the data display / operation unit 1034 updates the display content of the system monitoring screen 30 based on the abnormality data 1055 to which information indicating abnormality is assigned (S12). Thereby, information (for example, legend information 32) indicating an abnormality detected by each device is displayed on the icon of each device.

  Then, the field maintenance worker 109 determines whether a system abnormality has occurred in the control system 10 based on the display content of the system monitoring screen 30 (S13). Here, an abnormality occurring in the control system 10 is referred to as a “system abnormality”. The system abnormality represents, for example, an incident that has occurred in the facility 101, and is an abnormality that can be dealt with as usual by the field maintenance staff 109 using a manual or the like. When the field maintenance person 109 determines that a system abnormality has occurred (YES in S13), the field maintenance person 109 deals with the system abnormality through the system monitoring screen 30 (S14).

  On the other hand, if the field maintenance worker 109 determines that an abnormality other than the system abnormality, that is, a security abnormality has occurred (NO in S13), the security monitoring device 105 takes action. The security abnormality is an abnormality that needs to be dealt with by the security monitoring apparatus 105. For this reason, the field maintenance staff 109 takes measures against the security abnormality in the security monitoring apparatus 105 as shown in FIG.

  FIG. 10 is an explanatory diagram showing a display example of an incident list screen 71 and an incident cause analysis screen 72 for performing cause analysis performed by the field maintenance staff 109 by operating the security monitoring apparatus 105 and coping with the cause analysis. The incident list screen 71 is displayed when the field maintenance worker 109 starts the execution program of the security monitoring apparatus 105.

  The incident list screen 71 shown in the upper part of FIG. 10 is a screen that displays the incident source identified by the security monitoring apparatus 105 and the range in which the incident occurred. The incident list screen 71 displays the occurrence time indicating the incident occurrence time, the occurrence location indicating the incident occurrence location, the incident level indicating the level of the incident that has occurred, and the content of the incident that has occurred. The incident occurrence time is equal to the alert occurrence time generated in the facility 101 or the security device 104, but may be a different time.

  A cause analysis button 711 is displayed on the upper right of the incident list screen 71. When the field maintenance worker 109 clicks the cause analysis button 711, one of the incident cause analysis screens 72 shown in the lower left or lower right of FIG. 10 is displayed according to the contents of the incident. The incident cause analysis screen 72 is used by the field maintenance staff 109 to perform the cause analysis of the incident.

  The incident cause analysis screen 72 displays a drop-down list for selecting a device in which an incident has occurred (referred to as “target device”). When the field maintenance worker 109 selects the target device 721-1 from the drop-down list, one of the incident transition areas 721-2 and 722-2 is displayed on the incident cause analysis screen 72. Which of the incident transition areas 721-2 and 722-2 is displayed on the incident cause analysis screen 72 depends on the actually occurring incident, in this example, the attack. Then, based on the result of the incident cause analysis performed through the incident cause analysis screen 72, the security monitoring device 105 instructs the security device 104 to deal with the incident.

  The incident transition area 721-2 shows how the target device attacks the same network. For example, the target device attacks the same network when the controller 1 of the subsystem 10a illustrated in FIG. 3 attacks the controller 2 connected to the same subnetwork 108a1. The controller 1 indicates that 16 incidents have occurred. A device that is connected to the subnetwork 108a1 to which the controller 1 is connected and is under attack is indicated by the same circle icon as the controller 1. When the incident transition area 721-2 is displayed, the field maintenance staff 109 takes action by clicking the button 721-3 for disconnecting the cause device. As a result, in the security device 104, the device that caused the incident (referred to as “cause device”) is disconnected from the network, and the cause device can prevent attacks on other devices in the same network.

