The invention relates to an automation system.
Field devices that are used in industrial installations are already known from the prior art. Field devices are often used in process automation engineering, as well as in manufacturing automation engineering. Field devices, in principle, refer to all devices that are process-oriented and that supply or process process-relevant data or information. Field devices are thus used for detecting and/or influencing process variables. Measuring devices, or sensors, are used for detecting process variables. These are used, for example, for pressure and temperature measurement, conductivity measurement, flow measurement, pH measurement, fill level measurement etc., and detect the corresponding process variables of pressure, temperature, conductivity, pH value, fill level, flow etc. Actuators are used for influencing process variables. These are, for example, pumps or valves that can influence the flow of a fluid in a pipe or the fill level in a tank. In addition to the aforementioned measuring devices and actuators, field devices are also understood to include remote I/Os, radio adapters, or, generally, devices that are arranged at the field level.
A multitude of such field devices is produced and marketed by the Endress+Hauser group.
In modern industrial plants, field devices are usually connected to superordinate units via communication networks such as fieldbuses (Profibus®, Foundation® Fieldbus, HART®, etc.). Usually, the higher-level units are control units, such as an SPC (stored program control) or a PLC (programmable logic controller). The higher-level units are used for, among other things, process control, as well as for commissioning of the field devices. The measured values detected by the field devices, especially by sensors, are transmitted via the respective bus system to a (or possibly several) higher-level unit(s) that further process the measured values, as appropriate, and forward them to the control station of the plant. The control station serves for process visualization, process monitoring and process control via the higher-level units. In addition, data transmission from the superordinate unit via the bus system to the field devices is also required, especially for configuration and parameterization of field devices and for controlling actuators.
In addition to the process values, field devices in the automation industry also provide analysis and status data, which are of crucial importance for the maintenance and care of the assets as well as for evaluating the condition of the system parts in which they are installed.
For the best and most comprehensive analysis of the data obtained from the field devices, it is necessary to collect them centrally and make them available in a differentiated manner to the groups of people and evaluation systems that can contribute their expertise to the evaluation of the conditions of system parts and their assets. There are now service providers for the data storage, data security and data processing functions required for this, such as the company “Endress+Hauser” with its “Netilion” platform.
In order to be able to transport these data from field devices to the cloud (a cloud-capable service platform which can be contacted by means of the Internet) within the framework of the above-mentioned digital services, edge devices are used which monitor or retrieve data from the field devices and upload them to the cloud by means of the Internet.
The data are sometimes sensitive information that must not get into the hands of third parties. For this purpose, the data are transmitted between edge device and cloud via a secure connection (e.g., encrypted symmetrically or asymmetrically). If such an encryption is broken or if a third party obtains the access data for the edge device or the cloud, plant knowledge can get into the hands of unauthorized persons since the communication between edge device and cloud could be read.
The object of the present invention is therefore to increase the security of the transmission of data between an edge device and a cloud-based service platform.
The object is achieved by an automation system comprising:
The system according to the invention makes it possible to securely transmit data from field devices between an edge device and a cloud-based service platform. The essential aspect of the invention is that the edge device simulates further field devices which are not even located in the first plant part. The edge device writes these so-called virtual field devices into the live list, which is transmitted to the cloud-based service platform. The live list represents the entirety of all functional field devices in the first plant part. In addition, for each of the virtual field devices, the edge device simulates data that are transmitted to the cloud-based service platform. If an attacker succeeds in interrupting the connection between edge device and cloud-based service platform or in gaining access to the edge device via the first interface, they get a multitude of field devices and the data thereof displayed, of which only a fraction are actually field devices used in the first plant part. In this case, the attacker cannot distinguish which data actually originate from real field devices. As a result, the attacker is confused and time is gained to avert the attack, or the attacker quits the attack as a result since they cannot make use of the data.
However, only the field devices and their data that are actually contained in the first plant part are presented to the actual user of the cloud-based service platform.
Field devices that are cited in connection with the system according to the invention are already listed as examples in the introductory part of the description.
According to an advantageous embodiment of the system according to the invention, it is provided that the edge device is designed to encrypt the identifiers of the field devices and of the virtual field devices in the live list by means of a public key located on the edge device, wherein the service platform is designed to decrypt the encrypted identifiers with a public key located on the service platform, and wherein the identifiers of the virtual field devices cannot be decrypted. In this way, it is apparent to the cloud-based service platform which of the field devices are actually contained in the first plant part and which field devices are simulated by the edge device.
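The live list mechanism of the two preceding paragraphs, as an added example that is not part of the patent text: the edge device merges real field devices with simulated ones and shuffles them, while the service platform shows the user only the entries it can recognise as genuine. The page describes encrypting the identifiers with a key pair so that the virtual identifiers cannot be decrypted; this example substitutes an HMAC tag under a constructed shared key, which gives the same property with the standard library only: a holder of the key can tell real from virtual, a reader of the channel or of the edge device interface cannot. All identifiers, keys and values are constructed.

```python
import hmac
import hashlib
import random

# Constructed key for this example. The page describes a key pair on the edge device
# and the service platform; a single shared secret with an HMAC tag plays the same
# role here: the platform can tell which identifiers are genuine, an attacker reading
# the live list without the key cannot.
EDGE_KEY = b"constructed-example-key"


def tag_identifier(identifier: str, key: bytes = EDGE_KEY) -> str:
    """Tag a real field device identifier (stand-in for the page's encryption)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def build_live_list(real_devices: dict, n_virtual: int, seed=None) -> list:
    """Edge-device side: the live list of real field devices plus simulated ones.

    real_devices maps identifier -> current data (dict of measured values).
    Virtual entries carry a random tag of the same length that verifies under no
    key, which is how the platform later recognises them as simulated.
    """
    rng = random.Random(seed)
    entries = [{"id": ident, "tag": tag_identifier(ident), "data": data}
               for ident, data in real_devices.items()]
    used = set(real_devices)
    while len(entries) < len(real_devices) + n_virtual:
        ident = f"FG-{rng.randrange(1000, 10000)}"  # same naming scheme as real devices
        if ident in used:
            continue
        used.add(ident)
        entries.append({
            "id": ident,
            "tag": format(rng.getrandbits(256), "064x"),
            # Placeholder values; generating plausible decoy data is a separate step.
            "data": {"value": round(rng.uniform(0.0, 100.0), 2)},
        })
    rng.shuffle(entries)  # no positional hint as to which entries are real
    return entries


def is_real(entry: dict, key: bytes = EDGE_KEY) -> bool:
    """Service-platform side: does the tag verify for this identifier?"""
    return hmac.compare_digest(entry["tag"], tag_identifier(entry["id"], key))


def view_for_user(live_list: list, key: bytes = EDGE_KEY) -> list:
    """What the legitimate platform user is shown: real field devices only."""
    return [e for e in live_list if is_real(e, key)]


if __name__ == "__main__":
    # Constructed sample: two real field devices in plant part AT1, six virtual ones.
    real = {"FG-1042": {"temperature_C": 71.3}, "FG-2077": {"pressure_bar": 3.9}}
    live_list = build_live_list(real, n_virtual=6, seed=1)
    print("entries transmitted over KK1:", len(live_list))
    print("entries shown to the user:", [e["id"] for e in view_for_user(live_list)])
```

The design point is that the distinguishing property must be something only the platform can compute: the attacker sees the tags of real and virtual devices side by side, but without the key every tag looks like an arbitrary 256-bit value, so neither the tag nor the position in the list leaks which entries are real.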
According to an advantageous embodiment of the system according to the invention, it is provided that the service platform is designed to simulate at least one second plant part with a multitude of further virtual field devices, to generate data for the further virtual field devices, to enter the identifiers of the further virtual field devices and the generated data into the live list and to make available the live list via a second interface, especially, an interface for application programming. This ensures further confusion of the attacker. If the attacker succeeds in gaining access to the cloud-based service platform via the second interface, they are overwhelmed by an additional multitude of further field devices and data. It is not even apparent to the attacker of which plant parts the plant actually consists. However, even in this case, only the field devices and their data that are actually contained in the first plant part, but none of the virtual or further virtual field devices, are presented to the actual user of the cloud-based service platform.
According to an advantageous embodiment of the system according to the invention, it is provided that the edge device or the service platform comprises an algorithm, especially, an AI algorithm, which is designed to analyze historical data of the field devices and to generate the data of the virtual field devices based on the analysis. As a result, the data of the virtual field devices are simulated similarly to the field devices actually used, e.g., in similar value ranges or similar trends. As a result, the security level is increased since the data of the virtual field devices are thus very plausible and practically no longer distinguishable from the field devices actually used.
According to an advantageous alternative embodiment of the system according to the invention, it is provided that the edge device or the service platform comprises an algorithm, especially, an AI algorithm, and at least one model of a field device type, wherein the model has at least one specific attribute of the corresponding field device type, and wherein the algorithm is designed to generate the data of the virtual field devices by using the model. The AI algorithm is trained in advance on various field device types and their specific attributes by means of training data. In doing so, the configuration and the parameterization of field devices actually used in the first plant part and having the same or a similar field device type can advantageously be included in order to increase the plausibility level. Specific attributes are, for example, value ranges, units of the measured values, specific decay or start-up behavior, etc.
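The two embodiments above leave open how the data of the virtual field devices are derived from real ones. As an added example that is not part of the patent text, the following derives the attributes the page names (value range, trend, noise level) from one real device's history by a plain least-squares fit and generates a decoy series with the same characteristics, clamped to the observed range. It stands in for the AI algorithm the page mentions; the history values are constructed.

```python
import random
import statistics


def fit_history(history: list) -> dict:
    """Derive value range, linear trend and noise level from a real field
    device's history of equally spaced measured values (at least one value)."""
    n = len(history)
    x_mean = (n - 1) / 2
    y_mean = statistics.fmean(history)
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    slope = 0.0
    if sxx:
        slope = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(history)) / sxx
    residuals = [y - (y_mean + slope * (x - x_mean)) for x, y in enumerate(history)]
    return {
        "low": min(history),
        "high": max(history),
        "level": y_mean,
        "slope": slope,                       # change per sampling interval
        "noise": statistics.pstdev(residuals),
    }


def simulate_virtual_series(attrs: dict, length: int, seed=None) -> list:
    """Data for one virtual field device: same level, trend and noise as the
    real device, clamped to the observed range so no value is implausible."""
    rng = random.Random(seed)
    mid = (length - 1) / 2
    # Small random offset so several virtual devices do not sit on the same line.
    offset = rng.uniform(-attrs["noise"], attrs["noise"])
    series = []
    for t in range(length):
        value = attrs["level"] + offset + attrs["slope"] * (t - mid)
        value += rng.gauss(0.0, attrs["noise"])
        value = min(max(round(value, 2), attrs["low"]), attrs["high"])
        series.append(value)
    return series


if __name__ == "__main__":
    # Constructed history of a temperature sensor warming up slowly with some noise.
    history = [70.0 + 0.1 * i + ((i * 7) % 5 - 2) * 0.05 for i in range(40)]
    attrs = fit_history(history)
    print("learned attributes:", attrs)
    print("virtual device FG-4820:", simulate_virtual_series(attrs, 10, seed=4))
```

Per-device-type attributes such as units or start-up behaviour would be added on top of this in the same way: whatever is learned from the real device is what the decoy reproduces, so the decoy never shows values the real device could not.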
According to an advantageous development of the system according to the invention, it is provided that the edge device has a first monitoring entity, which is designed to detect external access or an external request via the first interface to at least one of the virtual field devices and to create a first report. This makes it possible to determine that an unauthorized person has accessed the edge device: the actual user of the cloud-based service platform does not obtain access to the virtual field devices, since they are not presented to that user, and can therefore also not make any requests to these virtual field devices.
According to an advantageous embodiment of the system according to the invention, it is provided that the service platform has a second monitoring entity, which is designed to detect external access or an external request via the second interface to at least one of the further virtual field devices and to create a second report. Analogously to what is described in the previous paragraph, unauthorized access to the cloud-based service platform can thereby be detected.
According to an advantageous embodiment of the system according to the invention, it is provided that the first report and/or the second report contain information about the identifier of the virtual field device or of the further virtual field device, the time stamp of the access or of the request, and/or the type of the access or of the request. As a result, the attack can be analyzed and a possible extent can be traced.
According to an advantageous embodiment of the system according to the invention, it is provided that the first monitoring entity and/or the second monitoring entity are designed to detect further accesses or requests to further virtual field devices after the detection and to insert them into the first report or into the second report or into a further report. This allows the attacker's behavior and, in some circumstances, also their strategy and/or their origin to be analyzed.
According to a first alternative of the system according to the invention, it is provided that the first monitoring entity and/or the second monitoring entity are designed to transmit the first report or the second report and/or the further report to the higher-level unit via a second communication channel.
According to an advantageous embodiment of the first alternative of the system according to the invention, it is provided that the higher-level unit is designed to evaluate the first report or the second report and/or the further report and to carry out at least one action based on the evaluation. In this way, it is possible to respond to the attack directly at the field level.
According to a further alternative of the system according to the invention, it is provided that the system comprises an evaluation unit, especially, a cloud-based evaluation unit, wherein the first monitoring entity and/or the second monitoring entity are designed to transmit the first report or the second report and/or the further report to the evaluation unit via a third communication channel.
According to an advantageous embodiment of the second alternative of the system according to the invention, it is provided that the evaluation unit is designed to evaluate the first report or the second report and/or the further report and, based on the evaluation, to propose to the higher-level unit at least one action to be carried out.
In all cases, it is essential that the reports are transmitted via communication channels different from the first communication channel. To the attacker who wrongly believes that they are safe, it is not apparent that their attack has already been detected and analyzed or that actions are being prepared. It may also be provided to thereby deliberately prolong the attack in order to obtain data of the attacker or the identity thereof and the location of the attack or the IP address thereof.
According to an advantageous embodiment of the system according to the invention, it is provided that the action is at least one of the following:
As a whole, an attack can be effectively determined and actions can be taken without the attacker being able to obtain actual data from the field devices of the first plant part.
The invention is explained in greater detail with reference to the following figures. Illustrated are:
Schematically shown in
The field devices FG are in communication with one another and with a higher-level unit ÜE, especially, a control unit (e.g., an SPC) or a gateway via a communication network. All higher-level units shown in
In order to monitor, record and further process data of the field devices FG even outside of the plant context, they are transmitted to a cloud-based service platform SP. One or more applications with which the monitoring and further processing of the data is made possible are executed on the cloud-based service platform SP. A user can connect by means of the Internet via a PC or a mobile terminal to the cloud-based service platform and, after successful authentication, can access the applications and the data of the field devices.
In order to transmit the data of the field devices FG, an edge device ED is provided, which is arranged at the field level in the first plant part AT1. The edge device is either connected to the higher-level unit ÜE or to a network segment of the communication network. The edge device ED is designed to extract data of the field devices from the data traffic of the communication network and to thus monitor the data, or to actively request the data from the field devices FG and/or the higher-level unit ÜE. For this purpose, the edge device ED has profiles or so-called microservices, which specify to the edge device ED which data of which field devices FG are to be monitored or queried at what frequency and, where applicable, how they are to be processed before the transmission to the cloud-based service platform SP.
The data of the field devices FG are transmitted via a first communication channel KK1 by means of the Internet. Specifically, the data are exchanged between a first interface API1 of the edge device ED and a second interface API2 of the cloud-based service platform SP. For this purpose, the data of the field devices FG are compiled in a so-called live list prior to the transmission. The live list contains all field devices FG currently active or defined in the edge device ED, and the current data thereof.
The data traffic via the first communication channel KK1 between edge device ED and cloud-based service platform SP is encrypted. For this purpose, the edge device ED has a private key KY for encryption. For decryption, the cloud-based service platform SP has a public key KY′ corresponding to the private key KY.
For an attacker AG, there are several potential points of attack in this system in order to obtain the data of the field devices FG:
The concept according to the invention for reducing the risk of an external attack is illustrated below. The concept is less about the aspect of making unauthorized access more difficult but rather about confusing the attacker, in the event that the attacker has gained unauthorized access, to the extent that they do not know what to do with the data obtained.
For this purpose, the edge device ED creates a multitude of further field devices FG′ (shown as shaded circles in
So that the degree of confusion is as high as possible, the following two aspects are particularly important:
In order to create further confusion and to thus increase security, the cloud-based service platform creates a multitude of further virtual plant parts AT2′, AT3′, AT4′. Each of these plant parts AT2′, AT3′, AT4′ in turn has a multitude of virtual field devices FG″ and virtual higher-level units for which data are again simulated. It is not apparent to the attacker which plant part AT1 is actually really present in the plant.
The system according to the invention furthermore also provides for detecting an attack of an unauthorized person. For this purpose, the edge device ED has a first monitoring entity IN1, and the cloud-based service platform SP has a second monitoring entity IN2. The first monitoring entity IN1 checks which field devices FG, FG′ are being accessed externally. The second monitoring entity IN2 checks which data of which field devices FG, FG′, FG″ are being accessed on the cloud-based service platform SP. If one of the two monitoring entities IN1, IN2 detects that access or an access request to a virtual field device FG′ or a further virtual field device FG″ is taking place, the respective monitoring entity IN1, IN2 detecting this process creates a first or a second report RP1, RP2; the first monitoring entity IN1 creates the first report RP1, the second monitoring entity IN2 accordingly creates the second report RP2. A report RP1, RP2 contains information about the identifier of the virtual field device FG′ or of the further virtual field device FG″ that has been accessed, as well as the date and time of access.
The corresponding report RP1, RP2 is transmitted from the edge device ED or the cloud-based service platform SP to the higher-level unit ÜE of the first plant part AT1 via a second communication channel KK2 different from the first communication channel KK1.
Alternatively, the corresponding report RP1, RP2 is transmitted from the edge device ED or the cloud-based service platform SP to an evaluation unit AE via a third communication channel KK3 different from the first communication channel KK1. This evaluation unit AE can be established especially as an application on the cloud-based service platform.
As a result of the communication channels KK2, KK3 different from the first communication channel KK1, the attacker AG does not find out that their unauthorized access has already been detected. The attacker AG can thus be analyzed further or a counter-attack can be started without the attacker AG noticing. For example, their position and/or their IP address can be detected.
The higher-level unit ÜE and/or the evaluation unit AE evaluates the corresponding report RP1, RP2 and ascertains an action in order to further protect the plant part AT1 or the field devices FG thereof. For example, depending on the type of access to the virtual field devices FG′, FG″, it may be provided to inform the plant personnel, to shut down corresponding plant parts and/or to change or restrict access authorization to the edge device ED and/or to the cloud-based service platform SP.
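The monitoring entities IN1/IN2, the reports RP1/RP2 and the action selection described in the preceding paragraphs (and in the embodiments earlier on the page), as an added example that is not part of the patent text. One `MonitoringEntity` instance stands for IN1 on the edge device or IN2 on the service platform; the `transmit` callback stands for the separate channel KK2 or KK3, so a report never travels over KK1. The request format, the identifiers and addresses, and the thresholds in `propose_actions` are assumptions made for this example; the actions themselves are the three the page names.

```python
from datetime import datetime, timezone


class MonitoringEntity:
    """Monitoring entity IN1 (edge device) or IN2 (service platform): every access
    or request that targets a virtual field device goes into the report."""

    def __init__(self, name: str, virtual_ids, transmit):
        self.name = name
        self.virtual_ids = set(virtual_ids)
        # Callback carrying the report over KK2/KK3 (never over KK1).
        self.transmit = transmit
        self.report = None

    def observe(self, request: dict):
        """request: {'device_id', 'type', 'source'} (constructed format).
        Returns the report entry created, or None if a real device was addressed."""
        if request["device_id"] not in self.virtual_ids:
            return None  # real device: a legitimate user may access it
        entry = {
            "device_id": request["device_id"],
            "timestamp": request.get("timestamp")
            or datetime.now(timezone.utc).isoformat(),
            "type": request["type"],
            "source": request.get("source"),
        }
        if self.report is None:
            self.report = {"monitor": self.name, "entries": []}
        self.report["entries"].append(entry)  # later accesses are appended
        self.transmit(self.report)            # updated report goes out on KK2/KK3
        return entry


def propose_actions(report: dict) -> list:
    """Evaluation unit AE / higher-level unit ÜE: actions depending on the type and
    extent of access seen. Thresholds are assumptions for this example."""
    entries = report["entries"]
    if not entries:
        return []
    actions = ["inform plant personnel"]
    if any(e["type"] in ("write", "parameterize") for e in entries):
        actions.append("restrict access authorization to the edge device / service platform")
    if len({e["device_id"] for e in entries}) >= 3:
        actions.append("shut down the affected plant part")
    return actions


if __name__ == "__main__":
    kk2 = []  # stands for the second communication channel to ÜE
    in1 = MonitoringEntity("IN1", virtual_ids=["FG-3311", "FG-4820", "FG-5903"], transmit=kk2.append)
    # Constructed request sequence as seen on the first interface API1.
    for req in [
        {"device_id": "FG-1042", "type": "read", "source": "10.0.0.5"},       # real device
        {"device_id": "FG-3311", "type": "read", "source": "203.0.113.7"},    # virtual device
        {"device_id": "FG-4820", "type": "write", "source": "203.0.113.7"},   # virtual device
    ]:
        in1.observe(req)
    print("report RP1:", in1.report)
    print("proposed actions:", propose_actions(in1.report))
```

Because the legitimate user is never shown a virtual device, any request naming one is by itself the detection signal; no anomaly model is needed, which is what makes this a low-false-positive honeypot indicator.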
Through the system according to the invention, which implements a honeypot mechanism for the plant, an attacker can effectively be prevented from reading plant-relevant data, or appropriate actions can be proposed and carried out for further prevention.
Number | Date | Country | Kind
---|---|---|---
10 2020 134 439.2 | Dec 2020 | DE | national

Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/EP2021/083405 | 11/29/2021 | WO | 