JP2021111003A - Security monitoring system and security monitoring method - Google Patents

Abstract

To appropriately determine whether or not a cause of an incident is due to a cyber attack.SOLUTION: A security monitoring system comprises: an input unit 110 which collects process value data obtained by a control system, and collects physical data indicating a physical state about the control system; a risk digitization unit 130 which digitizes a risk based on the process value data collected by the input unit, and digitizes the risk based on the physical data; an accident information database unit 150 which accumulates information on past incidents; and an incident determination unit 140 which determines whether or not a cause of the incident is due to a cyber attack, by comparing a numerical value of the risk obtained by the risk digitization unit, and the information accumulated by the accident information database unit.SELECTED DRAWING: Figure 3

Description

The present invention relates to a security monitoring system and a security monitoring method.

In a control system that controls a plant such as a power plant, it is necessary to monitor the occurrence of an incident such as a cyber attack due to unauthorized access from the outside. In the conventional control system of this type, it is determined whether or not the cause of the incident that has occurred is a cyber attack based only on the input / output data to the control system.

Patent Document 1 describes a technique for determining whether an abnormality is a device or transmission line failure or a cyber attack when an abnormality is detected in a control system. Specifically, there is a description of a technique of adding an error detection code to the transmission data in the control system and using the error detection code on the receiving side to determine whether the data body is normal or abnormal.

JP-A-2017-192105

When an incident occurs in a control system, there are various possible causes of the incident. In order to determine whether an incident is caused by a cyber attack, the location and cause of the incident are manually collated with the communication log, operation log, and vulnerability information of the equipment. Therefore, when an incident occurs, it is necessary to identify the location and cause of the incident, and then determine the priority of the equipment to be dealt with and whether or not the plant operation can be continued. In order to identify the location and cause of such an incident, it is necessary to be familiar with the plant equipment of the relevant control system. In addition, since it is necessary to be familiar with cyber security, only a limited number of people can determine the location and cause of an incident.

As a prior art, for example, as described in Patent Document 1, it has been conventionally known to detect an abnormality at a specific location such as a transmission line by using a specific method such as an error detection code. However, in reality, there are various locations and causes of incidents, and the conventional method is insufficient as a method for determining the cause when an incident occurs.

Usually, when an incident occurs, the cause cannot be determined immediately, and it takes a lot of time to take a final action on the incident. In addition, due to the nature of control systems such as power plants and production equipment, it is important to operate them continuously, and there is also a situation in which it is desirable to avoid stopping the control system unless it is unavoidable.

An object of the present invention is to provide a security monitoring system and a security monitoring method capable of appropriately determining whether or not the cause of an incident is a cyber attack.

In order to solve the above problems, for example, the configuration described in the claims is adopted.
The present application includes a plurality of means for solving the above problems. For example, data on process values obtained by a control system and physical data indicating a physical status of the control system are collected. The input unit to be used, the risk quantification unit that quantifies the risk based on the process value data collected by the input unit, and the risk quantification unit that quantifies the risk based on the physical data, and the information about past incidents are accumulated. Incident that determines whether the cause of the incident is due to a cyber attack by comparing the numerical value of the risk obtained by the accident information database department and the risk quantification department with the information accumulated in the accident information database department. It is a security monitoring system equipped with a discrimination unit.

According to the present invention, it is possible to quickly determine the cause of an incident that has occurred and notify a control system observer or the like of the cause of the incident.
Issues, configurations and effects other than those described above will be clarified by the description of the following embodiments.

It is a block diagram which shows the configuration example of the whole control system including the security monitoring system by one Embodiment of this invention. It is a figure which shows the structural example of the control system by one Embodiment of this invention. It is a block diagram which shows the configuration example of the security monitoring system by the example of one Embodiment of this invention. It is a block diagram which shows the hardware configuration example of the security monitoring system by the example of one Embodiment of this invention. It is a flowchart which shows the operation example of the security monitoring system by one Embodiment of this invention. It is a figure which shows the calculation example of the physical information risk by one Embodiment of this invention. It is a figure which shows the example of the discrimination table of the incident discrimination part by the example of one Embodiment of this invention. It is a figure which shows the example of the display screen by the example of one Embodiment of this invention.