  The incident transition area 722-2 illustrates a situation in which the target device attacks another network. That the target device attacks another network is, for example, that the controller 1 of the subsystem 10a illustrated in FIG. 3 attacks the controller 4 connected to the subnetwork 108a2 of the other subsystem 10b. A device that is connected to a subnetwork different from the subnetwork 108a1 to which the controller 1 is connected and is under attack is indicated by a square icon different from that of the controller 1. When the incident transition area 722-2 is displayed, the field maintenance person 109 clicks a button 721-4 for isolating the network and takes action. As a result, the security device 104 isolates the network targeted by the causal device and prevents the causal device from attacking other networks.

  FIG. 11 is a flowchart showing procedures for incident analysis and incident handling by the security monitoring apparatus 105. 11, the security device 104 is coupled to the connector A in FIG. 7, and the security monitoring device 105 is coupled to the connector D in FIG.

  First, the field maintenance worker 109 operates the security monitoring device 105 to start a security monitoring screen (not shown) (S21), and displays an incident list screen 71 (S22). The incident list screen 71 is a screen that is displayed on the security monitoring apparatus 105 after transitioning from the security monitoring screen.

  Next, the field maintenance worker 109 checks whether or not a serious incident has occurred according to the incident level displayed on the incident list screen 71 (S23). A serious incident is, for example, an incident with a high incident level (“3”).

  When the field maintenance worker 109 determines that a serious incident has not occurred (NO in S23), the process returns to step S22 and continues monitoring the incident list screen 71. On the other hand, if the field maintenance worker 109 determines that a serious incident has occurred (YES in S23), the cause maintenance button 711 is clicked to display the incident cause analysis screen 72 (S24).

  Next, the field maintenance worker 109 checks on the incident cause analysis screen 72 whether or not the cause of the incident is in the specific device (S25). The specific device is, for example, a device in the control system 10 that is considered to have a high possibility of causing an incident when the security monitoring device 105 detects the occurrence of an incident. At the time of step S25, it is unknown whether the specific device is the cause device.

  If there is a cause of the incident occurrence in the specific device, it is determined whether or not to disconnect the specific device from the network 108 in the subsequent processing. On the other hand, when there is no cause for the occurrence of an incident in the specific device, for example, when only an abnormality occurs in the data flowing in the network 108, it is not necessary to disconnect the specific device from the network 108 in the subsequent processing.

  For this reason, when the field maintenance worker 109 determines that the cause of the incident is not in the specific device (NO in S25), the process ends. In addition, it returns to step S24 and the field maintenance worker 109 may continue confirmation of the incident cause analysis screen 72. FIG.

  On the other hand, when the field maintenance worker 109 determines that the cause of the incident is the specific device (YES in S25), the security monitoring device 105 checks whether or not the attack is in the same network (S26). When it is determined that the attack is not within the same network (NO in S26), the process proceeds to step S29. On the other hand, if the attack is in the same network (YES in S26), the field maintenance staff 109 determines whether or not there is an impact on the business by disconnecting the specific device that caused the incident, that is, the cause device from the network. Confirm (S27).

  For example, when the controllers 1 to 3 are connected to the network 2 as shown in the system monitoring area 33 of FIG. is there. For this reason, the field maintenance worker 109 can determine that the controller 1 can be disconnected if the operation is not affected even if the controller 1 is disconnected. On the other hand, if the field maintenance worker 109 determines that disconnecting the controller 1 has an effect on the business, it can determine that the controller 1 is not disconnected from the network 2.

  If the cause of the device is affected by the disconnection of the cause device (YES in S27), the process is terminated without disconnecting the cause device. On the other hand, if the work is not affected even if the cause device is disconnected (NO in S27), the field maintenance staff 109 instructs the security device 104 to disconnect the cause device from the security monitoring device 105 (S28). The cause device disconnection instruction is performed when the field maintenance staff 109 clicks the button 721-3 for disconnecting the cause device shown in FIG. 10 displayed on the security monitoring device 105. The security device 104 then disconnects the cause device in accordance with the instruction from the security monitoring device 105 (S33). As a result, an attack on the other device cannot be performed from the cause device.

