WO2025205125A1 - Concealment method, industrial equipment system, and computer program - Google Patents

Abstract

This concealment method for an industrial equipment system including a plurality of signal processing units and a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output by the plurality of signal processing units includes a change step for changing the connection relationship of the plurality of signal paths to the plurality of signal processing units within the extent that the operation of the industrial equipment system does not change.

Description

Concealment method, industrial equipment system, and computer program

This disclosure relates to a concealment method, an industrial equipment system, and a computer program.

There is semiconductor manufacturing equipment that facilitates process management through virtual experiments based on simulation models using digital twin technology (for example, Patent Document 1).

Japanese Patent Application Laid-Open No. 2022-185394

Methods for improving process efficiency through the integration of hardware and software in semiconductor manufacturing systems are a body of know-how, but there is a risk that the mechanisms by which the hardware and software interact could be revealed by analyzing the signals that flow through those signal paths. This problem of reverse engineering is not limited to semiconductor manufacturing systems, but is a problem that exists in other industrial equipment systems as well.

This disclosure provides a concealment method, industrial equipment system, and computer program that can conceal the interconnection mechanism between hardware and software in an industrial machinery system.

A concealment method according to one aspect of the present disclosure is a concealment method for an industrial equipment system including a plurality of signal processing units and a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output by the plurality of signal processing units, and includes a modification step for modifying the connection relationships of the plurality of signal paths to the plurality of signal processing units within a range that does not change the operation of the industrial equipment system.

This disclosure makes it possible to keep confidential the mechanisms by which hardware and software in industrial machinery systems work together.

1 is a block diagram illustrating an example of the configuration of a concealment system according to an embodiment of the present invention. FIG. 2 is a schematic diagram illustrating an example of a path change circuit. 1 is a block diagram illustrating an example of the configuration of an information processing device according to an embodiment of the present invention. FIG. 2 is a schematic diagram showing a signal transmission path before a path change; FIG. 10 is a schematic diagram showing a signal transmission path after a path change. FIG. 1 is a conceptual diagram showing objects and morphisms when a network of signal transmission paths is considered as a category in category theory. FIG. 10 is a conceptual diagram illustrating a method for verifying a functor that changes signal transmission paths. FIG. 10 is a schematic diagram illustrating an image of a concealment process. 10 is a flowchart showing a processing procedure for verifying and distributing change content information required for concealment; 10 is a flowchart showing a processing procedure relating to changing a signal transmission path and a software function.

The concealment method, industrial equipment system, and computer program according to embodiments of the present disclosure will be described below with reference to the drawings. Note that the present disclosure is not limited to these examples, but is defined by the claims, and is intended to include all modifications that are equivalent in meaning and scope to the claims. Furthermore, at least some of the embodiments described below may be combined in any desired manner.

<System Overview>
1 is a block diagram showing an example of the configuration of a concealment system according to this embodiment. The concealment system includes an information processing device 1 and an industrial equipment system 2 connected via a communication network N.

Industrial equipment system 2 is a system in which multiple pieces of hardware and software operate in functionally linked fashion. Each piece of functionally linked hardware inputs and outputs signals, but the signals input and output from the hardware can be intercepted from the outside and may be subject to reverse engineering. Industrial equipment system 2 has the ability to dynamically change signal transmission paths in order to conceal the mechanism by which the hardware and software work together.

The information processing device 1 is a device that creates and verifies change information that indicates how to change the signal transmission paths and software functions in the industrial equipment system 2, and distributes the verified change information to the industrial equipment system 2. Since distributing inappropriate change information could cause abnormalities in the operation of the industrial equipment system 2, the change information is verified before distribution. The industrial equipment system 2 receives the change information distributed from the information processing device 1 and changes the signal transmission paths and software functions based on the received change information. By changing the signal transmission paths and software functions of the industrial equipment system 2 periodically or when a specific event occurs, the mechanism for functional collaboration can be kept confidential.

<Industrial Equipment System 2>
The industrial equipment system 2 includes, for example, a substrate processing apparatus, a cleaning apparatus, an inspection apparatus, a conveying apparatus, etc., which perform processes such as film formation, lithography, and etching on substrates such as semiconductor wafers, glass substrates, or flat panel substrates. The industrial equipment system 2 includes, as multiple pieces of hardware, a control unit 20, a memory unit 21, an operation panel 22, a communication unit 23, path change circuits 24 and 25, multiple signal processing circuits 26, multiple sensors 27, and multiple controllers 28.

The control unit 20 is a processor equipped with one or more central processing units (CPUs), arithmetic circuits such as graphics processing units (GPUs), internal storage devices such as read-only memory (ROM) and random access memory (RAM), input/output terminals, timers, etc. The control unit 20 controls the operation of each part of the industrial equipment system 2. The functions of the control unit 20 may be realized by software, or some or all of them may be realized by hardware using a field-programmable gate array (FPGA) or an ASIC, etc.

The control unit 20 displays the names of the setting values of the industrial equipment system 2 on the display panel 22a of the operation panel 22 and accepts the setting values at the operation panel 22. The control unit 20 controls the settings and operation of the industrial equipment system 2 by outputting the accepted setting value signal (hereinafter referred to as the setting value signal) to the signal processing circuit 26 via the path change circuit 24. The control unit 20 can also display the contents of the control signal and detection value signal output from the signal processing circuit 26 and sensor 27 during equipment operation on the display panel 22a of the operation panel 22.

Meanwhile, the control unit 20 executes the computer program P2 stored in the memory unit 21 to perform processing related to the concealment of the industrial equipment system 2. Specifically, the control unit 20 can change the name of the set value in accordance with the change content information. For example, the control unit 20 can change the name of the set voltage displayed when accepting a set voltage value from "α" to "η." The names "α" and "η" are names unrelated to the content of the set value, and by periodically changing the name of the set value, the input path of the set value signal can be concealed. Similarly, the control unit 20 can change the names of the control signal and detection value signal displayed on the display panel 22a based on the change content information. By periodically changing these names, the control unit 20 can conceal the output path of the control signal and sensor signal.

In addition, the control unit 20 can change the connection relationship of the signal path 2a connecting the control unit 20, signal processing circuit 26, sensor 27, and controller 28 using the path change circuits 24 and 25. The control unit 20 changes the connection relationship in accordance with the change content information.

