面向TSN工控系统安全策略生成与优化的数字孪生框架

doi:10.16182/j.issn1004731x.joss.23-1589

摘要/Abstract

摘要：

TSN工控系统多业务流融合的特点使得建立精确的数学模型非常困难。为保证安全策略与系统实时运行的协调，提出一种服务于安全策略生成与优化的“物理层-数据层-孪生层-服务层”四层双闭环数字孪生框架。通过服务层的初步安全策略生成与孪生层的部署验证间迭代优化构成的内闭环，实现最优安全策略生成；通过物理层与孪生体间构成的外闭环，实现安全策略动态调整。将工业领域控制器和电机间的确定性通信过程作为实验对象，验证了框架的有效性。

关键词: 数字孪生框架, TSN工控系统, 安全策略决策, 自适应优化, 建模与仿真

Abstract:

The characteristic of multi-service flow integration in TSN industrial control systems makes it very difficult to establish an accurate mathematical model. In order to ensure the coordination between the security policy and the real-time operation of the system, a four-layer double-closed-loop digital twin framework of "physical layer-data layer-twin layer-service layer" serving the generation and optimization of security policies is proposed. The optimal security policy generation is achieved through the internal closed loop composed of iterative optimization between the initial security policy generation at the service layer and the deployment verification at the twin layer. The deterministic communication process between the controller and the motor in the industrial field is taken as the experimental object to verify the effectiveness of the framework.

Key words: digital twin framework, TSN industrial control system, security policy decision-making, adaptive optimization, modeling and simulation

中图分类号:

TP391.9

张会迈,胡晓娅,周纯杰 . 面向TSN工控系统安全策略生成与优化的数字孪生框架[J]. 系统仿真学报, 2025, 37(4): 861-874.

Zhang Huimai,Hu Xiaoya,Zhou Chunjie . Digital Twin Framework for the Generation and Optimization of Security Policies for TSN Industrial Control Systems[J]. Journal of System Simulation, 2025, 37(4): 861-874.

图/表 19

图1

图2

图3

图4

图5

图6

表1

贝叶斯博弈模型参数

参数	表达式
博弈参与者	$P = {P A, P D}$ ，其中， $P A$ 是攻击者， $P D$ 是防御者
状态节点	$S = {s 1, s 2, ⋯, s n}$
防御者类型	$T D = {T D, 1, T D, 2}$ (根据时间敏感度分类)
攻击者类型	$T A = {T A, 1, T A, 2}$ (网络破坏和数据破坏)
防御者视角预测	$P A : P (T A \| T D)$
攻击者策略	$G A = {G A, 1, G A, 2, ⋯, G A, L}$
防御者策略	$G D = {G D, 1, G D, 2, ⋯, G D, M}$
攻击者收益	$U A = U A (T D, T A, G D, G A)$
防御者收益	$U D = U D (T D, T A, G D, G A)$