  When the security monitoring apparatus 105 determines in step S26 that the attack is not within the same network (NO in S26), the field maintenance staff 109 checks whether or not the attack is on another network. If the attack is on another network (YES in S29), the field maintenance staff 109 determines whether or not the isolation of the other network that is the attack target has an effect on the business (S30). If isolation of another network has an effect on the business (YES in S30), this process is terminated without isolating the other network.

  If the isolation of the other network does not affect the business (NO in S30), the field maintenance staff 109 issues an instruction to the security device 104 to isolate the other network attacked by the cause device (S31). The instruction to isolate the other network is made when the field maintenance staff 109 clicks the button 721-4 for isolating the network shown in FIG. 10 displayed on the security monitoring apparatus 105. Then, the security device 104 isolates the other network in accordance with the instruction from the security monitoring device 105 (S34). Thereby, other networks can be protected from attacks. And after NO of step S31 or step S29, the field maintenance worker 109 terminates a security monitoring screen (S32).

  FIG. 12 is a flowchart illustrating a procedure in which the security monitoring apparatus 105 transmits alert, abnormality data 1055, and history data 1060-1 to the incident management server 201 of the monitoring center 20.

  First, the alert notification unit 1058 of the security monitoring apparatus 105 acquires an alert from the alert storage unit 1052. The abnormality notification unit 1057 acquires the abnormality data 1055 and acquires the history data 1060-1 from the history data storage unit 1060 (S41). Then, the alert notification unit 1058 checks whether there is an untransmitted alert in the monitoring center 20, and the abnormality notification unit 1057 determines whether there is abnormal data 1055 and history data 1060-1 that have not been transmitted to the monitoring center 20. It is checked whether or not (S42).

  If there is an unsent alert (YES in S42), the alert notification unit 1058 of the security monitoring device 105 reads the alert stored in the alert storage unit 1052, and transmits the alert to the one-way relay device 106. When there is untransmitted abnormality data 1055 and history data 1060-1, the abnormality notification unit 1057 transmits the abnormality data 1055 and history data 1060-1 to the one-way relay device 106 (S43). On the other hand, if there is no untransmitted alert, abnormal data 1055, and history data 1060-1 (NO in S42), the process returns to step S41, and the alert notification unit 1058 and the abnormal notification unit 1057 enter a data transmission wait state.

  Next, the alert, abnormality data 1055, and history data 1060-1 transmitted from the security monitoring device 105 are relayed to the field data management server 107 by the one-way relay device 106 (S44). Alerts, abnormality data 1055, and history data 1060-1 relayed from the one-way relay device 106 are accumulated in the field data management server 107 (S45).

  The incident management server 201 of the monitoring center 20 determines whether it is time to acquire the alert, abnormality data 1055, and history data 1060-1 from the site data management server 107 (S46). The time at which the alert, abnormal data 1055, and history data 1060-1 are acquired may be, for example, a fixed time or time every 30 minutes.

  If it is time to acquire the alert, abnormality data 1055 and history data 1060-1 from the site data management server 107 (YES in S46), the incident management server 201 sends an alert, abnormality data 1055 and Queries the presence / absence of history data 1060-1. Then, the incident management server 201 acquires alert, abnormality data 1055, and history data 1060-1 from the site data management server 107 (S47). At this time, the incident management server 201 confirms whether the unacquired alert, abnormality data 1055, and history data 1060-1 are accumulated in the site data management server 107, and the unacquired alert, abnormality data 1055, and history data 1060- 1 is acquired from the field data management server 107. Then, the incident management server 201 stores the alert, abnormal data 1055, and history data 1060-1 in a storage unit (not shown) provided in the incident management server 201 (S48).