Hereinafter, an example of an embodiment of the present invention (hereinafter referred to as “this example”) will be described with reference to the accompanying drawings.
[Overall configuration of control system]
FIG. 1 shows the overall configuration of the control system of this example.
In the control system of this example, the plant 200 is controlled by the control server 410 installed in the control equipment room 400, and the operation status of the plant 200 and the control status in the control server 410 are set in the central monitoring room 300. It is monitored by the plant monitoring device 310. A control system network 500 is constructed between the control server 410 and the plant 200 or the plant monitoring device 310, and data transmission is performed via the control system network 500.
A security monitoring system 100 is connected to the control system network 500.

The plant 200 includes a field plant control device 210 and a plant main engine 220. Various measuring instruments are installed in the plant main engine 220, and the measurement signals measured by these measuring instruments are transmitted to the on-site plant control device 210.
The control server 410 and the plant control device 420 are for controlling the plant 200 from a remote location.

The control server 410 transmits an operation signal to the on-site plant control device 210 in the plant 200 via the plant control device 420. The field plant control device 210 controls the plant main engine 220 to a desired operating state based on the operation signal transmitted from the plant control device 420.

Further, the control server 410 collects data indicating the state of the on-site plant control device 210 and the plant main engine 220 and the measured values of the sensors installed in the plant main engine 220 via the plant control device 420, and collects these data. Hold as a process value. The process values collected by the control server 410 are stored in the security monitoring system 100.

The security device 430 collects the network load, communication type, operation history, application startup history, etc. of the control system network 500, the control server 410, and the plant monitoring device 310, and holds such information as a security status. The security status collected by the security device 430 is stored in the security monitoring system 100.

The physical server 440 collects the number of occupants, occupant information, entry / exit history, etc. from the camera 510 and the entry / exit management system 520, and holds these information as the physical status.
The camera 510 is installed in each area constituting the control system of this example. The entry / exit management system 520 manages entry / exit to / from each area constituting the control system of this example.

For example, the camera 510 is installed in the central monitoring room 300 or the control equipment room 400, and detects the number of people in the photographing area by image processing. In addition, the camera 510 determines where in the room each recognized person is, and detects the behavior of the recognized person.
The entry / exit management system 520 measures the number of people entering and leaving the central monitoring room 300 and the control equipment room 400. In addition, the entry / exit management system 520 manages whether or not a person entering or leaving the room is a person registered in advance (such as an operator engaged in plant operation work).
The camera 510 and the entrance / exit management system 520 may be provided at the place where the plant 200 is installed.

The physical server 440 sends physical data indicating the physical status collected from the camera 510 and the entry / exit management system 520 to the security monitoring system 100, and causes the security monitoring system 100 to store the physical data.

The security monitoring system 100 includes a risk quantification unit 130 and an incident determination unit 140 as arithmetic units. Further, the security monitoring system 100 includes an accident information database unit 150, a result database unit 160, and an aggregate information database unit 170 as databases for accumulating information. In the drawings, the database is abbreviated as "DB".

Further, the security monitoring system 100 includes an external input unit 110 for inputting data and an external output unit 120 for outputting data as an interface with the outside.
The external input unit 110 takes in the process value collected by the control server 410, the security status collected by the security device 430, and the physical status data collected by the physical server 440 into the security monitoring system 100. Further, the fact that an accident has occurred in the plant is also taken into the security monitoring system 100 via the external input unit 110.

Further, an external input signal operated by an input device 460 such as a keyboard and a mouse provided in the control equipment room 400 is also taken into the security monitoring system 100 via the external input unit 110. The process value, the security status, and the physical status data taken in via the external input unit 110 are stored in the aggregated information database unit 170.

The risk quantification unit 130 acquires the deviation of the process value, the security status, and the physical status from the aggregated information database unit 170, and quantifies the security risk. Specific examples of quantifying risk will be described later.

The incident determination unit 140 compares the risk value output by the risk quantification unit 130 with the risk value of the accident information database unit 150 in the past accident, and determines whether or not the accident that has occurred is a security incident. The determination result in the incident determination unit 140 and various data (deviation of process values, security status, physical status) before and after the occurrence of the accident are stored in the accident information database unit 150 and the result database unit 160.