表1

图7

图8

表2

图9

图10

表3

表4

图11

图12

图13

图14

图15

参考文献 19

1	Petnga L, Austin M. An Ontological Framework for Knowledge Modeling and Decision Support in Cyber-physical Systems[J]. Advanced Engineering Informatics, 2016, 30(1): 77-94.
2	Hao Jianye, Kang E, Sun Jun, et al. An Adaptive Markov Strategy for Defending Smart Grid False Data Injection from Malicious Attackers[J]. IEEE Transactions on Smart Grid, 2018, 9(4): 2398-2408.
3	Huang Kaixing, Zhou Chunjie, Qin Yuanqing, et al. A Game-theoretic Approach to Cross-layer Security Decision-making in Industrial Cyber-physical Systems[J]. IEEE Transactions on Industrial Electronics, 2020, 67(3): 2371-2379.
4	李洋, 刘天莺, 朱建明, 等. 基于Q学习与贝叶斯博弈的物联网安全[J]. 计算机工程与设计, 2022, 43(4): 901-906.
	Li Yang, Liu Tianying, Zhu Jianming, et al. Security of Internet of Things Based on Q-learning and Bayesian Game[J]. Computer Engineering and Design, 2022, 43(4): 901-906.
5	Hu Bowen, Zhou Chunjie, Tian Yuchu, et al. Decentralized Consensus Decision-making for Cybersecurity Protection in Multimicrogrid Systems[J]. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2021, 51(4): 2187-2198.
6	朱美潘, 杨健晖, 李欣格, 等. 云环境下工业信息物理系统现场层安全策略决策方法[J]. 控制与决策, 2024, 39(1): 281-290.
	Zhu Meipan, Yang Jianhui, Li Xinge, et al. A Security Decision-making Approach for Field Layer of Cloud-integrated Industrial Cyber-physical Systems[J]. Control and Decision, 2024, 39(1): 281-290.
7	Grieves M, Vickers J. Digital Twin: Mitigating Unpredictable, Undesirable Emergent Behavior in Complex Systems[M]//Franz-Josef Kahlen, Flumerfelt S, Anabela Alves. Transdisciplinary Perspectives on Complex Systems: New Findings and Approaches. Cham: Springer International Publishing, 2017: 85-113.
8	陶飞, 刘蔚然, 张萌, 等. 数字孪生五维模型及十大领域应用[J]. 计算机集成制造系统, 2019, 25(1): 1-18.
	Tao Fei, Liu Weiran, Zhang Meng, et al. Five-dimension Digital Twin Model and Its Ten Applications[J]. Computer Integrated Manufacturing Systems, 2019, 25(1): 1-18.
9	孙滔, 周铖, 段晓东, 等. 数字孪生网络(DTN): 概念、架构及关键技术[J]. 自动化学报, 2021, 47(3): 569-582.
	Sun Tao, Zhou Cheng, Duan Xiaodong, et al. Digital Twin Network (DTN): Concepts, Architecture, and Key Technologies[J]. Acta Automatica Sinica, 2021, 47(3): 569-582.
10	张仁斌, 赵季翔, 杨戬, 等. 基于容器的轻量级工业控制系统网络安全测试床研究[J]. 计算机应用研究, 2021, 38(2): 506-509.
	Zhang Renbin, Zhao Jixiang, Yang Jian, et al. Research on Lightweight ICS Cyber Security Testbed Based on Container[J]. Application Research of Computers, 2021, 38(2): 506-509.
11	Pfister P, Wymore M L, Jacobson D, et al. Design and Implementation of a Cyber Physical Testbed for Security Training[C]///Proceedings of the 12th USENIX Conference on Cyber Security Experimentation and Test. USA: USENIX Association, 2019: 1.
12	孙健, 翟健宏. 工控网络仿真靶场虚拟化场景的构建[J]. 智能计算机与应用, 2021, 11(9): 191-195, 199.
	Sun Jian, Zhai Jianhong. A Virtual Scene Construction of Industrial Control Network Simulated Range[J]. Intelligent Computer and Applications, 2021, 11(9): 191-195, 199.
13	Ayyalusamy V, Sivaneasan B, Kandasamy N K, et al. Hybrid Digital Twin Architecture for Power System Cyber Security Analysis[C]//2022 IEEE PES Innovative Smart Grid Technologies - Asia (ISGT Asia). Piscataway: IEEE, 2022: 270-274.
14	Francia Guillermo, Hall Gregory. Digital Twins for Industrial Control Systems Security[C]//2021 International Conference on Computational Science and Computational Intelligence (CSCI). Piscataway: IEEE, 2021: 801-805.
15	Murillo Andrés F, Rueda Sandra. Access Control Policies for Network Function Virtualization Environments in Industrial Control Systems[C]//2020 4th Conference on Cloud and Internet of Things (CIoT). Piscataway: IEEE, 2020: 17-24.
16	徐博, 杜鑫, 周纯杰. 数字孪生视角下基于LSTM的工控系统异常检测方法[J]. 信息安全研究, 2022, 8(6): 578-585.
	Xu Bo, Du Xin, Zhou Chunjie. Anomaly Detection Method of Industrial Control System Based on LSTM from the Perspective of Digital Twins[J]. Journal of Information Security Research, 2022, 8(6): 578-585.
17	Falk Jonathan, Hellmanns David, Carabelli Ben, et al. NeSTiNg: Simulating IEEE Time-sensitive Networking (TSN) in OMNeT++[C]//2019 International Conference on Networked Systems (NetSys). Piscataway: IEEE, 2019: 1-8.
18	Hang Nianzhi, Ye Feng, Cheng Zheyuan, et al. Simulating and Evaluating Privacy Issues in Distributed Microgrids: A Cyber-physical Co-simulation Platform[C]//IECON 2021-47th Annual Conference of the IEEE Industrial Electronics Society. Piscataway: IEEE, 2021: 1-6.
19	Allaoua Ammar, Toufik Madani Layadi, Colak Ilhami, et al. Design and Simulation of Smart-grids Using OMNeT++/Matlab-simulink Co-simulator[C]//2021 10th International Conference on Renewable Energy Research and Application (ICRERA). Piscataway: IEEE, 2021: 141-145.