  On the other hand, if it is not time to acquire the alert, abnormal data 1055, and history data 1060-1 (NO in S46), the incident management server 201 will again acquire the alert, abnormal data 1055, and history data 1060-1. Wait until acquisition. The incident management server 201 receives the alert, abnormality data 1055, and history data 1060-1 from the field data management server 107 immediately after the alert, abnormality data 1055, and history data 1060-1 are accumulated in the field data management server 107. You may get it.

Here, even if an incident is dealt with each time an incident occurs by the security monitoring device 105, the system monitoring device 103, and the security device 104, the following situations (1) to (5) may occur.
(1) Incidence has frequently occurred recently.
(2) There are many attacks originating from a specific device.
(3) A specific device is frequently targeted for attack.
(4) There are many specific attacks.
(5) There are many specific attacks at other sites.

  For this reason, the security monitoring system 1 not only enables incident analysis and response by the security monitoring device 105, but also enables fundamental analysis and examination of root countermeasures by the security expert 202 using the incident management server 201. And The incident management server 201 not only accumulates alerts, abnormality data 1055, and history data 1060-1 acquired from the security monitoring apparatus 105 over a long period of time, but also accumulates data of other control systems 10. For this reason, the security expert 202 can use the incident management server 201 to examine a wide range, detailed analysis, and countermeasures for the incident that has occurred, using the knowledge and know-how possessed by the security expert 202 itself. It becomes. Below, the incident analysis screen used in order to perform the fundamental analysis performed by the security expert 202 of the monitoring center 20 and examination of a fundamental countermeasure is demonstrated.

  FIG. 13 is an explanatory diagram showing a display example of an incident analysis screen displayed on the incident management server 201.

  The incident analysis screen 1001 is displayed on the incident management server 201 when the security expert 202 activates the execution program in the incident management server 201. The incident analysis screen 1001 is used by the security expert 202 to analyze an incident. First, on the incident analysis screen 1001, only the site name 1002 and the target device 1003 are displayed.

In the site name 1002, a site name (customer name) uniquely given to the control system 10 is displayed. In this example, “customer 1” is displayed as the site name.
In the target device 1003, information for specifying a device (target device) for which the security expert 202 intends to analyze an incident is displayed. As information for specifying the target device, for example, there are an IP address and a device name which are dynamically given to the device.

  An incident list 1004 and an incident transition area 1005 are displayed on the incident analysis screen 1001 as information about incidents that have occurred in the target device 1003 selected by the security expert 202 to confirm the contents of the incident. The incident list 1004 is a list of incidents that have occurred in the control system 10. For example, incidents that have occurred in the control server selected by the target device 1003 are shown.

  In the incident list 1004, the time when the incident occurred in the apparatus selected by the security expert 202 in the target apparatus 1003, the incident level, and the contents of the incident are displayed. From the incident list 1004, for example, it is understood that the content of the incident whose incident level is “3” at the time “January 10, 2017 12:35:40” “a large number of packets have been transmitted from the specific device”.

  In the incident transition area 1005, the incident level displayed in the incident list 1004 and the number of incidents are displayed. The arrows in the figure indicate the incident origin and that another incident has occurred due to the influence of the origin. Due to the incident transition area 1005, one incident with the incident level “1” has occurred in the control server, and 16 incidents with the incident level “3” have occurred due to the influence of the incident with the incident level “1”. Is shown.

  When the security expert 202 clicks the display button 1005-1 at the origin that is added to the incident origin in the incident transition area 1005, an incident transition area 1006 (displayed by the origin) that visualizes the transition of the incident is displayed. Is done. It can be seen from the incident transition area 1006 that the source of the incident that occurred in the control server is the maintenance terminal. The incident transition area 1006 causes one maintenance terminal to generate one incident with an incident level of “1” and 10 incidents with an incident level of “3”. It is shown that it became the origin of

  Then, together with the incident transition area 1006, a fundamental countermeasure setting screen 1008 is displayed. The root countermeasure setting screen 1008 is used to set information on an incident source and a root countermeasure to the incident origin. The root countermeasure setting screen 1008 displays a drop-down list in which information about the target device, root cause, root countermeasure, etc. can be set. The security expert 202 refers to the incident transition area 1005 and the incident transition area (displayed by the source) 1006 and clicks a setting button 1008-1 on the root countermeasure setting screen 1008, so that the target device, root cause, and root countermeasure are selected. Set. For example, since the root cause of the incident that occurred in the maintenance terminal is a virus infection, a setting is made so that virus removal is the root countermeasure.

