Operator action authentication in an industrial control system

Description

BACKGROUND

Industrial control systems, such as standard industrial control systems (ICS) or programmable automation controllers (PAC), include various types of control equipment used in industrial production, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), and industrial safety systems certified to safety standards such as IEC1508. These systems are used in industries including electrical, water and wastewater, oil and gas production and refining, chemical, food, pharmaceuticals and robotics. Using information collected from various types of sensors to measure process variables, automated and/or operator-driven supervisory commands from the industrial control system can be transmitted to various actuator devices such as control valves, hydraulic actuators, magnetic actuators, electrical switches, motors, solenoids, and the like. These actuator devices collect data from sensors and sensor systems, open and close valves and breakers, regulate valves and motors, monitor the industrial process for alarm conditions, and so forth.

In other examples, SCADA systems can use open-loop control with process sites that may be widely separated geographically. These systems use Remote Terminal Units (RTUs) to send supervisory data to one or more control centers. SCADA applications that deploy RTU's include fluid pipelines, electrical distribution and large communication systems. DCS systems are generally used for real-time data collection and continuous control with high-bandwidth, low-latency data networks and are used in large campus industrial process plants, such as oil and gas, refining, chemical, pharmaceutical, food and beverage, water and wastewater, pulp and paper, utility power, and mining and metals. PLCs more typically provide Boolean and sequential logic operations, and timers, as well as continuous control and are often used in stand-alone machinery and robotics. Further, ICE and PAC systems can be used in facility processes for buildings, airports, ships, space stations, and the like (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption). As industrial control systems evolve, new technologies are combining aspects of these various types of control systems. For instance, PACs can include aspects of SCADA, DCS, and PLCs.

SUMMARY

According to various embodiments of this disclosure, a secure industrial control system includes one or more communications/control modules that control or drive one or more industrial elements (e.g., input/output (I/O) modules, power modules, field devices, switches, workstations, and/or physical interconnect devices). Operator actions and/or other commands or requests can be secured via an authentication path from an action originator to a communications/control module. In implementations, the industrial control system requires an action authenticator to sign an action request generated by the action originator. The destination communications/control module is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In this manner, malicious or otherwise unauthorized action requests are not processed, and thus the system is protected from malware, spyware, unauthorized changes of control parameters, unauthorized access to data, and so forth.

In some embodiments, the communications/control module includes at least one processor and a non-transitory medium bearing a set of instructions executable by the processor. The set of instructions includes at least instructions to: receive an action request initiated by an action originator and signed by an action authenticator; verify the authenticity of the signed action request; and perform a requested action when the authenticity of the signed action request is verified.

Further, a method of authenticating a requested action is disclosed. The method includes: signing an action request with an action authenticator; sending the signed action request to a communications/control module; verifying the authenticity of the signed action request; and performing a requested action with the communications/control module when the authenticity of the signed action request is verified.

This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. (This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.)

DRAWINGS

The Detailed Description is described with reference to the accompanying figures. The use of the same reference numbers in different instances in the description and the figures may indicate similar or identical items.

FIG. 1 is a block diagram illustrating an industrial control system in accordance with example embodiments of the present disclosure.

FIG. 2 is a block diagram illustrating an action authentication path for the industrial control system in accordance with example embodiments of the present disclosure.

FIG. 3 is a block diagram further illustrating the action authentication path in accordance with example embodiments of the present disclosure.

FIG. 4 is a flow diagram illustrating a method of authenticating an action request in accordance with example embodiments of the present disclosure.

FIG. 5 is a flow diagram further illustrating the method of authenticating the action request in accordance with example embodiments of the present disclosure.

DETAILED DESCRIPTION
Overview

In industrial control systems, various industrial elements/subsystems (e.g., input/output (I/O) modules, power modules, process sensors and/or actuators, switches, workstations, and/or physical interconnect devices) are controlled or driven by control elements/subsystems (e.g., one or more communications/control modules). The control elements/subsystems operate according to programming and action requests (e.g., executable software modules, control commands, data requests, and the like) received from an action originator such as, but not limited to: an operator interface (e.g., SCADA or human machine interface (HMI)), an engineering interface, a local application, and/or a remote application. Where multiple action originators are present, the industrial control system can be vulnerable to unauthorized access to data and/or controls. Further, the industrial control system can be vulnerable to malware, spyware, or other corrupt/malicious software that can be transmitted in the form of an update, application image, control command, or the like. Simply authenticating the operator may not be enough to secure the system from malicious actors or even unintentionally unauthorized requests/commands that can be originated via a valid login or a seemingly valid (e.g., hacked) application or operator/engineering interface.