The storage unit 21 includes a non-volatile memory such as a hard disk or flash memory. The storage unit 21 stores the computer program P2 executed by the control unit 20, change information distributed from the information processing device 1, and other data necessary for the concealment processing of the industrial equipment system 2.

The computer program P2 may be provided by a non-transitory recording medium M2 on which the computer program is readably recorded. The storage unit 21 stores the computer program P2 read from the recording medium M2 by a reading device (not shown). The recording medium M2 may be, for example, a magnetic disk, optical disk, or semiconductor memory. The industrial equipment system 2 may also download the computer program P2 from an external server connected to the communications network N and store it in the storage unit 21. The computer program P2 may be a single computer program or may be composed of multiple computer programs, and may be executed on a single computer or on multiple computers interconnected by the communications network N.

The operation panel 22 is an interface that accepts user operations. The operation panel 22 is, for example, a touch panel device with a built-in display panel 22a. The operation panel 22 outputs a control signal to the control unit 20 according to the operation content. The display panel 22a displays images necessary for operating the industrial equipment system 2 and for concealment processing operations based on drawing data provided by the control unit 20. The operation panel 22 may also be configured with a separate input device and display device. The input device is, for example, a keyboard and a mouse. The display device is, for example, a liquid crystal display, an organic EL (Electro Luminescence) display, or a CRT display.

The communication unit 23 includes a communication circuit connected to the information processing device 1 via the communication network N. The communication unit 23 sends and receives various information in accordance with instructions from the control unit 20. For example, the control unit 20 receives change content information indicating the signal transmission path and the method for changing the calculation processing content in the signal processing circuit 26 via the communication unit 23.

The signal processing circuit 26 is connected to the control unit 20, sensor 27, and controller 28 via the path change unit and signal path 2a. The signal processing circuit 26 can also be connected to other signal processing circuits 26 via path change circuits 24 and 25. The signal processing circuit 26 receives, via path change circuits 24 and 25 and signal path 2a, the set value signal output from the control unit 20, the detected value signal output from the sensor 27, and signals output from other signal processing circuits 26. The signal processing circuit 26 also performs required arithmetic processing based on the input set value signal, detected value signal, etc., and outputs a control signal obtained by the arithmetic processing to the controller 28. The signal processing circuit 26 can also be configured to output the control signal to the control unit 20. The control unit 20 displays the content of the control signal output from the signal processing circuit 26 on the display panel 22a. The signal processing circuit 26 can also output the signal obtained by the arithmetic processing to other signal processing circuits 26 via path change circuits 24 and 25.

The content of the arithmetic processing executed by the signal processing circuit 26 can be changed by instructions from the control unit 20 based on the change content information. For example, a state in which a first arithmetic processing is executed by the first signal processing circuit 26 and a second arithmetic processing is executed by the second signal processing circuit 26 can be changed to a state in which a second arithmetic processing is executed by the first signal processing circuit 26 and a first arithmetic processing is executed by the second signal processing circuit 26. The signal processing circuit 26 can also execute dummy signal processing, which executes meaningless calculations and outputs dummy signals. A dummy signal is a signal with a meaningless value. A dummy signal may be a signal obtained by applying a predetermined function to a set value signal, a control signal, or a signal output from another signal processing circuit 26. The data of each signal may also be encrypted and output as a dummy signal. By having the signal processing circuit 26 execute dummy signal processing and output a dummy signal, the arithmetic processing operation and output of the signal processing circuit 26 can be kept confidential.

Furthermore, the terminals or communication protocols to which signals necessary for the signal processing circuit 26 to perform specific arithmetic processing should be input can also be changed by instructions from the control unit 20. For example, the signal processing circuit 26 can be changed from performing specific arithmetic processing using signals input to the first and second terminals to performing the specific processing using signals input to the second and third terminals. For example, if signals that were input to the first and second terminals are now input to the second and third terminals by the path change circuits 24, 25, the signal processing circuit 26 can change the signals to be used for the specific arithmetic processing from the signals input to the first and second terminals to the signals input to the second and third terminals.

Sensor 27 detects physical quantities necessary for controlling industrial equipment system 2, such as physical quantities indicating the state of industrial equipment system 2, and outputs a detection value signal. The detection value signal output from sensor 27 is output to signal processing circuit 26 and control unit 20 via signal path 2a and path change circuits 24 and 25. When industrial equipment system 2 is a substrate processing apparatus that performs substrate processing using plasma, sensor 27 may include, for example, a pressure sensor that detects the pressure within the chamber, a temperature sensor that detects the temperature within the chamber, and a voltage sensor and current sensor that detect the voltage and current of the RF power supply. Note that physical quantities that are commonly detected by industrial equipment system 2 include temperature, position, speed, acceleration, current, voltage, pressure, time, image data, torque, force, strain, power consumption, weight, etc. These physical quantities can be measured using a thermometer, position sensor, speed sensor, acceleration sensor, ammeter, voltmeter, pressure gauge, timer, camera, torque sensor, wattmeter, weight scale, etc.

The controller 28 is a controlled device that operates in accordance with the signal output from the signal processing circuit 26 via the path change circuit 25. If the industrial equipment system 2 is a substrate processing apparatus that performs substrate processing using plasma, the controller 28 may include, for example, an RF power supply, a flow control valve that controls the flow rate of the raw material gas, an electrostatic chuck, a heater provided on the electrostatic chuck, and an impedance matcher that matches the impedance of the RF power supply and plasma. Note that examples of controllers 28 in a general industrial equipment system 2 include power supplies, actuators, heaters, pumps, valves, light sources, heat sources, display devices, buzzers, microphones, signal transmitters, etc.

FIG. 2 is a schematic diagram showing an example of a path change circuit 24. The path change circuit 24 has multiple terminals 24a to which set value signals are input, and multiple terminals 24b connected to multiple signal processing circuits 26 and multiple sensors 27 via signal path 2a. The signal processing circuit 26 is a circuit that can arbitrarily change the connection relationship between terminals 24a and 24b.