Data such as process value deviation, security status, and physical status also include risk value data described later. Further, the accident information database unit 150 and the result database unit 160 include data on the causes of past accidents.
The determination result of the incident determination unit 140 is output to the display device 450 provided in the plant monitoring device 310 and the control equipment room 400 via the external output unit 120.

In the configuration shown in FIG. 1, the risk quantification unit 130, the incident determination unit 140, the accident information database unit 150, the result database unit 160, and the aggregate information database unit 170 are provided inside the security monitoring system 100. On the other hand, at least a part of the risk quantification unit 130, the incident determination unit 140, the accident information database unit 150, the result database unit 160, and the aggregate information database unit 170 is arranged outside the security monitoring system 100. You may.

[Example of plant]
FIG. 2 shows an example of the plant 200.
The example shown in FIG. 2 shows a case where the plant 200 is a power plant using a gas turbine.
The plant 200 includes a plant main engine 220 and a field plant control device 210. The plant main engine 220 here is a gas turbine generator. The plant main engine 220, which is a gas turbine generator, includes a generator 221 and a compressor 222, a combustor 223 and a turbine 224.

At the time of power generation, the air sucked by the compressor 222 is compressed into compressed air, and this compressed air is sent to the combustor 223 to be mixed with fuel and burned. The turbine 224 is rotated by the high-pressure gas generated by combustion, and the generator 221 generates electricity.

The on-site plant control device 210 controls the output of the plant main engine (gas turbine generator) 220 according to the power demand. Operation data 202 measured by a sensor (not shown) installed in the plant main engine (gas turbine generator) 220 is input to the on-site plant control device 210. The operation data 202 is data of state quantities such as intake air temperature, fuel input amount, turbine gas temperature, turbine rotation speed, generator power generation amount, and turbine vibration, and is data measured for each sampling cycle. The operation data 202 also includes meteorological information such as atmospheric temperature.

The on-site plant control device 210 uses these operation data 202 to calculate a control signal 201 for controlling the plant main engine (gas turbine generator) 220. Further, the on-site plant control device 210 performs a process of generating an alarm when the value of the operation data 202 deviates from a preset range. The alarm signal is processed as a digital signal of "1" when the operation data 202 deviates from the preset range, and "0" when the operation data 202 is within the range. When the alarm signal is "1", the operator is notified of the content of the alarm by sound or screen display.

The field plant control device 210 transmits the measured operation data 202, the control signal 201 calculated by the field plant control device 210, and the measurement signal including the alarm signal to the control server 410 via the plant control device 420. ..

When such a gas turbine generator is used as the plant main engine 220, fuel is input to the centralized information database unit 170 of the security monitoring system 100 to control at least the output of the plant main engine (gas turbine generator) 220 as an operation signal. The amount, the command value of the turbine rotation speed, and the measurement signal are saved. The stored measurement signals include at least state quantities such as intake air temperature, fuel input, turbine exhaust gas temperature, turbine speed, generator power generation, and turbine shaft vibration.

[Security monitoring system configuration]
FIG. 3 is a block diagram of the security monitoring system 100.
In FIG. 3, the outside of the security monitoring system 100 shows the flow of data input to the external input unit 110 and the flow of data output from the external output unit 120.

The process value collected by the control server 410, the security status collected by the security device 430, and the physical status data collected by the physical server 440 are supplied to the external input unit 110 of the security monitoring system 100. Further, the operation information of the input device 460 installed in the control equipment room 400 (FIG. 1) is also supplied to the external input unit 110.

The aggregated information database unit 170 stores process values, security status, and physical status data taken in via the external input unit 110.
The risk quantification unit 130 acquires the deviation of the process value, the security status, and the physical status from the aggregated information database unit 170, and performs a process of quantifying the security risk (risk quantification process). Specific examples of quantifying risk will be described later.

