The following relates to a method and an arrangement for securely interchanging configuration data between a first and a second apparatus, particularly apparatuses in an automation installation.
Components installed in automation installations, such as programmable logic controllers (PLC) in production and process engineering, intelligent field devices in power distribution or element controllers in railway engineering, for example, usually also contain individual programming or configuration, which is different for each device, in addition to firmware or software with an identical version for all devices in a series.
To foster simple and rapid replacement of failed devices, for example, these programming or configuration data can additionally be stored in separate external, persistent memories, such as an SD card or a USB storage medium. In the event of a defect, a maintenance engineer removes the defective device, takes out the external memory, plugs it into a substitute device and connects that device in the installation. On starting, the substitute device reads in the data from the external memory, takes on the programming and configuration data stored thereon and is immediately operational in the same configuration as the replaced device.
The storage medium may also be permanently installed in the installation, for example in a switchgear cabinet, so that it remains in the installation when a device is removed and, when a device is plugged in/installed, is automatically connected to this device.
An external memory apparatus of this kind that can be plugged into a device or into an apparatus has the advantage that the apparatus is immediately provided with the correct, individual configuration data without administrative effort. When programming and/or configuration data are distributed over a local area network of the installation, for example, it is first necessary to establish where in the installation a new device is located and what data it needs.
On the other hand, programming and configuration data on an external plug-in memory apparatus, which are therefore detachably connectable to a device or an apparatus, can have the disadvantage that an attacker who has physical access to the detachable memories or physical access to the apparatus can manipulate these data more easily.
An aspect relates to allowing manipulation-proof interchange of configuration data between apparatuses.
The method according to embodiments of the invention for securely interchanging configuration data between a first and a second apparatus comprises the steps of:
The signature of the configuration data of the first apparatus can be used to check the integrity of the data. The means required for this purpose are provided to the second apparatus by virtue of the security token that is loaded into the second apparatus together with the signed configuration data. In the method, the external memory apparatus is used as a transmission medium for this information. It is therefore possible to ensure that the data on the external memory apparatus have not been altered. This ensures that the current configuration information is present on the external memory apparatus at any time. This particularly allows a replacement of the apparatus with a second apparatus to involve the current configuration of the first apparatus being transmitted to the second apparatus. Therefore, no additional administrative effort arises, for example by virtue of a central configuration server in which an update to the configuration data needs to be reported and the correspondingly updated configuration data need to be retrieved.
In one advantageous embodiment, the configuration data are checked by the second apparatus by means of the signature and the security token of the first apparatus and are used in the event of a successful check.
This ensures that only unaltered configuration data are loaded into the second apparatus and therefore no subsequently introduced malicious code is inserted into the configuration data. This is advantageous particularly when an external memory apparatus is used, since the latter can easily be removed from an apparatus and plugged back in following a manipulation.
In one advantageous embodiment, a digital signature for the configuration data is created in the second apparatus, after the loading and checking of the configuration data by the second apparatus, using a piece of security information of the second apparatus, and said digital signature is stored on the external memory apparatus.
This now allows the second apparatus to update configuration data that have changed again on the external memory apparatus.
In one advantageous embodiment, the piece of security information is a private key and the security token is a digital certificate.
The private key and the digital certificate are in this case elements of an asymmetric cryptographic method, for example in accordance with a public key infrastructure. In this case, the private key has an explicitly associated public key that is included in the digital certificate. Data are encrypted using the private key in this case and can be decrypted using the public key. The check on the digital certificate appended to the configuration data as a security token also allows the authenticity of the configuration data to be checked by virtue of the certificate on hand from the first apparatus being traced back to a certificate that is already on hand in the second apparatus, for example a trustworthy root certificate of the manufacturer that is rooted in the firmware. A trustworthy root certificate of this kind, particularly from the manufacturer, exists particularly in the case of devices from the same manufacturer. If a device from a different manufacturer than the first apparatus is used as substitute device, that is to say as second apparatus, then it is necessary to ensure that a suitable certificate, for example the root certificate of the manufacturer of the first apparatus, is available in the second apparatus.
If there is already a first digital signature for at least one first subset of the configuration data, then in one advantageous embodiment a second digital signature is created just for a subset of the configuration data for which there is not yet a signature, using a piece of security information of the first apparatus, or a digital signature is created for all the subsets of the configuration data and the signatures that are already present, using a piece of security information of the first apparatus.
In both cases, it is ensured that no subset of the configuration data is left without a digital signature, since an unsigned subset is one whose integrity and authenticity cannot be checked. If a second apparatus were to accept such unsigned subsets of the configuration data, misconfiguration or manipulation of the second apparatus could become possible.
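The two signing variants described above, worked as an added Go example (not code from the original document). The bundle stands for the content of the external memory apparatus; an ed25519 public key stands in for the device certificate as the security token, the keys are generated on the spot, and the subset names and contents are constructed. `SignUnsigned` is the first variant (a new signature only for subsets that have none yet), `SignAll` the second (one signature over all subsets and over the signatures already present), and `Verify` is the check a second apparatus would run: every stored signature must verify, and no subset may remain unsigned.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Bundle models the external memory apparatus: named subsets of the configuration data plus the signatures stored with them.
type Bundle struct {
	Subsets map[string][]byte
	Sigs    []Signature
}

// Signature is one digital signature plus its signer's security token; an ed25519 public key stands in for the device certificate here.
type Signature struct {
	Covers  []string // subset names hashed, in this order
	Chained int      // number of earlier signatures folded into the digest (second variant)
	Sig     []byte
	Signer  ed25519.PublicKey
}

// digest length-prefixes names, contents and chained signatures so boundaries cannot be shifted or subsets swapped unnoticed.
func digest(b *Bundle, covers []string, chained int) []byte {
	h := sha256.New()
	put := func(p []byte) { fmt.Fprintf(h, "%d:", len(p)); h.Write(p) }
	for _, name := range covers {
		put([]byte(name))
		put(b.Subsets[name])
	}
	for _, s := range b.Sigs[:chained] {
		put(s.Sig)
	}
	return h.Sum(nil)
}

// unsigned lists the subsets that no stored signature covers.
func unsigned(b *Bundle) (out []string) {
	covered := map[string]bool{}
	for _, s := range b.Sigs {
		for _, name := range s.Covers {
			covered[name] = true
		}
	}
	for name := range b.Subsets {
		if !covered[name] {
			out = append(out, name)
		}
	}
	return out
}

func sign(b *Bundle, priv ed25519.PrivateKey, names []string, chained int) {
	sig := ed25519.Sign(priv, digest(b, names, chained))
	b.Sigs = append(b.Sigs, Signature{Covers: names, Chained: chained, Sig: sig, Signer: priv.Public().(ed25519.PublicKey)})
}

// SignUnsigned, first variant: a new signature only for the subsets that have none yet.
func SignUnsigned(b *Bundle, priv ed25519.PrivateKey) bool {
	names := unsigned(b)
	if len(names) == 0 {
		return false // nothing left to sign
	}
	sign(b, priv, names, 0)
	return true
}

// SignAll, second variant: one signature over every subset and every signature already present.
func SignAll(b *Bundle, priv ed25519.PrivateKey) {
	sign(b, priv, unsigned(&Bundle{Subsets: b.Subsets}), len(b.Sigs)) // no sigs => all names
}

// Verify is what the second apparatus runs before using the data: every stored signature must verify and no subset may be left without one.
func Verify(b *Bundle) error {
	for i, s := range b.Sigs {
		if s.Chained > i || len(s.Signer) != ed25519.PublicKeySize {
			return fmt.Errorf("signature %d is malformed", i)
		}
		for _, name := range s.Covers {
			if _, ok := b.Subsets[name]; !ok {
				return fmt.Errorf("signature %d refers to missing subset %q", i, name)
			}
		}
		if !ed25519.Verify(s.Signer, digest(b, s.Covers, s.Chained), s.Sig) {
			return fmt.Errorf("signature %d does not verify", i)
		}
	}
	if rest := unsigned(b); len(rest) > 0 {
		return fmt.Errorf("subsets without signature: %v", rest)
	}
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // first apparatus' key (constructed)
	b := &Bundle{Subsets: map[string][]byte{"A": []byte("PLC program v1")}}
	SignAll(b, priv)
	b.Subsets["B"] = []byte("I/O mapping") // added later, still unsigned
	fmt.Println(Verify(b), SignUnsigned(b, priv), Verify(b))
}
```

The length prefix in `digest` matters: hashing the raw concatenation would let the boundary between a subset name and its content, or between two subsets, be moved without changing the hash. `Verify` rejects a bundle in which a subset was added after the last signature, in which a signed subset was altered or removed, and in which a signature claims to chain signatures that do not precede it.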
In one advantageous embodiment, the configuration data are stored on the external memory apparatus in encrypted fashion. However, this requires an appropriate key to be on hand in the firmware of a first and a second apparatus, for example, or such a key to be able to be requested from a central component.
The arrangement according to embodiments of the invention for securely interchanging configuration data comprises an apparatus having configuration data of the apparatus, a piece of security information for at least one asymmetric cryptographic method, a cryptographic computation unit, and also a memory apparatus detachably connected to the apparatus, wherein the cryptographic computation unit is set up to create a digital signature for the configuration data and to store the configuration data, the digital signature and a security token of the piece of security information in the external memory apparatus.
In such an arrangement, when the apparatus is replaced, the external memory apparatus can be detached, for example removed, and connected to a substitute apparatus, which therefore takes on the exact same configuration that the replaced apparatus had. Therefore, the administrative effort when replacing an apparatus is minimized and misconfigurations are avoided.
In one advantageous embodiment, the digital signature is created using a private key of the piece of security information of the apparatus, and the security token is present as a digital certificate having a public key of the apparatus.
The use of a digital certificate allows not only the integrity of the configuration data but also the authenticity thereof to be checked, and therefore makes it possible to ensure that the configuration data are issued by the certificate owner cited in the certificate.
In one advantageous embodiment, the cryptographic computation unit is set up to follow a change in the configuration data in the apparatus by computing a new digital signature and by storing the changed configuration data and the new digital signature on the external memory apparatus.
In one advantageous embodiment, the cryptographic computation unit is set up to read in secure configuration data from the external memory apparatus, to check the secure configuration data by means of the digital signature and the security token that are included in the secure configuration data, and to use the secure configuration data in the apparatus in the event of a successful check.
The signature can ensure that no manipulated data are transferred to the second apparatus.
In one advantageous embodiment, the cryptographic computation unit is set up to create a digital signature for the secure configuration data using a piece of security information of the apparatus and to store said digital signature on the external memory apparatus.
This allows the configuration data of the apparatus to be updated at any time and to be stored in secure fashion on the external memory apparatus.
In one advantageous embodiment, the cryptographic computation unit is set up to follow a renewal of the certificate of the apparatus by computing a new digital signature and by storing the new digital signature and the renewed certificate on the external memory apparatus.
A computer program product (non-transitory computer readable storage medium having instructions, which when executed by a processor, perform actions) according to the invention can be loaded directly into a memory of a digital computer and comprises program code sections that are suitable for performing the aforementioned method steps. Accordingly, a data storage medium according to embodiments of the invention is claimed that stores said computer program product.
Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein:
Mutually corresponding parts are provided with the same reference symbols in all the figures.
When the second apparatus starts, it checks the configuration data by means of the digital signature and the security token that has been appended to the configuration data. This is shown in dashed lines as method step 14. Advantageously, the second apparatus uses the configuration data only in the event of a successful check 15. It is therefore possible for a change of the configuration data on the external memory apparatus to be checked and for the uploading of such manipulated configuration data to be avoided.
In one advantageous embodiment, the successful check on the authenticity and integrity of the configuration data in the second apparatus is preceded by only some of the configuration data being used by the second apparatus, for example in order to load further data via a network, and the check is carried out or repeated later.
The authenticity of the data is checked by virtue of the security token on hand, for example a certificate already on hand from the first device, being traced back to a trustworthy root certificate rooted in the firmware of the second apparatus. Usually, apparatuses in the same series and in the same version from a manufacturer are equipped with a standard certificate of the manufacturer. Therefore, such a root certificate of the manufacturer is suitable for securing the configuration data. Following a successful check, the second apparatus can use a piece of security information of its own to perform a new signature for the data and to replace the signature and associated security token on the external memory apparatus.
The first and also the second apparatus can preferably use a signature certificate as a security token for signing the data on the external memory apparatus. Such a signature certificate can also be used for signing measurement or logging data or else control commands. It is not necessary to use a separate certificate for the digital signature of the configuration data. If the apparatus has no such certificate, it is also possible to use another, arbitrary certificate in principle, for example for setting up a secure TLS connection. Such a certificate is not necessarily provided for such data signature, but can nevertheless be used, since this can easily be taken into consideration for the implementation of the function for use and checking of the certificate.
The same configuration data 203 are obtained when the external memory apparatus is connected to a second apparatus and, after the signature and the security token are checked, the configuration data, in this case subset B, are signed using the security information and the security token of the second apparatus and both items of data are appended. In this case, the security token Cert(c) then corresponds to the security token or the digital certificate of the second apparatus.
The internal memory 102 is connected to a cryptographic computation unit 101. The cryptographic computation unit 101 signs the configuration data 103 using the private key 104, that is to say that a digital signature is formed. Subsequently, the configuration data 103, the digital signature and the security token 105 are stored on the external memory apparatus as configuration data 201. If the configuration data of the first apparatus 100 change, then the changed configuration data are signed again and are updated on the external memory apparatus 200, as already described.
If the device 100 is replaced by a second apparatus 300, then the external memory apparatus 200 is detached from the first apparatus and connected to the second apparatus 300, see connection in dashed lines. A second apparatus 300 differs from the first apparatus particularly by virtue of an apparatus-specific private key 104′ of the second apparatus and a correspondingly different security token 105′ or digital certificate 105′.
The second apparatus 300 now reads the configuration data 201 from the external memory apparatus 200, and checks the digital signature using the included public key that is in the certificate. The authenticity of the configuration data is checked by tracing back the digital certificate 105 to a common root certificate. If both the authenticity and integrity of the configuration data are confirmed, the second apparatus 300 loads the configuration data into the internal memory 102 and therefore has the exact same configuration 103 as the first apparatus 100. Subsequently, the cryptographic computation unit 101 generates a digital signature for the configuration data 103 using the private key 104′ of the second apparatus 300 and stores said digital signature on the external memory apparatus together with the certificate 105′ of the second apparatus 300. It is therefore possible for the second apparatus again to update its own configuration at any time on the external memory apparatus 200.
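The replacement flow of the arrangement and of the figure walk-through above (store signed data and token, check authenticity against a root in firmware, check integrity, take over the configuration, re-sign with the substitute's own key and replace the token), as an added Go example that is not part of the original document. The manufacturer root, both device key pairs and certificates, and the configuration bytes are all constructed in the example; `NewRoot`, `NewDevice`, `Store` and `Load` are names chosen here, not terms from the document. ECDSA P-256 with SHA-256 and X.509 certificates from the Go standard library are assumed as the asymmetric method.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device models an apparatus: its configuration data, private key (security information) and certificate (security token).
type Device struct {
	Config []byte
	Key    *ecdsa.PrivateKey
	Cert   *x509.Certificate
}

// ExternalMemory is what is written to the detachable storage medium.
type ExternalMemory struct {
	Config  []byte
	Sig     []byte
	CertDER []byte
}

// newPair generates a key pair and a certificate for it, self-signed when parent is nil (constructed PKI).
func newPair(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewRoot builds a manufacturer root; in practice the certificate is rooted in device firmware and the key stays with the manufacturer.
func NewRoot() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newPair(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Manufacturer Root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// NewDevice creates an apparatus with its own key pair and a certificate issued by the manufacturer root.
func NewDevice(name string, serial int64, config []byte, rootKey *ecdsa.PrivateKey, root *x509.Certificate) (*Device, error) {
	key, cert, err := newPair(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}, root, rootKey)
	return &Device{Config: config, Key: key, Cert: cert}, err
}

// Store signs the configuration data and writes data, signature and security token to the external memory.
func (d *Device) Store(mem *ExternalMemory) error {
	sum := sha256.Sum256(d.Config)
	sig, err := ecdsa.SignASN1(rand.Reader, d.Key, sum[:])
	if err != nil {
		return err
	}
	*mem = ExternalMemory{Config: d.Config, Sig: sig, CertDER: d.Cert.Raw}
	return nil
}

// Load is the substitute apparatus' start-up path: authenticity (token chains to the root in firmware),
// then integrity (signature over the data), then take over the configuration and re-sign it with its own key.
func (d *Device) Load(mem *ExternalMemory, root *x509.Certificate) error {
	cert, err := x509.ParseCertificate(mem.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("authenticity: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	sum := sha256.Sum256(mem.Config)
	if !ok || !ecdsa.VerifyASN1(pub, sum[:], mem.Sig) {
		return fmt.Errorf("integrity: signature does not match the configuration data")
	}
	d.Config = append([]byte(nil), mem.Config...)
	return d.Store(mem) // re-sign with this device's key and replace signature and token on the memory
}

func main() {
	rootKey, root, _ := NewRoot()
	first, _ := NewDevice("PLC-1", 2, []byte("constructed configuration"), rootKey, root)
	var mem ExternalMemory
	_ = first.Store(&mem)
	second, _ := NewDevice("PLC-2", 3, nil, rootKey, root) // substitute with its own key and token
	fmt.Println(second.Load(&mem, root), string(second.Config))
}
```

The order of checks in `Load` is deliberate: the certificate is traced to the root before its public key is trusted to verify anything, so a token that is internally consistent but issued outside the manufacturer's PKI is rejected before the data signature is even examined. After a successful load the memory carries the second apparatus' signature and certificate, which is what allows that apparatus to update the stored configuration on its own from then on.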
Security tokens or operative certificates 105, 105′ that are on hand on the first and second apparatuses 100, 300, for example for a measurement data signature, communication or the like, can also be used for securing the externally stored configuration data. This achieves protection for the configuration data on the external memory apparatus 200 against manipulation in the event of physical access. Furthermore, no additional administrative effort is required for a maintenance engineer or for a superordinate configuration server, for example, in order to provide a substitute apparatus having the exact same configuration as the apparatus to be replaced.
All the features described and/or depicted can be advantageously combined with one another within the scope of the invention. The invention is not restricted to the exemplary embodiments described.
Number | Date | Country | Kind |
---|---|---|---|
10 2015 213 412.1 | Jul 2015 | DE | national |
This application claims priority to PCT Application No. PCT/EP2016/062656, having a filing date of Jun. 3, 2016, based off of German application No. DE 102015213412.1 having a filing date of Jul. 16, 2015 the entire contents of both of which are hereby incorporated by reference.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2016/062656 | 6/3/2016 | WO | 00 |