As shown in Figure 2, the path change circuit 24 can be configured, for example, by an FPGA (Field-Programmable Gate Array). It includes multiple logic blocks LB arranged in a grid, wiring W arranged vertically and horizontally surrounding each logic block LB, switch blocks SB, connection blocks CB, and input/output blocks IOB for inputting and outputting data. The logic blocks LB are circuits that include, for example, a lookup table (LUT) and perform logical operations. The switch blocks SB are located at the intersections of the wiring W and include transistors that switch the connection paths of the wiring W on and off. The connection blocks CB are located between the logic blocks LB and the wiring W and include transistors that switch the connection between the logic blocks LB and the wiring W on and off. The connection blocks CB are also located between the input/output blocks IOB and the wiring W and include transistors that switch the connection between the input/output blocks IOB and the wiring W on and off. The input/output blocks IOB are connected to terminals 24a, 24a..., 24b, 24b...

The FPGA can rewrite the circuit configuration by turning on and off the transistors that make up the LUT, switch block SB, and connection block CB of the logic block LB. The FPGA has a non-volatile circuit data memory that stores circuit data that defines the circuit configuration. The FPGA can configure a specific circuit by reading the circuit data stored in the circuit data memory and controlling the transistors that make up the LUT, switch block SB, and connection block CB of the logic block LB. The FPGA of this embodiment can change the connection paths between terminals 24a, 24a... and terminals 24b, 24b... by rewriting the circuit data. More specifically, the control unit 20 changes the signal transmission path by writing circuit data that defines the connection relationships between each terminal 24a, 24a..., 24b, 24b... to the circuit data memory based on the change content information. The control unit 20 can also write circuit data that defines the operation of the logic block LB to the circuit data memory so that the logic block LB performs signal processing to encrypt or decrypt signals. Although an FPGA has been given as an example of the path change circuit 24, the path change circuit 24 may also be configured using multiple communication paths and relays or switches that switch between the communication paths.

Note that the multiple signal paths 2a shown in FIG. 1 may be configured from multiple physical signal paths 2a, or multiple logical signal paths 2a. Multiple physical signal paths 2a are configured from the same multiple communication lines. Multiple logical signal paths 2a are logically multiplexed transmission paths of a single communication line. There are no particular limitations on the method for logically multiplexing transmission paths, but logical multiplexing can be achieved using techniques such as time multiplexing, frequency multiplexing, and code multiplexing.

Furthermore, the multiple signal processing circuits 26 shown in FIG. 1 may be an arithmetic processing unit that performs a single arithmetic processing operation, or may be configured as multiple signal processing units that perform multiple arithmetic processing operations.

The path change circuit 25 has multiple terminals connected to multiple signal processing circuits 26 and multiple sensors 27 via signal path 2a, and multiple terminals connected to multiple controllers 28 and control unit 20. The signal processing circuit 26 is a circuit that can arbitrarily change the connection relationship between each terminal. The configuration of the path change circuit 25 is similar to that of the path change circuit 24, so a detailed description will be omitted.

The path change circuits 24 and 25 enable dynamic changes to the connection relationships between the control unit 20, signal processing circuit 26, sensor 27, and controller 28, thereby making it possible to conceal the signal transmission path.

<Information processing device 1>
3 is a block diagram showing an example of the configuration of an information processing device 1 according to this embodiment. The information processing device 1 includes a processing unit 10, a storage unit 11, a display unit 12, an operation unit 13, and a communication unit 14. The information processing device 1 may be configured to perform distributed processing using multiple computers, may be realized by multiple virtual machines provided in a single server, or may be realized using a cloud server.

The processing unit 10 is a processor equipped with one or more CPUs, arithmetic circuits such as GPUs (Graphics Processing Units), GPGPUs (General-purpose computing on graphics processing units), and TPUs (Tensor Processing Units), internal storage devices such as ROMs (Read Only Memory) and RAMs (Random Access Memory), input/output terminals, timers, etc.

The storage unit 11 includes a non-volatile memory such as a hard disk or flash memory. The storage unit 11 stores the computer program P1 executed by the processing unit 10, the created change information, etc.

The computer program P1 may be provided by a non-transitory recording medium M1 on which the computer program is readably recorded. The storage unit 11 stores the computer program P1 read from the recording medium M1 by a reading device (not shown). The recording medium M1 may be, for example, a magnetic disk, optical disk, or semiconductor memory. The industrial equipment system 2 may also download the computer program P1 from an external server connected to the communications network N and store it in the storage unit 11. The computer program P1 may be a single computer program or may be composed of multiple computer programs, and may be executed on a single computer or on multiple computers interconnected by the communications network N.

The display unit 12 is a display device such as a liquid crystal display, an organic EL display, or a CRT display. Under the control of the processing unit 10, the display unit 12 displays a confidentiality dashboard screen (see Figure 8) for creating, verifying, and distributing changes to signal transmission paths and the like in order to conceal the industrial equipment system 2.

The operation unit 13 is an interface that accepts operations such as data input. The operation unit 13 includes, for example, a keyboard, mouse, and touch panel device. The operation unit 13 accepts operations related to creating, verifying, and distributing changes to signal transmission paths, etc., and sends control signals to the processing unit 10 according to the accepted operations.

The communication unit 14 has a communication circuit connected to the industrial equipment system 2 via the communication network N. The communication unit 14 sends and receives various information in accordance with instructions from the processing unit 10. For example, the control unit 20 sends change content information indicating how to change the signal transmission path, etc., to the industrial equipment system 2 via the communication unit 14.

<Method for changing signal transmission paths, etc.>
Fig. 4 is a schematic diagram showing the signal transmission path before the path is changed, and Fig. 5 is a schematic diagram showing the signal transmission path after the path is changed. Figs. 4 and 5 show an example in which the industrial equipment system 2 includes four signal processing circuits 26 and one sensor 27. Of the four signal processing circuits 26, the first signal processing circuit 26 is a circuit that performs signal processing related to control of the chamber surroundings and OES (Optical Emission Spectrometer) of the substrate processing apparatus. The second signal processing circuit 26 is a circuit that performs signal processing related to temperature control. The third and fourth signal processing circuits 26 are circuits that perform dummy processing. The sensor 27 is, for example, a temperature sensor.

In the figure, the vertically aligned squares on the right side indicate setpoint signals. Hatched squares indicate dummy setpoints. The Greek letters "α", "β", ... "λ" indicate the names given to the setpoint signals. In Figure 4, setpoint signals named "α", "γ", and "δ" are input to the signal processing circuit 26 (chamber/OES), and setpoint signals named "β", "η", and "λ" are input to the signal processing circuit 26 (temperature control). In addition, a dummy signal named "θ" is input to the signal processing circuit 26 (dummy B).