业务流	优先级	描述
网络控制流	P₇	CNC与交换机间网络探测、配置下发
等时流	P₆	控制器到电机之间传输的业务流
音视频流	P₄	摄像机产生的音视频传输给服务器和监控工作站
突发事件流	P₂	工程师站或操作员站下发的参数配置流或运行控制流
尽力而为流	P₀	数据服务器和传感器、控制器间的业务流

状态描述	攻击手段	描述	防御手段	描述
S₁系统正常运行	a₁	获取AH1用户权限	d₁	AH1设置登录验证
	a₂	获取AH2用户权限	d₂	AH2设置登录验证
	a₃	获取AH2管理权限
S₂获取AH1用户权限/S₃获取AH2用户权限	a₄	获取监控工作站权限	d₃	工程师站数字认证
	a₅	获取操作员站权限	d₄	操作员站数字认证
	a₆	获取工程师站权限	d₅	监控工作站数字认证
	a₇	获取CNC权限	d₆	CNC数据包过滤
			d₇	数据包过滤
			d₈	断开连接
S₄获取监控工作站权限	a₈	实施DDos攻击	d₉	视频监控服务器访问控制
S₄获取监控工作站权限	a₉	利用漏洞操作现场监控设备	d₁₀	重启设备
S₅获取CNC权限	a₁₀	篡改数据库数据	d₁₁	重启设备
S₅获取CNC权限	a₁₁	篡改下发配置信息	d₁₂	断开连接
S₆获取工程师站用户权限/S₇获取操作员站根权限	a₁₂	伪装主时钟	d₁₃	控制器与电机间数据加密RSA
	a₁₃	篡改控制器数据	d₁₄	控制器与电机间数据加密AES
	a₁₄	实施DDos攻击	d₁₅	工程师站与控制器间数据加密RSA
	a₁₅	篡改业务流优先级	d₁₆	工程师站与控制器间数据加密AES
	a₁₆	中间人攻击伪装控制器

[1]	谢旭, 邱晓刚, 包亦正, 许凯. 动态数据驱动仿真综述[J]. 系统仿真学报, 2024, 36(8): 1832-1842.
[2]	任乾坤, 熊鑫立, 刘京菊, 姚倩. 网络空间安全中的数字孪生技术研究[J]. 系统仿真学报, 2024, 36(8): 1944-1957.
[3]	马善智, 王宏亮, 何华, 伦伟成. 基于PERT和ABMS的装备体系保障效能评估方法研究[J]. 系统仿真学报, 2023, 35(9): 1837-1846.
[4]	刘名远, 谢家翔, 吴豪, 付建林, 丁国富. 基于有限状态机的车间逻辑建模与仿真研究[J]. 系统仿真学报, 2023, 35(4): 853-861.
[5]	李柳臻, 金超, 林廷宇, 朱耀琴. 基于EFSM的智能车间制造系统生产物流建模与仿真[J]. 系统仿真学报, 2023, 35(12): 2655-2668.
[6]	王灿, 纪浩然, 郭齐胜, 董志明, 谭亚新, 穆歌. 基于DoDAF的陆上智能突击系统作战概念系统开发[J]. 系统仿真学报, 2023, 35(11): 2397-2409.
[7]	李锋, 魏莹. 社会学习和参照点效应对企业产品决策的影响[J]. 系统仿真学报, 2022, 34(2): 234-246.
[8]	樊长佳, 杜炎秋, 梁笛, 胡凯, 黄葭燕. COVID-19期间上海市应急医疗资源配置建模与仿真[J]. 系统仿真学报, 2022, 34(1): 93-103.
[9]	司光亚, 王艳正. 新一代大型计算机兵棋系统面临的挑战与思考[J]. 系统仿真学报, 2021, 33(9): 2010-2016.
[10]	李文翔, 李晔, 董洁霜, 李一鸣. 引入碳交易机制的新能源汽车发展路径研究[J]. 系统仿真学报, 2021, 33(6): 1451-1465.
[11]	王凌, 吴楚格, 范文慧. 边缘计算资源分配与任务调度优化综述[J]. 系统仿真学报, 2021, 33(3): 509-520.
[12]	李锋, 魏莹. 复杂网络对羊群效应现象影响的仿真研究[J]. 系统仿真学报, 2021, 33(3): 539-553.
[13]	张琪, 曾俊杰, 许凯, 秦龙, 尹全军. 基于机器学习的计算机生成兵力行为建模研究综述[J]. 系统仿真学报, 2021, 33(2): 280-287.
[14]	周玉臣, 林圣琳, 马萍, 李伟, 杨明. 武器装备效能评估研究进展[J]. 系统仿真学报, 2020, 32(8): 1413-1424.
[15]	熊勇, 梁萱卓, 张加. 实现船舶稳性的多油舱自适应调度算法及仿真[J]. 系统仿真学报, 2020, 32(6): 1060-1070.