WO2014042636A1 - Packet intrusion inspection in an industrial control network - Google Patents
- Publication number
- WO2014042636A1 (application PCT/US2012/055058)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- industrial control
- packets
- processor
- network
- inspecting
- Prior art date
- Legal status
- Ceased
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
            - H04L63/1425—Traffic logging, e.g. anomaly detection
Definitions
- the present embodiments relate to packet intrusion detection.
- the preferred embodiments described below include methods, systems, instructions, and computer readable media for packet intrusion inspection.
- Figure 2 is a block diagram of one embodiment of a device in the industrial control network of the system of Figure 1;
- Figure 3 is a flow chart diagram of one embodiment of a method for packet intrusion inspection.
- the programmable logic controllers 20A-C are panels, rackmounted cards, computers, processors, circuits, or other programmable devices for automation of electromechanical, chemical, pneumatic, fluid, electrical, mechanical, or other processes.
- the programmable logic controllers 20A-C control machinery on assembly lines, heating-ventilation-air-conditioning (HVAC), refinery flow, mixing, or other devices or processes.
- the programmable logic controllers 20A-C output in response to input conditions within a limited time.
- the programmable logic controllers 20A-C may include or connect with sensors and/or actuators.
- the sensors may be temperature, pressure, rate, current, voltage, inductance, capacitance, chemical, flow, or other sensors. Any number of sensors may be used.
- the actuators may be magnetic, electric, pneumatic, or other devices for altering, moving, drilling, welding, mixing, spinning, changing, or otherwise actuating.
- the sensors and actuators communicate with or are part of the field devices for control and measuring.
- the system of the industrial control network includes one or more controller stations.
- the control is centralized in an engineering station 26.
- Distributed control of the system may be used, such as providing multiple engineering stations 26.
- the engineering station 26 is a supervisory control and data acquisition (SCADA) system or other component for configuring, diagnosing, or otherwise arranging for operation of the industrial control network.
- the industrial control network is configured by the engineering station, such as establishing which components communicate and which do not and establishing which components perform read actions, which components perform write actions, and which do not.
- the network switch 28 routes all or a selected subset of the communications to the inspection processor 32. For routing all
- the inspection processor 32 is an application specific integrated circuit, field programmable logic device, digital logic, digital circuit, or other hardware-based device.
- the inspection processor 32 operates pursuant to firmware, software, or hardware design.
- a Linux operating system, other operating system, or circuit design controls operation.
- the inspection ruleset is fixed or may be programmable. Given a hardware centric implementation, more efficient or rapid inspection may occur.
- the ruleset may be configured for a given arrangement or configuration of the industrial control network. For example, programmable logic controller 20A is to communicate with programmable logic controller 20B, but not controller 20C.
- the ruleset may be altered by programming of the hardware device to account for this configuration.
- the inspection processor 32 is a digital signal processor, general processor, control processor, or other processor operating pursuant to software programming without hardware design specific to the inspection purpose.
- the inspection processor 32 is programmed to implement the ruleset.
- only one inspection processor 32 is used.
- the inspection processor 32 connects with one or more network switches 28. The connection is at a centralized location for inspecting all or selected traffic.
- the inspection processor 32 may be integrated with the network switch 28.
- more than one inspection processor 32 is provided.
- a communications interface or communications processor is programmed to perform the inspection.
- the communications interface or processor is paired with a programmable logic controller or other device, such as being mounted in a rack as part of, with, or adjacent to each of the programmable logic controllers 20A-C. Inspection processors 32 are thus provided for each programmable logic controller 20A-C and/or other components.
- the inspection processor 32 is configured to inspect
- the communications are formatted based on the communications protocol used in the industrial control network.
- the communications protocol may be TCP/IP, Profinet, or another publicly available protocol.
- a proprietary protocol designed specifically for industrial control may be used. For example, Simatic OMS+ from Siemens Industries is used.
- the proprietary protocol is generally only available from one source or multiple sources contractually controlled by one source.
- the proprietary protocol or aspects of the protocol may be kept secret to prevent use by others.
- the protocol defines the content of packets or other communication, such as providing headers and field definitions for routing and/or communicating.
- the protocol may also provide an operating environment, such as an operating system for the field devices, such as the programmable logic controllers 20A-C and engineering stations 26.
- the inspection is based on the protocol.
- the protocol defines the format of the communications.
- the inspection processor 32 parses the communications to extract information for the inspection.
- the rulesets define the information for inspection. For example, the rules rely on end-point pairings and/or read/write operations.
- the data associated with end-points and/or read/write commands is extracted from the communications.
- the data from specific fields in the packets or other communications format is extracted based on the protocol.
- the inspection is based on the operations of the components of the industrial control network. Different components are configured pursuant to the engineering of the industrial control network. For example, different programmable logic controllers 20A-C control different devices in a
- a human machine interface 22 may write to a programmable logic controller 20A (but not another) to change a set point, but may not perform read operations.
- programmable logic controller 20B may not be configured to write to another programmable logic controller 20C. Based on the engineering, different components are configured to communicate and/or perform operations in specific ways and not other ways.
- the inspection may use the configuration information. Any operations outside the parameters established by the configuration of the industrial control network may be malformed or malicious. For example, a packet communicating between two components not configured to
- the ruleset such as established in firmware or software provided by the engineering station 26 to the inspection processor 32, incorporates the configuration of operation of the components of the industrial control network.
- Figure 2 shows one embodiment of one or more of the programmable logic controllers 20A-C, human-machine interface devices 22, operator stations 24, engineering station 26, network switch 28, and/or inspection processor 32.
- Each device is the same or different.
- the programmable logic controllers 20A-C are purpose built to withstand stresses and forces in the industrial environment and/or are computers.
- the human-machine interface devices 22 are switches or buttons with
- the processor 12 is a general processor, central processing unit, control processor, digital signal processor, application specific integrated circuit, field programmable gate array, digital circuit, analog circuit,
- the processor 12 is a single device or multiple devices operating in serial, parallel, or separately.
- the processor 12 may be a main processor of a computer, such as a laptop or desktop computer, or may be a processor for handling tasks in a purpose-built system, such as in a programmable logic controller 20A-C.
- the processor 26 is configured by firmware, software and/or hardware.
- the memory 14 is a system memory, random access memory, cache memory, hard drive, optical media, magnetic media, flash drive, buffer, database, combinations thereof, or other now known or later developed memory device for storing data.
- the memory 14 stores one or more datasets representing sensor readings, set points, and/or actuator status.
- the memory 14 may store calculated values or other information for reporting or operating in the network. For example, event data is stored.
- the memory 34 is the memory 14 for use with the inspection processor 32.
- the memory 34 stores a ruleset or other data used to parse and inspect communications.
- the memory 14, memory 32, or other memory is a non-transitory computer readable storage medium storing data representing instructions executable by the programmed processor 12 or 32 for inspection of
- Computer readable storage media include various types of volatile and nonvolatile storage media.
- the functions, acts or tasks illustrated in the figures or described herein are executed in response to one or more sets of instructions stored in or on computer readable storage media.
- the functions, acts or tasks are
- processing strategies may include multiprocessing, multitasking, parallel processing, and the like.
- the instructions are stored on a removable media device for reading by local or remote systems.
- the instructions are stored in a remote location for transfer through a computer network or over telephone lines.
- the instructions are stored within a given computer, CPU, GPU, or system.
- the network interface 16 is a physical connector and associated electrical communications circuit for networked communications.
- the network interface 16 is an Ethernet connector and corresponding circuit.
- a network card is provided.
- wireless or other wired connection is provided.
- the engineering station 26 and field devices are configured by software and/or hardware to perform various functions.
- the engineering station 26 is configured to download operating programs to the field devices and to set peer groups for communications between the field devices. Components not in a peer group with each other do not communicate.
- the configuration establishes read and write operations that may be performed, by which components, and to or from which components.
- the industrial control network may or may not connect with other networks.
- When first established or commissioned, the industrial control network is a stand-alone network or not connected to devices networked with other networks. Malformed communications may be provided even in a stand-alone or known good environment.
- the industrial control network may be connected to devices outside the network, such as to a corporate intranet or the Internet. For example, remote control or monitoring of the industrial control network is provided with communications through another network.
- the industrial control network itself is distributed over a wide area, so already existing communications networks are used for
- Figure 3 shows a method for packet intrusion inspection.
- the method is implemented by the system of Figure 1, a component of Figure 2, or another system and/or component.
- the acts are performed in the order shown or other orders. Additional, different, or fewer acts may be provided.
- act 44 focuses on the operation of the inspection processor. Additional or different acts are provided for the other components, such as requesting, reading, writing, responding, or other communicating.
- components of the network are to communicate with some, but not all, of the other components.
- a given field device communicates with another field device, but not a different field device.
- peer groups are established.
- the components are arranged in the peer groups.
- the engineer assigns components to peer groups.
- Each peer group is a collection of components (i.e., peers) that communicate with each other.
- a given component may be in one or multiple peer groups.
- the packets are routed through one or more network switches.
- the network switches interconnect the various components. When a component transmits a message, the message is provided over a direct or indirect connection to the network switch.
- the network switch identifies the destination of each packet. Based on a routing table or data indicating input/output ports connected with different components, the network switch forwards the message to the destination component or to a multi-hop route that will lead to the destination component.
- Multiple network switches may be used. For example, different groups of components connect to different network switches.
- the network switches may interconnect so that communications for components connected to different switches may be routed.
- a single network switch is provided for the industrial control network. All components of the same network connect to the network switch.
- a spanning port may be used. All incoming and/or outgoing communications from the network switch are intercepted by the spanning port. The communications are routed to the inspection component prior to or after routing by the network switch.
- the communications are not routed to the network switch.
- the industrial control network is configured such that each component is connected with any other components for which communication is possible.
- communication processors, the destination component, or other processor is provided to intercept and inspect the packets.
- the packets are inspected.
- the inspection is performed by the inspection component.
- the inspection component is separate from the network switch.
- the packets routed to and/or from the network switch pass through or are copied to the inspection component.
- other devices perform the inspection, such as using a processor integrated with the network switch, using a communication processor, or using a processor at or in components used for industrial control (e.g., programmable logic controllers).
- the inspection component or other component examining the packets is within the industrial control network.
- the inspection component may have access to selected ones of or all of the packets.
- the inspection component may be configured based on the network. For example, the configuration of the network is used to establish the ruleset or values used in the ruleset for inspecting.
- the packet inspection may be performed more efficiently using a component within the network rather than outside the network. Using a hardware/firmware component, further efficiencies may be provided.
- Efficiency in communication may be particularly important in industrial control networks to avoid down time in manufacturing or production and/or to implement safety related processes.
- the packets are examined for an intrusion of the industrial control network.
- the intrusion may be due to malformed packets.
- the programming of a component is incorrect, becomes corrupt, is modified maliciously, or is not as designed.
- the resulting programming causes one or more packets to include incorrect commands or otherwise not be as expected.
- the intrusion may be maliciously formed packets. Packets may be inserted from a source outside of the industrial control network. Alternatively, components of the industrial control network may be modified or
- the packets are generated to include undesired commands or other undesired data.
- All of the packets of the industrial control system are examined. The inspection of each packet assures that no intrusion detectable by the ruleset occurs. Using a spanning port with the network switch, all of the packets are provided to the inspection component for examination. Other routing may alternatively be used. In alternative embodiments, the packets are sampled or other selection criteria are used to inspect fewer than all the packets. For greater efficiency, sampling for examination may be used based on the assumption that intruding packets are less likely to occur just once.
- the inspection is performed with a ruleset.
- the inspection is configured to check for particular problems. Any number of rules may be used. Where efficiency or avoidance of delay is important, the number of rules may be limited. For example, fewer than five rules are applied. In one embodiment, only end-point and read/write rules (e.g., two rules) are used. Each inspected packet is checked for violation of each of the limited ruleset. In other embodiments, different types of packets are checked with different rules or rulesets.
- the inspection is configured for the protocol of the network, such as a proprietary protocol.
- the packets may be parsed.
- the data for the field or fields checked based on the rules are extracted or identified.
- the protocol is used to control the parsing for data.
- the inspection is also based on the configuration of the industrial control network. Due to the nature of communications in industrial control networks, communications between components are limited.
- Some components never communicate with other components. Some components only communicate with one or more, but fewer than all, other components. Any of various network communications maps are used, depending on the specific industrial process being controlled and the components used to control the specific industrial process. Communications may be unidirectional or bi-directional depending on the configuration of the industrial control system.
- the peer grouping of communications results in various end-point to end-point communications being proper and others not being proper.
- the inspection parses the source and destination
- If the source-destination pair exists in the configured communications map, the packet passes inspection. If the source-destination pair does not exist (e.g., wrong direction of communications or improper pairing), the packet does not pass inspection.
- the read and write configuration of the components of the network may be used for inspection.
- the packets are parsed for read or write commands.
- the commands may be in the form of requests or messaging, or may be actual commands in the payload. If a read or write command exists, the source and destination are checked. If the source and destination pair for the type of command (e.g., write) is appropriate in the configuration of the network, the packet passes. If the source and/or the destination for the type of command are not appropriate in the configuration of the network, the packet fails the inspection.
- an alarm is generated when an intrusion is identified. If a packet does not pass inspection, the alarm is generated.
- the rules of the ruleset are used to indicate whether there is an intrusion.
- the alarm is an event notice. The alarm may be logged and stored for later checking. More aggressive alarming may be used, such as outputting a warning to a panel or engineering station. Messaging may be used, such as sending a notice via email, texting, instant messaging, or other communications format.
- the alarm is generated without blocking the intruding packets. Since packets may fail inspection for non-malicious reasons, the packets may still be useful to the network. Where the network is tied to industrial performance, blocking the packets may have adverse consequences (e.g., causing a failure in a time sensitive process or resulting in loss of revenue). Using passive inspection (e.g., not blocking) may more likely ensure worker safety in the industrial environment.
- the packets failing inspection are blocked.
- the packets are removed from the communications stream and not allowed to continue to the destination.
- some intruding packets are blocked and others are not. Different rules or the way in which a given rule is violated may be mapped to blocking or not blocking for violation of the inspection.
- Packet inspection may be used in combination with other network security. Using firewalls, virtual private network (VPN) tunneling, hardware security, and other best practices in combination with packet inspection may provide defense-in-depth for the industrial control network.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
PACKET INTRUSION INSPECTION IN AN INDUSTRIAL CONTROL NETWORK
BACKGROUND
[0001] The present embodiments relate to packet intrusion detection. In open network operating environments, packet intrusion detection is performed. Many checks of the packets in TCP/IP communications may be performed in an effort to identify maliciously generated packets. The checks attempt to locate packets inserted into the communications that may be for improper purposes. Any detected intruding packets are blocked or removed. Given the latency allowed in most networks, such inspection is performed by routers or other network devices with a complex ruleset. However, the rules will not work for communications occurring pursuant to different protocols.
[0002] Industrial control systems (ICS) may communicate using proprietary protocols. Given the environment of operation of the ICS, delay is minimized. The efficiency of the industrial process, such as manufacturing, and/or safety of workers, may be impacted by any delay. Blocking of packets may also adversely affect the performance of the ICS. Since the networks for ICS are generally isolated, packet intrusion detection is not performed in an effort to avoid increasing communications latency. However, ICS are frequently connected to broader communications networks, such as corporate intranets or the Internet for communications over large distances. This may make the networks for the ICS more vulnerable to packet intrusion.
BRIEF SUMMARY
[0003] By way of introduction, the preferred embodiments described below include methods, systems, instructions, and computer readable media for packet intrusion inspection. In an industrial control network, the communications are performed pursuant to a proprietary protocol. The communications are inspected for packet intrusion by a device within the industrial control network using the proprietary protocol and/or a configuration of the industrial control network. Given the timing requirements for industrial control systems, the inspection device may use a limited ruleset and/or be a separate, hardware-based (e.g., use firmware) device to avoid communications delay.
[0004] In a first aspect, a method is provided for packet intrusion inspection. Packets of data are communicated between components of an industrial control system with a proprietary protocol. The packets are routed through one or more network switches of the industrial control system. A processor separate from the network switch inspects the packets routed through the network switches. The inspecting is configured for the proprietary protocol, and the processor is within the industrial control system.
[0005] In a second aspect, a system is provided for packet intrusion inspection. An industrial control network includes one or more human machine interface devices, one or more programmable logic controllers, one or more operator stations, and one or more engineering stations. A processor of the industrial control network is configured to inspect communications within the industrial control network for packet intrusion.
[0006] In a third aspect, a non-transitory computer readable storage medium has stored therein data representing instructions executable by a programmed processor for packet intrusion inspection. The storage medium includes instructions for receiving packets for devices communicating using a proprietary protocol in an industrial control network, examining the packets for an intrusion of the industrial control network, the examining being based on the proprietary protocol and configuration of the industrial control network, and generating an alarm when an intrusion is identified.
[0007] The present invention is defined by the following claims, and nothing in this section should be taken as a limitation on those claims.
Further aspects and advantages of the invention are discussed below in conjunction with the preferred embodiments and may be later claimed independently or in combination.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] The components and the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the invention.
Moreover, in the figures, like reference numerals designate corresponding parts throughout the different views.
[0009] Figure 1 is a block diagram of one embodiment of a system for packet intrusion inspection in an industrial control network; and
[0010] Figure 2 is a block diagram of one embodiment of a device in the industrial control network of the system of Figure 1; and
[0011] Figure 3 is a flow chart diagram of one embodiment of a method for packet intrusion inspection.
DETAILED DESCRIPTION OF THE DRAWINGS AND PRESENTLY PREFERRED EMBODIMENTS
[0012] A device of an industrial control network performs deep packet intrusion detection in a proprietary protocol environment of the industrial control network. For example, a computer board with an application specific integrated circuit, input/output ports, a power supply, and firmware implements a stack of the proprietary protocol in hardware, making the inspection efficient.
[0013] Deep packet inspection is performed on the control protocol of the industrial control network. All traffic passes through the device. The device inspects each packet using a predefined ruleset. All correctly formed packets are permitted to pass without action. Any malformed or malicious traffic is detected. An alarm is generated and/or the traffic is logged with a timestamp and source. To prevent possible shut down of the industrial control system, the malformed or malicious traffic may be allowed to pass or not blocked.
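The end-point and read/write rules listed under Definitions above, together with the inspect, alarm and log pipeline of paragraph [0013], as an added worked example in Python. This is not code from the patent or from Siemens and knows nothing of Simatic OMS+: the frame layout, the component identifiers (HMI 22, PLCs 201 to 203, engineering station 26) and the permissions are constructed here so that the example runs offline. It derives the allowed end-point pairs from the engineered peer groups, checks each parsed frame against both rules, records a timestamped alarm with source and destination for every violation, and decides blocking per rule, so the default stays passive as the text recommends.

```python
"""Two-rule packet inspector for an industrial control network (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import struct
from typing import List, Optional, Set, Tuple

# Assumed frame layout (constructed for this example, not a real ICS protocol):
#   magic(2) | src_id(2) | dst_id(2) | op(1) | payload_len(2) | payload
MAGIC = b"IC"
HEADER = struct.Struct(">2sHHBH")
OP_NAMES = {0x01: "read", 0x02: "write", 0x03: "status"}
OP_CODES = {name: code for code, name in OP_NAMES.items()}


@dataclass
class Packet:
    src: int
    dst: int
    op: str
    payload: bytes


def parse_packet(raw: bytes) -> Packet:
    """Extract only the fields the rules need; malformed frames raise ValueError."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    magic, src, dst, op_code, plen = HEADER.unpack_from(raw)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if op_code not in OP_NAMES:
        raise ValueError("unknown op 0x%02x" % op_code)
    payload = raw[HEADER.size:]
    if len(payload) != plen:
        raise ValueError("payload length mismatch")
    return Packet(src, dst, OP_NAMES[op_code], payload)


def build_frame(src: int, dst: int, op: str, payload: bytes = b"") -> bytes:
    """Construct sample traffic in the assumed layout."""
    return HEADER.pack(MAGIC, src, dst, OP_CODES[op], len(payload)) + payload


@dataclass
class Ruleset:
    """Limited ruleset derived from the engineering configuration."""
    peer_groups: List[Set[int]]              # members of one group may exchange packets
    write_allowed: Set[Tuple[int, int]]      # directed (src, dst) pairs allowed to write
    read_allowed: Set[Tuple[int, int]]       # directed (src, dst) pairs allowed to read
    block_on: Set[str] = field(default_factory=set)  # rules whose violation drops the frame

    def violations(self, pkt: Packet) -> List[str]:
        """Check every rule against the packet and name those it violates."""
        failed = []
        if not any(pkt.src in g and pkt.dst in g for g in self.peer_groups):
            failed.append("endpoint")
        table = {"write": self.write_allowed, "read": self.read_allowed}.get(pkt.op)
        if table is not None and (pkt.src, pkt.dst) not in table:
            failed.append("readwrite")
        return failed


@dataclass
class Alarm:
    rule: str
    src: Optional[int]
    dst: Optional[int]
    op: Optional[str]
    timestamp: str
    blocked: bool


class Inspector:
    """Inspects every frame, logs an alarm per violation, forwards unless a blocking rule fired."""

    def __init__(self, ruleset: Ruleset) -> None:
        self.ruleset = ruleset
        self.log: List[Alarm] = []

    def inspect(self, raw: bytes) -> Tuple[bool, List[Alarm]]:
        now = datetime.now(timezone.utc).isoformat()
        try:
            pkt = parse_packet(raw)
        except ValueError:
            failed, src, dst, op = ["malformed"], None, None, None
        else:
            failed, src, dst, op = self.ruleset.violations(pkt), pkt.src, pkt.dst, pkt.op
        alarms = [Alarm(r, src, dst, op, now, r in self.ruleset.block_on) for r in failed]
        self.log.extend(alarms)
        return not any(a.blocked for a in alarms), alarms


# Constructed configuration following the text's examples: the HMI (22) may write a
# set point to PLC A (201) but not read from it; PLC A talks to PLC B (202) but not
# PLC C (203); PLC B may not write to PLC C; the engineering station (26) reaches all.
RULESET = Ruleset(
    peer_groups=[{22, 201}, {201, 202}, {202, 203}, {26, 201}, {26, 202}, {26, 203}],
    write_allowed={(22, 201), (201, 202), (26, 201), (26, 202), (26, 203)},
    read_allowed={(201, 202), (202, 203), (26, 201), (26, 202), (26, 203)},
    block_on={"endpoint"},  # passive alarming for every rule except an unknown pairing
)

SAMPLE_FRAMES = [  # constructed traffic
    build_frame(22, 201, "write", b"\x00\x2a"),  # HMI sets a set point: passes
    build_frame(22, 201, "read"),                # HMI reads: read/write violation
    build_frame(201, 203, "status"),             # PLC A -> PLC C: end-point violation
    build_frame(202, 203, "write", b"\x01"),     # PLC B writes to PLC C: read/write violation
    b"ZZ" + build_frame(26, 201, "read")[2:],    # wrong magic: malformed
]


def inspect_all(frames, ruleset=RULESET):
    """Run one inspector over frames; returns (forwarded, violated rule names) per frame."""
    insp = Inspector(ruleset)
    return [(fwd, [a.rule for a in alarms]) for fwd, alarms in (insp.inspect(f) for f in frames)]


if __name__ == "__main__":
    for frame, (fwd, rules) in zip(SAMPLE_FRAMES, inspect_all(SAMPLE_FRAMES)):
        print(frame.hex(), "forward" if fwd else "BLOCKED", rules)
```

Run directly, it prints a verdict for each constructed frame. In a deployment the ruleset would be generated from the engineering station's project rather than typed by hand, the parser would be the protocol's own stack, and the `block_on` set is where the passive-versus-blocking trade-off described in the text is decided per rule.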
[0014] Figure 1 shows a system for packet intrusion inspection. The system is implemented within an industrial control system using an industrial control network. The industrial control network implements industrial processes using field devices. For example, the system may monitor and control a manufacturing process using communications with field devices (e.g., programmable logic controllers or remote terminal units). The system provides control capabilities and a user interface for interacting with the control and data acquisition of the process.
[0015] The field devices are panels, programmable logic controllers, and/or remote terminal units. In the example of Figure 1, three programmable logic controllers 20A-C, a human-machine interface device 22, and an operator station 24 are shown. Additional, different, or fewer field devices may be provided. Other controllers, monitors, or devices for monitoring physical processes or characteristics and/or controlling manufacturing, a process, or production may be used.
[0016] The human-machine interface device 22 is a panel, personal computer, portable handheld controller, safety switch, user input, display device, and/or other component for human interaction with the system. For example, the human-machine interface device 22 is a button for shutting down operation of a robotic component by an operator (e.g., a safety or emergency trigger). More than one human-machine interface device 22 may be provided.
[0017] The operator station 24 is a panel, computer, display, monitor station (e.g., bank of lights with or without associated inputs), and/or other device for monitoring performance of or a part of the industrial control process. For example, the operator station 24 includes one or more status displays indicating the operation of one or more of the programmable logic controllers 20A-C and/or any activation of the human-machine interface device 22. Sensor and/or actuator status may be displayed. The operator station 24 may include a human-machine interface device 22. More than one operator station 24 may be provided.
[0018] The programmable logic controllers 20A-C are panels, rackmounted cards, computers, processors, circuits, or other programmable devices for automation of electromechanical, chemical, pneumatic, fluid, electrical, mechanical, or other processes. For example, the programmable logic controllers 20A-C control machinery on assembly lines, heating-ventilation-air-conditioning (HVAC), refinery flow, mixing, or other devices or processes. The programmable logic controllers 20A-C output in response to input conditions within a limited time.
[0019] For operating, the programmable logic controllers 20A-C may include or connect with sensors and/or actuators. The sensors may be temperature, pressure, rate, current, voltage, inductance, capacitance, chemical, flow, or other sensors. Any number of sensors may be used. The actuators may be magnetic, electric, pneumatic, or other devices for altering, moving, drilling, welding, mixing, spinning, changing, or otherwise actuating. The sensors and actuators communicate with or are part of the field devices for control and measuring.
[0020] The programmable logic controllers 20A-C may be configured to operate based on programming. The actions to perform and/or the set points for when to perform the actions may be programmed. The work flow or series of actions may be configured. Based on input at a user interface and/or a project provided over the network, the programmable logic controllers 20A-C are configured to control one or more aspects of the industrial process based on triggers and/or report events associated with the industrial process.
[0021] The system of the industrial control network includes one or more controller stations. In the example of Figure 1, the control is centralized in an engineering station 26. Distributed control of the system may be used, such as providing multiple engineering stations 26. The engineering station 26 is a supervisory control and data acquisition (SCADA) system or other component for configuring, diagnosing, or otherwise arranging for operation of the industrial control network. The industrial control network is configured by the engineering station, such as establishing which components communicate and which do not and establishing which components perform read actions, which components perform write actions, and which do not.
[0022] The engineering station 26 is configured to establish peers between the programmable logic controllers 20A-C, human machine interface devices 22, and operator stations 24 in the industrial control network. To establish peers, the identities are read from the field devices. Messaging may be used to obtain the identities. Because the engineering station 26 has access to all of the field devices on the network, the engineering station 26 retrieves the physical or logical identifiers from each of the field devices.
[0023] Using the identifiers, the engineering station 26 configures the network for operation. An engineer programs the network using the engineering station 26. The programs or projects to be implemented by the various field devices are selected or created. The programs are for programming the programmable components, such as the programmable logic controllers 20A-C and/or the operator station 24. Other components (e.g., human-machine interface device 22) may have fixed programming and/or operate in a predetermined manner without programming from the engineering station 26.
[0024] The industrial control network also includes one or more network switches 28. The network switch 28 is a multi-port network bridge, server, router, processor, computer, rack-mounted card, or other device for routing communications between the field devices, engineering stations 26, and/or other networks. The network switch 28 includes a plurality of input/output ports. For example, the network switch 28 is mounted in a rack with programmable logic controllers 20A-C. Cables from sensors and actuators connect to the programmable logic controllers 20A-C. Network cables from the various field devices (e.g., programmable logic controllers 20A-C), engineering stations 26, and/or other devices connect to the input/output ports of the network switch 28. Any communications between the connected components are switched to route from one port to another.
[0025] The network switch 28 routes all or a selected subset of the communications to the inspection processor 32. For routing all communications, a spanning port 30 is provided. The spanning port 30 connects across multiple or all of the input/output ports of the network switch 28 for intercepting or copying communications at the ports. The spanning port 30 physically mates with the ports of the network switch 28, is mounted in a rack as a separate card, or is a stand-alone component. In other embodiments, the network switch 28 routes the communications to the inspection processor 32 without the spanning port 30.
[0026] The inspection processor 32 and associated memory 34 sniff or inspect the communications. The inspection processor 32 is part of the industrial control network. For example, the inspection processor 32 is mounted in a rack with the programmable logic controllers 20A-C and/or the network switch 28. As another example, the inspection processor 32 is commissioned with or added to the industrial control network and communicates pursuant to a proprietary protocol of the industrial control network.
[0027] In one embodiment, the inspection processor 32 is an application specific integrated circuit, field programmable logic device, digital logic, digital circuit, or other hardware-based device. The inspection processor 32 operates pursuant to firmware, software, or hardware design. A Linux operating system, other operating system, or circuit design controls operation. The inspection ruleset is fixed or may be programmable. Given a hardware-centric implementation, more efficient or rapid inspection may occur. By providing some programmability, the ruleset may be configured for a given arrangement or configuration of the industrial control network. For example, programmable logic controller 20A is to communicate with programmable logic controller 20B, but not controller 20C. The ruleset may be altered by programming of the hardware device to account for this configuration. Alternatively, the ruleset is fixed in the hardware, but refers to the memory 34 for a reference table or other data indicating variable information to be used in applying the ruleset.
[0028] In alternative embodiments, the inspection processor 32 is a digital signal processor, general processor, control processor, or other processor operating pursuant to software programming without hardware design specific to the inspection purpose. The inspection processor 32 is programmed to implement the ruleset.
[0029] The inspection processor 32 and memory 34 are on a card for rack mounting, such as a personal computer-type card. The card may be mounted in a rack with the network switch 28 and with or without other components. The card is separate from the network switch 28. Alternatively, the inspection processor 32 and the memory 34 are a stand-alone device or devices or are integrated with another component of the industrial control system. In yet other embodiments, the inspection processor 32 is implemented by a processor of another component.
[0030] In one embodiment, only one inspection processor 32 is used. The inspection processor 32 connects with one or more network switches 28. The connection is at a centralized location for inspecting all or selected traffic. The inspection processor 32 may be integrated with the network switch 28. In other embodiments, more than one inspection processor 32 is provided. For example, a communications interface or communications processor is programmed to perform the inspection. The communications interface or processor is paired with a programmable logic controller or other device, such as being mounted in a rack as part of, with, or adjacent to each of the programmable logic controllers 20A-C. Inspection processors 32 are thus provided for each programmable logic controller 20A-C and/or other components.
[0031] The inspection processor 32 is configured to inspect communications within the industrial control network for packet intrusion. The communications are formatted based on the communications protocol used in the industrial control network. The communications protocol may be TCP/IP, Profinet, or other publicly available protocol. To provide for more efficient and/or reliable operation, a proprietary protocol designed specifically for industrial control may be used. For example, Simatic OMS+ from Siemens Industries is used. The proprietary protocol is generally only available from one source or multiple sources contractually controlled by one source. For example, the proprietary protocol or aspects of the protocol may be kept secret to prevent use by others. By using a purpose-built proprietary protocol in an industrial control network, the communications may be handled more rapidly or efficiently than trying to conform to a communications protocol with a more general purpose. The protocol defines the content of packets or other communication, such as providing headers and field definitions for routing and/or communicating. The protocol may also provide an operating environment, such as an operating system for the field devices, such as the programmable logic controllers 20A-C and engineering stations 26.
[0032] The inspection is based on the protocol. The protocol defines the format of the communications. Using this defined format, the inspection processor 32 parses the communications to extract information for the inspection. The rulesets define the information for inspection. For example, the rules rely on end-point pairings and/or read/write operations. The data associated with end-points and/or read/write commands is extracted from the communications. The data from specific fields in the packets or other communications format is extracted based on the protocol.
[0033] The inspection is based on the operations of the components of the industrial control network. Different components are configured pursuant to the engineering of the industrial control network. For example, different programmable logic controllers 20A-C control different devices in a manufacturing process. For the control by a given controller 20A, communications with some but not others of the controllers 20B-C or other field devices is provided. Similarly, a human machine interface 22 may write to a programmable logic controller 20A (but not another) to change a set point, but may not perform read operations. In another example, a programmable logic controller 20B may not be configured to write to another programmable logic controller 20C. Based on the engineering, different components are configured to communicate and/or perform operations in specific ways and not other ways.
[0034] The inspection may use the configuration information. Any operations outside the parameters established by the configuration of the industrial control network may be malformed or malicious. For example, a packet communicating between two components not configured to communicate with each other is an intrusion. As another example, a read and/or write operation not appropriate for the source or destination component is an intrusion. The ruleset, such as established in firmware or software provided by the engineering station 26 to the inspection processor 32, incorporates the configuration of operation of the components of the industrial control network.
[0035] Figure 2 shows one embodiment of one or more of the programmable logic controllers 20A-C, human-machine interface devices 22, operator stations 24, engineering station 26, network switch 28, and/or inspection processor 32. Each device is the same or different. For example, the programmable logic controllers 20A-C are purpose-built to withstand stresses and forces in the industrial environment and/or are computers. The human-machine interface devices 22 are switches or buttons with communications capabilities, computers, or field panels. The operator stations 24 are field panels or computers. The engineering station 26 is a personal computer with one or more cards for interfacing or communicating with the other components. The network switch 28 is a bridge, hub, multiplexer, computer, or other switching device. The inspection processor 32 is an application specific integrated circuit, processor, or computer.
[0036] In one embodiment, the industrial control network includes sensors, actuators, human-machine interfaces 22, operator stations 24, and/or programmable logic controllers 20A-C distributed throughout a facility. One or more racks include cards or hardware for the network switch 28, the inspection processor 32, and/or programmable logic controllers 20A-C. The engineering stations 26 may be computers positioned in a room with or remote from the rack mounted components. Cables connect the components, but wireless communications may be used.
[0037] The components include a processor 12, memory 14, and network interface 16. Additional, different, or fewer parts may be provided. For example, a memory 14 or processor 12 are not provided in a human-machine interface 24. As another example, a display is provided for the engineering station 26 and/or operator station 24. Any type of display may be used, such as LEDs, monitor, LCD, projector, plasma display, CRT, or printer.
[0038] The processor 12 is a general processor, central processing unit, control processor, digital signal processor, application specific integrated circuit, field programmable gate array, digital circuit, analog circuit, combinations thereof, or other now known or later developed device for use in the industrial control network. The processor 12 is a single device or multiple devices operating in serial, parallel, or separately. The processor 12 may be a main processor of a computer, such as a laptop or desktop computer, or may be a processor for handling tasks in a purpose-built system, such as in a programmable logic controller 20A-C. The processor 26 is configured by firmware, software and/or hardware.
[0039] The memory 14 is a system memory, random access memory, cache memory, hard drive, optical media, magnetic media, flash drive, buffer, database, combinations thereof, or other now known or later developed memory device for storing data. The memory 14 stores one or more datasets representing sensor readings, set points, and/or actuator status. The memory 14 may store calculated values or other information for reporting or operating in the network. For example, event data is stored. The memory 34 is the memory 14 for use with the inspection processor 32. The memory 34 stores a ruleset or other data used to parse and inspect communications.
[0040] The memory 14, memory 32, or other memory is a non-transitory computer readable storage medium storing data representing instructions executable by the programmed processor 12 or 32 for inspection of communications, communicating, or operating in the industrial control network. The instructions for implementing the processes, methods and/or techniques discussed herein are provided on computer-readable storage media or memories, such as a cache, buffer, RAM, removable media, hard drive or other computer readable storage media. Computer readable storage media include various types of volatile and nonvolatile storage media. The functions, acts or tasks illustrated in the figures or described herein are executed in response to one or more sets of instructions stored in or on computer readable storage media. The functions, acts or tasks are independent of the particular type of instruction set, storage media, processor or processing strategy and may be performed by software, hardware, integrated circuits, firmware, micro code and the like, operating alone, or in combination. Likewise, processing strategies may include multiprocessing, multitasking, parallel processing, and the like.
[0041] In one embodiment, the instructions are stored on a removable media device for reading by local or remote systems. In other embodiments, the instructions are stored in a remote location for transfer through a computer network or over telephone lines. In yet other embodiments, the instructions are stored within a given computer, CPU, GPU, or system.
[0042] The network interface 16 is a physical connector and associated electrical communications circuit for networked communications. The network interface 16 is an Ethernet connector and corresponding circuit. For example, a network card is provided. Alternatively, wireless or other wired connection is provided.
[0043] Referring again to Figure 1, the components are connected through one or more communications networks. For example, a field network interconnects the field devices. The field network may be wired and/or wireless. Any communications format may be used. The field devices communicate to indicate events and to implement control, such as determining the status of operation of one programmable logic controller 20A to control another device with another programmable logic controller 20B.
[0044] For establishing communications, the engineering station 26 and field devices are configured by software and/or hardware to perform various functions. The engineering station 26 is configured to download operating programs to the field devices and to set peer groups for communications between the field devices. Components not in a peer group with each other do not communicate. The configuration establishes read and write operations that may be performed, by which components, and to or from which components.
[0045] The industrial control network may or may not connect with other networks. When first established or commissioned, the industrial control network is a stand-alone network or not connected to devices networked with other networks. Malformed communications may be provided even in a stand-alone or known good environment. The industrial control network may be connected to devices outside the network, such as to a corporate intranet or the Internet. For example, remote control or monitoring of the industrial control network is provided with communications through another network. As another example, the industrial control network itself is distributed over a wide area, so already existing communications networks are used for communications between components of the industrial control network. As a result, an opportunity for malicious communications is possible. While less likely due to use of a proprietary communications protocol, the risk is to be further mitigated by deep packet inspection.
[0046] Figure 3 shows a method for packet intrusion inspection. The method is implemented by the system of Figure 1, a component of Figure 2, or another system and/or component. The acts are performed in the order shown or other orders. Additional, different, or fewer acts may be provided. For example, act 44 focuses on the operation of the inspection processor. Additional or different acts are provided for the other components, such as requesting, reading, writing, responding, or other communicating.
[0047] In act 40, components of the industrial control system communicate. The communication is of signals. For example, data is transmitted to one component and received by another component. The data is formatted as packets, but other formats of communication may be used. The format is based on the protocol being used, such as a proprietary protocol of an industrial control network. For example, the packets include fields identifying the source of the packet and a destination for the packet. Other fields may be provided. For example, read and/or write commands are included in specific fields or a general payload field. The format of the data for the commands may be established by the protocol. The packets are transmitted from one component to another based on the protocol for programming and operating the components (e.g., programmable logic controllers) of the industrial control network. Using the common format, devices receiving the packets may use or respond to the messaging of the packet.
[0048] Based on the design of the industrial control network and corresponding programming, components of the network are to communicate with some, but not all, of the other components. To operate, a given field device communicates with another field device, but not a different field device. In the aggregate throughout the network, peer groups are established. The components are arranged in the peer groups. The engineer assigns components to peer groups. Each peer group is a collection of components (i.e., peers) that communicate with each other. A given component may be in one or multiple peer groups.
[0049] As the components operate pursuant to the programming, messages (e.g., requests, responses, broadcasts, transmissions) are generated. One or more of the components of the industrial control network determine that communication is to occur with a peer. The message in the appropriate format with the desired data is transmitted. After any switching, routing or hopping, the packet is received by the destination component. The destination component parses the message and acts appropriately. For example, a programmable logic controller receives a message to write a new set point for operating. The new set point is established. As another example, the programmable logic controller receives a request for information on a status of an actuator from a different programmable logic controller. In response to this read request, the status information is returned in another packet. Any communications and corresponding purposes may be provided.
[0050] In act 42, the packets are routed through one or more network switches. The network switches interconnect the various components. When a component transmits a message, the message is provided over a direct or indirect connection to the network switch. The network switch identifies the destination of each packet. Based on a routing table or data indicating input/output ports connected with different components, the network switch forwards the message to the destination component or to a multi-hop route that will lead to the destination component.
[0051] Multiple network switches may be used. For example, different groups of components connect to different network switches. The network switches may interconnect so that communications for components connected to different switches may be routed. In one embodiment, a single network switch is provided for the industrial control network. All components of the same network connect to the network switch.
[0052] The communications are routed to and from the network switch through one or more ports, such as Ethernet ports or other ports for computer networking. For example, each component connects to a separate input/output port. In another example, each component connects to a separate pair of ports, one input and one output. The communications from different components are provided through different ports of the network switch.
[0053] For inspection, the network switch routes or transmits the communications to an inspection component. The inspection component may return the communications to the network switch for then routing to a destination. Alternatively, the inspection component intercepts the inputs or outputs of the network switch in series with the network switch. Where the inspection components are provided with the other components, routing to the destination also provisions the communication for inspection. In other embodiments, the network switch copies the communications. One copy is routed to the destination and another copy is routed to the inspection component.
[0054] To more efficiently route to the inspection component, a spanning port may be used. All incoming and/or outgoing communications from the network switch are intercepted by the spanning port. The communications are routed to the inspection component prior to or after routing by the network switch.
[0055] In alternative embodiments, the communications are not routed to the network switch. For example, the industrial control network is configured such that each component is connected with any other components for which communication is possible. To inspect in this arrangement, communication processors, the destination component, or other processor is provided to intercept and inspect the packets.
[0056] In act 44, the inspection component receives the packets. The packets are received in one or more ports. The same or other ports are used for transmitting the packets back to the network switch or other components. Where the packets are copies, output ports for the packets of communications between other components may not be provided.
[0057] The packets communicated using the protocol, such as the proprietary protocol, are received by the inspection component. The inspection component implements a Profinet, proprietary or other protocol stack of the industrial control system for receiving and processing the packets.
[0058] In act 46, the packets are inspected. The inspection is performed by the inspection component. The inspection component is separate from the network switch. The packets routed to and/or from the network switch pass through or are copied to the inspection component. In other embodiments, other devices perform the inspection, such as using a processor integrated with the network switch, using a communication processor, or using a processor at or in components used for industrial control (e.g., programmable logic controllers).
[0059] The inspection component or other component examining the packets is within the industrial control network. By being within the network, the inspection component may have access to selected ones of or all of the packets. By being within the network, the inspection component may be configured based on the network. For example, the configuration of the network is used to establish the ruleset or values used in the ruleset for inspecting. The packet inspection may be performed more efficiently using a component within the network rather than outside the network. Using a hardware/firmware component, further efficiencies may be provided. Efficiency in communication may be particularly important in industrial control networks to avoid down time in manufacturing or production and/or to implement safety related processes.
[0060] The packets are examined for an intrusion of the industrial control network. The intrusion may be due to malformed packets. For example, the programming of a component is incorrect, becomes corrupt, is modified maliciously, or is not as designed. The resulting programming causes one or more packets to include incorrect commands or otherwise not be as expected.
[0061] The intrusion may be maliciously formed packets. Packets may be inserted from a source outside of the industrial control network. Alternatively, components of the industrial control network may be modified or reprogrammed without authorization. The packets are generated to include undesired commands or other undesired data.
[0062] All of the packets of the industrial control system are examined. The inspection of each packet assures that no intrusion detectable by the ruleset occurs. Using a spanning port with the network switch, all of the packets are provided to the inspection component for examination. Other routing may alternatively be used. In alternative embodiments, the packets are sampled or other selection criteria are used to inspect fewer than all the packets. For greater efficiency, sampling for examination may be used based on the assumption that intruding packets are less likely to occur just once.
[0063] The inspection is performed with a ruleset. The inspection is configured to check for particular problems. Any number of rules may be used. Where efficiency or avoidance of delay is important, the number of rules may be limited. For example, fewer than five rules are applied. In one embodiment, only end-point and read/write rules (e.g., two rules) are used. Each inspected packet is checked for violation of each rule of the limited ruleset. In other embodiments, different types of packets are checked with different rules or rulesets.
[0064] The inspection is configured for the protocol of the network, such as a proprietary protocol. Using the protocol, the packets may be parsed. The data for the field or fields checked based on the rules are extracted or identified. The protocol is used to control the parsing for data.
[0065] The inspection is also based on the configuration of the industrial control network. Due to the nature of communications in industrial control networks, communications between components are limited. Some components never communicate with other components. Some components only communicate with one or more, but fewer than all, other components. Any of various network communications maps are used, depending on the specific industrial process being controlled and the components used to control the specific industrial process. Communications may be unidirectional or bi-directional depending on the configuration of the industrial control system.
[0066] The peer grouping of communications results in various end-point to end-point communications being proper and others not being proper. In one example rule, the inspection parses the source and destination information from the packet. If the source-destination pair exists in the configured communications map, the packet passes inspection. If the source-destination pair does not exist (e.g., wrong direction of communications or improper pairing), the packet does not pass inspection.
[0067] Another way in which the inspection may be based on the configuration of the network is read and write commands. Some components write information to other components, such as one component writing a set point to another component. Other components do not write to any or some of the other components. Similarly, some components perform read commands from other components. Some components are not read from and/or do not read from other components.
[0068] The read and write configuration of the components of the network may be used for inspection. The packets are parsed for read or write commands. The commands may be in the form of requests or messaging, or may be actual commands in the payload. If a read or write command exists, the source and destination are checked. If the source and destination pair for the type of command (e.g., write) is appropriate in the configuration of the network, the packet passes. If the source and/or the destination for the type of command are not appropriate in the configuration of the network, the packet fails the inspection.
[0069] Using a limited rule set, just end-point and read/write rules are applied. Additional rules may also be applied. In alternative embodiments, other rules are used in addition to or instead of the end-point and/or read/write rules. The ruleset is kept limited, such as fewer than five, to increase efficiency. A greater number of rules (e.g., tens or hundreds) may be used.
[0070] In act 48, an alarm is generated when an intrusion is identified. If a packet does not pass inspection, the alarm is generated. The rules of the ruleset are used to indicate whether there is an intrusion.
[0071] The alarm is an event notice. The alarm may be logged and stored for later checking. More aggressive alarming may be used, such as outputting a warning to a panel or engineering station. Messaging may be used, such as sending a notice via email, texting, instant messaging, or other communications format.
[0072] The alarm is generated without blocking the intruding packets. Since packets may fail inspection for non-malicious reasons, the packets may still be useful to the network. Where the network is tied to industrial performance, blocking the packets may have adverse consequences (e.g., causing a failure in a time sensitive process or resulting in loss of revenue). Using passive inspection (e.g., not blocking) may more likely ensure worker safety in the industrial environment.
[0073] In other embodiments, the packets failing inspection are blocked. The packets are removed from the communications stream and not allowed to continue to the destination. In yet other embodiments, some intruding packets are blocked and others are not. Different rules or the way in which a given rule is violated may be mapped to blocking or not blocking for violation of the inspection.
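The two-rule inspection of paragraphs [0066]-[0069] together with the alarm and per-rule blocking behaviour of [0070]-[0073], as an added example that is not part of the patent or of any Siemens product. Because the patent does not disclose the OMS+ wire format, a hypothetical fixed header (4-byte source id, 4-byte destination id, 1-byte command, big-endian) is assumed, and the peer map and read/write permissions are constructed in place of the configuration an engineering station would supply; all component ids and frames are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass, field

# Hypothetical frame layout (the real proprietary format is not disclosed):
# 4-byte source id | 4-byte destination id | 1-byte command | payload.
HEADER = struct.Struct(">IIB")
CMD_OTHER, CMD_READ, CMD_WRITE = 0, 1, 2
CMD_NAMES = {CMD_READ: "read", CMD_WRITE: "write"}

# Constructed component ids, loosely echoing the reference numerals of Figure 1.
PLC_A, PLC_B, PLC_C, HMI, ENG = 0x20A, 0x20B, 0x20C, 0x22, 0x26


@dataclass(frozen=True)
class Packet:
    src: int
    dst: int
    cmd: int
    payload: bytes


def parse_packet(frame: bytes) -> Packet:
    """Protocol-aware parse: pull out only the fields the two rules need."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than protocol header")
    src, dst, cmd = HEADER.unpack_from(frame)
    return Packet(src, dst, cmd, frame[HEADER.size:])


def build_packet(src: int, dst: int, cmd: int, payload: bytes = b"") -> bytes:
    """Constructed frames for the demonstration (a switch would supply real ones)."""
    return HEADER.pack(src, dst, cmd) + payload


@dataclass
class NetworkConfig:
    """Directed communications map and read/write permissions, as the engineering
    station would establish them. Pairs are directed, so a unidirectional link
    is expressed by listing only one direction."""
    peers: set = field(default_factory=set)   # {(src, dst)} allowed to talk
    reads: set = field(default_factory=set)   # {(src, dst)} where src may read dst
    writes: set = field(default_factory=set)  # {(src, dst)} where src may write dst


@dataclass
class Inspector:
    config: NetworkConfig
    block_on: frozenset = frozenset()  # rule names whose violation blocks the packet
    alarms: list = field(default_factory=list)  # event notices, logged per violation

    def rule_endpoint(self, p: Packet):
        """[0066]: the source-destination pair must be in the communications map."""
        if (p.src, p.dst) not in self.config.peers:
            return "endpoint: %#x -> %#x not in communications map" % (p.src, p.dst)
        return None

    def rule_readwrite(self, p: Packet):
        """[0068]: a read or write command must be permitted for its pair."""
        if p.cmd not in CMD_NAMES:
            return None  # the rule only applies to read/write commands
        allowed = self.config.reads if p.cmd == CMD_READ else self.config.writes
        if (p.src, p.dst) not in allowed:
            return "readwrite: %s from %#x to %#x not permitted" % (
                CMD_NAMES[p.cmd], p.src, p.dst)
        return None

    def inspect(self, frame: bytes):
        """Return (names of violated rules, blocked). Every packet is checked
        against every rule; passive mode (empty block_on) alarms without blocking."""
        try:
            p = parse_packet(frame)
        except ValueError as exc:
            self.alarms.append("malformed: %s" % exc)  # [0060]: malformed packet
            return ["malformed"], "malformed" in self.block_on
        violations = []
        for name, rule in (("endpoint", self.rule_endpoint),
                           ("readwrite", self.rule_readwrite)):
            msg = rule(p)
            if msg is not None:
                violations.append(name)
                self.alarms.append(msg)
        blocked = any(v in self.block_on for v in violations)
        return violations, blocked


def demo_config() -> NetworkConfig:
    """Constructed configuration: the HMI writes set points to PLC_A only, PLC_A
    and PLC_B read each other's status, the engineering station reaches everything."""
    cfg = NetworkConfig()
    cfg.peers |= {(HMI, PLC_A), (PLC_A, PLC_B), (PLC_B, PLC_A)}
    cfg.writes.add((HMI, PLC_A))
    cfg.reads |= {(PLC_A, PLC_B), (PLC_B, PLC_A)}
    for dev in (PLC_A, PLC_B, PLC_C, HMI):
        cfg.peers.add((ENG, dev))
        cfg.reads.add((ENG, dev))
        cfg.writes.add((ENG, dev))
    return cfg


if __name__ == "__main__":
    insp = Inspector(demo_config())  # passive: alarm only, never block
    for frame in (build_packet(PLC_A, PLC_B, CMD_READ),
                  build_packet(PLC_A, PLC_C, CMD_OTHER),
                  build_packet(HMI, PLC_A, CMD_READ)):
        print(insp.inspect(frame))
    print(insp.alarms)
```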
[0074] Packet inspection may be used in combination with other network security. Using firewalls, virtual private network (VPN) tunneling, hardware security, and other best practices in combination with packet inspection may provide defense-in-depth for the industrial control network.
[0075] While the invention has been described above by reference to various embodiments, it should be understood that many changes and modifications can be made without departing from the scope of the invention. It is therefore intended that the foregoing detailed description be regarded as illustrative rather than limiting, and that it be understood that it is the following claims, including all equivalents, that are intended to define the spirit and scope of this invention.
Claims
1. A method for packet intrusion inspection, the method comprising:
communicating (40) packets of data between components of an industrial control system with a proprietary protocol;
routing (42) the packets through one or more network switches (28) of the industrial control system; and
inspecting (46) the packets with a processor (32) separate from the network switch (28), the inspecting (46) being configured for the proprietary protocol and the processor (32) being within the industrial control system.
2. The method of claim 1 wherein communicating (40) the packets comprises communicating (40) between one or more programmable logic controllers (20A-C), one or more operator stations (24), and one or more engineering stations (26).
3. The method of claim 1 wherein communicating (40) the packets comprises transmitting the packets in a format dictated by the proprietary protocol, the proprietary protocol for programming and operating programmable logic controllers (20A-C) of the industrial control system.
4. The method of claim 1 wherein routing (42) comprises routing (42) all of the packets of the industrial control network through a single network switch (28), and wherein inspecting (46) comprises inspecting (46) all of the packets.
5. The method of claim 1 wherein routing (42) comprises routing (42) through multiple input or output ports of the network switch (28) wherein a spanning port (30) connects the multiple input or output ports with the processor (32), and wherein inspecting (46) comprises inspecting (46) the packets from the spanning port (30).
6. The method of claim 1 wherein inspecting (46) with the processor (32) comprises inspecting (46) with the processor (32) comprising an application specific integrated circuit executing an inspection ruleset pursuant to firmware.
7. The method of claim 1 wherein inspecting (46) with the processor (32) comprises inspecting (46) with the processor (32) on a card separate from the network switch (28).
8. The method of claim 1 wherein inspecting (46) comprises inspecting (46) all of the packets of the industrial control system.
9. The method of claim 1 wherein inspecting (46) comprises parsing fields pursuant to the proprietary protocol, confirming end-points of each packet are peers, and confirming read packets and write packets are for the components of the industrial control system configured to have read and write functions, respectively.
10. The method of claim 9 wherein the confirming acts of the inspecting (46) consist only of confirming the end-points and confirming the read and write packets.
11. The method of claim 1 wherein inspecting (46) comprises inspecting (46) for intrusion with a ruleset limited to fewer than five rules.
12. The method of claim 1 further comprising:
generating (48) an alarm without blocking for one of the packets violating the inspecting (46).
13. A system for packet intrusion inspection, the system comprising:
an industrial control network comprising one or more human machine interface devices (22), one or more programmable logic controllers (20A-C), one or more operator stations (24), and one or more engineering stations (26); and
a processor (32) of the industrial control network, the processor (32) configured to inspect communications within the industrial control network for packet intrusion.
14. The system of claim 13 wherein the processor (32) comprises an application specific integrated circuit operating pursuant to firmware, the firmware configured to perform the inspection based on operation of the devices, controllers, and stations of the industrial control network.
15. The system of claim 13 wherein the processor (32) is configured to inspect the communications based on a proprietary protocol for the communications.
16. The system of claim 13 wherein the processor (32) is configured to inspect the communications for sources or destinations that are not paired for operation of the industrial control network and for read or write operations from the devices, controllers, or stations not assigned to read or write, respectively, for operation of the industrial control network.
17. The system of claim 13 wherein the processor (32) is on a card;
further comprising:
a network switch (28) with a spanning port (30), the spanning port (30) communicatively connected to the card such that all of the communications of the industrial control network are routed to the card.
18. In a non-transitory computer readable storage medium having stored therein data representing instructions executable by a programmed processor (32) for packet intrusion inspection, the storage medium comprising instructions for:
receiving (44) packets for devices communicating (40) using a proprietary protocol in an industrial control network;
examining (46) the packets for an intrusion of the industrial control network, the examining being based on the proprietary protocol and configuration of the industrial control network; and
generating (48) an alarm when an intrusion is identified.
19. The non-transitory computer readable storage medium of claim 18 wherein generating (48) comprises generating (48) the alarm without blocking the packets.
20. The non-transitory computer readable storage medium of claim 18 wherein examining (46) comprises examining (46) for incorrect endpoint pairings and incorrect read or write operations in each packet based on the configuration of the industrial control network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/US2012/055058 WO2014042636A1 (en) | 2012-09-13 | 2012-09-13 | Packet intrusion inspection in an industrial control network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2014042636A1 true WO2014042636A1 (en) | 2014-03-20 |
Family
ID=47010729
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2012/055058 Ceased WO2014042636A1 (en) | 2012-09-13 | 2012-09-13 | Packet intrusion inspection in an industrial control network |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2014042636A1 (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060053491A1 (en) * | 2004-03-01 | 2006-03-09 | Invensys Systems, Inc. | Process control methods and apparatus for intrusion detection, protection and network hardening |
| US20090271504A1 (en) * | 2003-06-09 | 2009-10-29 | Andrew Francis Ginter | Techniques for agent configuration |
Family timeline: 2012-09-13, WO PCT/US2012/055058, patent WO2014042636A1 (en), not active (Ceased)
Non-Patent Citations (2)
| Title |
|---|
| ERIC D. KNAPP: "Industrial Network Security. Securing critical infrastructure networks for smart grid, SCADA, and other indurstial control systems", 2011, SYNGRESS, ISBN: 978-1-59749-645-2, XP002687973 * |
| IGOR NAI FOVINO ET AL: "Modbus/DNP3 State-Based Intrusion Detection System", ADVANCED INFORMATION NETWORKING AND APPLICATIONS (AINA), 2010 24TH IEEE INTERNATIONAL CONFERENCE ON, IEEE, PISCATAWAY, NJ, USA, 20 April 2010 (2010-04-20), pages 729 - 736, XP031682596, ISBN: 978-1-4244-6695-5 * |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160094578A1 (en) * | 2014-09-30 | 2016-03-31 | Schneider Electric USA, Inc. | Scada intrusion detection systems |
| EP3002648A3 (en) * | 2014-09-30 | 2016-06-29 | Schneider Electric USA, Inc. | Scada intrusion detection systems |
| US9660994B2 (en) | 2014-09-30 | 2017-05-23 | Schneider Electric USA, Inc. | SCADA intrusion detection systems |
| EP3200419A1 (en) * | 2016-01-26 | 2017-08-02 | Siemens Aktiengesellschaft | Automation network comprising a safety monitoring system and data processing device and monitoring method for an automation network |
| WO2020014614A1 (en) * | 2018-07-13 | 2020-01-16 | Raytheon Company | Policy engine for cyber anomaly detection |
| US11463407B2 (en) * | 2018-07-13 | 2022-10-04 | Raytheon Company | Policy engine for cyber anomaly detection |
| CN113645241A (en) * | 2021-08-11 | 2021-11-12 | 杭州安恒信息技术股份有限公司 | An intrusion detection method, device and equipment for an industrial control proprietary protocol |
| CN113645241B (en) * | 2021-08-11 | 2022-11-25 | 杭州安恒信息技术股份有限公司 | Intrusion detection method, device and equipment for industrial control proprietary protocol |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12770341; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 12770341; Country of ref document: EP; Kind code of ref document: A1 |