The control unit 20 can change the names of the set values and change the signal transmission path in accordance with the change content information as described above. In Figure 5, set value signals named "η", "α", and "δ" are input to the signal processing circuit 26 (chamber/OES), and set value signals named "γ", "β", and "θ" are input to the signal processing circuit 26 (temperature control). In addition, a dummy set value named "γ" is input to the signal processing circuit 26 (dummy B).

Note that signal processing circuit 26 (temperature control) outputs a signal to sensor 27 (temperature sensor) and signal processing circuit 26 (dummy B). Signal processing circuit 26 (dummy B) outputs a signal to signal processing circuit 26 (dummy A).

In the figure, the vertically aligned circles on the left side indicate the output paths of signals output from the signal processing circuit 26 and sensor 27. The hatched circles are dummy output paths, and the signals output to these output paths are not used to control the industrial equipment system 2. The signal processing circuit 26 (chamber/OES) shown in Figure 4 outputs signals to "i" and "iii". The sensor 27 (temperature sensor) outputs detection signals to "iv" and "v", which in turn output the detection signal to dummy output path "vii". The signal processing circuit 26 (dummy A) outputs a dummy signal to "vi".

The control unit 20 can change the signal transmission path based on the change content information as described above. In Figure 5, the signal processing circuit 26 (chamber/OES) outputs signals to "ii" and "vi". The sensor 27 (temperature sensor) outputs detection signals to "i" and "iv". The signal processing circuit 26 (dummy A) outputs dummy signals to "iii" and "vii".

In this way, the control unit 20 can change the names of the setting values based on the change content information. The control unit 20 can also change the signal transmission paths of various signals. By changing the names of the setting values and changing the signal transmission paths, the connection relationships of the signal paths 2a connecting the various pieces of hardware can be kept confidential. Although not shown in Figures 4 and 5, the content of the signal processing performed by each signal processing circuit 26 may be swapped, changed, or added.

<Operational Guarantee Based on Category Theory>
Although confidentiality can be achieved by changing the signal transmission path, it is necessary to strictly guarantee that the functionality of the industrial equipment system 2 is not impaired. If the signal path is interrupted midway or if a necessary or unnecessary signal is input to the signal processing circuit 26, serious malfunctions may occur, so mathematically strict guarantees are required. Therefore, we consider using mathematical category theory to guarantee that the signal transmission paths before and after the change are topologically equivalent.

Figure 6 is a conceptual diagram showing objects and arrows when a network of signal transmission paths is considered as a category in category theory. In the following, unlike the usual notation in category theory, arrows are expressed using their start and end points, as in "start point --> end point," for simplicity. Generally, there can be multiple arrows with the same start and end points, but the same considerations can be applied to multiple arrows with the same start and end points. The signal transmission path connecting the control unit 20, signal processing circuit 26, sensor 27, and controller 28 via path change circuits 24 and 25 and signal path 2a can be considered as a network connecting multiple nodes with links corresponding to signal path 2a. More abstractly, this network can be considered as a category in mathematical category theory. In Figure 6, the circles represented by capital letters represent objects, and the arrows connecting two objects represent arrows. There are no particular limitations on how the objects are set, but for example, the terminals of the control unit 20 that outputs the setting signal, the terminals of the path change circuits 24 and 25, the terminals of the signal processing circuit 26, and the terminals of the sensor 27 can be set as objects in the category. The morphism corresponds to the signal path 2a that connects the terminals. The morphism of the network of signal transmission paths satisfies the composition rule, satisfies the associative law, and can be thought of as an identity morphism. Since it satisfies the definition of a category, the network can be considered a category.

In the upper diagram of Figure 6, the area surrounded by the thick dashed line represents the regular signal transmission path related to the operation of the industrial equipment system 2. The objects and arrows outside the thick dashed line represent signal transmission paths where dummy processing and dummy signal transmission take place.

Changes to signal transmission paths and processing content can be thought of as a functor that maps the objects and arrows of the category of the network before the route change to the objects and arrows of the category of the network after the route change. The following operations can be considered as methods for changing the network or category of a signal transmission path. For example, as shown in Figure 6, the network or category of a signal transmission path can be changed by adding or deleting nodes and links that constitute a detour route. The network or category of a signal transmission path can also be changed by adding or deleting nodes and links that transmit dummy signals. The network or category of a signal transmission path can also be changed by adding or deleting nodes and links that parallelize the signal path. The network or category of a signal transmission path can also be changed by dividing one node into multiple nodes connected in series and merging the multiple nodes connected in series into a single node. The network or category of a signal transmission path can also be changed by adding or deleting encryption nodes that encrypt signals and decryption nodes that decrypt encrypted signals.

(Labeling functors)
Symbols (labels) that uniquely represent the nodes and links that make up the signal transmission path network are assigned to the nodes and links. The functor can be expressed as information that associates labels representing the nodes and links before the route change with labels representing the nodes and links after the route change (labeling). The change content information includes information on the labeled functor.
for example,
(1) A functor that does not change the signal transmission path can be expressed as {A=A}-{B=B}-...-{K=K}-{f=f}-{g=g}...{p=p}.
(2) The functor that swaps links can be expressed as {A=A}-{B=B}-...-{K=K}-{f=q-A-l}-[g=g]-...-{p=p}. This expresses that link f is changed to link q → node A → link l.
(3) The functor that swaps nodes can be expressed as {A = A} - [B = B - q - A] - ... - {K = K} - {f = l} - [g = g] - ... - {p = p}. Node B is changed to node B → link q → node A, and node f is changed to node l.

The correspondence between nodes and links before and after a route change can be expressed as {label before conversion = label after conversion}. The label on the left, associated with the "=" in curly brackets, represents the node or link before the change, and the label on the right represents the node or link after the change.

(Guaranteeing network identity through category theory)
If it is possible to create a functor that does not change the connection relationships of multiple signal paths 2a, the control unit 20 can use the functor to safely change the connection relationships of signal paths 2a by mapping the area before the route change to the area after the route change.