The incident determination unit 140 compares the risk value output by the risk quantification unit 130 with the risk value of the accident information database unit 150 in the past accident, and determines whether or not the accident that has occurred is a security incident. The determination result in the incident determination unit 140 and various data before and after the accident occurrence are stored in the accident information database unit 150 and the result database unit 160.

The determination result of the incident determination unit 140 is output to the plant monitoring device 310 and the display device 450 via the external output unit 120. The operator of the control equipment room 400 confirms the determination result of the incident determination unit 140 by the notification by the display on the plant monitoring device 310 or the display device 450 or the like.

[Example of hardware configuration of security monitoring system]
The security monitoring system 100 can be configured by, for example, a computer.
FIG. 4 shows a hardware configuration when the security monitoring system 100 is configured by a computer.
The computer functioning as the security monitoring system 100 includes a CPU (Central Processing Unit) 11 connected to each bus, a ROM (Read Only Memory) 12, and a RAM (Random Access Memory) 13. Further, the security monitoring system 100 includes a non-volatile storage 14, a network interface 15, an input device 16, and a display device 17.

The CPU 11 is an arithmetic processing unit that reads a program code of software that executes arithmetic processing in the risk quantification unit 130 and the incident determination unit 140 from the ROM 12 and executes the arithmetic processing. Variables, parameters, etc. generated during the arithmetic processing are temporarily written in the RAM 13.

For the non-volatile storage 14, for example, a large-capacity information storage unit such as an HDD (Hard Disk Drive) or an SSD (Solid State Drive) is used. The non-volatile storage 14 stores each data constituting the accident information database unit 150, the result database unit 160, and the aggregated information database unit 170.

For the network interface 15, for example, a NIC (Network Interface Card) or the like is used.
The input device 16 performs input processing of various information necessary for setting the security monitoring system 100 and the like.
The display device 17 displays the operating status of the security monitoring system 100 and the like.

The display device 450 and the input device 460 included in the control equipment room 400 (FIG. 1) may also be connected to the computer shown in FIG. 4 to perform display processing and input processing under the control of the CPU 11.
Further, the security monitoring system 100 is configured by the computer shown in FIG. 4 as an example, and may be configured by a device other than the computer that performs arithmetic processing. For example, a part or all of the functions performed by the security monitoring system 100 may be realized by hardware such as FPGA (Field Programmable Gate Array) or ASIC (Application Specific Integrated Circuit).

[Processing of security monitoring system]
FIG. 5 is a flowchart showing a flow of processing operations performed by the security monitoring system 100.
First, the external input unit 110 captures the process value, the security status, and the physical status, and stores the captured data in the aggregated information database unit 170 (step R10).
Then, the security monitoring system 100 determines whether or not the external input unit 110 has acquired the information indicating that the accident has occurred (step R20). When it is determined in step R20 that no accident has occurred (No in step R20), the process returns to the process of capturing the process value, security status, and physical status in step R10.

Then, when it is determined in step R20 that an accident has occurred (Yes in step R20), the risk quantification unit 130 acquires the process values before and after the accident from the aggregated information database unit 170, and before and after the accident occurs. The risk is quantified from the process value (step R30). Here, the value obtained by quantifying the risk of the process value is referred to as PR.
Subsequently, the risk quantification unit 130 acquires the security status before and after the accident from the aggregated information database unit 170, and quantifies the risk of the security status (step R40). Here, the value obtained by quantifying the risk of the security situation is referred to as SR.

Further, the risk quantification unit 130 acquires the physical status before and after the accident occurrence (or at the time of the accident occurrence) from the aggregated information database unit 170, and quantifies the risk of the physical situation (step R50). Here, the value obtained by quantifying the risk of the physical situation is referred to as FR.

Next, the incident determination unit 140 compares the risk values (PR, SR, FR) quantified in steps R30, R40, and R50 with the risk values of past accidents held by the accident information database unit 150. .. In this comparison, the incident determination unit 140 determines whether or not the accident that occurred is a security incident due to a cyber attack (step R60). A specific example of determining whether or not a security incident has occurred will be described later.

If the accident that occurred in step R60 is a security incident (Yes in step R60), the security incident occurrence data is output from the external output unit 120 to the plant monitoring device 310 and the display device 450 (step R71). The plant monitoring device 310 and the display device 450 that have received the security incident occurrence data display the security incident occurrence.

