Image capture devices for a secure industrial control system

Information

  • Patent Grant
  • 11144630
  • Patent Number
    11,144,630
  • Date Filed
    Friday, December 16, 2016
    8 years ago
  • Date Issued
    Tuesday, October 12, 2021
    3 years ago
Abstract
An image capture device for a secure industrial control system is disclosed. In an embodiment, the image capture device includes: an image sensor; a signal processor coupled to the image sensor; and a controller for managing the signal processor and transmitting data associated with processed image signals to at least one of an input/output module or a communications/control module via a communications interface that couples the controller to the at least one of the input/output module or the communications/control module, wherein the controller is configured to establish an encrypted tunnel between the controller and the at least one of the input/output module or the communications/control module based upon at least one respective security credential of the image capture device and at least one respective security credential of the at least one of the input/output module or the communications/control module.
Description
BACKGROUND

Industrial control systems, such as standard industrial control systems (ICS) or programmable automation controllers (PAC), include various types of control equipment used in industrial production, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), and industrial safety systems certified to safety standards such as IEC61508. These systems are used in industries including electrical, water and wastewater, oil and gas production and refining, chemical, food, pharmaceuticals and robotics. Using information collected from various types of sensors to measure process variables, automated and/or operator-driven supervisory commands from the industrial control system can be transmitted to various actuator devices such as control valves, hydraulic actuators, magnetic actuators, electrical switches, motors, solenoids, and the like. These actuator devices collect data from sensors and sensor systems, open and close valves and breakers, regulate valves and motors, monitor the industrial process for alarm conditions, and so forth.


In other examples, SCADA systems can use open-loop control with process sites that may be widely separated geographically. These systems use Remote Terminal Units (RTUs) to send supervisory data to one or more control centers. SCADA applications that deploy RTU's include fluid pipelines, electrical distribution and large communication systems. DCS systems are generally used for real-time data collection and continuous control with high-bandwidth, low-latency data networks and are used in large campus industrial process plants, such as oil and gas, refining, chemical, pharmaceutical, food and beverage, water and wastewater, pulp and paper, utility power, and mining and metals. PLCs more typically provide Boolean and sequential logic operations, and timers, as well as continuous control and are often used in stand-alone machinery and robotics. Further, ICE and PAC systems can be used in facility processes for buildings, airports, ships, space stations, and the like (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption). As industrial control systems evolve, new technologies are combining aspects of these various types of control systems. For instance, PACs can include aspects of SCADA, DCS, and PLCs.


Industrial systems are evolving in a similar manner to the “internet of things” but with much higher security, reliability, and throughput requirements. Security at all levels is needed. This includes edge devices, which can be a way into the system for malicious actors if left unsecured.


SUMMARY

Implementations of image capture devices (e.g., cameras) for a secure industrial control system are disclosed herein. An image capture device can include an image sensor, a signal processor coupled to the image sensor, and a controller for managing the signal processor. The controller can also be configured to transmit data associated with processed image signals to one or more devices coupled to the image capture device. For example, the controller can transmit data associated with processed image signals (e.g., encoded image frames, metadata, etc.) to an input/output module and/or a communications/control module via a communications interface that couples the controller to the input/output module and/or communications/control module. In embodiments, the controller is configured to establish an encrypted tunnel between the controller and the input/output module and/or communications/control module based upon at least one respective security credential of the image capture device and at least one respective security credential of the input/output module and/or communications/control module. The controller can also be configured to perform an authentication sequence with the input/output module and/or communications/control module utilizing the at least one respective security credential of the image capture device and the at least one respective security credential of the input/output module and/or communications/control module, whereby the image capture device can be authenticated and given permissions to transmit and/or receive information from the input/output module and/or communications/control module, and/or other components of the secure industrial control system.


This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.





DRAWINGS

The Detailed Description is described with reference to the accompanying figures. The use of the same reference numbers in different instances in the description and the figures may indicate similar or identical items.



FIG. 1 is a block diagram illustrating a secure industrial control system, in accordance with an embodiment of this disclosure.



FIG. 2 is a block diagram illustrating an image capture device for a secure industrial control system, in accordance with an embodiment of this disclosure.



FIG. 3 is a block diagram illustrating a switch fabric for a communications backplane of a secure industrial control system, in accordance with an embodiment of this disclosure.



FIG. 4 is a block diagram illustrating an action authentication path for a secure industrial control system, in accordance with an embodiment of this disclosure.



FIG. 5 is a block diagram further illustrating the action authentication path shown in FIG. 4, in accordance with an embodiment of this disclosure.



FIG. 6 is a block diagram illustrating an authentication sequence between an image capture device and an input/output module (IOM) or communications/control module (CCM) of a secure industrial control system, in accordance with an embodiment of this disclosure.





DETAILED DESCRIPTION

Overview


Industrial systems are evolving in a similar manner to the “internet of things” with high security, reliability, and throughput requirements. Security at all levels is needed. This includes edge devices, which can be a way into the system for malicious actors if left unsecured. For example, surveillance cameras, though often thought of as “security devices,” can be vulnerable access points into an industrial control system. In some instances, a counterfeit or hacked camera can be used to gain unauthorized entry to an industrial control system in order to gain access to video footage or other information, or even to introduce fictitious video footage (e.g., for purposes of tripping a false alarm, etc.). In some instances, a camera network connection can be used to worm malware into non-camera network databases, for example, as an entry point for malicious code to gain remote access, steal or tamper with control system information, and so forth.


Implementations of image capture devices (e.g., cameras) for a secure industrial control system are disclosed herein. In embodiments, an image capture device for a secure industrial control system can include an image sensor, a signal processor coupled to the image sensor, and a controller for managing the signal processor. The controller can also be configured to transmit data associated with processed image signals to one or more devices coupled to the image capture device. For example, the controller can transmit data associated with processed image signals (e.g., encoded image frames, metadata, etc.) to an input/output module and/or a communications/control module via a communications interface that couples the controller to the input/output module and/or communications/control module. In embodiments, the controller is configured to establish an encrypted tunnel between the controller and the input/output module and/or communications/control module based upon at least one respective security credential of the image capture device and at least one respective security credential of the input/output module and/or communications/control module. The controller can also be configured to perform an authentication sequence with the input/output module and/or communications/control module utilizing the respective security credential of the image capture device and the respective security credential of the input/output module and/or communications/control module, whereby the image capture device can be authenticated and given permissions to transmit and/or receive information from the input/output module and/or communications/control module, and/or other components of the secure industrial control system. For example, transmitted information can include, but is not limited to, captured images, video footage, spectral information (e.g., for fire, gas, and/or radiation detection), or combinations thereof.


Example Implementations



FIG. 1 illustrates an industrial control system 100 in accordance with an example embodiment of the present disclosure. In embodiments, the industrial control system 100 may comprise an industrial control system (ICS), a programmable automation controller (PAC), a supervisory control and data acquisition (SCADA) system, a distributed control system (DCS), programmable logic controller (PLC), and industrial safety system certified to safety standards such as IEC1508, or the like. As shown in FIG. 1, the industrial control system 100 uses a communications control architecture to implement a distributed control system that includes one or more industrial elements (e.g., input/output (I/O) modules, power modules, field devices, image capture devices (e.g., surveillance cameras, physical security cameras, specialized spectral detection cameras (e.g., for fire, gas, and/or radiation detection), etc.), switches, workstations, and/or physical interconnect devices) that are controlled or driven by one or more control elements or subsystems 102 distributed throughout the system. For example, one or more I/O modules 104 may be connected to one or more communications/control modules 106 (sometimes abbreviated as (CCMs)) making up the control element/subsystem 102.


The industrial control system 100 is configured to transmit data to and from the I/O modules 104. The I/O modules 104 can comprise input modules, output modules, and/or input and output modules. For instance, input modules can be used to receive information from input devices 130 (e.g., sensors) in the process, while output modules can be used to transmit instructions to output devices (e.g., actuators). For example, an I/O module 104 can be connected to a process sensor for measuring pressure in piping for a gas plant, a refinery, and so forth and/or connected to a process actuator for controlling a valve, binary or multiple state switch, transmitter, or the like. Field devices 130 are communicatively coupled with the IO modules 104 either directly or via network connections. These devices 130 can include control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like.


The I/O modules 104 can be used in the industrial control system 100 to collect data in applications including, but not necessarily limited to critical infrastructure and/or industrial processes, such as product manufacturing and fabrication, utility power generation, oil, gas, and chemical refining; pharmaceuticals, food and beverage, pulp and paper, metals and mining and facility and large campus industrial processes for buildings, airports, ships, and space stations (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption).


In some implementations, the I/O modules 104 can also be used to connect image capture devices 200 (e.g., cameras, such as surveillance cameras, physical security cameras, specialized spectral detection cameras, and the like) to the industrial control system 100. In other implementations, image capture devices 200 can be connected via communications/control modules 106 or other inputs to a communications backplane 116 that facilitates interconnectivity of industrial control system elements, on-site and off-site (e.g., connectivity to network 120 for enterprise systems/applications, external control systems/applications, engineering interface control systems/applications, external monitoring systems/applications, operator/administrator monitoring or control systems/applications, and the like).


As shown in FIG. 2, an image capture device 200 includes an image sensor (e.g., a CMOS image sensor, CCD image sensor, or the like) having a signal processor 206 coupled to the image sensor 204. In embodiments, the image sensor 204 can have a lens or lens assembly 202 disposed over the image sensor 204 for focusing light onto the image sensor 204. The signal processor 206 can be configured to receive image signals from the image sensor 204 and apply one or more filters, adjust gain levels, convert the image signals from an analog format to a digital format, and so forth. The image capture device 200 can further include a codec 210 for encoding the processed image signals into a data format that can be decoded by end devices in the industrial control system 100. In some embodiments, an image capture device 200 includes a video enhancer for adjusting picture attributes (e.g., brightness, contrast, etc.), for example, by boosting gain of one or more signal components before, after, or during signal processing (i.e., at the signal processor 206). The image capture device 200 further includes a controller 212 (e.g., a microcontroller, microprocessor, ASIC, programmable logic device, or the like) for managing the signal processor 206 components, circuitry, and/or modules of the image capture device 200. The controller 212 can also be configured to transmit data associated with processed image signals to one or more devices coupled to the image capture device 200. For example, the controller 212 can transmit data associated with processed image signals (e.g., encoded image frames, metadata, etc.) to an input/output module 104 and/or a communications/control module 106 via a communications interface 214 (e.g., transmitter, receiver, and/or transceiver) that couples the controller 212 to the input/output module 104 and/or communications/control module 106. In some embodiments, the input/output module 104 and/or the communications/control module 106 is configured to pre-process or post-process image signals received from the image capture device 200 before transmitting the processed image signals to another industrial element of the secure industrial control system or a network connected device. For example, the input/output module 104 and/or the communications/control module 106 can be configured to perform an additional filtering, encoding, or encryption of the processed image signals. In some embodiments, the communications interface 214 includes a port configured to receive a wired connection for coupling the image capture device 200 to an external device (e.g., IOM 104, CCM 106, or other industrial control system element). In other embodiments, the communications interface 214 can include a wireless transmitter, receiver, and/or transceiver to facilitate wireless connectivity between the image capture device 200 and an external device.


The communications interface 214 may comprise a Power Over Ethernet (POE) port for receiving power supplied by the external device. For example, the image capture device 200 may be coupled to a secure Ethernet I/O module having POE capabilities. The I/O module 104 can include the BEDROCK SIO4.E Secure Ethernet Module or the like. In some embodiments, the I/O module 104 (e.g., BEDROCK SIO4.E Secure Ethernet Module) comprises a multi-channel secure software configurable Ethernet module that can have software configurable protocols on each port, support for Ethernet I/P, Modbus TCP and OPC UA client, other Protocols including Profinet and DNP3 planned, POE available on one or more port for Ethernet powered device, and/or 10/100 Mbps half/full duplex capability. In some implementations, the image capture device 200 is configured to transmit data associated with the processed images at a baud rate in the range of approximately 9600 and 10M baud, with a frame rate of 5 to 60 fps and 240 to 1080p resolution. For example, the image capture device 200 can be configured to transmit at 15 fps, 720p at 2 Mbaud or less. These ranges are provided by way of example and should not be considered restrictions of the present disclosure.


In embodiments, the image capture device controller 212 is configured to establish an encrypted tunnel between the controller 212 and the external device (e.g., input/output module 104 or communications/control module 106) based upon at least one respective security credential of the image capture device 200 and at least one respective security credential of the external device. The controller 212 can also be configured to perform an authentication sequence with the external device utilizing the respective security credential of the image capture device 200 and the respective security credential of the external device, whereby the image capture device 200 can be authenticated and given permissions to transmit and/or receive information from the input/output module 104 and/or communications/control module 106, and/or other components of the secure industrial control system 100.