The present disclosure is directed to industrial control system communications/control modules, subsystems and techniques for preventing unauthorized action requests from being processed in an industrial control system. In embodiments, a predefined selection of operations or all operator actions and/or other control actions or requests are secured via an authentication path from an action originator to a communications/control module. In implementations, the industrial control system requires an action authenticator to sign an action request generated by the action originator. Unsigned action requests may automatically result in an error and will not be processed or executed by the communications/control module. The communications/control module is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In this manner, malicious or otherwise unauthorized action requests are not processed, and thus the system is protected from malware, spyware, unauthorized changes of control parameters, unauthorized access to data, and so forth.

Example Implementations

FIG. 1 illustrates an industrial control system 100 in accordance with an example embodiment of the present disclosure. In embodiments, the industrial control system 100 may comprise an industrial control system (ICS), a programmable automation controller (PAC), a supervisory control and data acquisition (SCADA) system, a distributed control system (DCS), programmable logic controller (PLC), and industrial safety system certified to safety standards such as IEC1508, or the like. As shown in FIG. 1, the industrial control system 100 uses a communications control architecture to implement a distributed control system that includes one or more industrial elements (e.g., input/output modules, power modules, field devices, switches, workstations, and/or physical interconnect devices) that are controlled or driven by one or more control elements or subsystems 102 distributed throughout the system. For example, one or more I/O modules 104 may be connected to one or more communications/control modules 106 making up the control element/subsystem 102. The industrial control system 100 is configured to transmit data to and from the I/O modules 104. The I/O modules 104 can comprise input modules, output modules, and/or input and output modules. For instance, input modules can be used to receive information from input devices 130 (e.g., sensors) in the process, while output modules can be used to transmit instructions to output devices (e.g., actuators). For example, an I/O module 104 can be connected to a process sensor for measuring pressure in piping for a gas plant, a refinery, and so forth and/or connected to a process actuator for controlling a valve, binary or multiple state switch, transmitter, or the like. Field devices 130 are communicatively coupled with the IO modules 104 either directly or via network connections. These devices 130 can include control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like.

In implementations, the I/O modules 104 can be used the industrial control system 100 collect data in applications including, but not necessarily limited to critical infrastructure and/or industrial processes, such as product manufacturing and fabrication, utility power generation, oil, gas, and chemical refining; pharmaceuticals, food and beverage, pulp and paper, metals and mining and facility and large campus industrial processes for buildings, airports, ships, and space stations (e.g., to monitor and control Heating, Ventilation, and Air Conditioning (HVAC) equipment and energy consumption).

In implementations, an I/O module 104 can be configured to convert analog data received from the sensor to digital data (e.g., using Analog-to-Digital Converter (ADC) circuitry, and so forth). An I/O module 104 can also be connected to one or more process actuators such as a motor or a regulating valve or an electrical relay and other forms of actuators and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque, or position of the regulating valve or state of the electrical relay and so forth. Further, the I/O module 104 can be configured to convert digital data to analog data for transmission to the actuator (e.g., using Digital-to-Analog (DAC) circuitry, and so forth). In implementations, one or more of the I/O modules 104 can comprise a communications module configured for communicating via a communications sub-bus, such as an Ethernet bus, an H1 field bus, a Process Field Bus (PROFIBUS), a Highway Addressable Remote Transducer (HART) bus, a Modbus, and so forth. Further, two or more I/O modules 104 can be used to provide fault tolerant and redundant connections for various field devices 130 such as control valves, hydraulic actuators, magnetic actuators, motors, solenoids, electrical switches, transmitters, input sensors/receivers (e.g., illumination, radiation, gas, temperature, electrical, magnetic, and/or acoustic sensors) communications sub-busses, and the like.

Each I/O module 104 can be provided with a unique identifier (ID) for distinguishing one I/O module 104 from another I/O module 104. In implementations, an I/O module 104 is identified by its ID when it is connected to the industrial control system 100. Multiple I/O modules 104 can be used with the industrial control 100 to provide redundancy. For example, two or more I/O modules 104 can be connected to a process sensor and/or actuator. Each I/O module 104 can include one or more ports that furnish a physical connection to hardware and circuitry included with the I/O module 104, such as a printed circuit board (PCB), and so forth. For example, each I/O module 104 includes a connection for a cable that connects the cable to a printed wiring board (PWB) in the I/O module 104.

One or more of the I/O modules 104 can include an interface for connecting to other networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a Global System for Mobile communications (GSM) network; a wireless computer communications network, such as a Wi-Fi network (e.g., a Wireless LAN (WLAN) operated using IEEE 802.11 network standards); a Personal Area Network (PAN) (e.g., a Wireless PAN (WPAN) operated using IEEE 802.15 network standards); a Wide Area Network (WAN); an intranet; an extranet; an internet; the Internet; and so on. Further, one or more of the I/O modules 104 can include a connection for connecting an I/O module 104 to a computer bus, and so forth.