On the other hand, if the accident that occurred in step R60 is not a security incident (No in step R60), the external output unit 120 outputs data indicating that the accident that occurred is not a security incident to the plant monitoring device 310 and the display device 450. (Step R72). The plant monitoring device 310 and the display device 450 that have received the data of the accident occurrence that is not a security incident display the accident occurrence that is not a security incident.

After outputting the data in step R71 or R72, the incident determination unit 140 sends the security incident determination result and the risk values of the process value, security status, and physical status before and after the accident to the result database unit 160, and these data. Is saved (step R80).

Subsequently, the incident determination unit 140 sends the security incident determination result, the process value before and after the accident, the security status, and the risk value of the physical status to the accident information database unit 150, and stores the accident information. Accumulation processing is performed (step R90).
After that, the process returns to the data collection and storage process in step R10.

[Physical situation risk calculation process]
FIG. 6 shows an example in which the risk quantification unit 130 calculates the risk from the physical data showing the physical situation.
FIG. 6A shows an example of calculating the risk value according to the number of occupants in the central monitoring room 300 and the control equipment room 400 recognized by the entry / exit management system 520 and the attributes of the occupants.
As a risk value according to the attributes of the occupants, the registrant who has been registered in advance to enter the central monitoring room 300 and the control equipment room 400 has a risk value of "2" per person. In addition, the risk value per person is set to "5" for non-registered persons who have not been registered in advance for entering the central monitoring room 300 and the control equipment room 400.

For example, when 7 registrants are present, the risk value is 2 × 7 and is set to “14”. In addition, when four non-registered persons are present in the room, the risk value is set to "20" with 4 x 5 persons. When registrants and non-registrants are mixed, the risk values obtained by each number are totaled.

FIG. 6B shows the number of people in the central monitoring room 300 and the control equipment room 400 recognized by the camera 510, and the number of people in the central monitoring room 300 and the control equipment room 400 recognized by the entry / exit management system 520. An example of calculating the risk value when there is a difference from the number of people in the above is shown.
In this case, when the difference in the number of people is 0, the risk value is "0", when the difference in the number of people is 1 to 3, the risk value is "5", and the difference in the number of people is 4 to 6 people. In the case of, the risk value is set to "10", and when the difference in the number of people is 7 or more, the risk value is set to "20".

FIG. 6C shows an example of calculating the risk value according to the behavior of the occupant recognized by the camera 510.
In this case, when the occupant is operating the plant monitoring device 310, the risk value per person is set to "5". Further, when a resident is working in the vicinity of the plant monitoring device 310, the risk value per person is set to "1". Further, when the occupant is working at a place other than the plant monitoring device 310, the risk value per person is set to "0".

FIG. 6D shows an example of calculating a risk value according to other actions.
For example, when a person recognized by the entrance / exit management system 520 or the camera 510 is registered as a night worker and enters the room in the daytime, the risk value per person is set to "5". Similarly, when a person recognized by the entrance / exit management system 520 or the camera 510 is registered as a daytime worker and enters the room at night, the risk value per person is set to "5".
Further, when a non-registered person who is not registered as an operator (operator) operates the plant monitoring device 310, the risk value per person is set to "10".

The risk quantification unit 130 calculates the risk values of the situations shown in FIGS. 6 (a) to 6 (d), respectively, and obtains the total risk value. The total risk value is sent to the incident determination unit 140.
In addition, the risk quantification unit 130 also calculates the risk value for the process value and the security status according to each status. For example, when the deviation from the standard value is large as the process value, the risk value is increased. Further, as a security status, the status of the control system network 500 is monitored, and when a situation with a large network load occurs, the risk value is increased. Judging the risk based on the deviation of the process value and the network load is an example, and for the process value and the security status, an appropriate risk value is set by various conventionally known judgment processes.