As discussed in further detail below, the respective security credential of the image capture device 200 can comprise a unique security credential provisioned for the image capture device 200 by a key management entity 124. For example, the unique security credential can be provisioned at a respective point of manufacture (of the image capture device 200) from the key management entity 124. In some embodiments, the respective security credential is modifiable, revocable, and/or authenticatable by the key management entity 124 at a site different from the respective point of manufacture (e.g., when the image capture device 200 is installed in the industrial control system 100). Additionally or alternatively, the respective security credential may be modifiable, revocable, and/or authenticatable by the external device (e.g., the input/output module 104 or the communications/control module 106) or by another industrial control system element in communication with the image capture device 200.


In some embodiments, the image capture device 200 may include a specialty camera. For example, the one or more processed image signals include spectral data detected by the image sensor 204. The controller 212 can be configured to transmit the spectral data for monitoring one or more industrial control system environmental conditions. For example, the image capture device 200 may be configured to monitor one or more industrial control system environmental conditions, including, but not limited to, environmental presence of one or more of: fire, dust, smoke, micro-particles, heat, moisture, elevated pressure, gas, radiation, or the like. In some embodiments, the image sensor 204 can comprise a thermal image sensor, night vision image sensor, UV light sensor, infrared light sensor, or the like. In implementations, spectral data detected by the image capture device 200 can trigger an alarm/alert (e.g., responsive to detecting a fire, gas leak, etc.).


Referring again to FIG. 1, I/O modules 104 can be configured to convert analog data received from sensors to digital data (e.g., using Analog-to-Digital Converter (ADC) circuitry, and so forth). An I/O module 104 can also be connected to one or more process actuators such as a motor or a regulating valve or an electrical relay and other forms of actuators and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque, or position of the regulating valve or state of the electrical relay and so forth. Further, the I/O module 104 can be configured to convert digital data to analog data for transmission to the actuator (e.g., using Digital-to-Analog (DAC) circuitry, and so forth). In implementations, one or more of the I/O modules 104 can comprise a communications module configured for communicating via a communications sub-bus, such as an Ethernet bus, an H1 field bus, a Process Field Bus (PROFIBUS), a Highway Addressable Remote Transducer (HART) bus, a Modbus, and so forth. Further, two or more I/O modules 104 can be used to provide fault tolerant and redundant connections for various field devices 130 such as control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like.


Each I/O module 104 can be provided with a unique identifier (ID) for distinguishing one I/O module 104 from another I/O module 104. In implementations, an I/O module 104 is identified by its ID when it is connected to the industrial control system 100. Multiple I/O modules 104 can be used with the industrial control 100 to provide redundancy. For example, two or more I/O modules 104 can be connected to a process sensor and/or actuator. Each I/O module 104 can include one or more ports that furnish a physical connection to hardware and circuitry included with the I/O module 104, such as a printed circuit board (PCB), and so forth. For example, each I/O module 104 includes a connection for a cable that connects the cable to a printed wiring board (PWB) in the I/O module 104.


One or more of the I/O modules 104 can include an interface for connecting to other networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a Global System for Mobile communications (GSM) network; a wireless computer communications network, such as a Wi-Fi network (e.g., a Wireless LAN (WLAN) operated using IEEE 802.11 network standards); a Personal Area Network (PAN) (e.g., a Wireless PAN (WPAN) operated using IEEE 802.15 network standards); a Wide Area Network (WAN); an intranet; an extranet; an internet; the Internet; and so on. Further, one or more of the I/O modules 104 can include a connection for connecting an I/O module 104 to a computer bus, and so forth.


The communications/control modules 106 can be used to monitor and control the I/O modules 104, and to connect two or more I/O modules 104 together. In embodiments of the disclosure, a communications/control module 106 can update a routing table when an I/O module 104 is connected to the industrial control system 100 based upon a unique ID for the I/O module 104. Further, when multiple redundant I/O modules 104 are used, each communications/control module 106 can implement mirroring of informational databases regarding the I/O modules 104 and update them as data is received from and/or transmitted to the I/O modules 104. In some embodiments, two or more communications/control module 106 are used to provide redundancy. For added security, redundant communications/control modules 106 can be configured to perform an authentication sequence or handshake to authenticate one another at predefined events or times including such as startup, reset, installation of a new control module 106, replacement of a communications/control module 106, periodically, scheduled times, and the like.


In some implementations, data transmitted by the industrial control system 100 can be packetized, i.e., discrete portions of the data can be converted into data packets comprising the data portions along with network control information, and so forth. The industrial control system 100 can use one or more protocols for data transmission, including a bit-oriented synchronous data link layer protocol such as High-Level Data Link Control (HDLC). In some embodiments, the industrial control system 100 implements HDLC according to an International Organization for Standardization (ISO) 13239 standard, or the like. Further, two or more communications/control modules 106 can be used to implement redundant HDLC. However, it should be noted that HDLC is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, the industrial control system 100 can use other various communications protocols in accordance with the present disclosure.


One or more of the communications/control module 106 can be configured for exchanging information with components used for monitoring and/or controlling the field devices 130 (e.g., sensor and/or actuator instrumentation) connected to the industrial control system 100 via the I/O modules 104, such as one or more control loop feedback mechanisms/controllers. In implementations, a controller can be configured as a microcontroller/Programmable Logic Controller (PLC), a Proportional-Integral-Derivative (PID) controller, and so forth. In some embodiments, the I/O modules 104 and the communications/control modules 106 include network interfaces, e.g., for connecting one or more I/O modules 104 to one or more controllers via a network. In implementations, a network interface can be configured as a Gigabit Ethernet interface for connecting the I/O modules 104 to a Local Area Network (LAN). Further, two or more communications/control modules 106 can be used to implement redundant Gigabit Ethernet. However, it should be noted that Gigabit Ethernet is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, a network interface can be configured for connecting the communications/control modules 106 to other various networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a GSM network; a wireless computer communications network, such as a Wi-Fi network (e.g., a WLAN operated using IEEE 802.11 network standards); a PAN (e.g., a WPAN operated using IEEE 802.15 network standards); a WAN; an intranet; an extranet; an internet; the Internet; and so on. Additionally, a network interface can be implemented using a computer bus. For example, a network interface can include a Peripheral Component Interconnect (PCI) card interface, such as a Mini PCI interface, and so forth. Further, the network can be configured to include a single network or multiple networks across different access points.


The industrial control system 100 can receive electrical power from multiple sources. For example, AC power is supplied from a power grid 108 (e.g., using high voltage power from AC mains). AC power can also be supplied using local power generation (e.g., an on-site turbine or diesel local power generator 110). A power supply 112 is used to distribute electrical power from the power grid 108 to automation equipment of the industrial control system 100, such as controllers, I/O modules, and so forth. A power supply 112 can also be used to distribute electrical power from the local power generator 110 to the industrial control system equipment. The industrial control system 100 can also include additional (backup) power supplies configured to store and return DC power using multiple battery modules. For example, a power supply 112 functions as a UPS. In embodiments of the disclosure, multiple power supplies 112 can be distributed (e.g., physically decentralized) within the industrial control system 100.


In some embodiments, the control elements/subsystems and/or industrial elements (e.g., the I/O modules 104, the communications/control modules 106, the power supplies 112, and so forth) are connected together by one or more backplanes 114. For example, communications/control modules 106 can be connected to I/O modules 104 by a communications backplane 116. Further, power supplies 112 can be connected to I/O modules 104 and/or to communications/control modules 106 by a power backplane 118. In some embodiments, physical interconnect devices (e.g., switches, connectors, or cables such as, but not limited to, those described in U.S. Non-provisional application Ser. No. 14/446,412, which is incorporated herein by reference in its entirety) are used to connect to the I/O modules 104, the communications/control modules 106, the power supplies 112, and possibly other industrial control system equipment. For example, a cable can be used to connect a communications/control module 106 to a network 120, another cable can be used to connect a power supply 112 to a power grid 108, another cable can be used to connect a power supply 112 to a local power generator 110, and so forth.


The communications backplane 116 includes switch fabric 300 facilitating interconnectivity of industrial control system elements coupled via the communications backplane 116. For example, the communications backplane 116 can physically and communicatively couple the communications/control module 106 to the I/O module 104, and can further couple these industrial control system elements to the network 120 (e.g., providing access to enterprise devices, engineering control interfaces/applications, and so forth). The image capture device 200 (and other devices 130) can be coupled to the communications backplane 116 directly or via a communications/control module 106 or I/O module 104 in order to facilitate access to high speed secure communication through the switch fabric 300.


In embodiments, the switch fabric 300 comprises a serial communications interface 302 and a parallel communications interface 304 for furnishing communications between a number of communications/control modules 106, I/O modules 104, image capture devices 200, field devices 130, and/or other elements of the industrial control system 100. Various elements can be connected to the industrial control system 100 using one or more electromagnetic connectors. For instance, each I/O module 104 can include or can be coupled to one or more electromagnetic connectors or connector assemblies, with core members extending through coils. In some embodiments, the coils can be implemented as planar windings on a circuit board. When included in an I/O module 104, the circuit board can be “floated” against a partial spring load, allowing for some movement of the circuit board perpendicular to the plane of a core member, e.g., to compensate for tolerances across the circuit board. For example, a self-holding spring loading mechanism can be provided in the module to provide a constant downward pressure to facilitate mating of the electromagnetic connection, compensating for stacked tolerances of the module, PCB, and baseplate/support frame and ensuring a constant mating of both halves of an electromagnetic connector assembly.


In some embodiments, a “tongue and groove” configuration can be used that provides inherent fastening and support in three planes. For example, a printed circuit board included within an I/O module 104 can be configured to slide along and between two track segments in a direction perpendicular to the plane of a core member. Further, a core member can be mechanically isolated from (e.g., not touching) the circuit board. It should be noted that the implementation with planar primary and secondary windings is provided by way of example only and is not necessarily meant to be restrictive of the present disclosure. Thus, other implementations can use other coil configurations, such as wire wound coils, and so forth. For example, the primary coil may comprise a planar winding, and the secondary coil may comprise a wire wound coil. Further, the primary coil may comprise a wire wound coil, and the secondary coil may comprise a planar winding. In other implementations, primary and secondary coils may both comprise wire wound coils.


The switch fabric 300 may be configured for use with any systems technology, such as telecommunications network technology, computer network technology, process control systems technology, and so forth. For example, the switch fabric 300 may be used with a distributed control system comprised of controller elements and subsystems, where the subsystems are controlled by one or more controllers distributed throughout the system. The switch fabric 300 includes a serial communications interface 302 and a parallel communications interface 304 for furnishing communications with a number of slave devices.


The serial communications interface 302 may be implemented using a group of connectors connected in parallel with one another. In some embodiments, the connectors may be configured as electromagnetic connectors/connector assemblies (e.g., as previously described). For example, the serial communications interface 302 may be implemented using a multidrop bus 306, or the like. In implementations, the multidrop bus 306 may be used for configuration and diagnostic functions of the I/O modules 104/slave devices. The parallel communications interface 304 allows multiple signals to be transmitted simultaneously over multiple dedicated high speed parallel communication channels. For instance, the parallel communications interface 304 may be implemented using a cross switch 308, or the like.


In an embodiment shown in FIG. 3, the parallel communications interface 304 may be implemented using a four (4) wire full duplex cross switch 308 with a dedicated connection to each I/O module 104/slave device. In implementations, each connection may be furnished using one or more electromagnetic connectors/connector assemblies (e.g., as previously described). The cross switch 308 can be implemented as a programmable cross switch connecting point-to-point busses and allowing traffic between the I/O modules 104/slave devices. The cross switch 308 may be configured by a master device, such as a communications/control module 106. For example, the communications/control module 106/master device may configure one or more sets of registers included in the cross switch 308 to control traffic between the I/O modules 104/slave devices. In implementations, a communications/control module 106/master device may comprise a rule set dictating how the I/O modules 104/slave devices are interconnected. For example, a communications/control module 106/master device may comprise a set of registers, where each register defines the operation of a particular switch (e.g., with respect to how packets are forwarded, and so forth). Thus, the cross switch 308 may not necessarily auto-configure, instead implementing a configuration provided by a communications/control module 106/the master device. However, this configuration is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, in other implementations, the cross switch 308 may auto-configure.