The communications/control modules 106 can be used to monitor and control the I/O modules 104, and to connect two or more I/O modules 104 together. In embodiments of the disclosure, a communications/control module 106 can update a routing table when an I/O module 104 is connected to the industrial control system 100 based upon a unique ID for the I/O module 104. Further, when multiple redundant I/O modules 104 are used, each communications/control module 106 can implement mirroring of informational databases regarding the I/O modules 104 and update them as data is received from and/or transmitted to the I/O modules 104. In some embodiments, two or more communications/control module 106 are used to provide redundancy. For added security, the communications/control module 106 can be configured to perform an authentication sequence or handshake to authenticate one another at predefined events or times including such as startup, reset, installation of a new control module 106, replacement of a communications/control module 106, periodically, scheduled times, and the like.

As shown in FIGS. 2 and 3, each communications/control module 106 or any other industrial element/controller 206 (e.g., I/O module 104, field device 130 such as an actuator or sensor, physical interconnect device, switch, power module 112, or the like) can be at least partially operated according to requests/commands from an action originator 202. In implementations, the action originator 202 includes an operator interface 208 (e.g., SCADA or HMI), an engineering interface 210 including an editor 212 and a compiler 214, a local application 220, a remote application 216 (e.g., communicating through a network 218 via a local application 220), or the like. In the authentication path 200 illustrated in FIGS. 2 and 3, the industrial element/controller 206 (e.g., communications/control module 106, I/O module 104, field device 130 such as an actuator or sensor, physical interconnect device, switch, power module 112, or the like) processes an action request (e.g., request for data, control command, firmware/software update, set point control, application image download, or the like) only when the action request has been signed and/or encrypted by an action authenticator 204. This prevents unauthorized action requests from valid user profiles and further secures the system from unauthorized action requests coming from invalid (e.g., hacked) profiles.

The action authenticator 204 can either be on-site with the action originator 202 (e.g., directly connected device lifecycle management system (“DLM”) 222 or secured workstation 226) or remotely located (e.g., DLM 222 connected via the network 218). In general, the action authenticator 204 includes a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt the action request generated by the action originator 202 with the private key. The private key is stored in a memory that cannot be accessed via standard operator login. For instance, the secured workstation 226 can require a physical key, portable encryption device (e.g., smart card, RFID tag, or the like), and/or biometric input for access.

In some embodiments, the action authenticator 204 includes a portable encryption device such as a smart card 224 (which can include a secured microprocessor). The advantage of using a portable encryption device is that the entire device (including the privately stored key and processor in communication therewith) can be carried with an operator or user that has authorized access to an interface of the action originator 202. Whether the action authentication node 204 accesses the authentication path 200 via secured or unsecured workstation, the action request from the action originator 202 can be securely signed and/or encrypted within the architecture of the portable encryption device instead of a potentially less secure workstation or cloud-based architecture. This secures the industrial control system 100 from unauthorized actions. For instance, an unauthorized person would have to physically take possession of the smart card 224 before being able to authenticate any action requests sent via the action originator 202.

Furthermore, multiple layers of security can be employed. For example, the action authenticator 204 can include a secured workstation 226 that is only accessible to sign and/or encrypt action requests via smart card access or the like. Additionally, the secured workstation 226 can be accessible via a biometric or multifactor cryptography device 228 (e.g., fingerprint scanner, iris scanner, and/or facial recognition device). In some embodiments, a multifactor cryptography device 228 requires a valid biometric input before enabling the smart card 224 or other portable encryption device to sign the action request.

The communications/control module 106 or any other industrial element/controller 206 being driven by the action originator 202 is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. In some embodiments, the industrial element/controller 206 includes a storage medium 230 (e.g., SD/micro-SD card, HDD, SSD, or any other non-transitory storage device) configured to store the action request (e.g., application image, control command, and/or any other data sent by the action originator). The communications/control module 106 or any other industrial element/controller 206 further includes a processor 232 that performs/executes the action request (i.e., performs the requested action) after the signature is verified. In some embodiments, the action request is encrypted by the action originator 202 and/or the action authenticator 232 and must also be decrypted by the processor 232 before the requested action can be performed. In implementations, the communications/control module 106 or any other industrial element/controller 206 includes a virtual key switch 234 (e.g., a software module running on the processor 232) that enables the processor 232 to perform the requested action only after the action request signature is verified and/or after the action request is decrypted. In some embodiments, each and every action or each one of a selection of critical actions must clear the authentication path before being run on the communications/control module 106 or any other industrial element/controller 206.