  When the security expert 202 clicks the case search button 1007-1 at the lower right of the incident transition area 1006, similar root cause search results 1009-1 are displayed under the incident transition area 1006. The similar root cause search result 1009-1 displays the root causes of incidents that occurred in the past that are similar to the root cause of the incident that occurred this time. Then, information indicating what root cause has been adopted in the past and set on the root countermeasure setting screen 1008 is shown. Similar root cause search results 1009-1 indicate that “the target device was infected with a virus” in the past was adopted and set 10 times as the root cause.

  When the security expert 202 clicks a history data display button 1007-2 at the lower right of the incident transition area 1006, a history data display result 1009-2 shown in FIG. 14 is displayed.

FIG. 14 is an explanatory diagram of a display example of the history data display result 1009-2.
In the history data display result 1009-2, history data 1060-1 near the time of the incident list 1004 is displayed based on the history data 1060-1 acquired from the physical security server 401 of the physical security system 40. That is, the history data display result 1009-2 displays the result of searching the history data 1060-1 with the incident occurrence time displayed in the incident list 1004. The history data display result 1009-2 displays the engineer 112 who was near the device in which the incident occurred. The security expert 202 can determine whether or not there has been an internal attack by analyzing the history data and the incident occurrence history.

  Further, when the security expert 202 sets the basic countermeasure on the fundamental countermeasure setting screen 1008 and clicks the report output button 1008-2, a report output result 1010 is output. The report output result 1010 is not only displayed in the incident analysis screen 1001 but may be printed on paper or the like. The report output result 1010 displays an incident countermeasure report indicating how to deal with the incident. As a result, the on-site maintenance staff 109 at the local site can know the root cause and the countermeasure of the incident examined by the security expert 202. Then, the field maintenance worker 109 can take measures to remove the virus from the maintenance terminal, for example, according to the report output result 1010.

(Basic analysis, preparation of countermeasure examples)
FIG. 15 is a flowchart showing a procedure of fundamental analysis and examination of fundamental countermeasures performed by the security expert 202. The following processing is performed when the security specialist 202 operates the incident management server 201.

  First, the security expert 202 in the monitoring center 20 inputs basic information (S51). The basic information is, for example, information on devices constituting the control system 10.

  Next, the incident management server 201 displays the incident analysis screen 1001 (S52). Then, the security expert 202 uses the incident analysis screen 1001 to examine the cause of the incident and a countermeasure (S53).

  Next, the security expert 202 inputs the cause of the incident on the incident analysis screen 1001 (S54), presses the report output button 1008-2, and outputs a report (S55). The field maintenance staff 109 actually takes action by the control system 10 provided at the site based on the output report (S56).

  Then, the security expert 202 determines whether or not the countermeasure has been completed at the local site (S57). If the security expert 202 determines that the countermeasure has been completed (YES in S57), the process ends. On the other hand, if it is determined that the countermeasure has not been completed (NO in S57), the security expert 202 returns to step S51 and analyzes the incident again.

  FIG. 16 is a flowchart showing a procedure of fundamental countermeasure examination by fundamental analysis and utilization of countermeasure examples carried out by the security expert 202 of the monitoring center 20. The following processing is also performed by operating the incident management server 201 by the security expert 202. Steps S61 and S62 shown in FIG. 16 are the same processes as S51 and S52 shown in FIG.