The parallel communications interface 304 may be used for data collection from the I/O modules 104/slave devices. Further, because each I/O module 104/slave device has its own private bus to the communications/control module 106/master device, each I/O module 104/slave device can communicate with the communications/control module 106 at the same time. Thus, the total response time for the industrial control system 100 (i.e., switch fabric 300) may be limited to that of the slowest I/O module 104/slave device, instead of the sum of all slave devices, as in the case of a typical multidrop bus.


In implementations, the switch fabric 300, the serial communications interface 302, and the parallel communications interface 304 may be implemented in a single, monolithic circuit board, e.g., with multiple E-shaped core members of electromagnetic connectors extending through the circuit board. In implementations, the core members may be mechanically isolated from the circuit board (e.g., not touching the circuit board). However, this configuration is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, the serial communications interface 302 and the parallel communications interface 304 may be implemented using different arrangements of multiple components, such as multiple discrete semiconductor devices for implementing the serial communications interface 302 and the parallel communications interface 304 separately, and so forth.


The switch fabric 300 may be configured for connecting one or more I/O modules 104 (e.g., as slave devices) and transmitting data to and from the I/O modules 104. The I/O modules 104 may comprise input modules, output modules, and/or input and output modules. For instance, input modules can be used to receive information from input instruments in the process or the field, while output modules can be used to transmit instructions to output instruments in the field. For example, an I/O module 104 can be connected to an image capture device 200 for detecting image signals, spectral data, etc., or to a process sensor, such as a sensor for measuring pressure in piping for a gas plant, a refinery, and so forth. In implementations, the I/O modules 104 can be used the industrial control system 100 collect data in applications including, but not necessarily limited to critical infrastructure and/or industrial processes, such as product manufacturing and fabrication, utility power generation, oil, gas, and chemical refining; pharmaceuticals, food and beverage, pulp and paper, metals and mining and facility and large campus industrial processes for buildings, airports, ships, and space stations (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption).


Data transmitted using the switch fabric 300 may be packetized, i.e., discrete portions of the data may be converted into data packets comprising the data portions along with network control information, and so forth. The industrial control system 100/switch fabric 300 may use one or more protocols for data transmission, including a bit-oriented synchronous data link layer protocol such as High-Level Data Link Control (HDLC). In a specific instance, the industrial control system 100/switch fabric 300 may implement HDLC according to an International Organization for Standardization (ISO) 13239 standard, or the like. Further, two or more communications/control modules 106 can be used to implement redundant HDLC. However, it should be noted that HDLC is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, the industrial control system 100 may use other various communications protocols in accordance with the present disclosure.


The industrial control system 100 implements a secure control system, as described in U.S. patent application Ser. No. 14/469,931 (issued as U.S. Pat. No. 9,191,203) and International Application No. PCT/US2013/053721, which are entirely incorporated herein by reference. For example, the industrial control system 100 includes a security credential source (e.g., a factory 122) and a security credential implementer (e.g., a key management entity 124). In embodiment, a device lifetime management system can comprise the security credential implementer and the key management entity. The security credential source is configured to generate unique security credentials (e.g., keys, certificates, etc., such as a unique identifier, and/or a security credential). The security credential implementer is configured to provision the control elements/subsystems and/or industrial elements (e.g., cables, devices 130, I/O modules 104, communications/control modules 106, power supplies 112, and so forth) with a unique security credential generated by the security credential source.


Multiple (e.g., every) device 130, I/O module 104, communications/control module 106, power supply 112, physical interconnect devices, etc., of the industrial control system 100 can be provisioned with security credentials for providing security at multiple (e.g., all) levels of the industrial control system 100. Still further, the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, can be provisioned with the unique security credentials (e.g., keys, certificates, etc.) during manufacture (e.g., at birth), and can be managed from birth by a key management entity 124 of the industrial control system 100 for promoting security of the industrial control system 100. For example, the key management entity 124 can provision unique security credentials for components (e.g., for image capture devices 200 and other industrial control system elements) at respective manufacturing sites, and the key management entity 124 can be further configured to authenticate, revoke, or modify the security credentials when the components are implemented at a site different from each component's respective manufacturing site (e.g., when the component is installed/used in the industrial control system 100)


In some embodiments, communications between the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, of the industrial control system 100 includes an authentication process. The authentication process can be performed for authenticating control elements/subsystem and/or industrial elements including the sensors and/or actuators and so forth, implemented in the industrial control system 100. Further, the authentication process can utilize security credentials associated with the element and/or physical interconnect device for authenticating that element and/or physical interconnect device. For example, the security credentials can include encryption keys, certificates (e.g., public key certificates, digital certificates, identity certificates, security certificates, asymmetric certificates, standard certificates, non-standard certificates) and/or identification numbers.


In implementations, multiple control elements/subsystems and/or industrial elements of the industrial control system 100 are provisioned with their own unique security credentials. For example, each element of the industrial control system 100 may be provisioned with its own unique set(s) of certificates, encryption keys and/or identification numbers when the element is manufactured (e.g., the individual sets of keys and certificates are defined at the birth of the element). The sets of certificates, encryption keys and/or identification numbers are configured for providing/supporting strong encryption. The encryption keys can be implemented with standard (e.g., commercial off-the-shelf (COTS)) encryption algorithms, such as National Security Agency (NSA) algorithms, National Institute of Standards and Technology (NIST) algorithms, or the like.


Based upon the results of the authentication process, the element being authenticated can be activated, partial functionality of the element can be enabled or disabled within the industrial control system 100, complete functionality of the element can be enabled within the industrial control system 100, and/or functionality of the element within the industrial control system 100 can be completely disabled (e.g., no communication facilitated between that element and other elements of the industrial control system 100). In this regard, each element (e.g., a communications/control module 102, an I/O module 104, or the like) may be configured to authenticate, revoke, or modify a security credential of another industrial control system element (e.g., device 130, an image capture device 200, etc.) based upon success or failure of the authentication sequence utilizing respective security credentials of the industrial control system elements.


In embodiments, the industrial control system elements can establish secure communication paths or “tunnels” for securely transmitting information based upon the respective security credentials of the elements. For example, communications can be signed or encrypted by a first (transmitting) element and authenticated (e.g., verified or decrypted) by a second (receiving) element based upon the respective security credentials. In embodiments, an image capture device 200 can be configured to communicate data associated with processed image signals (e.g., image frames, spectral data, metadata, etc.) to a communications/control module 106 or an I/O module 104 (or other component of the industrial control system 100) via a secure tunnel. In some embodiments, the image capture device 200 only communicates information to a communications/control module 106 or an I/O module 104 (or other component of the industrial control system 100) after successfully authenticating or being authenticated by the receiving device.


In embodiments, the keys, certificates and/or identification numbers associated with an element of the industrial control system 100 can specify the original equipment manufacturer (OEM) of that element. As used herein, the term “original equipment manufacturer” or “OEM” can be defined as an entity that physically manufactures the device (e.g., element) and/or a supplier of the device such as an entity that purchases the device from a physical manufacturer and sells the device. Thus, in embodiments, a device can be manufactured and distributed (sold) by an OEM that is both the physical manufacturer and the supplier of the device. However, in other embodiments, a device can be distributed by an OEM that is a supplier, but is not the physical manufacturer. In such embodiments, the OEM can cause the device to be manufactured by a physical manufacturer (e.g., the OEM can purchase, contract, order, etc. the device from the physical manufacturer).


Additionally, where the OEM comprises a supplier that is not the physical manufacturer of the device, the device can bear the brand of the supplier instead of brand of the physical manufacturer. For example, in embodiments where an element (e.g., a communications/control module 106) is associated with a particular OEM that is a supplier but not the physical manufacturer, the element's keys, certificates and/or identification numbers can specify that origin. During authentication of an element of the industrial control system 100, when a determination is made that an element being authenticated was manufactured or supplied by an entity that is different than the OEM of one or more other elements of the industrial control system 100, then the functionality of that element can be at least partially disabled within the industrial control system 100. For example, limitations can be placed upon communication (e.g., data transfer) between that element and other elements of the industrial control system 100, such that the element cannot work/function within the industrial control system 100. When one of the elements of the industrial control system 100 requires replacement, this feature can prevent a user of the industrial control system 100 from unknowingly replacing the element with a non-homogenous element (e.g., an element having a different origin (a different OEM) than the remaining elements of the industrial control system 100) and implementing the element in the industrial control system 100. In this manner, the techniques described herein can prevent the substitution of elements of other OEM's into a secure industrial control system 100. In one example, the substitution of elements that furnish similar functionality in place of elements provided by an originating OEM can be prevented, since the substituted elements cannot authenticate and operate within the originating OEM's system. In another example, a first reseller can be provided with elements having a first set of physical and cryptographic labels by an originating OEM, and the first reseller's elements can be installed in an industrial control system 100. In this example, a second reseller can be provided with elements having a second (e.g., different) set of physical and cryptographic labels by the same originating OEM. In this example, the second reseller's elements may be prevented from operating within the industrial control system 100, since they may not authenticate and operate with the first reseller's elements. However, it should also be noted that the first reseller and the second reseller may enter into a mutual agreement, where the first and second elements can be configured to authenticate and operate within the same industrial control system 100. Further, in some embodiments, an agreement between resellers to allow interoperation can also be implemented so the agreement only applies to a specific customer, group of customers, facility, etc.


In another instance, a user can attempt to implement an incorrectly designated (e.g., mismarked) element within the industrial control system 100. For example, the mismarked element can have a physical indicia marked upon it which falsely indicates that the element is associated with the same OEM as the OEM of the other elements of the industrial control system 100. In such instances, the authentication process implemented by the industrial control system 100 can cause the user to be alerted that the element is counterfeit. This process can also promote improved security for the industrial control system 100, since counterfeit elements are often a vehicle by which malicious software can be introduced into the industrial control system 100. In embodiments, the authentication process provides a secure air gap for the industrial control system 100, ensuring that the secure industrial control system is physically isolated from insecure networks.


In implementations, the secure industrial control system 100 includes a key management entity 124. The key management entity 124 can be configured for managing cryptographic keys (e.g., encryption keys) in a cryptosystem. This managing of cryptographic keys (e.g., key management) can include the generation, exchange, storage, use, and/or replacement of the keys. For example, the key management entity 124 is configured to serve as a security credentials source, generating unique security credentials (e.g., public security credentials, secret security credentials) for the elements of the industrial control system 100. Key management pertains to keys at the user and/or system level (e.g., either between users or systems).


In embodiments, the key management entity 124 comprises a secure entity such as an entity located in a secure facility. The key management entity 124 can be remotely located from the I/O modules 104, the communications/control modules 106, and the network 120. For example, a firewall 126 can separate the key management entity 124 from the control elements or subsystems 102 and the network 120 (e.g., a corporate network). In implementations, the firewall 126 can be a software and/or hardware-based network security system that controls ingoing and outgoing network traffic by analyzing data packets and determining whether the data packets should be allowed through or not, based on a rule set. The firewall 126 thus establishes a barrier between a trusted, secure internal network (e.g., the network 120) and another network 128 that is not assumed to be secure and trusted (e.g., a cloud and/or the Internet). In embodiments, the firewall 126 allows for selective (e.g., secure) communication between the key management entity 124 and one or more of the control elements or subsystems 102 and/or the network 120. In examples, one or more firewalls can be implemented at various locations within the industrial control system 100. For example, firewalls can be integrated into switches and/or workstations of the network 120.


The secure industrial control system 100 can further include one or more manufacturing entities (e.g., factories 122). The manufacturing entities can be associated with original equipment manufacturers (OEMs) for the elements of the industrial control system 100. The key management entity 124 can be communicatively coupled with the manufacturing entity via a network (e.g., a cloud). In implementations, when the elements of the industrial control system 100 are being manufactured at one or more manufacturing entities, the key management entity 124 can be communicatively coupled with (e.g., can have an encrypted communications pipeline or tunnel to) the elements. The key management entity 124 can utilize the communications pipeline for provisioning the elements with security credentials (e.g., inserting keys, certificates and/or identification numbers into the elements) at the point of manufacture.


Further, when the elements are placed into use (e.g., activated), the key management entity 124 can be communicatively coupled (e.g., via an encrypted communications pipeline) to each individual element worldwide and can confirm and sign the use of specific code, revoke (e.g., remove) the use of any particular code, and/or enable the use of any particular code. Thus, the key management entity 124 can communicate with each element at the factory where the element is originally manufactured (e.g., born), such that the element is born with managed keys. A master database and/or table including all encryption keys, certificates and/or identification numbers for each element of the industrial control system 100 can be maintained by the key management entity 124. The key management entity 124, through its communication with the elements, is configured for revoking keys, thereby promoting the ability of the authentication mechanism to counter theft and re-use of components.