FIGS. 4 and 5 illustrate a method 300 of authenticating an action request in accordance with exemplary embodiments of this disclosure. In implementations, the method 300 can be manifested by the industrial control system 100 and/or authentication path 200 of the industrial control system 100. The method 300 includes: (302) originating an action request (e.g., via an operator/engineering interface 208/210 or a remote/local application interface 216/220); (304) signing the action request with the action authenticator 204; (312) optionally encrypting the action request with the action authenticator 204; (306) sending or downloading the signed action request to a communications/control module 106 or any other industrial element/controller 206; (308) verifying the authenticity of the signed action request; (314) optionally decrypting the action request with the communications/control module 106 or any other industrial element/controller 206; and (310) performing a requested action with the communications/control module 106 or any other industrial element/controller 206 when the authenticity of the signed action request is verified.

For enhanced security, the communications/control module 106 or any other industrial element/controller 206 can be further configured to perform an authentication sequence with the action authenticator 204 (e.g., with a smart card 224 or the like) before the requested action is run by the communications/control module 106 or any other industrial element/controller 206. For example, the so-called “handshake” can be performed prior to step 310 or even prior to step 306. In some embodiments, the signature and verification steps 304 and 308 can be completely replaced with a more intricate authentication sequence. Alternatively, the authentication sequence can be performed as an additional security measure to augment the simpler signature verification and/or decryption measures.

In some embodiments, the authentication sequence implemented by the communications/control module 106 or any other industrial element/controller 206 can include: sending a request datagram to the action authenticator 204, the request datagram including a first nonce, a first device authentication key certificate (e.g., a first authentication certificate that contains a device authentication key), and a first identity attribute certificate; receiving a response datagram from the action authenticator 204, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate (e.g., a second authentication certificate that contains a device authentication key), and a second identity attribute certificate; validating the response datagram by verifying the first signature associated with the first and second nonces, the second device authentication key certificate, and the second identity attribute certificate; and sending an authentication datagram to the action authenticator 204 when the response datagram is valid, the authentication datagram including a second signature associated with the first and second nonces.

Alternatively, the action authenticator 204 can initiate the handshake, in which case the authentication sequence implemented by the communications/control module 106 or any other industrial element/controller 206 can include: receiving a request datagram from the action authenticator 204, the request datagram including a first nonce, a first device authentication key certificate, and a first identity attribute certificate; validating the request datagram by verifying the first device authentication key certificate and the first identity attribute certificate; sending a response datagram to the action authenticator 204 when the request datagram is valid, the response datagram including a second nonce, a first signature associated with the first and second nonces, a second device authentication key certificate, and a second identity attribute certificate; receiving an authentication datagram from the action authenticator 204, the authentication datagram including a second signature associated with the first and second nonces; and validating the authentication datagram by verifying the second signature associated with the first and second nonces.

The handshake or authentication sequence that can be implemented by the communications/control module 106 or any other industrial element/controller 206 and the action authenticator 204 is further described in co-pending U.S. Non-provisional application Ser. No. 14/519,047, titled “INDUSTRIAL CONTROL SYSTEM REDUNDANT COMMUNICATIONS/CONTROL MODULES AUTHENTICATION,” by Timothy Clish et al., filed Oct. 20, 2014, fully incorporated herein by reference. Those skilled in the art will appreciate the applicability of the handshake between redundant communications/control modules 106 to the handshake described herein between the communications/control module 106 or any other industrial element/controller 206 and the action authenticator 204.

Each of the action originator 202, the action authenticator 204, and communications/control module 106 or any other industrial element/controller 206 can include circuitry and/or logic enabled to perform the functions or operations (e.g., blocks of method 300 and the authentication sequence) described herein. For example, each of the action originator 202, the action authenticator 204, and the communications/control module 106 or any other industrial element/controller 206 can include one or more processors that execute program instruction stored permanently, semi-permanently, or temporarily by a non-transitory machine readable medium such as, but not limited to: a hard disk drive (HDD), solid-state disk (SDD), optical disk, magnetic storage device, flash drive, or SD/micro-SD card.

Referring again to FIG. 1, data transmitted by the industrial control system 100 can be packetized, i.e., discrete portions of the data can be converted into data packets comprising the data portions along with network control information, and so forth. The industrial control system 100 can use one or more protocols for data transmission, including a bit-oriented synchronous data link layer protocol such as High-Level Data Link Control (HDLC). In some embodiments, the industrial control system 100 implements HDLC according to an International Organization for Standardization (ISO) 13239 standard, or the like. Further, two or more communications/control modules 106 can be used to implement redundant HDLC. However, it should be noted that HDLC is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, the industrial control system 100 can use other various communications protocols in accordance with the present disclosure.