For two different signal transmission path networks N1 and N2, a faithfully filled functor F that transforms N1 into N2 does not essentially damage the network structure if the functor F has a right adjoint functor and the adjoint units are naturally isomorphic. In other words, if a faithfully filled functor has a right adjoint functor such that the adjoint units are naturally isomorphic, then even if the signal transmission path network is changed using that functor, the signal transmission path is equivalent and the operation of the industrial equipment system 2 will not change. "Naturally isomorphic adjoint units" means that if any object O1 or arrow A1 is moved by a functor (left adjoint functor), and the object O2 or arrow A2 moved by the functor is moved to object O1' or A1' by a right adjoint functor, then object O1 or arrow A1 and object O1' or A1' are naturally isomorphic. "Faithfully filled" means that the mapping by the functor is bijective.

Figure 7 is a conceptual diagram showing a method for verifying a functor that modifies signal transmission paths. In the network of signal transmission paths in industrial equipment system 2, setpoint signals "α" and "β" are input to signal processing circuits 26 "1" and "2," and the processed control signals are securely transmitted to controllers 28 "I" and "II." Nodes depicted as squares and circles represent objects, and arrows represent arrows. Since signal path 2a, which is located along the path, is physically susceptible to eavesdropping, we want to prevent an eavesdropper from obtaining enough information to perform reverse engineering. Therefore, the control unit 20 dynamically modifies the signal transmission path. The upper diagram in Figure 7 shows the network before the path modification, and the lower diagram in Figure 7 shows the network after the path modification. As shown in Figure 7, the signal transmission path is modified by the functor. In the example shown in Figure 7, the modification of the signal transmission path has resulted in the signal flowing through signal path 2a "i" no longer flowing, and instead, the signal now flows through signal path 2a "k." Dynamically modifying the signal transmission path network makes it possible to conceal the connection relationship of signal path 2a.

Next, we will explain how to check whether changes to signal transmission lines will cause any problems. By checking whether the functor that shifts the category of the signal transmission line network is a faithfully fulfilling functor for which a right adjoint functor exists, we can check whether the networks are equivalent.

The morphism of the category C, which is the network before the change, is as follows: For simplicity of explanation, the morphism will be explained here with the set value signal as the starting point and the controller 28 as the end point.
α → i → 1 → p → I
β → i → 1 → p → I
β → j → 2 → 1 → II

The morphism of the category C', which is the network before the change, is as follows.
α → j → 1 → p → I
β → j → 1 → p → I
β → k → 2 → 1 → II

The functor F that maps category C to category C' is as follows. Note that functors that do not change objects or morphisms are omitted. A functor for object A is represented as F _A , and a functor for morphism A→B is represented as F _A→B , where the object or morphism it acts on is represented by a subscript.

The functor E that maps category C' to category C is as follows:

The above functor F is a faithfully filled functor because it transfers objects and arrows one-to-one. Furthermore, the objects and arrows transferred by functor EF are naturally isomorphic to the objects and arrows in the original category, so there exists a right adjoint E for functor F. Therefore, it can be seen that the network of signal transmission lines transferred by functor F is equivalent to the signal transmission lines before the route change.

<Procedure for verifying and distributing change information>
9 is a flowchart showing the procedure for verifying and distributing the change information required for the encryption of the device configuration on the display unit 12 (step S111).

The device configuration encryption dashboard 3 includes a confidentiality target device display section 31, an encryption details display section 32, an encryption operation section 33, and an encryption status list 34.

The anonymization target equipment display unit 31 displays information such as the name and model number of the industrial equipment system 2 that is the anonymization target. The encryption details display unit 32 displays details of the anonymization process performed on the industrial equipment system 2 that is the anonymization target, such as an ID that identifies the change content information and the date of the most recent anonymization process. The encryption operation unit 33 displays an ID that identifies the change content information and the creation and distribution status of the change content information. The creation and distribution of change content information is broadly carried out in the following steps: "Create," "Verify," "Review," and "Distribute." The encryption operation unit 33 has a "Create Encryption Rule" button 33a, a "Automatic Encryption Rule Verification" button 33b, a "Request Encryption Rule Review" button 33c, and a "Distribute" button 33d, corresponding to these steps. The "Create Encryption Rule" button 33a is a button for starting the creation of change content information. The "Automatic Encryption Rule Verification" button 33b is a button for verifying whether the created change content information is problem-free based on knowledge of category theory. The "Request Encryption Rule Review" button 33c is a button for requesting a final review of the change information after it has been created and verified from the reviewer. The "Distribute" button 33d is a button for distributing the change information that has been verified and reviewed to the industrial equipment system 2 that is to be kept confidential.

Next, the processing unit 10 creates a functor related to change information for modifying the communication transmission path, etc., and labels it (step S112). For example, when the "Create Encryption Rule" button 33a is operated, the processing unit 10 creates change information for modifying the signal transmission path. The timing for creating the change information in the information processing device 1 is not particularly limited, but it may be created periodically, or creation of the change information may be triggered by receiving a notification of an abnormality in the industrial equipment system 2. Abnormalities in the industrial equipment system 2 include, for example, a state in which a signal flowing through the signal path 2a is intercepted or abnormal equipment operation is performed. The industrial equipment system 2 can detect signal interception by, for example, monitoring the modulation pattern of the signal flowing through the signal line, the signal characteristics, the characteristics of the electromagnetic waves emitted from the signal line, etc. The industrial equipment system 2 can also detect abnormal equipment operation by monitoring operation of the operation panel 22 at an unusual frequency or operation using an abnormal procedure. If an abnormality is detected, the industrial equipment system 2 sends data notifying the abnormality to the information processing device 1, as there is a risk of reverse engineering. The information processing device 1 can recognize abnormalities in the industrial equipment system 2 based on the data transmitted from the industrial equipment system 2.

The processing unit 10 creates a functor that associates symbols representing each object and arrow (node and link) that make up the network of the signal transmission path before the change with symbols representing each object and arrow (node and link) that make up the network of the signal transmission path after the change.

For example, the processing unit 10 creates a functor of changes such as swapping two randomly selected signal transmission paths, creating a detour, or branching or parallelizing a signal path, with one path being created as an input path to a dummy signal processing circuit 26. A detour is, for example, a path in which a certain set value signal is input as a dummy to a dummy signal processing circuit 26, which then outputs the set value signal as is to the path change circuits 24, 25, and the set value signal returned from the dummy signal processing circuit 26 is input to the signal processing circuit 26 to which it was originally intended.