In implementations, the key management entity 124 can be communicatively coupled with one or more of the control elements/subsystems, industrial elements, and/or the network 120 via another network (e.g., a cloud and/or the Internet) and firewall. For example, in embodiments, the key management entity 124 can be a centralized system or a distributed system. Moreover, in embodiments, the key management entity 124 can be managed locally or remotely. In some implementations, the key management entity 124 can be located within (e.g., integrated into) the network 120 and/or the control elements or subsystems 102. The key management entity 124 can provide management and/or can be managed in a variety of ways. For example, the key management entity 124 can be implemented/managed: by a customer at a central location, by the customer at individual factory locations, by an external third party management company and/or by the customer at different layers of the industrial control system 100, and at different locations, depending on the layer.


Varying levels of security (e.g., scalable, user-configured amounts of security) can be provided by the authentication process. For example, a base level of security can be provided which authenticates the elements and protects code within the elements. Other layers of security can be added as well. For example, security can be implemented to such a degree that a component, such as the communications/control module 106, cannot power up without proper authentication occurring. In implementations, encryption in the code is implemented in the elements, while security credentials (e.g., keys and certificates) are implemented on the elements. Security can be distributed (e.g., flows) through the industrial control system 100. For example, security can flow through the industrial control system 100 all the way to an end user, who knows what a module is designed to control in that instance. In embodiments, the authentication process provides encryption, identification of devices for secure communication and authentication of system hardware or software components (e.g., via digital signature).


In implementations, the authentication process can be implemented to provide for and/or enable interoperability within the secure industrial control system 100 of elements manufactured and/or supplied by different manufacturers/vendors/suppliers (e.g., OEMs). For example, selective (e.g., some) interoperability between elements manufactured and/or supplied by different manufacturers/vendors/suppliers can be enabled. In embodiments, unique security credentials (e.g., keys) implemented during authentication can form a hierarchy, thereby allowing for different functions to be performed by different elements of the industrial control system 100.


The communication links connecting the components of the industrial control system 100 can further employ data packets, such as runt packets (e.g., packets smaller than sixty-four (64) bytes), placed (e.g., injected and/or stuffed) therein, providing an added level of security. The use of runt packets increases the level of difficulty with which outside information (e.g., malicious content such as false messages, malware (viruses), data mining applications, etc.) can be injected onto the communications links. For example, runt packets can be injected onto a communication link within gaps between data packets transmitted between the action originator 204 and the communications/control module 106 or any other industrial element/controller 206 to hinder an external entity's ability to inject malicious content onto the communication link.


As shown in FIGS. 4 and 5, the I/O module 104, communications/control module 106, or any other industrial element/controller 406 can be at least partially operated according to requests/commands from an action originator 402. For example, the action originator 402 can access data from and/or send instructions/requests associated with setting or adjusting one or more system variables for the image capture device 200 or a field device 130 coupled to the IOM 104 or CCM 106. In implementations, the action originator 402 includes an operator interface 408 (e.g., SCADA or HMI), an engineering interface 410 including an editor 412 and a compiler 414, a local application 420, a remote application 416 (e.g., communicating through a network 418 via a local application 420), or the like. In the authentication path 400 illustrated in FIGS. 4 and 5, the industrial element/controller 406 (e.g., IOM 104 or CCM 106) processes an operator action (e.g., request for data, instruction to change/adjust one or more system variables, engineering interface command, control command, firmware/software update, set point control, application image download, or the like) only when the operator action has been signed and/or encrypted by an action authenticator 404 or a communication (e.g., authentication message) associated with the operator action is signed and/or encrypted. This prevents unauthorized operator actions from valid user profiles and further secures the system from unauthorized action requests coming from invalid (e.g., hacked) profiles. In embodiments, an action authentication process is implemented as described in U.S. patent application Ser. No. 14/519,066, which is incorporated herein by reference in its entirety.


The action authenticator 404 may include a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt the action request generated by the action originator 402 with the private key. The private key can be stored in a memory that cannot be accessed via standard operator login. For instance, the secured workstation 426 can require a physical key, portable encryption device (e.g., smart card, RFID tag, or the like), and/or biometric input for access. In embodiments, the private key (e.g., security credential) can be provisioned by an onsite or offsite key management entity (e.g., onsite device lifecycle management system (“DLM”) 422) or a remotely located DLM 422 connected via the network 418).


In some embodiments, the action authenticator 404 includes a portable encryption device such as a smart card 424 (which can include a secured microprocessor). The advantage of using a portable encryption device is that the entire device (including the privately stored key and processor in communication therewith) can be carried with an operator or user that has authorized access to an interface of the action originator 402. Whether the action authentication node 404 accesses the authentication path 400 via secured or unsecured workstation, the action request from the action originator 402 can be securely signed and/or encrypted within the architecture of the portable encryption device instead of a potentially less secure workstation or cloud-based architecture. This secures the industrial control system 100 from unauthorized actions. For instance, an unauthorized person would have to physically take possession of the smart card 424 before being able to authenticate any action requests sent via the action originator 402.


Furthermore, multiple layers of security can be employed. For example, the action authenticator 404 can include a secured workstation 426 that is only accessible to sign and/or encrypt action requests via smart card access or the like. Additionally, the secured workstation 426 can be accessible via a biometric or multifactor cryptography device 428 (e.g., fingerprint scanner, iris scanner, and/or facial recognition device). In some embodiments, a multifactor cryptography device 428 requires a valid biometric input before enabling the smart card 424 or other portable encryption device to sign the action request.


The industrial element/controller 406 being driven by the action originator 402 is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In some embodiments, the industrial element/controller 406 includes a storage medium 430 (e.g., SD/micro-SD card, HDD, SSD, or any other non-transitory storage device) configured to store the action request (e.g., application image, control command, and/or any other data sent by the action originator). The industrial element/controller 406 further includes a processor 432 (e.g., microcontroller, microprocessor, ASIC, or the like) that performs/executes code associated with the operator action (i.e., performs a requested action) after authenticating the operator action or communication associated therewith. In some embodiments, the operator action is encrypted by the action originator 402 and/or the action authenticator 432 and must also be decrypted by the processor 432 before the requested action can be performed. In implementations, the industrial element/controller 406 includes a virtual key switch 434 (e.g., a software module running on the processor 432) that enables the processor 432 to execute the operator action only after authenticating the operator action or communication associated therewith. For example, the virtual key switch 434 can be configured to selectively enable/disable one or more operating modes of the processor 432 (e.g., safe mode, standard operational mode, secure operating mode, etc.). In some embodiments, each and every action or each one of a selection of critical actions must clear the authentication path before being run on by the industrial element/controller 406. For example, the can include any change of parameters/process variables or data requests sent for the image capture device 200 or a field device 130.


As discussed above, for further security, the image capture device 200 can be configured to perform an authentication sequence or handshake to authenticate with an external device (e.g., IOM 104 or CCM 106) that the image capture device 200 is connected to. The authentication can occur at predefined events or times including such as startup, reset, installation of an image capture device 200, replacement of an image capture device 200, periodically, at scheduled times, and so forth. By causing the image capture device 200 to authenticate with external devices to which the image capture device 200 is coupled, counterfeit or maliciously introduced image capture devices 200 can be avoided. In implementations, the external device can at least partially disable a feature of the image capture device 200 or prevent communications with the image capture device 200 when the authentication is unsuccessful.



FIG. 6 shows example datagrams 500 transmitted between an image capture device 200 and an external device (e.g., IOM 104 or CCM 106) in performance of the authentication sequence. To initiate the authentication sequence, the external device is configured to transmit a request datagram 502 to the image capture device 200. In implementations, the request datagram 502 includes a first plain text nonce (NonceA), a first device authentication key certificate (CertDAKA) containing a first device authentication key (DAKA), and a first identity attribute certificate (IACA). In some embodiments, the external device is configured to generate the first nonce (NonceA) with a true random number generator (hereinafter “TRNG”) and concatenate or otherwise combine the first nonce (NonceA), the first device authentication key certificate (CertDAKA), and the first identity attribute certificate (IACA) to generate the request datagram 502. In some embodiments, the first device authentication key certificate (CertDAKA) and the first identity attribute certificate (IACA) are locally stored by the external device. For example, the certificates may be stored in a local memory (e.g., ROM, RAM, flash memory, or other non-transitory storage medium) of an I/O module 104 or communications/control module 106.


The image capture device 200 is configured to validate the request datagram by verifying the first device authentication key certificate (CertDAKA) and the first identity attribute certificate (IACA) with public keys that are generated by a device lifecycle management system (DLM) or derived utilizing crypto library functions. In this regard, the public keys may be stored in SRAM or another local memory of the image capture device 200 and used with crypto library functions to verify or cryptographically sign exchanged data, such as the nonces exchanged between the external device and the image capture device 200. In some embodiments, the image capture device 200 may verify the certificates with an elliptic curve digital signing algorithm (hereinafter “ECDSA”) or other verification operation. In some embodiments, the image capture device 200 may be further configured to validate the certificate values from plain text values by verifying the following: certificate type is device authentication key (hereinafter “DAK”) or identity attribute certificate (hereinafter “IAC”) for each certificate; IAC names match, DAK certificate module type matches module type argument; and/or microprocessor serial number (hereinafter “MPSN”) of each certificate in the message payload match each other. In some embodiments, the image capture device 200 may be further configured to verify the DAK and IAC certificates are not in a local revocation list (e.g., a list or database including revoked and/or invalid certificates). When the image capture device 200 fails to validate the request datagram, the image capture device 200 may generate an error message, partially or completely disable the external device, and/or discontinue or restrict communications to/from the external device.


Responsive to a valid request datagram 502, the image capture device 200 is configured to transmit a response datagram 504 to the external device. In implementations, the response datagram 504 includes a second plain text nonce (NonceB), a first signature associated with the first and second nonces (SigB[NonceA∥NonceB]), a second device authentication key certificate (certDAKB) containing a second device authentication key (DAKB), and a second identity attribute certificate (IACB). In some embodiments, the image capture device 200 is configured to generate the second nonce (NonceB) with a TRNG, concatenate or otherwise combine the first nonce (NonceA) and the second nonce (NonceB), and sign the concatenated/combined nonces with a private key (e.g., DAK) that is locally stored by the image capture device 200. The image capture device 200 is further configured to concatenate or otherwise combine the second nonce (NonceB), the first signature associated with the first and second nonces (SigB[NonceA∥NonceB]), the second device authentication key certificate (certDAKB), and the second identity attribute certificate (IACB) to generate the response datagram 504. In some embodiments, the second device authentication key certificate (CertDAKB) and the second identity attribute certificate (IACB) are locally stored by the image capture device 200. For example, the certificates may be stored in a local memory (e.g., ROM, RAM, flash memory, or other non-transitory storage medium) of the image capture device 200.


The external device is configured to validate the response datagram by verifying the second device authentication key certificate (CertDAKB) and the second identity attribute certificate (IACB) with public keys that are locally stored or retrieved from a crypto library utilizing ECDSA or another verification operation. In some embodiments, the external device may be further configured to validate the certificate values from plain text values by verifying the following: IAC & DAK certificates have matching MPSNs, IAC names match, certificate types are correct on both certificates (IAC & DAK), the correct issuer name is on both certificates, DAK module type is the correct type (e.g., check to see if module type=communications/control module). In some embodiments, the external device may be further configured to verify the DAK and IAC certificates are not in a local revocation list.


To validate the response datagram, the external device may be further configured to verify the first signature associated with the first and second nonces (sigB[NonceA∥NonceB]). In some embodiments, the external device is configured to verify the first signature (sigB[NonceA∥NonceB]) by concatenating the first locally stored nonce (NonceA) and the second plaintext nonce (NonceB) received from the image capture device 200, verifying the first cryptographic signature (sigB[NonceA∥NonceB]) with a public device authentication key (e.g., using DAKB from certDAKB), and comparing the locally generated concatenation of the first nonce and the second nonce with the cryptographically verified concatenation of the first nonce and the second nonce. When the external device fails to validate the response datagram, the external device may generate an error message, partially or completely disable the image capture device 200, and/or discontinue or restrict communications to/from the image capture device 200.


The external device is further configured to transmit an authentication datagram 506 to the image capture device 200 when the response datagram 504 is valid. In implementations, the authentication datagram 506 includes a second signature associated with the first and second nonces (sigA[NonceA∥NonceB]). In some embodiments, the external device is configured to sign the locally generated concatenation of the first and second nonces a private key (e.g., DAK) that is locally stored by the external device. When the response datagram is invalid, the authentication datagram 506 may be replaced with a “failed” authentication datagram 506 including a signature associated with the second nonce and an error reporting (e.g., “failure”) message (sigA[NonceB∥Error]) generated by the external device.