One or more of the communications/control module 106 can be configured for exchanging information with components used for monitoring and/or controlling the field devices 130 (e.g., sensor and/or actuator instrumentation) connected to the industrial control system 100 via the I/O modules 104, such as one or more control loop feedback mechanisms/controllers. In implementations, a controller can be configured as a microcontroller/Programmable Logic Controller (PLC), a Proportional-Integral-Derivative (PID) controller, and so forth. In some embodiments, the I/O modules 104 and the communications/control modules 106 include network interfaces, e.g., for connecting one or more I/O modules 104 to one or more controllers via a network. In implementations, a network interface can be configured as a Gigabit Ethernet interface for connecting the I/O modules 104 to a Local Area Network (LAN). Further, two or more communications/control modules 106 can be used to implement redundant Gigabit Ethernet. However, it should be noted that Gigabit Ethernet is provided by way of example only and is not meant to be restrictive of the present disclosure. Thus, a network interface can be configured for connecting the communications/control modules 106 to other various networks including, but not necessarily limited to: a wide-area cellular telephone network, such as a 3G cellular network, a 4G cellular network, or a GSM network; a wireless computer communications network, such as a Wi-Fi network (e.g., a WLAN operated using IEEE 802.11 network standards); a PAN (e.g., a WPAN operated using IEEE 802.15 network standards); a WAN; an intranet; an extranet; an internet; the Internet; and so on. Additionally, a network interface can be implemented using a computer bus. For example, a network interface can include a Peripheral Component Interconnect (PCI) card interface, such as a Mini PCI interface, and so forth. Further, the network can be configured to include a single network or multiple networks across different access points.

The industrial control system 100 can receive electrical power from multiple sources. For example, AC power is supplied from a power grid 108 (e.g., using high voltage power from AC mains). AC power can also be supplied using local power generation (e.g., an on-site turbine or diesel local power generator 110). A power supply 112 is used to distribute electrical power from the power grid 108 to automation equipment of the industrial control system 100, such as controllers, I/O modules, and so forth. A power supply 112 can also be used to distribute electrical power from the local power generator 110 to the industrial control system equipment. The industrial control system 100 can also include additional (backup) power supplies configured to store and return DC power using multiple battery modules. For example, a power supply 112 functions as a UPS. In embodiments of the disclosure, multiple power supplies 112 can be distributed (e.g., physically decentralized) within the industrial control system 100.

In some embodiments, the control elements/subsystems and/or industrial elements (e.g., the I/O modules 104, the communications/control modules 106, the power supplies 112, and so forth) are connected together by one or more backplanes 114. For example, communications/control modules 106 can be connected to I/O modules 104 by a communications backplane 116. Further, power supplies 112 can be connected to I/O modules 104 and/or to communications/control modules 106 by a power backplane 118. In some embodiments, physical interconnect devices (e.g., switches, connectors, or cables such as, but not limited to, those described in U.S. Non-provisional application Ser. No. 14/446,412) are used to connect to the I/O modules 104, the communications/control modules 106, the power supplies 112, and possibly other industrial control system equipment. For example, a cable can be used to connect a communications/control module 106 to a network 120, another cable can be used to connect a power supply 112 to a power grid 108, another cable can be used to connect a power supply 112 to a local power generator 110, and so forth.

In some embodiments, the industrial control system 100 implements a secure control system. For example, the industrial control system 100 includes a security credential source (e.g., a factory 122) and a security credential implementer (e.g., a key management entity 124). The security credential source is configured to generate a unique security credential (e.g., a key, a certificate, etc., such as a unique identifier, and/or a security credential). The security credential implementer is configured to provision the control elements/subsystems and/or industrial elements (e.g., cables, devices 130, I/O modules 104, communications/control modules 106, power supplies 112, and so forth) with a unique security credential generated by the security credential source.

Multiple (e.g., every) device 130, I/O module 104, communications/control module 106, power supply 112, physical interconnect devices, etc., of the industrial control system 100 can be provisioned with security credentials for providing security at multiple (e.g., all) levels of the industrial control system 100. Still further, the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, can be provisioned with the unique security credentials (e.g., keys, certificates, etc.) during manufacture (e.g., at birth), and can be managed from birth by a key management entity 124 of the industrial control system 100 for promoting security of the industrial control system 100.

In some embodiments, communications between the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, of the industrial control system 100 includes an authentication process. The authentication process can be performed for authenticating control elements/subsystem and/or industrial elements including the sensors and/or actuators and so forth, implemented in the industrial control system 100. Further, the authentication process can utilize security credentials associated with the element and/or physical interconnect device for authenticating that element and/or physical interconnect device. For example, the security credentials can include encryption keys, certificates (e.g., public key certificates, digital certificates, identity certificates, security certificates, asymmetric certificates, standard certificates, non-standard certificates) and/or identification numbers.