Furthermore, the processing unit 10 may make a change to add nodes and links to which dummy signals are input. Furthermore, the processing unit 10 may make a change to add dummy signal processing that executes meaningless dummy signal processing. Furthermore, the processing unit 10 may make a change to add a functional unit that encrypts and decrypts signals along the signal transmission path. For example, a circuit that performs encryption or decryption may be configured inside the path change circuits 24 and 25, or the signal processing content may be changed so that encryption or decryption is performed in the signal processing circuit 26.

In addition, the processing unit 10 may convert information related to the category and functor of the labeled signal transmission path network into a representation for a processing system suitable for processing category theory. For example, it may convert it into a representation that runs on Haskell.

Furthermore, the processing unit 10 may be configured to use a machine learning model to create a functor that changes the signal transmission path network. For example, training data is prepared that includes multiple data sets that associate data indicating the signal transmission path network before the change with a functor that represents a functor that maps from that network to the signal transmission path network after the change, with equivalence guaranteed. Then, a machine learning model such as a large-scale language model or a deep neural network model is trained so that when data indicating the signal transmission path network before the change is input, a functor that transfers to an equivalent network is output.

The processing unit 10 can input data representing the network of the signal transmission path before the change into the trained machine learning model and output a functor. The machine learning model may also be trained so that when data representing the network before the change is input, data representing the network after the change is output. In this case, the processing unit 10 creates a functor that associates the objects and morphisms that make up each network, in other words, the nodes and links, based on the data representing the networks before and after the change, i.e., pre-change information.

Furthermore, functors that represent methods of changing communication transmission paths, etc., can be created manually.

The functor created in step S112 does not guarantee the equivalence of the network before and after the change, so steps S113 to S115 are used to confirm that no problems will arise from the change to the signal transmission path.

When the "Automatic Encryption Rule Verification" button 33b is operated, the processing unit 10 executes the processing of steps S113 to S117 related to the verification of the functor. The processing unit 10 determines whether the created functor is a faithfully filled functor (step S113). In other words, it determines whether the nodes and links representing the signal transmission paths before the change and the nodes and links representing the signal transmission paths changed by the functor have a bijective relationship. If it is determined that the functor is not faithfully filled (step S113: NO), the processing unit 10 returns the processing to step S112 and creates the functor again.

If it is determined that the functor is faithfully full (step S113: YES), the processing unit 10 creates a right adjoint functor for the created functor (step S114) and determines whether a right adjoint functor has been created such that the adjoint units are naturally isomorphic (step S115).

If it is determined that the creation of the right adjoint functor has failed (step S115: NO), the processing unit 10 returns the process to step S112 and starts the creation of the functor again. If it is determined that the creation of the right adjoint functor has been successful (step S115: YES), the processing unit 10 creates name change information indicating how to change the names of the setting values, sensor values, and control values to be displayed on the display panel 22a of the industrial equipment system 2 (step S116). The name change information is information that associates various setting values with the names of each setting value. The processing unit 10 may create the name change information by randomly associating setting values with names. The method of changing the association between setting values and names is not particularly limited.

Then, the processing unit 10 stores the change content information, including information about the created functor and name change information, in the storage unit 11 (step S117).

If the "Request Encryption Rule Review" button 33c is operated after completing the verification of the change information including the functor, the processing unit 10 will notify the reviewer of a request to review the created and verified change information. If the reviewer responds that the review is complete, the processing unit 10 will store data indicating that the review of the change information has been completed.

Next, the processing unit 10 determines whether to distribute the change information (step S118). Specifically, the processing unit 10 determines whether the "Distribute" button 33d on the anonymization dashboard screen has been operated by the anonymization officer. If it is determined that the distribution operation has not been performed (step S118: NO), the processing unit 10 terminates the processing without performing distribution. The anonymization officer can distribute the change information stored in the memory unit 11 to the industrial equipment system 2 by operating the distribution button on the anonymization dashboard screen at any time. If it is determined that the distribution operation has been performed (step S118: YES), the processing unit 10 encrypts the change information and distributes the encrypted change information to the industrial equipment system 2 (step S119), and terminates the processing. Note that the processing of steps S113 to S115 can also be modified as follows. For example, after completing the processing of step S112, the processing unit 10 may be configured to determine whether the created functor is invertible. In other words, the processing unit 10 determines whether an inverse functor exists or whether an inverse functor can be created. If it is determined that the functor is not invertible, the processing unit 10 returns the process to step S112. If it is determined that the functor is invertible, the processing unit 10 executes the processes from step S116 onwards.

<Processing procedure for changing signal transmission paths, etc.>
10 is a flowchart showing a processing procedure for changing the signal transmission path and the software function. The control unit 20 of the industrial equipment system 2 receives the change content information distributed from the information processing device 1 (step S131), decodes the received change content information, and stores it in the storage unit 21 (step S132).

Next, the control unit 20 detects an abnormality or determines whether a predetermined change period has arrived (step S133). An abnormality may occur when the signal flowing through the signal path 2a is intercepted, or when an abnormal device operation is performed. Basically, the control unit 20 changes the signal transmission path when it receives change content information. However, when an unexpected abnormality is detected or if the signal transmission path has not been changed for a long period of time, it is desirable for the industrial equipment system 2 to initiate processing related to changing the signal transmission path. Step S133 is processing for this purpose, but is not essential.

If it is determined that there is no abnormality and the specified change period has not arrived (step S133: NO), the control unit 20 ends the process. If an abnormality is detected or the specified change period has arrived (step S133: YES), the control unit 20 determines whether or not it is OK to change the signal transmission path (step S134). For example, the control unit 20 displays on the display of the operation panel 22 that the signal transmission path will be changed, and accepts a user operation to start the change on the operation panel 22. If the process of changing the signal transmission path, etc., is started at an inappropriate time, such as while the industrial equipment system 2 is operating, problems may occur, so it is desirable to start the change of the signal transmission path only after the user has performed a final confirmation. Step S134 is a process to ensure that the signal transmission path change is executed at the appropriate time.

If a change start operation is performed, the control unit 20 determines that it is OK to start changing the signal transmission path. If a change start operation for the signal transmission path is not performed (step S134: NO), the control unit 20 ends processing. If a change start operation for the signal transmission path is performed (step S134: YES), the control unit 20 changes the signal transmission path of the input signal based on the functor information included in the change content information (step S135). In other words, the control unit 20 changes the signal transmission path of the path change circuit 24.