Responsive to the authentication datagram 506, the image capture device 200 may be further configured to transmit a responsive authentication datagram 508 to the external device. In implementations, the responsive authentication datagram 508 includes a signature associated with the first nonce and an error reporting (e.g., “success” or “failure”) message (sigB[NonceA∥Error]) generated by the image capture device 200. In some embodiments, the image capture device 200 is configured to validate the authentication datagram 506 by verifying the second signature associated with the first and second nonces (sigA[NonceA∥NonceB]). In some embodiments, the image capture device 200 is configured to verify the second signature (sigA[NonceA∥NonceB]) by concatenating the first plaintext nonce (NonceA) received from the external device and the second locally stored nonce (NonceB), verifying the second cryptographic signature (sigA[NonceA∥NonceB]) with a public device authentication key (e.g., using DAKA from certDAKA), and comparing the locally generated concatenation of the first nonce and the second nonce with the cryptographically verified concatenation of the first nonce and the second nonce. In addition to the error reporting message, when the image capture device 200 fails to validate the authentication datagram, the image capture device 200 may partially or completely disable the external device, and/or discontinue or restrict communications to/from the external device.


In some implementations, the roles of the image capture device 200 and external device, as described above, can be reversed. In some implementations, the external device and the image capture device are arranged according to a “master-slave” configuration, where the master (e.g., the external device) may be configured to authenticate the slave (e.g., the image capture device 200). In the event of a failed authentication, the master may at least partially disable or restrict communications to/from the unauthenticated slave. Alternatively, a failed authentication may result in both devices or a pseudo-secondary device being partially or completely disabled. For example, for enhanced security, the external device (e.g., IOM 104 or CCM 106) and the image capture device 200 can be disabled should they fail to successfully complete the authentication sequence.


Each of the industrial control system elements described herein may include circuitry and/or logic enabled to perform the functions described herein. For example, each industrial control system element (e.g., IOM 104, CCM, 106, image capture device 200, and so forth) may include a processor configured to execute program instructions stored permanently, semi-permanently, or temporarily by a non-transitory machine readable medium such as a hard disk drive (HDD), solid-state disk (SDD), optical disk, magnetic storage device, flash drive, or the like. Furthermore, as described above, the industrial control elements herein can be provisioned with unique security credentials, either when placed in use or at birth (e.g., at the site of manufacture) by the key management entity 124 (which may be the same key management entity for all industrial control system elements). These security credentials can be stored in secure memory of each device (e.g., in an encrypted memory). Moreover, authentication of any operator action, request, datagram, and the like can occur within the confines of each industrial control system element (e.g., using the embedded security credential(s) and processor of each element, rather than via an external authenticator). In this regard, intrinsic security can be implemented at each level/layer of the industrial control system 100.


It should be understood that any of the functions described herein can be implemented using hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, manual processing, or a combination thereof. Thus, the blocks, operations, functions, or steps discussed in the above disclosure generally represent hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, or a combination thereof. In the instance of a hardware configuration, the various blocks discussed in the above disclosure may be implemented as integrated circuits along with other functionality. Such integrated circuits may include all of the functions of a given block, system, or circuit, or a portion of the functions of the block, system, or circuit. Further, elements of the blocks, systems, or circuits may be implemented across multiple integrated circuits. Such integrated circuits may comprise various integrated circuits, including, but not necessarily limited to: a monolithic integrated circuit, a flip chip integrated circuit, a multichip module integrated circuit, and/or a mixed signal integrated circuit. In the instance of a software implementation, the various blocks discussed in the above disclosure represent executable instructions (e.g., program code) that perform specified tasks when executed on a processor. These executable instructions can be stored in one or more tangible computer readable media. In some such instances, the entire system, block, or circuit may be implemented using its software or firmware equivalent. In other instances, one part of a given system, block, or circuit may be implemented in software or firmware, while other parts are implemented in hardware.


Although the subject matter has been described in language specific to structural features and/or process operations, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims
  • 1. An image capture device for a secure industrial control system, comprising: an image sensor;a signal processor coupled to the image sensor; anda controller for managing the signal processor and transmitting data associated with processed image signals to at least one of an input/output module or a communications/control module via a communications interface that couples the controller to the at least one of the input/output module or the communications/control module, wherein the controller is configured to establish an encrypted tunnel between the controller and the at least one of the input/output module or the communications/control module based upon a unique security credential of the image capture device and a unique security credential of the at least one of the input/output module or the communications/control module,wherein the image capture device is provisioned with the unique security credential at a point of manufacture of the image capture device by a key management entity, andwherein the unique security credential of the image capture device is at least one of modifiable or revocable, by the at least one of the input/output module or the communications/control module.
  • 2. The image capture device of claim 1, wherein the controller is further configured to perform an authentication sequence with the at least one of the input/output module or the communications/control module utilizing the at unique security credential of the image capture device and the unique security credential of the at least one of the input/output module or the communications/control module.
  • 3. The image capture device of claim 1, wherein the security credential of the image capture device is at least one of modifiable, revocable, or authenticatable by the key management entity at a site different from the respective point of manufacture of the image capture device.
  • 4. The image capture device of claim 1, wherein the unique security credential of the image capture device is authenticatable by the at least one of the input/output module or the communications/control module.
  • 5. The image capture device of claim 1, wherein the communications interface is configured to connect the controller, via the at least one of the input/output module or the communications/control module, to a communications backplane including a serial communications interface and a parallel communications interface.
  • 6. The image capture device of claim 5, wherein the communications interface comprises a Power Over Ethernet (POE) port for receiving power supplied by the at least one of the input/output module or the communications/control module.
  • 7. The image capture device of claim 1, wherein the one or more processed image signals include spectral data detected by the image sensor.
  • 8. The image capture device of claim 7, wherein the controller is configured to transmit the spectral data for monitoring one or more industrial control system environmental conditions including an environmental presence of one or more of: fire, dust, smoke, micro-particles, heat, moisture, elevated pressure, gas, or radiation.
  • 9. A secure industrial control system, comprising: a communications/control module provisioned with a first unique security credential;an input/output module provisioned with a second unique security credential;a communications backplane that physically and communicatively couples the communications/control module to the input/output module; andan image capture device provisioned with a third unique security credential and comprising: an image sensor;a signal processor coupled to the image sensor; anda controller for managing the signal processor and transmitting data associated with processed image signals to at least one of the input/output module or the communications/control module via a communications interface that couples the controller to the at least one of the input/output module or the communications/control module,wherein the controller is configured to establish an encrypted tunnel between the controller and the at least one of the input/output module or the communications/control module based upon the third unique security credential of the image capture device and at least one of the first and second unique security credentials associated with the at least one of the input/output module or the communications/control module,wherein the image capture device is provisioned with the third unique security credential at a point of manufacture of the image capture device from a key management entity, andwherein the third unique security credential of the image capture device is at least one of modifiable or revocable by the at least one of the input/output module or the communications/control module.
  • 10. The secure industrial control system of claim 9, wherein the controller is further configured to perform an authentication sequence with the at least one of the input/output module or the communications/control module based on the third unique security credential of the image capture device and at least one of the first and second unique security credentials associated with the at least one of the input/output module or the communications/control module.
  • 11. The secure industrial control system of claim 9, wherein the third unique security credential of the image capture device is at least one of modifiable, revocable, or authenticatable by the key management entity at a site different from the respective point of manufacture.
  • 12. The secure industrial control system of claim 9, wherein the third unique security credential of the image capture device is authenticatable by the at least one of the input/output module or the communications/control module.
  • 13. The secure industrial control system of claim 9, wherein the communications interface is configured to connect the controller, via the at least one of the input/output module or the communications/control module, to the communications backplane, wherein the communications backplane includes a serial communications interface and a parallel communications interface.
  • 14. The secure industrial control system of claim 13, wherein the communications interface comprises a Power Over Ethernet (POE) port for receiving power supplied by the at least one of the input/output module or the communications/control module.
  • 15. The secure industrial control system of claim 9, wherein the one or more processed image signals include spectral data detected by the image sensor.
  • 16. The secure industrial control system of claim 15, wherein the controller is configured to transmit the spectral data for monitoring one or more industrial control system environmental conditions including an environmental presence of one or more of: fire, dust, smoke, micro-particles, heat, moisture, elevated pressure, gas, or radiation.
  • 17. The secure industrial control system of claim 9, wherein at least one of the communications/control module or the input/output module is configured to pre-process or post-process image signals received from the image capture device before transmitting the image signals to another industrial element of the secure industrial control system or a network connected device.
  • 18. A secure industrial control system, comprising: a communications/control module provisioned with a first unique security credential;an input/output module provisioned with a second unique security credential;a communications backplane that physically and communicatively couples the communications/control module to the input/output module, the communications backplane including a serial communications interface for connecting the input/output module to the communications/control module and a parallel communications interface configured for separately connecting the input/output module to the communications/control module; andan image capture device provisioned with a third unique security credential and comprising: an image sensor;a signal processor coupled to the image sensor; anda controller for managing the signal processor and transmitting data associated with processed image signals to at least one of the input/output module or the communications/control module via a communications interface that couples the controller to the at least one of the input/output module or the communications/control module based upon the third unique security credential and at least one of the first and second unique security credentials associated with the at least one of the input/output module or the communications/control module,wherein the image capture device is provisioned with the third unique security credential at a point of manufacture of the image capture device from a key management entity, andwherein the third unique security credential of the image capture device is at least one of modifiable or revocable by the at least one of the input/output module or the communications/control module.
CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation-in-part of U.S. patent application Ser. No. 14/942,304, filed Nov. 16, 2015, and titled “SECURE INDUSTRIAL CONTROL SYSTEM,” which is a continuation of U.S. patent application Ser. No. 14/469,931 (issued as U.S. Pat. No. 9,191,203), filed Aug. 27, 2014, and titled “SECURE INDUSTRIAL CONTROL SYSTEM,” which is a continuation of International Application No. PCT/US2013/053721, filed Aug. 6, 2013, and titled “SECURE INDUSTRIAL CONTROL SYSTEM.” The present application is also a continuation-in-part of U.S. patent application Ser. No. 14/519,066, filed Oct. 20, 2014, and titled “OPERATOR ACTION AUTHENTICATION IN AN INDUSTRIAL CONTROL SYSTEM.” The present application is also a continuation-in-part of U.S. patent application Ser. No. 15/287,937, filed Oct. 7, 2016, and titled “INDUSTRIAL CONTROL SYSTEM REDUNDANT COMMUNICATIONS/CONTROL MODULES AUTHENTICATION, which is a continuation of U.S. patent application Ser. No. 14/519,047 (issued as U.S. Pat. No. 9,467,297), filed Oct. 20, 2014, and titled “INDUSTRIAL CONTROL SYSTEM REDUNDANT COMMUNICATIONS/CONTROL MODULES AUTHENTICATION.” The present application is also a continuation-in-part of U.S. patent application Ser. No. 14/597,498, filed Jan. 15, 2015, and titled “ELECTROMAGNETIC CONNECTOR,” which is a continuation of U.S. patent application Ser. No. 13/341,143, filed Dec. 30, 2011, and titled “ELECTROMAGNETIC CONNECTOR.” The present application is also a continuation-in-part of U.S. patent application Ser. No. 15/247,998, filed Aug. 26, 2016, and titled “SWITCH FABRIC HAVING A SERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONS INTERFACE, which is a continuation of U.S. patent application Ser. No. 14/501,974 (issued as U.S. Pat. No. 9,436,641), filed Sep. 30, 2014, and titled “SWITCH FABRIC HAVING A SERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONS INTERFACE,” which is a continuation of U.S. patent application Ser. No. 13/341,161 (issued as U.S. Pat. No. 8,862,802), filed Dec. 30, 2011, and titled “SWITCH FABRIC HAVING A SERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONS INTERFACE.” The present application is also a continuation-in-part of U.S. patent application Ser. No. 15/289,613, filed Oct. 10, 2016, and titled “COMMUNICATIONS CONTROL SYSTEM WITH A SERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONS INTERFACE, which is a continuation of U.S. patent application Ser. No. 14/502,006 (issued as U.S. Pat. No. 9,465,762), filed Sep. 30, 2014, and titled “COMMUNICATIONS CONTROL SYSTEM WITH A SERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONS INTERFACE,” which is a continuation of U.S. patent application Ser. No. 13/341,176 (U.S. Pat. No. 8,868,813), filed Dec. 30, 2011, and titled “COMMUNICATIONS CONTROL SYSTEM WITH A SERIAL COMMUNICATIONS INTERFACE AND A PARALLEL COMMUNICATIONS INTERFACE.” Each of the patents and patent applications cross-referenced above is incorporated herein by reference in its entirety.