In implementations, multiple control elements/subsystems and/or industrial elements of the industrial control system 100 are provisioned with their own unique security credentials. For example, each element of the industrial control system 100 may be provisioned with its own unique set(s) of certificates, encryption keys and/or identification numbers when the element is manufactured (e.g., the individual sets of keys and certificates are defined at the birth of the element). The sets of certificates, encryption keys and/or identification numbers are configured for providing/supporting strong encryption. The encryption keys can be implemented with standard (e.g., commercial off-the-shelf (COTS)) encryption algorithms, such as National Security Agency (NSA) algorithms, National Institute of Standards and Technology (NIST) algorithms, or the like.

Based upon the results of the authentication process, the element being authenticated can be activated, partial functionality of the element can be enabled or disabled within the industrial control system 100, complete functionality of the element can be enabled within the industrial control system 100, and/or functionality of the element within the industrial control system 100 can be completely disabled (e.g., no communication facilitated between that element and other elements of the industrial control system 100).

In embodiments, the keys, certificates and/or identification numbers associated with an element of the industrial control system 100 can specify the original equipment manufacturer (OEM) of that element. As used herein, the term “original equipment manufacturer” or “OEM” can be defined as an entity that physically manufactures the device (e.g., element) and/or a supplier of the device such as an entity that purchases the device from a physical manufacturer and sells the device. Thus, in embodiments, a device can be manufactured and distributed (sold) by an OEM that is both the physical manufacturer and the supplier of the device. However, in other embodiments, a device can be distributed by an OEM that is a supplier, but is not the physical manufacturer. In such embodiments, the OEM can cause the device to be manufactured by a physical manufacturer (e.g., the OEM can purchase, contract, order, etc. the device from the physical manufacturer).

Additionally, where the OEM comprises a supplier that is not the physical manufacturer of the device, the device can bear the brand of the supplier instead of brand of the physical manufacturer. For example, in embodiments where an element (e.g., a communications/control module 106) is associated with a particular OEM that is a supplier but not the physical manufacturer, the element's keys, certificates and/or identification numbers can specify that origin. During authentication of an element of the industrial control system 100, when a determination is made that an element being authenticated was manufactured or supplied by an entity that is different than the OEM of one or more other elements of the industrial control system 100, then the functionality of that element can be at least partially disabled within the industrial control system 100. For example, limitations can be placed upon communication (e.g., data transfer) between that element and other elements of the industrial control system 100, such that the element cannot work/function within the industrial control system 100. When one of the elements of the industrial control system 100 requires replacement, this feature can prevent a user of the industrial control system 100 from unknowingly replacing the element with a non-homogenous element (e.g., an element having a different origin (a different OEM) than the remaining elements of the industrial control system 100) and implementing the element in the industrial control system 100. In this manner, the techniques described herein can prevent the substitution of elements of other OEM's into a secure industrial control system 100. In one example, the substitution of elements that furnish similar functionality in place of elements provided by an originating OEM can be prevented, since the substituted elements cannot authenticate and operate within the originating OEM's system. In another example, a first reseller can be provided with elements having a first set of physical and cryptographic labels by an originating OEM, and the first reseller's elements can be installed in an industrial control system 100. In this example, a second reseller can be provided with elements having a second (e.g., different) set of physical and cryptographic labels by the same originating OEM. In this example, the second reseller's elements may be prevented from operating within the industrial control system 100, since they may not authenticate and operate with the first reseller's elements. However, it should also be noted that the first reseller and the second reseller may enter into a mutual agreement, where the first and second elements can be configured to authenticate and operate within the same industrial control system 100. Further, in some embodiments, an agreement between resellers to allow interoperation can also be implemented so the agreement only applies to a specific customer, group of customers, facility, etc.

In another instance, a user can attempt to implement an incorrectly designated (e.g., mismarked) element within the industrial control system 100. For example, the mismarked element can have a physical indicia marked upon it which falsely indicates that the element is associated with the same OEM as the OEM of the other elements of the industrial control system 100. In such instances, the authentication process implemented by the industrial control system 100 can cause the user to be alerted that the element is counterfeit. This process can also promote improved security for the industrial control system 100, since counterfeit elements are often a vehicle by which malicious software can be introduced into the industrial control system 100. In embodiments, the authentication process provides a secure air gap for the industrial control system 100, ensuring that the secure industrial control system is physically isolated from insecure networks.

In implementations, the secure industrial control system 100 includes a key management entity 124. The key management entity 124 can be configured for managing cryptographic keys (e.g., encryption keys) in a cryptosystem. This managing of cryptographic keys (e.g., key management) can include the generation, exchange, storage, use, and/or replacement of the keys. For example, the key management entity 124 is configured to serve as a security credentials source, generating unique security credentials (e.g., public security credentials, secret security credentials) for the elements of the industrial control system 100. Key management pertains to keys at the user and/or system level (e.g., either between users or systems).