[Example of discrimination in the incident discrimination unit]
FIG. 7 is an example of a determination table in which the incident determination unit 140 determines whether or not the accident that has occurred is a security incident.
The incident determination unit 140 matches the three risk values of the process value, the security status, and the physical status obtained from the risk quantification unit 130 with the risk values of past accidents stored in the accident information database unit 150. Or determine if there is something similar. Then, the incident determination unit 140 determines the possibility of a security accident due to a cyber attack based on the combination of whether or not the three risk values match the risk values at the time of the past accident. In the example of the discrimination table shown in FIG. 7, as the discrimination processing of the possibility of the security accident, discrimination is performed in five stages of no possibility, low possibility, medium possibility, high possibility, and maximum possibility.

“X” in the discrimination table of FIG. 7 indicates a case where the risk value obtained from the risk quantification unit 130 and the risk value in a past accident do not match, and “○” is obtained from the risk quantification unit 130. It shows the case where the risk value given and the risk value in the past accident match. The agreement here includes not only the case where the risk values are completely matched, but also the case where the risk values are almost matched.

Hereinafter, an example of discrimination in each state shown in FIG. 7 will be described.
State 1 of the discrimination table of FIG. 7 indicates a case where the risk value of the deviation of the process value does not match (x), the risk value of the security situation does not match (x), and the risk value of the physical situation does not match (x). In the case of this state 1, the incident determination unit 140 determines that there is no possibility of a security accident due to a cyber attack.

The state 2 of the discrimination table of FIG. 7 indicates when the risk values of the deviations of the process values match (◯), the risk values of the security status do not match (x), and the risk values of the physical status do not match (x). In this state 2, the incident determination unit 140 determines that the possibility of a security accident due to a cyber attack is low.

The state 3 of the discrimination table in FIG. 7 indicates when the risk values of the deviation of the process values do not match (x), the risk values of the security status match (◯), and the risk values of the physical status do not match (x). In the case of this state 3, the incident determination unit 140 determines that the possibility of a security accident due to a cyber attack is medium. In this state 3, there is a possibility that the security status is erroneously detected, so the possibility is set to medium.

The state 4 of the discrimination table of FIG. 7 indicates when the risk values of the deviation of the process values do not match (x), the risk values of the security status do not match (x), and the risk values of the physical status match (◯). In the case of this state 4, the incident determination unit 140 determines that the possibility of a security accident due to a cyber attack is low.

The state 5 of the discrimination table in FIG. 7 indicates when the risk values of the deviations of the process values match (◯), the risk values of the security status match (◯), and the risk values of the physical status do not match (×). In the case of this state 5, the incident determination unit 140 determines that there is a high possibility of a security accident due to a cyber attack.

The state 6 of the discrimination table in FIG. 7 indicates when the risk values of the deviations of the process values match (◯), the risk values of the security status do not match (x), and the risk values of the physical status match (◯). In the case of this state 6, the incident determination unit 140 determines that there is a high possibility of a security accident due to a cyber attack.

The state 7 of the discrimination table in FIG. 7 indicates when the risk values of the deviations of the process values do not match (x), the risk values of the security status match (◯), and the risk values of the physical status match (◯). In the case of this state 6, the incident determination unit 140 determines that there is a high possibility of a security accident due to a cyber attack.

The state 8 of the discrimination table of FIG. 7 indicates when the risk values of the deviations of the process values match (◯), the risk values of the security status match (◯), and the risk values of the physical status match (◯). In the case of this state 6, the incident determination unit 140 determines that the possibility of a security accident due to a cyber attack is maximum.

The result of the possibility of the security accident determined by the incident determination unit 140 in this way is displayed on the plant monitoring device 310 and the display device 450. When sending the result of the possibility of this security accident to the plant monitoring device 310 and the display device 450, data such as the deviation of the process value used for the determination, the security status, and the physical status are also sent to the plant monitoring device 310 and the display device 450. It is displayed on the display device 450. Further, when the incident determination unit 140 can determine the cause of the incident, the cause of the incident is also sent to the plant monitoring device 310 and the display device 450 for display.