US Referenced Citations (306)
Number Name Date Kind
1778549 Conner Oct 1930 A
1961013 Saraceno May 1934 A
2540575 Finizie Feb 1951 A
3702983 Chace et al. Nov 1972 A
4079440 Ohnuma et al. Mar 1978 A
4082984 Iwata Apr 1978 A
4337499 Cronin et al. Jun 1982 A
4403286 Fry et al. Sep 1983 A
4508414 Kusui et al. Apr 1985 A
4628308 Robert Dec 1986 A
4656622 Lea Apr 1987 A
4672529 Kupersmit Jun 1987 A
4691384 Jobe Sep 1987 A
4789792 Ruedi Dec 1988 A
4882702 Stuger et al. Nov 1989 A
4929939 Varma et al. May 1990 A
4932892 Hatch Jun 1990 A
5013247 Watson May 1991 A
5128664 Bishop Jul 1992 A
5229652 Hough Jul 1993 A
5325046 Young et al. Jun 1994 A
5378166 Gallagher, Sr. Jan 1995 A
5385487 Beitman Jan 1995 A
5385490 Demeter et al. Jan 1995 A
5388099 Poole Feb 1995 A
5422558 Stewart Jun 1995 A
5469334 Balakrishnan Nov 1995 A
5519583 Kolling et al. May 1996 A
5546463 Caputo et al. Aug 1996 A
5590284 Crosetto Dec 1996 A
5602754 Beatty et al. Feb 1997 A
5603044 Annapareddy et al. Feb 1997 A
5719483 Abbott et al. Feb 1998 A
5724349 Cloonan et al. Mar 1998 A
5735707 O'Groske et al. Apr 1998 A
5757795 Schnell May 1998 A
5773962 Nor Jun 1998 A
5860824 Fan Jan 1999 A
5896473 Kaspari Apr 1999 A
5909368 Nixon et al. Jun 1999 A
5951666 Ilting et al. Sep 1999 A
5958030 Kwa Sep 1999 A
5963448 Flood Oct 1999 A
5980312 Chapman et al. Nov 1999 A
6009410 LeMole et al. Dec 1999 A
6046513 Jouper et al. Apr 2000 A
6124778 Rowley et al. Sep 2000 A
6178474 Hamano et al. Jan 2001 B1
6218740 Mildice Apr 2001 B1
6219789 Little et al. Apr 2001 B1
6220889 Ely et al. Apr 2001 B1
6347963 Falkenberg et al. Feb 2002 B1
6393565 Lockhart et al. May 2002 B1
6435409 Hu Aug 2002 B1
6453416 Epstein Sep 2002 B1
6480963 Tachibana et al. Nov 2002 B1
6490176 Holzer et al. Dec 2002 B2
6574681 White et al. Jun 2003 B1
6597683 Gehring et al. Jul 2003 B1
6643777 Chu Nov 2003 B1
6680904 Kaplan et al. Jan 2004 B1
6695620 Huang Feb 2004 B1
6799234 Moon et al. Sep 2004 B1
6812803 Goergen Nov 2004 B2
6814580 Li et al. Nov 2004 B2
6828894 Sorger et al. Dec 2004 B1
6840795 Takeda et al. Jan 2005 B1
6988162 Goergen Jan 2006 B2
7164255 Hui Jan 2007 B2
7172428 Huang Feb 2007 B2
7200692 Singla et al. Apr 2007 B2
7234963 Huang Jun 2007 B1
7254452 Davlin et al. Aug 2007 B2
7402074 LeBlanc et al. Jul 2008 B2
7415368 Gilbert et al. Aug 2008 B2
7426585 Rourke Sep 2008 B1
7460482 Pike Dec 2008 B2
7510420 Mori Mar 2009 B2
7526676 Chou et al. Apr 2009 B2
7529862 Isani et al. May 2009 B2
7536548 Batke et al. May 2009 B1
7554288 Gangstoe et al. Jun 2009 B2
7587481 Osburn, III Sep 2009 B1
7614909 Lin Nov 2009 B2
7619386 Sasaki et al. Nov 2009 B2
7622994 Galal Nov 2009 B2
7660998 Walmsley Feb 2010 B2
7670190 Shi et al. Mar 2010 B2
7685349 Allen et al. Mar 2010 B2
7730304 Katsube et al. Jun 2010 B2
7746846 Boora et al. Jun 2010 B2
7761640 Hikabe Jul 2010 B2
7774074 Davlin et al. Aug 2010 B2
7788431 Deshpande et al. Aug 2010 B2
7790304 Hendricks et al. Sep 2010 B2
7811136 Hsieh et al. Oct 2010 B1
7815471 Wu Oct 2010 B2
7822994 Hamaguchi Oct 2010 B2
7839025 Besser et al. Nov 2010 B2
7872561 Matumoto Jan 2011 B2
7948758 Buhler et al. May 2011 B2
7960870 Besser et al. Jun 2011 B2
7971052 Lucas et al. Jun 2011 B2
8013474 Besser et al. Sep 2011 B2
8019194 Morrison et al. Sep 2011 B2
8032745 Bandholz et al. Oct 2011 B2
8062070 Jeon et al. Nov 2011 B2
8125208 Gyland Feb 2012 B2
8132231 Amies et al. Mar 2012 B2
8143858 Tsugawa et al. Mar 2012 B2
8149587 Baran et al. Apr 2012 B2
8157569 Liu Apr 2012 B1
8181262 Cooper et al. May 2012 B2
8189101 Cummings et al. May 2012 B2
8212399 Besser et al. Jul 2012 B2
8266360 Agrawal Sep 2012 B2
8281386 Milligan et al. Oct 2012 B2
8287306 Daugherty et al. Oct 2012 B2
8295770 Seil et al. Oct 2012 B2
8310380 Aria et al. Nov 2012 B2
8380905 Djabbari et al. Feb 2013 B2
8390441 Covaro et al. Mar 2013 B2
8465762 Lee et al. Jun 2013 B2
8480438 Mattson Jul 2013 B2
8560147 Taylor et al. Oct 2013 B2
8587318 Chandler et al. Nov 2013 B2
8651874 Ku et al. Feb 2014 B2
8677145 Kerry et al. Mar 2014 B2
8694770 Osburn, III Apr 2014 B1
8777671 Huang Jul 2014 B2
8862802 Calvin et al. Oct 2014 B2
8868813 Calvin et al. Oct 2014 B2
8971072 Calvin et al. Mar 2015 B2
9071082 Nishibayashi et al. Jun 2015 B2
9318917 Kubota et al. Apr 2016 B2
9436641 Calvin et al. Sep 2016 B2
9465762 Calvin et al. Oct 2016 B2
9467297 Clish et al. Oct 2016 B2
9812803 Toyoda et al. Nov 2017 B2
10103875 Roth et al. Oct 2018 B1
20020070835 Dadafshar Jun 2002 A1
20020080828 Ofek et al. Jun 2002 A1
20020080829 Ofek et al. Jun 2002 A1
20020084698 Kelly et al. Jul 2002 A1
20020086678 Salokannel et al. Jul 2002 A1
20020095573 O'Brien Jul 2002 A1
20020097031 Cook et al. Jul 2002 A1
20020116619 Maruyama et al. Aug 2002 A1
20020124198 Bormann et al. Sep 2002 A1
20020171525 Kobayashi et al. Nov 2002 A1
20020182898 Takahashi et al. Dec 2002 A1
20020189910 Yano et al. Dec 2002 A1
20030005289 Gougeon et al. Jan 2003 A1
20030040897 Murphy et al. Feb 2003 A1
20030074489 Steger et al. Apr 2003 A1
20030094855 Lohr et al. May 2003 A1
20030105601 Kobayashi et al. Jun 2003 A1
20030137277 Mori et al. Jul 2003 A1
20030166397 Aura Sep 2003 A1
20030202330 Lopata et al. Oct 2003 A1
20030204756 Ransom et al. Oct 2003 A1
20050001589 Edington et al. Jan 2005 A1
20050019143 Bishman Jan 2005 A1
20050091432 Adams et al. Apr 2005 A1
20050102535 Patrick et al. May 2005 A1
20050144437 Ransom et al. Jun 2005 A1
20050144440 Catherman et al. Jun 2005 A1
20050162019 Masciarelli et al. Jul 2005 A1
20050182876 Kim et al. Aug 2005 A1
20050189910 Hui Sep 2005 A1
20050198522 Shaw et al. Sep 2005 A1
20050229004 Callaghan Oct 2005 A1
20060015590 Patil et al. Jan 2006 A1
20060020782 Kakii Jan 2006 A1
20060108972 Araya May 2006 A1
20060119315 Sasaki et al. Jun 2006 A1
20060155990 Katsube et al. Jul 2006 A1
20060156415 Rubinstein et al. Jul 2006 A1
20070072442 DiFonzo et al. Mar 2007 A1
20070076768 Chiesa et al. Apr 2007 A1
20070123304 Pattenden et al. May 2007 A1
20070123316 Little May 2007 A1
20070143838 Milligan et al. Jun 2007 A1
20070174524 Kato et al. Jul 2007 A1
20070177298 Jaatinen et al. Aug 2007 A1
20070192134 Littenberg et al. Aug 2007 A1
20070194944 Galera Aug 2007 A1
20070214296 Takamatsu et al. Sep 2007 A1
20070229302 Penick et al. Oct 2007 A1
20070260897 Cochran et al. Nov 2007 A1
20080067874 Tseng Mar 2008 A1
20080077976 Schulz Mar 2008 A1
20080123669 Oliveti et al. May 2008 A1
20080140888 Blair et al. Jun 2008 A1
20080181316 Crawley et al. Jul 2008 A1
20080189441 Jundt et al. Aug 2008 A1
20080194124 Di Stefano Aug 2008 A1
20080303351 Jansen et al. Dec 2008 A1
20090036164 Rowley Feb 2009 A1
20090061678 Minoo et al. Mar 2009 A1
20090066291 Tien et al. Mar 2009 A1
20090083843 Wilkinson, Jr. et al. Mar 2009 A1
20090091513 Kuhn Apr 2009 A1
20090092248 Rawson Apr 2009 A1
20090121704 Shibahara May 2009 A1
20090204458 Wiese et al. Aug 2009 A1
20090217043 Metke et al. Aug 2009 A1
20090222885 Batke et al. Sep 2009 A1
20090234998 Kuo Sep 2009 A1
20090239468 He et al. Sep 2009 A1
20090245245 Malwankar et al. Oct 2009 A1
20090254655 Kidwell et al. Oct 2009 A1
20090256717 Iwai Oct 2009 A1
20090278509 Boyles et al. Nov 2009 A1
20090287321 Lucas et al. Nov 2009 A1
20090288732 Gielen Nov 2009 A1
20100052428 Imamura et al. Mar 2010 A1
20100066340 Delforge Mar 2010 A1
20100082869 Lloyd et al. Apr 2010 A1
20100122081 Sato et al. May 2010 A1
20100148721 Little Jun 2010 A1
20100149997 Law et al. Jun 2010 A1
20100151816 Besehanic et al. Jun 2010 A1
20100153751 Tseng Jun 2010 A1
20100197366 Pattenden et al. Aug 2010 A1
20100197367 Pattenden et al. Aug 2010 A1
20100233889 Kiani et al. Sep 2010 A1
20100262312 Kubota et al. Oct 2010 A1
20110010016 Giroti Jan 2011 A1
20110038114 Pance et al. Feb 2011 A1
20110066309 Matsuoka et al. Mar 2011 A1
20110074349 Ghovanloo Mar 2011 A1
20110080056 Low et al. Apr 2011 A1
20110082621 Berkobin et al. Apr 2011 A1
20110089900 Hogari Apr 2011 A1
20110140538 Jung et al. Jun 2011 A1
20110150431 Klappert Jun 2011 A1
20110185196 Asano et al. Jul 2011 A1
20110196997 Ruberg et al. Aug 2011 A1
20110197009 Agrawal Aug 2011 A1
20110202992 Xiao et al. Aug 2011 A1
20110285847 Riedel Nov 2011 A1
20110291491 Lemmens et al. Dec 2011 A1
20110296066 Xia Dec 2011 A1
20110313547 Hernandez et al. Dec 2011 A1
20120028498 Na et al. Feb 2012 A1
20120046015 Little Feb 2012 A1
20120053742 Tsuda Mar 2012 A1
20120102334 O'Loughlin et al. Apr 2012 A1
20120124373 Dangoor et al. May 2012 A1
20120143586 Vetter et al. Jun 2012 A1
20120159210 Hosaka Jun 2012 A1
20120236769 Powell et al. Sep 2012 A1
20120242459 Lambert Sep 2012 A1
20120265361 Billingsley et al. Oct 2012 A1
20120271576 Kamel et al. Oct 2012 A1
20120274273 Jacobs et al. Nov 2012 A1
20120282805 Ku et al. Nov 2012 A1
20120284354 Mukundan et al. Nov 2012 A1
20120284514 Lambert Nov 2012 A1
20120295451 Hyun-Jun et al. Nov 2012 A1
20120297101 Neupartl et al. Nov 2012 A1
20120311071 Karaffa et al. Dec 2012 A1
20120322513 Pattenden et al. Dec 2012 A1
20120328094 Pattenden et al. Dec 2012 A1
20130011719 Yasui et al. Jan 2013 A1
20130026973 Luke et al. Jan 2013 A1
20130031382 Jau et al. Jan 2013 A1
20130070788 Deiretsbacher et al. Mar 2013 A1
20130170258 Calvin et al. Jul 2013 A1
20130173832 Calvin et al. Jul 2013 A1
20130211547 Buchdunger et al. Aug 2013 A1
20130212390 Du et al. Aug 2013 A1
20130224048 Gillingwater et al. Aug 2013 A1
20130233924 Burns Sep 2013 A1
20130244062 Teramoto et al. Sep 2013 A1
20130290706 Socky et al. Oct 2013 A1
20130291085 Chong et al. Oct 2013 A1
20140015488 Despesse Jan 2014 A1
20140068712 Frenkel et al. Mar 2014 A1
20140075186 Austen Mar 2014 A1
20140091623 Shippy et al. Mar 2014 A1
20140095867 Smith et al. Apr 2014 A1
20140097672 Takemura et al. Apr 2014 A1
20140129162 Hallman et al. May 2014 A1