  The incident analysis screen 1001 displayed in step S62 displays incidents that occurred in the past similar to the incident that occurred this time and countermeasures that have been taken in the past (S63). Then, the security expert 202 examines the cause and countermeasure of the incident based on the display content of the incident analysis screen 1001 (S64), and outputs a report (S65). The field maintenance staff 109 actually takes action by the control system 10 provided at the site based on the output report (S56).

  After that, as in step S57 in FIG. 15, the security expert 202 determines whether or not the countermeasure has been completed at the local site (S67). If the countermeasure has been completed, the processing is terminated and the countermeasure is completed. If not, the process returns to step S61 to analyze the incident again.

  In the security monitoring system 1 according to the embodiment described above, when an incident occurs in the control system 10, an alert is transmitted from the control device 102 and the security device 104 to the security monitoring device 105. Also, history data 1060-1 is transmitted from the physical security server 401 to the security monitoring apparatus 105. The security monitoring device 105 compares the alert collected from the control device 102 and the security device 104 and the history data 1060-1 collected from the physical security server 401 with the abnormal scenario 1053, and detects the presence or absence of an incident. If the incident is related to the control device 102, the system monitoring device 103 is instructed to deal with the incident. If the incident is related to security, the security device 104 is instructed to deal with the incident. Thus, it becomes possible to detect an incident in the same procedure as other abnormality detection that occurs in the control system 10 that the field maintenance staff 109 is familiar with, and the field maintenance staff 109 promptly copes with the incident that occurred in the control system 10. It becomes possible to do. Further, since it is known which apparatus or device should handle the incident, the field maintenance staff 109 can quickly handle the incident using the control system 10 that is familiar to the user.

  In addition, incidents that cannot be dealt with by the field maintenance staff 109 alone are analyzed by a security expert 202 who operates the incident management server 201 based on dealing with incidents that have been made in the past. As described above, the field maintenance staff 109 and the security expert 202 can share the alert, the abnormality data 1055, and the history data 1060-1. Then, effective countermeasures are instructed from the security specialist 202 to the field maintenance staff 109. The countermeasure instructed by the security specialist 202 is the same as or similar to the existing system monitoring method performed in the control system 10 operated by the field maintenance staff 109. For this reason, the field maintenance worker 109 can quickly deal with the incident by the method instructed by the security expert 202. In this way, the field maintenance staff 109 and the security specialist 202 can cooperate to deal with the incident.

  Further, the incident management server 201 and the site data management server 107 are connected by a secure network N such as VPN. A one-way relay device 106 provided between the security monitoring device 105 and the field data management server 107 prevents unauthorized access from outside the control system 10. For this reason, it is possible to prevent an unauthorized process from being performed on each device in the control system 10 by a third party.

  Note that the control system 10 may not include the one-way relay device 106 and the on-site data management server 107. In this case, the security monitoring apparatus 105 may transmit the alarm and abnormality data 1055 and the history data 1060-1 to the incident management server 201 every time an alarm occurs.

And this invention is not restricted to embodiment mentioned above, Of course, unless it deviates from the summary of this invention described in the claim, other various application examples and modifications can be taken.
For example, the above-described embodiment is a detailed and specific description of the configuration of the apparatus and the system in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to one having all the described configurations. In addition, a part of the configuration of the embodiment described here can be replaced with the configuration of the other embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Is possible. Moreover, it is also possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.
Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

DESCRIPTION OF SYMBOLS 1 ... Security monitoring system, 10 ... Control system, 20 ... Monitoring center, 30 ... System monitoring screen, 40 ... Physical security system, 71 ... Incident list screen, 72 ... Incident cause analysis screen, 101 ... Equipment, 102 ... Control device, DESCRIPTION OF SYMBOLS 103 ... System monitoring apparatus, 104 ... Security apparatus, 105 ... Security monitoring apparatus, 106 ... One-way relay apparatus, 107 ... Field data management server, 108 ... Network, 109 ... Field maintenance worker, 201 ... Incident management server, 202 ... Security Expert, 401 ... physical security server, 1001 ... incident analysis screen