In embodiments, the key management entity 124 comprises a secure entity such as an entity located in a secure facility. The key management entity 124 can be remotely located from the I/O modules 104, the communications/control modules 106, and the network 120. For example, a firewall 126 can separate the key management entity 124 from the control elements or subsystems 102 and the network 120 (e.g., a corporate network). In implementations, the firewall 126 can be a software and/or hardware-based network security system that controls ingoing and outgoing network traffic by analyzing data packets and determining whether the data packets should be allowed through or not, based on a rule set. The firewall 126 thus establishes a barrier between a trusted, secure internal network (e.g., the network 120) and another network 128 that is not assumed to be secure and trusted (e.g., a cloud and/or the Internet). In embodiments, the firewall 126 allows for selective (e.g., secure) communication between the key management entity 124 and one or more of the control elements or subsystems 102 and/or the network 120. In examples, one or more firewalls can be implemented at various locations within the industrial control system 100. For example, firewalls can be integrated into switches and/or workstations of the network 120.

The secure industrial control system 100 can further include one or more manufacturing entities (e.g., factories 122). The manufacturing entities can be associated with original equipment manufacturers (OEMs) for the elements of the industrial control system 100. The key management entity 124 can be communicatively coupled with the manufacturing entity via a network (e.g., a cloud). In implementations, when the elements of the industrial control system 100 are being manufactured at one or more manufacturing entities, the key management entity 124 can be communicatively coupled with (e.g., can have an encrypted communications pipeline to) the elements. The key management entity 124 can utilize the communications pipeline for provisioning the elements with security credentials (e.g., inserting keys, certificates and/or identification numbers into the elements) at the point of manufacture.

Further, when the elements are placed into use (e.g., activated), the key management entity 124 can be communicatively coupled (e.g., via an encrypted communications pipeline) to each individual element worldwide and can confirm and sign the use of specific code, revoke (e.g., remove) the use of any particular code, and/or enable the use of any particular code. Thus, the key management entity 124 can communicate with each element at the factory where the element is originally manufactured (e.g., born), such that the element is born with managed keys. A master database and/or table including all encryption keys, certificates and/or identification numbers for each element of the industrial control system 100 can be maintained by the key management entity 124. The key management entity 124, through its communication with the elements, is configured for revoking keys, thereby promoting the ability of the authentication mechanism to counter theft and re-use of components.

In implementations, the key management entity 124 can be communicatively coupled with one or more of the control elements/subsystems, industrial elements, and/or the network 120 via another network (e.g., a cloud and/or the Internet) and firewall. For example, in embodiments, the key management entity 124 can be a centralized system or a distributed system. Moreover, in embodiments, the key management entity 124 can be managed locally or remotely. In some implementations, the key management entity 124 can be located within (e.g., integrated into) the network 120 and/or the control elements or subsystems 102. The key management entity 124 can provide management and/or can be managed in a variety of ways. For example, the key management entity 124 can be implemented/managed: by a customer at a central location, by the customer at individual factory locations, by an external third party management company and/or by the customer at different layers of the industrial control system 100, and at different locations, depending on the layer.

Varying levels of security (e.g., scalable, user-configured amounts of security) can be provided by the authentication process. For example, a base level of security can be provided which authenticates the elements and protects code within the elements. Other layers of security can be added as well. For example, security can be implemented to such a degree that a component, such as the communications/control module 106, cannot power up without proper authentication occurring. In implementations, encryption in the code is implemented in the elements, while security credentials (e.g., keys and certificates) are implemented on the elements. Security can be distributed (e.g., flows) through the industrial control system 100. For example, security can flow through the industrial control system 100 all the way to an end user, who knows what a module is designed to control in that instance. In embodiments, the authentication process provides encryption, identification of devices for secure communication and authentication of system hardware or software components (e.g., via digital signature).

In implementations, the authentication process can be implemented to provide for and/or enable interoperability within the secure industrial control system 100 of elements manufactured and/or supplied by different manufacturers/vendors/suppliers (e.g., OEMs). For example, selective (e.g., some) interoperability between elements manufactured and/or supplied by different manufacturers/vendors/suppliers can be enabled. In embodiments, unique security credentials (e.g., keys) implemented during authentication can form a hierarchy, thereby allowing for different functions to be performed by different elements of the industrial control system 100.

The communication links connecting the components of the industrial control system 100 can further employ data packets, such as runt packets (e.g., packets smaller than sixty-four (64) bytes), placed (e.g., injected and/or stuffed) therein, providing an added level of security. The use of runt packets increases the level of difficulty with which outside information (e.g., malicious content such as false messages, malware (viruses), data mining applications, etc.) can be injected onto the communications links. For example, runt packets can be injected onto a communication link within gaps between data packets transmitted between the action originator 204 and the communications/control module 106 or any other industrial element/controller 206 to hinder an external entity's ability to inject malicious content onto the communication link.