20140131450 Jeff et al. May 2014 A1
20140142725 Boyd May 2014 A1
20140280520 Baier et al. Sep 2014 A1
20140285318 Audeon et al. Sep 2014 A1
20140312913 Kikuchi et al. Oct 2014 A1
20140327318 Calvin et al. Nov 2014 A1
20140335703 Calvin et al. Nov 2014 A1
20140341220 Lessmann Nov 2014 A1
20150019790 Calvin et al. Jan 2015 A1
20150046701 Rooyakkers et al. Feb 2015 A1
20150048684 Rooyakkers et al. Feb 2015 A1
20150115711 Kouroussis et al. Apr 2015 A1
20150303729 Kasai et al. Oct 2015 A1
20150365240 Callaghan Dec 2015 A1
20160065656 Patin et al. Mar 2016 A1
20160069174 Cannan et al. Mar 2016 A1
20160141894 Beaston May 2016 A1
20160172635 Stimm et al. Jun 2016 A1
20160224048 Rooyakkers et al. Aug 2016 A1
20160301695 Trivelpiece et al. Oct 2016 A1
20180190427 Rooyakkers et al. Jul 2018 A1
Foreign Referenced Citations (167)
Number Date Country
2162746 Apr 1994 CN
1408129 Apr 2003 CN
1440254 Sep 2003 CN
2596617 Dec 2003 CN
1571335 Jan 2005 CN
1702582 Nov 2005 CN
1839581 Sep 2006 CN
1864305 Nov 2006 CN
2899151 May 2007 CN
101005359 Jul 2007 CN
101069407 Nov 2007 CN
101262401 Sep 2008 CN
101322089 Dec 2008 CN
101349916 Jan 2009 CN
101447861 Jun 2009 CN
101533380 Sep 2009 CN
101576041 Nov 2009 CN
201515041 Jun 2010 CN
101809557 Aug 2010 CN
201590580 Sep 2010 CN
101919139 Dec 2010 CN
101977104 Feb 2011 CN
102035220 Apr 2011 CN
102236329 Nov 2011 CN
102237680 Nov 2011 CN
202205977 Apr 2012 CN
102480352 May 2012 CN
1934766 Jun 2012 CN
102546707 Jul 2012 CN
102809950 Dec 2012 CN
102812578 Dec 2012 CN
103064032 Apr 2013 CN
203180248 Sep 2013 CN
103376766 Oct 2013 CN
103682883 Mar 2014 CN
103701919 Apr 2014 CN
203645015 Jun 2014 CN
104025387 Sep 2014 CN
203932181 Nov 2014 CN
104185969 Dec 2014 CN
104297691 Jan 2015 CN
104505894 Apr 2015 CN
204243110 Apr 2015 CN
105278327 Jan 2016 CN
105556762 May 2016 CN
104025387 Jul 2018 CN
102013213550 Jan 2015 DE
473336 Apr 1992 EP
0507360 Oct 1992 EP
1176616 Jan 2002 EP
1241800 Sep 2002 EP
1246563 Oct 2002 EP
1571559 Jul 2005 EP
1877915 Jan 2008 EP
1885085 Feb 2008 EP
1885085 Jun 2008 EP
2179364 Apr 2010 EP
2317743 May 2011 EP
2450921 May 2012 EP
2557657 Feb 2013 EP
2557670 Feb 2013 EP
2613421 Oct 2013 EP
2777796 Sep 2014 EP
2806319 Nov 2014 EP
S59-074413 May 1984 JP
S59177226 Nov 1984 JP
H0163190 Apr 1989 JP
04245411 Sep 1992 JP
H05346809 Dec 1993 JP
07075143 Mar 1995 JP
07105328 Apr 1995 JP
07320963 Dec 1995 JP
08037121 Feb 1996 JP
08-098274 Apr 1996 JP
08241824 Sep 1996 JP
08322252 Dec 1996 JP
09182324 Jul 1997 JP
11-89103 Mar 1999 JP
11098707 Apr 1999 JP
11-235044 Aug 1999 JP
H11230504 Aug 1999 JP
H11312013 Nov 1999 JP
2000041068 Feb 2000 JP
2000252143 Sep 2000 JP
2001242971 Sep 2001 JP
2001292176 Oct 2001 JP
2001307055 Nov 2001 JP
2002134071 May 2002 JP
2002280238 Sep 2002 JP
2002343655 Nov 2002 JP
2002359131 Dec 2002 JP
3370931 Jan 2003 JP
2003047912 Feb 2003 JP
2003068543 Mar 2003 JP
2003142327 May 2003 JP
2003152703 May 2003 JP
2003152708 May 2003 JP
2003216237 Jul 2003 JP
2004501540 Jan 2004 JP
2004303701 Oct 2004 JP
2004532596 Oct 2004 JP
2005038411 Feb 2005 JP
2005513956 May 2005 JP
2005151720 Jun 2005 JP
2005250833 Sep 2005 JP
2005275777 Oct 2005 JP
2005531235 Oct 2005 JP
2005327231 Nov 2005 JP
2005332406 Dec 2005 JP
2006060779 Mar 2006 JP
2006180460 Jul 2006 JP
2006223950 Aug 2006 JP
2006238274 Sep 2006 JP
2006254650 Sep 2006 JP
2007034711 Feb 2007 JP
2007096817 Apr 2007 JP
2007519150 Jul 2007 JP
2007238696 Sep 2007 JP
2007252081 Sep 2007 JP
2007535235 Nov 2007 JP
2008008361 Jan 2008 JP
2008215028 Sep 2008 JP
2008257707 Oct 2008 JP
2008538668 Oct 2008 JP
4245411 Mar 2009 JP
2009157913 Jul 2009 JP
2009163909 Jul 2009 JP
2009538112 Oct 2009 JP
2010011351 Jan 2010 JP
2010503134 Jan 2010 JP
4439340 Mar 2010 JP
2010515407 May 2010 JP
2010135903 Jun 2010 JP
2011078249 Apr 2011 JP
2011217037 Oct 2011 JP
2011223544 Nov 2011 JP
5013019 Aug 2012 JP
2012190583 Oct 2012 JP
2012195259 Oct 2012 JP
2013021798 Jan 2013 JP
2013031358 Feb 2013 JP
2013170258 Sep 2013 JP
2013192389 Sep 2013 JP
2014507721 Mar 2014 JP
2014080952 May 2014 JP
2015023375 Feb 2015 JP
2016512039 Apr 2016 JP
6189479 Aug 2017 JP
20020088540 Nov 2002 KR
20050014790 Feb 2005 KR
1020060034244 Apr 2006 KR
100705380 Apr 2007 KR
100807377 Feb 2008 KR
201310344 Mar 2013 TW
2005070733 Aug 2005 WO
2005081659 Sep 2005 WO
2006059195 Jun 2006 WO
2007041866 Apr 2007 WO
2007148462 Dec 2007 WO
2008083387 Jul 2008 WO
2009032797 Mar 2009 WO
2011104935 Sep 2011 WO
2013033247 Mar 2013 WO
2013102069 Jul 2013 WO
2014179556 Nov 2014 WO
2014179566 Nov 2014 WO
2015020633 Feb 2015 WO
Non-Patent Literature Citations (145)
Entry
Roman Kleinerman; Daniel Feldman (May 2011), Power over Ethernet (PoE): An Energy-Efficient Alternative (PDF), Marvell, retrieved Sep. 25, 2018 @ http://www.marvell.com/switching/assets/Marvell-PoE-An-Energy-Efficient-Alternative.pdf (Year: 2011).
CGI, White Paper on “Public Key Encryption and Digital Signature: How do they work?”, 2004 (refer to pp. 3-4).
“Introduction to Cryptography”, Network Associates, Inc., PGP 6.5.1, 1990-1999, Retrieved @ [ftp://ftp.pgpi.org/pub/pgp/6.5/docs/English/IntroToCrypto.pdf] on Mar. 17, 2016 (refer to pp. 16-20).
Stouffer, K. et al., “Guide to Industrial Control Systems (ICS) Security”, NIST, Special Pub. 800-82, Jun. 2011 (refer to pp. 2-1 to 2-10).
Molva, R. Ed et al., “Internet security architecture”, Computer Networks, Elsevier Science Publishers B. V., Amsterdam, NL, vol. 31, No. 8, Apr. 23, 1999, pp. 787-804, XP004304518.
Rodrigues, Aniket et al., “SCADA security device”, Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW '11, Jan. 1, 2011, p. 1, XP55230335, New York, New York, USA.
Rodrigues, A., “SCADA Security Device: Design and Implementation”, Master of Science Thesis, Wichita State University, Dec. 2011.
Zafirovic-Vukotic, M. et al., “Secure SCADA network supporting NERC CIP”, Power & Energy Society General Meeting, 2009, PES '09, IEEE, Piscataway, NJ, USA, Jul. 26, 2009, pp. 1-8, XP031538542.
European Search Report dated Dec. 2, 2015 for EP Application No. 14196408.0.
International Search Report and Written Opinion of the International Searching Authority dated Apr. 29, 2013, International Application No. PCT/US2012/072056.
Office Action dated Aug. 3, 2016 for Chinese Appln. No. 201280065564.2.
Office Action dated Dec. 2, 2016 for JP Appln. No. 2014-550508.
Office Action dated May 17, 2013 for U.S. Appl. No. 13/341,161.
Partial Supplementary European Search Report dated Nov. 10, 2015 in Application # EP12862174.5.
Office Action for Japanese Application No. 2016-512039, dated Feb. 5, 2019.
International Search Report and Written Opinion for PCT/US2014/036368, dated Sep. 12, 2014.
Office Action for Chinese Appln No. 201380079515.9, dated Nov. 16, 2017.
Office Action for Chinese Appln No. 201380079515.9 dated Aug. 7, 2018.
Office Action for Chinese Appln No. 201380079515.9, dated Feb. 25, 2019.
Supplementary Search Report in European Application No. 13890953.6, dated Jan. 26, 2017.
Office Action for Japanese Application No. 2016-533280, dated Jun. 28, 2017.
Office Action for Japanese Application No. 2016-533280, dated Apr. 11, 2018.
Office Action for Japanese Application No. 2016-533280, dated Jan. 7, 2019.
International Search Report and Written Opinion for PCT/US2013/053721, dated May 12, 2014.
Office Action for Chinese Appln No. 201380079514.4, dated Feb. 5, 2018.
Office Action for Chinese Appln No. 201380079514.4, dated Nov. 5, 2018.
Examination Report for European Application No. 13891327.2, dated Sep. 26, 2018.
Supplementary Search Report for European Application No. 13891327.2, dated Jan. 10, 2017.
Reason for Rejection in Japanese Patent Application No. 2016-533279, dated Aug. 13, 2018.
Notice of Reasons for Rejection in Japanese Patent Application No. 2016-533279, dated Jul. 13, 2017.
Notice of Reason for Rejection in Japanese Patent Application No. 2016-533279, dated Mar. 1, 2018.
Fabien Fleuot, “Raspberry Pi + Mihini, Controlling an off-the-grid Electrical Installation, Part I,” Apr. 11, 2014, XP055290314.
Siemens, “Uninterruptible 24 V DC Power Supply High-Performance, communicative and integrated in TIA,” Mar. 31, 2015, XP055290324.
Office Action for Canadian Application No. 2,875,517, dated May 4, 2015.
Office Action for Chinese Application No. 201410802889.5, dated Jul. 26, 2018.
Search Report for European Application No. 14196406.4, dated Nov. 4, 2015.
Extended Search Report for European Application No. 16165112.0, dated Sep. 6, 2016.
Examination Report for European Application No. 16165112.0, dated Feb. 16, 2018.
Notice of Reason for Rejection for Japanese Application No. 2014-243827, dated Jan. 24, 2019.
Office Action for Chinese Application No. 2015103905202.2, dated Jun. 20, 2018.
Office Action for Chinese Application No. 2015103905202.2, dated Mar. 6, 2019.
Search Report for European Application No. 15175744.0, dated Apr. 26, 2016.
Partial Search Report for European Application No. 15175744.0, dated Dec. 14, 2015.
Office Action for Canadian Application No. 2,875,518, dated Jun. 3, 2015.
Office Action for Canadian Application No. 2,875,518, dated Apr. 22, 2016.
Office Action for Canadian Application No. 2,875,515, dated Jul. 5, 2017.
Office Action for Canadian Application No. 2,875,515, dated Feb. 10, 2017.
Office Action for Canadian Application No. 2,875,515, dated Jun. 1, 2016.
Office Action for Canadian Application No. 2,875,515, dated Oct. 6, 2016.
Office Action for Chinese Application No. 201410799473.2, dated Oct. 12, 2018.
Examination Report for European Application No. 14196409.8, dated Jan. 22, 2018.
Search Report for European Application No. 14196409.8, dated May 19, 2016.
Notice of Reason for Rejection for Japanese Application No. 2014-243830, dated Sep. 21, 2018.