Claims (7)

A control system that controls the operation of the facility; a physical security system that is connected to the control system and that monitors and controls entry and exit of the field maintenance personnel using the control system; and a network connected to the control system. An incident management server that is connected and manages incidents that occur in the control system,
The control system includes:
A control device for detecting an alert generated in the facility;
A security device for detecting the alert generated in the control system;
A system monitoring device that monitors the control system and handles the incident occurring in the control system;
The alert collected from the control device or the security device is compared with an abnormal scenario representing the behavior of the incident, and when the control system detects that the incident has occurred, abnormal data including the content of the incident is obtained. A security monitoring device for transmitting to the system monitoring device,
The physical security system is:
A physical security server for managing physical security history data acquired from an entrance / exit management device or a monitoring camera device;
The system monitoring device analyzes the abnormality data, handles the incident that can be handled by the system monitoring device, and instructs the security monitoring device to deal with the incident that cannot be handled by the system monitoring device,
The security monitoring device deals with the incident analyzed according to instructions from the system monitoring device,
The incident management server
Analyzing the alert, the abnormal data and the physical security history data collected through the security monitoring device, to the field maintenance staff to the incident that could not be dealt with by the system monitoring device and the security monitoring device Security monitoring system that directs countermeasures. The incident management server accumulates the incident generated in a control system different from the control system, and a countermeasure for the incident, and is analyzed by a security expert who operates the incident management server. The security monitoring system according to claim 1, wherein a response to the incident is set based on an analysis result. And a one-way relay device that permits relaying of data transmitted from the control system to the incident management server and disallows relaying of data transmitted from the incident management server to the control system. The security monitoring system according to claim 2. Further, the control system includes a site data management server that is provided at a location accessible by the incident management server and stores the alert and the abnormal data.
The security monitoring system according to claim 3, wherein the incident management server acquires the alert and the abnormal data from the field data management server at a predetermined timing. The incident management server displays an incident analysis screen for a security expert to analyze the incident, and the incident analysis screen displays a transition of the incident along with a list of the incidents generated in the control system. The security monitoring system according to claim 4, further comprising: a screen, information on the incident source, and a screen for setting a fundamental response to the incident source. The security monitoring device identifies the source of the incident and the range in which the incident has occurred, displays the source of the incident and the range in which the incident has occurred on an incident list screen, and analyzes the cause of the incident Display the incident cause analysis screen where
The security monitoring system according to claim 4, wherein the security monitoring apparatus instructs the security device to deal with the incident based on a result of the cause analysis of the incident performed through the incident cause analysis screen. A control system that controls the operation of the facility; a physical security system that is connected to the control system and that monitors and controls entry and exit of the field maintenance personnel using the control system; and a network connected to the control system. An incident management server for managing incidents that are connected and occur in the control system, and a security monitoring method performed by a security monitoring system comprising:
The control system includes:
A control device for detecting an alert generated in the facility, a security device for detecting the alert generated in the control system, a system monitoring device for monitoring the incident generated in the control system and dealing with the incident And a security monitoring device,
When the security monitoring device compares the alert collected from the control device or the security device with an abnormal scenario representing the behavior of the incident, and detects that the incident has occurred in the control system, Transmitting abnormal data including contents to the system monitoring device;
The physical security system managing physical security history data acquired from an entrance / exit management device or a monitoring camera device;
The system monitoring device analyzes the abnormal data, takes action on the incident that can be handled by the system monitoring device, and instructs the security monitoring device to deal with the incident that cannot be handled by the system monitoring device When,
The security monitoring device responding to the incident analyzed according to instructions from the system monitoring device;
The incident management server analyzes the alert, the abnormality data, and the physical security history data collected through the security monitoring device, and copes with the system maintenance device and the security monitoring device with respect to the field maintenance staff. And a step of instructing a response to the incident that could not be completed.

Images