Next, the control unit 20 changes the processing content to be executed by the signal processing circuits 26 as necessary, based on the functor information included in the change content information (step S136). In other words, if the change content information describes a change to the signal processing content, the control unit 20 changes the processing content to be executed by each signal processing circuit 26. Changes to the processing content also include changes to the terminals to which signals used for processing are input.

Next, the control unit 20 changes the signal transmission path of the output signal based on the functor information included in the change content information (step S137). In other words, the control unit 20 changes the signal transmission path of the path change circuit 25.

Next, the processing unit 10 changes the name of the setting value, sensor value, or control value displayed on the operation panel 22 based on the name change information included in the change content information (step S138), and then ends the processing.

As described above, the concealment method, industrial equipment system 2, and computer programs P1 and P2 according to this embodiment make it possible to conceal the mechanism by which the hardware and software of an industrial equipment system work together.

By dynamically changing the connection relationships of the signal paths 2a connecting the control unit 20, multiple signal processing circuits 26, multiple sensors 27, and multiple controllers 28, it is possible to conceal the functional connections within the industrial equipment system 2. For example, the signal paths can be changed by adding or removing detours to the signal transmission paths, adding or removing signal paths 2a through which dummy signals are transmitted, paralleling or merging signal paths, etc.

The control unit 20 can conceal the functional connections within the industrial equipment system 2 by changing the functions of the signal processing circuit 26.

By mixing in dummy signals, the control unit 20 can conceal the functional connections within the industrial equipment system 2.

By providing a dummy signal processing circuit 26, the control unit 20 can conceal the functional connections within the industrial equipment system 2.

The control unit 20 can conceal the functional connections within the industrial equipment system 2 by changing the names of the signals displayed on the display panel 22a of the industrial equipment system 2.

By distributing change information from the information processing device 1 of the person who manages the production of multiple industrial equipment systems 2 to each industrial equipment system 2 and changing the connection relationships of the signal transmission paths in each industrial equipment system 2, it is possible to keep the internal functional connections of the industrial equipment systems 2 confidential.

The control unit 20 can change the signal transmission path in a way that does not cause abnormalities in the operation of the industrial equipment system 2 by verifying whether the signal transmission path networks before and after the change are in an equivalence relationship in category theory.

By changing the signal transmission path periodically or when an abnormality is detected, the information processing device 1 and the industrial equipment system 2 can more reliably keep the functional connections within the industrial equipment system 2 confidential.

In this embodiment, the industrial equipment system 2 has been described as a single device as shown in FIG. 1, but the industrial equipment system 2 may also be a system connecting multiple devices. In other words, the technology of this embodiment can also be applied to cases where the connection relationships of the signal paths 2a connecting multiple devices are to be kept confidential. For example, in an industrial equipment system 2 in which multiple substrate processing apparatuses of the same type are connected via signal paths 2a and each substrate processing apparatus performs optimization operations by sending and receiving signals, know-how related to the interaction between each substrate processing apparatus can be kept confidential by changing the connection relationships of the signal transmission paths connecting each substrate processing apparatus. Furthermore, in an industrial equipment system 2 in which multiple devices of different types are connected via signal paths 2a and each apparatus performs optimization operations by sending and receiving signals, know-how related to the interaction between each apparatus can be kept confidential by changing the connection relationships of the signal transmission paths connecting each apparatus.

Furthermore, the information processing device 1 may be configured to store multiple pieces of change information in the memory unit 11 in advance, and to transmit the change information stored in the memory unit 11 to the industrial equipment system 2 when an abnormality is detected in the industrial equipment system 2. Further, the industrial equipment system 2 may be configured to store multiple pieces of change information in the memory unit 21 in advance, and to change the connection relationship of the signal transmission path based on the change information stored in the memory unit 11 when an abnormality is detected in the industrial equipment system 2. When an abnormality that could lead to the risk of reverse engineering is detected, such as interception of the signal path 2a or abnormal operation of the operation panel 22, the signal transmission path network can be changed, thereby concealing the cooperation between the hardware and software of the industrial equipment system 2.

The embodiments disclosed herein are illustrative in all respects and should not be considered limiting. The technical features described in each embodiment may be combined with one another, and the scope of the present disclosure is intended to include all modifications within the scope of the claims and equivalents thereto. The sequence shown in each embodiment is not limited, and, to the extent that there is no contradiction, each processing step may be executed in a different order, and multiple processes may be executed in parallel. The entity that performs each process is not limited, and, to the extent that there is no contradiction, the processing of each device may be executed by another device.

The matters described in each embodiment can be combined with each other. Furthermore, the independent claims and dependent claims described in the claims can be combined with each other in any and all combinations, regardless of the citation format. Furthermore, the claims use a format in which a claim cites two or more other claims (multi-claim format), but this is not limited to this. A format in which multiple claims cite at least one other multiple claim (multi-multi-claim) can also be used.