[Example of display screen]
FIG. 8 shows an example of the display screen 450a of the display device 450. The display screen 450a shows an example when an abnormality occurs.
In the result display field 451 of the display screen 450a, the date and time when the abnormality occurred, the name and IP address of the device in which the abnormality occurred, the network where the abnormality was detected, the level of the abnormality, and the cause of the abnormality are displayed.
In the place of the abnormality level of the result display column 451, any one of the five stages (no possibility, low possibility, medium possibility, high possibility, maximum possibility) determined by the discrimination table of FIG. 7 is displayed. Will be done.

In the deviation display column 452 of the related process value when an abnormality occurs on the display screen 450a, the deviation of the process value related to the occurrence of the abnormality is displayed in the section before and after the occurrence of the abnormality. Further, in the deviation display column 452 of the related process value, the cause of the abnormality (infected with malware) is displayed in characters at the place where the abnormality has occurred. The cause of the abnormality can be estimated by the incident determination unit 140 from the causes of past accidents stored in the accident information database unit 150.

Changes in the target security status when an abnormality occurs on the display screen 450a In the display column 453, changes in the target security status (network flow rate, etc.) are displayed in sections before and after the occurrence of the abnormality.
Details of the physical status at the time of the occurrence of the abnormality are displayed in the display column 454 of the physical status at the time of the occurrence of the abnormality on the display screen 450a.
For example, in the physical status display field 454, the number of people recognized by the camera, the number of people recognized by the entrance / exit management system, the number of people involved in the room (number of registrants), and the number of guests in the room (number of non-registered people). ) Is displayed. Further, in the physical status display column 454, the total value of the physical status risks obtained based on the number of these people and the like is displayed. As explained in FIG. 6, when determining the risk of the physical situation, not only the number of each person but also the risk value depending on the behavior and time zone of the occupants is determined and added. ..

Further, on the display screen 450a shown in FIG. 8, an example of displaying the occurrence of an abnormality is used. However, for example, when it is determined that there is no possibility of a security accident, only characters such as "no possibility of security accident" are displayed. It may be displayed with, and some or all of the other display may be omitted.

Further, the display screen 450a showing the occurrence of an abnormality may display trend graphs of operation signals and measurement signals and information of various databases so that the operator can grasp the state of the plant 200 and the plant control device 420. Further, the information displayed by the plant monitoring device 310 is displayed in accordance with the alarm display function and the device status display function of the plant monitoring device 310.

As explained above, according to the security monitoring system of this example, the possibility of a security accident due to a cyber attack can be appropriately determined by calculating the risk value based not only on the process value and security status but also on the physical status. Will be.
For example, in the case of the power plant shown in FIG. 2, even if the value of the operation signal transmitted to the power plant is within the normal operating range, there is a possibility of a cyber attack in which the value of the operation signal changes suddenly. When an abnormality is detected, it becomes possible to know the possibility that the abnormality is due to a cyber attack.
Therefore, the operator who has confirmed the possibility of a cyber attack can quickly deal with the abnormal condition and can perform appropriate operations to avoid the turbine failure.

In addition, the security monitoring system of this example has risk values for fluctuations in process values, security status, and physical status as information on past incidents accumulated by the accident information database unit 150. It is possible to make a simple and accurate judgment about an incident by calculation using a risk value. Further, since the accident information database unit 150 also has data on the causes of past accidents, it is possible to identify the cause and notify the operator and the like of the cause.

Furthermore, when obtaining risk figures for each of the process value, security status, and physical status, it is possible to obtain more accurate risk values not only at the time of the incident but also from the period before and after the incident. You will be able to obtain it.

[Modification example]
The present invention is not limited to the above-described embodiment, and includes various modifications. For example, in the above-described embodiment, the example is applied to the control system of the power plant, but the security monitoring system of the present invention can be applied to various control systems other than the power plant.

Further, the risk value setting process shown in FIG. 6 and the number of steps for determining the possibility of a cyber attack shown in FIG. 7 are suitable examples, respectively, and other processes may be performed. good. For example, in the example of FIG. 6, when setting the risk value, the occupants are divided into two groups, registrants and non-registrants, but the registrants are divided into a plurality of groups based on the conditions such as years of experience. , Different risk values may be set for each group.