Office Action for Canadian Application No. 2,920,133, dated Jan. 30, 2017.
Office Action for Canadian Application No. 2,920,133, dated Oct. 19, 2016.
Search Report for European Application No. 16154943.1, dated Jun. 17, 2016.
Partial European Search Report in European Application No. 17208183.8, dated Mar. 28, 2018.
Examination Report in European Application No. 17206183.8, dated Jun. 22, 2018.
Examination Report in European Application No. 17208183.8, dated Feb. 27, 2019.
Office Action for Chinese Appln. No. 201610239130.X, dated Feb. 14, 2018.
Office Action for Chinese Appln. No. 201610239130.X, dated Aug. 2, 2017.
Office Action for CN Appln. No. 201410182071.8, dated Mar. 1, 2017.
Office Action for Chinese Application No. 201280065564.2, dated Feb. 28, 2017.
Office Action for Chinese Application No. 201280065564.2, dated Oct. 19, 2017.
European Search Report in Application No. 12862174.5, dated Feb. 15, 2016.
European Search Report in Application No. 17178867.2, dated Nov. 2, 2017.
Office Action for Japanese Application No. 2014-550508, dated Sep. 15, 2017.
Baran, M.E. et al., “Overcurrent Protection on Voltage-Source-Converter-Based Multiterminal DC Distribution Systems,” IEEE Transactions on Power Delivery, Jan. 2007.
Office Action for Chinese Application No. 201410383686.7, dated May 31, 2017.
Office Action for Chinese Application No. 201410383686.7, dated Feb. 23, 2018.
Office Action for Chinese Application No. 201480034066.0, dated May 3, 2017.
Search Report and Opinion for European Application No. 14166908.8, dated Jan. 7, 2015.
Extended Search Report for European Application No. 14180106.8, dated Jul. 13, 2015.
Examination Report for European Application No. 14180106.8, dated Jun. 28, 2017.
Supplementary Search Report for European Application No. 14791210.9, dated Dec. 6, 2016.
Office Action for Japanese Application No. 2014-080952, dated May 2, 2018.
Office Action for Japanese Application No. 2014-080952, dated Jan. 7, 2019.
Office Action for Japanese Application No. 2014-159475, dated Jul. 18, 2018.
Office Action for Japanese Application No. 2014-159475, dated Feb. 15, 2019.
Office Action for Japanese Application No. 2016-512039, dated Jun. 5, 2018.
Canadian Office Action for Application No. 2920133 dated Jan. 30, 2017.
Chinese Office Action for Application No. 2920133 dated Oct. 19, 2016.
Supplementary European Search Report for European Patent Application No. EP 13890953 dated Feb. 6, 2017, 9 pages.
Supplementary Search Report for European Application No. 14791210.9, dated Dec. 16, 2016.
Siemens AG: “ERTEC 400 | Enhanced Real-Time Ethernet Controller | Handbuch”,no. Version 1.2.2 pp. 1-98, XP002637652, Retrieved from the Internet: Url:http:llcache.automation.siemens.com|dniiDUI DUxNDgzNwAA_21631481_HBIERTEC400_Handbuch_V122.pdf [retrieved on May 2, 2011].
Decision of Rejection for Chinese Application No. 2015103905202.2, dated Nov. 5, 2019.
European Search Report for European Application No. 14196406.4, dated Sep. 23, 2015.
European Search Report for EP Application No. 14196408.0, dated Nov. 24, 2015.
European Search Report dated Nov. 4, 2015 in Application No. EP14196406.4.
Examination Report for European Application No. 17178867.2, dated Mar. 13, 2019.
Examination Report for European Patent Application No. 16165112.0, dated Apr. 17, 2019.
Partial Search Report for European Applicaton No.15175744.0, dated Dec. 14, 2015.
Examination Report for European Patent Application No. 16154943.1, dated May 16, 2019.
Examination Report for European Patent Application No. 17208183.8, dated Oct. 29, 2019.
Extended European Search Report for European Patent Application No. EP14180106.8, dated 31 Aug. 12, 2015.
Extended European Search Report for European Patent Application No. EP 14196409 dated May 31, 2016, 10 pages.
Extended European Search Report for European Patent Application No. EP 16154943 dated Jun. 29, 2016, 9pages.
Extended European Search Report for European Patent Application No.EP 18176358 dated Sep. 11, 2018, 11 pages.
International Search Report and Written Opinion dated May 12, 2014 in International Application# PCT/US2013/053721.
Notice of Reason for Rejection for Japanese Patent Application No. 2014-243830, dated Jul. 10, 2019.
Notice of Reason for Rejection for JP Patent Application No. 2018-109151, dated Jun. 25, 2019.
Office Action for Canadian Application No. 2,875,515, dated Feb. 17, 2016.
Office Action for Chinese Application No. 2015103905202.2, dated Aug. 6, 2019.
Office Action for Chinese Patent Application 201410802889.5, dated May 7, 2019.
Office Action for Canadian Application No. 2,920,133, dated Apr. 14, 2016.
Office Action for Chinese Patent Application No. 20141079999.2, dated Jul. 3, 2019.
Office Action for Chinese Patent Application No. 201610236358.3, dated Sep. 4, 2019.
Office Action from Chinese Patent Application 201410802889.5, dated Dec. 4, 2019.
Office Action from Chinese Paten Application No. 201610229230.4, dated Oct. 24, 2019.
Office Action for Japanese Application No. 2015-136186, dated Oct. 10, 2019.
Partial Supplementary European Search Report in Application No. 12862174.5, dated Nov. 3, 2015.
Decision of Rejection for Patent Application No. 2014-243827, dated Nov. 28, 2019.
Notice of Reason for Rejection for Patent Application No. 2016-021763, dated Nov. 27, 2019.
European search report for European Patent Application No. EP14196406 dated Oct. 2, 2015, 6 pages.
Roman Kleinerman, Daniel Feldman (May 2011), Power over Ethernet (PoE): An Energy-Efficient Alternative (PDF), Marvell, retrieved Sep. 9, 2018 © http://www.marvell.com/switching/assets/Marveii-PoE-An-Energy-Efficient-Aiternative.pdf (Year: 2011).
Partial European Search Report for European Patent Application No. EP 15175744 dated Jan. 4, 2016, 7 pages.
Examination Report for European Application No. 16165112.0, dated Apr. 17, 2019.
Office Action from EP Application No. 14196406.4, dated Jul. 29, 2019.
Decision of Rejection for Japanese Application No. 2014-243830, dated Mar. 18, 2020.
Final Decision for Rejection for Japanese Patent Application No. 2016-021763, dated Jul. 31, 2020.
Office Action for Chinese Patent Application No. 201610236358.3, dated Jun. 24, 2020.
Reason for Rejection for Japanese Patent Application No. 2015-136186, dated May 7, 2020.
Summons to attend oral proceedings for European Application No. 14196409.8, dated Nov. 13, 2019.
Notice of Reason for Rejection for Japanese Application No. 2016-080207, dated Jun. 4, 2020.
Office Action for Japanese Application No. 2016-533280, dated Jun. 29, 2020,.
Office Action from Chinese Patent Application No. 201610229230.4, dated Jul. 15, 2020.
Reason for Rejection for Japanese Appiication No. 2015-136186, dated May 7, 2020.
Extended European Search Report for European Application No. 20150993.2, dated Apr. 29, 2020.
Notice of Reason for Rejection for Japanese Application No. 2016-080207, dated Feb. 4, 2021.
Notice of Reason for Rejection for Japanese Application No. 2014-243827, dated Feb. 1, 2021.
Office Action for Chinese Patent Application No. 201610236358.3, dated Jan. 25, 2021.
Chinese Office Action for Application No. 202010105899.9, dated Dec. 3, 2020.
European Examination Report for Application No. 14196406.4, dated May 12, 2020.
European Search Report for Application No. 20173319.3, dated Nov. 24, 2020.
Hosseinabady, Mohammad, et al., “Using the inter- and intra-switch regularity in NoC switch testing,” Design, Automation & Test in Europe Conference & Exhibition: Nice, France, Apr. 16-20, 2007, IEEE Service Center, Apr. 16, 2007 (XP058290046).
Chen, et al., “Active Diagnosability of Discrete Event Systems and its Application to Battery Fault Diagnosis,” IEEE Transactions on Control Systems Technology, vol. 22, No. 5, Sep. 2014.
Examination Report for European Application No. 14196406.4, dated Mar. 31, 2021.
Extended European Search Report for European Application No. 20201403.0, dated Apr. 7, 2021.
Extended European Search Reported for European Application No. 20201403.1, dated Apr. 29, 2021.
Fang et al., “Application of expert diagnosis system in rechargeable battery,” Department of Computer Science, Qinghua University, Beijing, China, vol. 26, No. 3, Jun. 2002.
Generex System Gmbh, “BACS—Battery Analysis & Care System,” Aug. 17, 2014 , XP055290320, Retrieved from the Internet: URL:HTTP://web.archive.org/we/2040929060116/http://www.generex.de/generex/download/datasheets/datasheet_BACS_C20_de.pdf.
Notice of Reasons for Rejection for Japanese Patent Application No. 2020-035778, dated Apr. 15, 2021.
Office Action for Chinese Application No. 201610229230.4, dated Mar. 18, 2021.
Reason for Rejection for Japanese Application No. 2020-061935, dated Mar. 31, 2021.
Office Action for Chinese Application No. 201711349441.2, dated May 27, 2021.
Related Publications (1)
Number Date Country
20170147807 A1 May 2017 US
Continuations (11)
Number Date Country
Parent 14469931 Aug 2014 US
Child 14942305 US
Parent PCT/US2013/053721 Aug 2013 US
Child 14469931 US
Parent 14519047 Oct 2014 US
Child 15287937 US
Parent 15381667 US
Child 15287937 US
Parent 13341143 Dec 2011 US
Child 14597498 US
Parent 15381667 US
Child 14597498 US
Parent 14501974 Sep 2014 US
Child 15247998 US
Parent 13341161 Dec 2011 US
Child 14501974 US
Parent 15381667 US
Child 14501974 US
Parent 14502006 Sep 2014 US
Child 15289613 US
Parent 13341176 Dec 2011 US
Child 14502006 US
Continuation in Parts (7)
Number Date Country
Parent 14942305 Nov 2015 US
Child 15381667 US
Parent 15381667 US
Child PCT/US2013/053721 US
Parent 14519066 Oct 2014 US
Child 15381667 US
Parent 15287937 Oct 2016 US
Child 14519066 US
Parent 14597498 Jan 2015 US
Child 15381667 US
Parent 15247998 Aug 2016 US
Child 15381667 US
Parent 15289613 Oct 2016 US
Child 15381667 US