The means for solving the problems of the present disclosure are described below.
(Appendix 1)
A method for concealing an industrial equipment system including a plurality of signal processing units and a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output from the plurality of signal processing units, the method comprising:
a changing step of changing a connection relationship of the plurality of signal paths to the plurality of signal processing units within a range where an operation of the industrial equipment system does not change.
(Appendix 2)
2. The method for concealing information according to claim 1, further comprising: changing functions of the plurality of signal processing units.
(Appendix 3)
The concealment method according to claim 1 or 2, wherein the signal includes a signal of a sensor value output from a sensor provided in the industrial equipment system and a signal of a plurality of setting values set in the industrial equipment system.
(Appendix 4)
4. The method according to claim 1, wherein the signal includes a dummy signal.
(Appendix 5)
The plurality of signal processing units include:
5. The concealment method according to claim 1, further comprising a dummy signal processing unit that performs dummy signal processing.
(Appendix 6)
6. The concealment method according to claim 1, further comprising: changing a name of a signal displayed on a display panel of the industrial equipment system.
(Appendix 7)
The changing step includes:
the concealment method according to any one of Supplementary Note 1 to Supplementary Note 6, wherein a connection relationship between the plurality of signal processing units and the plurality of signal paths is regarded as a category in category theory, and the connection relationship is changed by mapping the connection relationship between the plurality of signal paths to a category different from the category using a functor that does not change the connection relationship between the plurality of signal paths.
(Appendix 8)
The concealment method according to Supplementary Note 7, further comprising a step of determining whether the functor is a faithfully full functor for which there exists a right adjoint functor such that the units of the adjoint are naturally isomorphic, thereby determining whether the functor does not change the operation of the industrial equipment system.
(Appendix 9)
The changing step includes:
9. The concealment method according to any one of Supplementary Note 1 to Supplementary Note 8, wherein a connection relationship between the plurality of signal processing units and the plurality of signal paths is considered as a network including a plurality of nodes and links connecting the nodes, and the connection relationship is changed by adding or deleting nodes and links that configure detour paths, adding or deleting nodes and links that transmit dummy signals, adding or deleting nodes and links that parallelize signal paths, dividing one node into a plurality of nodes connected in series, merging a plurality of nodes connected in series into one node, and adding or deleting an encryption node that encrypts a signal and a decryption node that decrypts the encrypted signal.
(Appendix 10)
The changing step includes:
the connection relationship between the plurality of signal processing units and the plurality of signal paths is regarded as a network including a plurality of nodes and links connecting the nodes, and change content information is created in which symbols representing the nodes and links before the change correspond to symbols representing the nodes and links after the change;
The concealment method according to any one of Supplementary Note 1 to Supplementary Note 9, further comprising: changing the connection relationship based on the change content information.
(Appendix 11)
an information processing device external to the industrial equipment system creating the change content information and distributing it to the industrial equipment system;
a step in which the industrial equipment system receives the change content information distributed from the information processing device,
The changing step includes:
The concealment method according to claim 10, further comprising changing the connection relationship based on the received change content information.
(Appendix 12)
The changing step includes:
12. The concealment method according to any one of Supplementary Note 1 to Supplementary Note 11, wherein a connection relationship of the plurality of signal paths to the plurality of signal processing units is changed when it is detected that a signal transmitted through the signal path is being read from outside, when an abnormal operation of the industrial equipment system is detected, or when a predetermined change period has arrived.
(Appendix 13)
A plurality of signal processing units;
a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output from the plurality of signal processing units;
a path change circuit that changes the paths of the plurality of signal paths;
a control unit that causes the path change circuit to change the connection relationships of the plurality of signal paths to the plurality of signal processing units within a range that does not change operation related to signal processing.
(Appendix 14)
A computer program that causes a computer to execute processing related to concealment of an industrial equipment system including a plurality of signal processing units and a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output from the plurality of signal processing units,
The computer,
A computer program for executing a process of changing the connection relationships of the plurality of signal paths to the plurality of signal processing units within a range where the operation of the industrial equipment system does not change.

1: Information processing device 2: Industrial equipment system 2a: Signal path 20: Control units 24, 25: Path change circuit 26: Signal processing circuit P1, P2: Computer program

Claims (14)

A method for concealing an industrial equipment system including a plurality of signal processing units and a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output from the plurality of signal processing units, the method comprising:
a changing step of changing a connection relationship of the plurality of signal paths to the plurality of signal processing units within a range where an operation of the industrial equipment system does not change. The method according to claim 1 , further comprising changing functions of the plurality of signal processing units. The concealment method according to claim 1 , wherein the signals include a signal of a sensor value output from a sensor provided in the industrial equipment system and a signal of a plurality of setting values set in the industrial equipment system. The encryption method according to claim 1 , wherein the signal includes a dummy signal. The plurality of signal processing units include:
The concealment method according to claim 1 , further comprising a dummy signal processing unit that performs dummy signal processing. The concealment method according to claim 1 , further comprising: changing a name of a signal displayed on a display panel of the industrial equipment system. The changing step includes:
2. The concealment method according to claim 1, wherein a connection relationship between the plurality of signal processing units and the plurality of signal paths is regarded as a category in category theory, and the connection relationship is changed by mapping the connection relationship between the plurality of signal paths to a category different from the category using a functor that does not change the connection relationship between the plurality of signal paths. The concealment method according to claim 7, further comprising a step of determining whether the functor is a faithfully full functor for which there exists a right adjoint functor such that the units of the adjoint are naturally isomorphic, thereby determining whether the functor does not change the operation of the industrial equipment system. The changing step includes:
2. The concealment method according to claim 1, wherein the connection relationship between the plurality of signal processing units and the plurality of signal paths is considered as a network including a plurality of nodes and links connecting the nodes, and the connection relationship is changed by adding or deleting nodes and links that configure detour routes, adding or deleting nodes and links that transmit dummy signals, adding or deleting nodes and links that parallelize signal paths, dividing one node into a plurality of nodes connected in series, merging a plurality of nodes connected in series into one node, and adding or deleting an encryption node that encrypts a signal and a decryption node that decrypts the encrypted signal. The changing step includes:
the connection relationship between the plurality of signal processing units and the plurality of signal paths is regarded as a network including a plurality of nodes and links connecting the nodes, and change content information is created in which symbols representing the nodes and links before the change correspond to symbols representing the nodes and links after the change;
The concealment method according to claim 1 , further comprising: changing the connection relationship based on the change content information. an information processing device external to the industrial equipment system creating the change content information and distributing it to the industrial equipment system;
a step in which the industrial equipment system receives the change content information distributed from the information processing device,
The changing step includes:
The concealment method according to claim 10 , further comprising: changing the connection relationship based on the received change content information. The changing step includes:
2. The concealment method according to claim 1, wherein a connection relationship of the plurality of signal paths to the plurality of signal processing units is changed when it is detected that a signal transmitted through the signal path is being read from outside, when an abnormal operation of the industrial equipment system is detected, or when a predetermined change period has arrived. A plurality of signal processing units;
a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output from the plurality of signal processing units;
a path change circuit that changes the paths of the plurality of signal paths;
a control unit that causes the path change circuit to change the connection relationships of the plurality of signal paths to the plurality of signal processing units within a range that does not change operation related to signal processing. A computer program that causes a computer to execute processing related to concealment of an industrial equipment system including a plurality of signal processing units and a plurality of signal paths for transmitting signals input to the plurality of signal processing units and signals output from the plurality of signal processing units,
The computer,
A computer program for executing a process of changing the connection relationships of the plurality of signal paths to the plurality of signal processing units within a range where the operation of the industrial equipment system does not change.