Further, in the above-described embodiment, as the physical situation, the number of people and actions detected from the image taken by the camera, which is a security device, and the number of registrants and non-registered persons detected by the entry / exit management system are used. .. On the other hand, the physical condition may be detected only from either the physical condition detected from the image taken by the camera or the physical condition detected by the entry / exit management system.

Alternatively, the physical status may be detected from a device other than the camera or the entry / exit management system. For example, the operation status of the input device 460 such as the keyboard and mouse installed in the control equipment room 400 shown in FIG. 1 is detected, and the risk value of the physical status is calculated from the magnitude of the operation amount of operating the keyboard and mouse. You may.

In addition, the above-described embodiment examples have been described in detail in order to explain the present invention in an easy-to-understand manner, and are not necessarily limited to those having all the described configurations.
Further, in the above-described embodiment, the apparatus or system configuration may be changed, and some processing procedures may be omitted or replaced without changing the gist of the present invention.
In addition, information such as a program that performs face recognition processing can be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or an optical disk.

Furthermore, in the block diagrams such as FIGS. 1 and 3, only the control lines and information lines considered necessary for explanation are shown, and the product does not necessarily show all the control lines and information lines. do not have. In practice, it can be considered that almost all configurations are interconnected. Further, in the flowchart shown in FIG. 5, a plurality of processes may be executed at the same time or the processing order may be changed as long as the processing results are not affected.

11 ... Central processing unit (CPU), 12 ... ROM, 13 ... RAM, 14 ... Non-volatile storage, 15 ... Input device, 16 ... Display device, 100 ... Security monitoring system, 110 ... External input unit, 120 ... External output unit , 130 ... Risk quantification department, 140 ... Incident determination unit, 150 ... Accident information database department, 160 ... Result database department, 170 ... Aggregate information database department, 200 ... Plant, 210 ... On-site plant control device, 220 ... Plant main engine, 300 ... Central monitoring room, 310 ... Plant monitoring device, 400 ... Control equipment room, 410 ... Control server, 420 ... Plant control device, 430 ... Security equipment, 440 ... Physical server, 450 ... Display device, 460 ... Input device, 510 ... camera, 520 ... entry / exit management system

Claims (9)

An input unit that collects process value data obtained by the control system and also collects physical data indicating the physical status of the control system.
A risk quantification unit that quantifies the risk based on the process value data collected by the input unit and quantifies the risk based on the physical data.
Accident information database department that accumulates information about past incidents,
An incident determination unit that determines whether or not the cause of an incident is due to a cyber attack by comparing the value of the risk obtained by the risk quantification unit with the information accumulated in the accident information database unit. Security monitoring system with. The information about the past incidents accumulated in the accident information database section includes the fluctuation of the process value before and after the occurrence of the past incidents that occurred in the control system, the security status, and the risk numerical value for each of the physical status. , The security monitoring system according to claim 1, which has information on the causes of past incidents. The security monitoring system according to claim 1, further comprising a result database unit in which the results determined by the incident determination unit are accumulated. The security monitoring system according to claim 3, wherein the result database unit sends the incident cause determined by the incident determination unit and the risk numerical value before and after the occurrence of the incident to the accident information database unit. The security monitoring system according to claim 1, wherein the risk quantification unit quantifies the risk based on the process value data from the fluctuation of the process value before and after the occurrence of the incident. The security monitoring system according to claim 1, wherein the risk quantification unit quantifies the risk based on the physical data from the information detected by the security device before and after the occurrence of the incident. The risk quantification unit quantifies the risk of the physical situation based on the camera image of the area managed by the control system before and after the occurrence of the incident or the entry / exit management information of the area managed by the control system. Item 6. The security monitoring system according to item 6. The security monitoring system according to any one of claims 1 to 7, further comprising a display unit that displays the determination result of the incident determination unit. An input process that collects process value data obtained by the control system and also collects physical data indicating the physical status of the control system.
A risk quantification process that quantifies the risk based on the process value data collected by the input process and quantifies the risk based on the physical data.
Accident information storage processing that accumulates information about past incidents,
An incident determination process for determining whether or not the cause of an incident is due to a cyber attack by comparing the value of the risk obtained by the risk quantification process with the information accumulated by the accident information accumulation process. Security monitoring methods including.

Images