Generally, any of the functions described herein can be implemented using hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, manual processing, or a combination thereof. Thus, the blocks discussed in the above disclosure generally represent hardware (e.g., fixed logic circuitry such as integrated circuits), software, firmware, or a combination thereof. In the instance of a hardware configuration, the various blocks discussed in the above disclosure may be implemented as integrated circuits along with other functionality. Such integrated circuits may include all of the functions of a given block, system, or circuit, or a portion of the functions of the block, system, or circuit. Further, elements of the blocks, systems, or circuits may be implemented across multiple integrated circuits. Such integrated circuits may comprise various integrated circuits, including, but not necessarily limited to: a monolithic integrated circuit, a flip chip integrated circuit, a multichip module integrated circuit, and/or a mixed signal integrated circuit. In the instance of a software implementation, the various blocks discussed in the above disclosure represent executable instructions (e.g., program code) that perform specified tasks when executed on a processor. These executable instructions can be stored in one or more tangible computer readable media. In some such instances, the entire system, block, or circuit may be implemented using its software or firmware equivalent. In other instances, one part of a given system, block, or circuit may be implemented in software or firmware, while other parts are implemented in hardware.

Although the subject matter has been described in language specific to structural features and/or process operations, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims

1. A secure industrial control system, comprising: an action originator configured to transmit an action request received at the action originator;an action authenticator located physically remotely from the action originator and including at least one processor in communication with a storage medium having a private key provisioned by the key management entity stored thereon configured to: receive the action request from the action originator,determine whether the received action request is an authorized action request independent of the action originator,sign the received action request with the private key thereby generating a signed version of the action request based on the determinationtransmit the action request; anda communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive industrial sensor information or send control information to an industrial actuator or motor, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to: receive the action request from the action authenticator, the action request forming a part of a request datagram, the request datagram comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate;authenticate the received action request based on a determination of whether the received action is the signed version of the action request, wherein authenticating the received action request further comprises:verifying that the request datagram is valid;sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce;validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce; andexecute the action request based on whether the received action request is an authenticated action request, wherein the action request includes operator control actions, including: reading or changing control set points, controlling one or more actuators, and executing control commands from an operator interface or an engineering interface.
2. The industrial control system of claim 1, wherein the action originator comprises at least one of: an operator interface, an engineering interface, a local application interface, and a remote application interface.
3. The secure industrial control system of claim 1, wherein the action authenticator comprises a portable encryption device that includes the at least one processor in communication with the storage medium having the private key stored thereon.
4. The secure industrial control system of claim 3, wherein the processor comprises an encrypted microprocessor.
5. The secure industrial control system of claim 3, wherein the portable encryption device comprises a smart card.
6. The secure industrial control system of claim 1, wherein the action authenticator comprises a secured workstation.
7. The secure industrial control system of claim 6, wherein the secured workstation is accessible via at least one of: a physical key, a portable encryption device, and a biometric cryptography device.
8. The secure industrial control system of claim 1, wherein the action authenticator is configured to encrypt the action request prior to transmission of the action request to the communication/control module.
9. The secure industrial control system of claim 1, wherein the communications/control module further includes a virtual key switch that enables the at least one processor to execute the action request upon authentication of the action request as the signed version of the action request.
10. The secure industrial control system of claim 1, wherein the communications/control module and the action authenticator are further configured to perform an authentication sequence.
11. The secure industrial control system of claim 1, wherein the one or more industrial elements further include at least one of: a communications/control module, a power module, a field device, a switch, a workstation, and a physical interconnect device.
12. A communications/control module, comprising: at least one processor; anda non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to:receive an action request initiated at an action originator, the action request forming a part of a request datagram, the request comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate, wherein: an unsigned version of the action request is transmitted from the action originator to an action authenticator located physically remotely from the action originator,the action authenticator determines whether the received action request is an authorized action request independent of the action originator, wherein the determination further comprises:verifying that the request datagram is valid;sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce;validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce, whereinthe action authenticator generates a signed version of the action request based on the determination, andthe action authenticator transmits the action request to the communication/control module;determine an authenticity of the received action request based on whether the received action request is the signed version of the action request; andperform an action associated with the received action request based on the determination, wherein the action request includes at least one operator control action provided at the action originator, and wherein the action originator includes at least one of: an operator interface, an engineering interface, a local application interface, and a remote application interface.
13. The communications/control module of claim 12, further comprising: a virtual key switch that enables the at least one processor to run execute the received action request upon a determination that the received action request is a signed version of the action request.
14. The communications/control module of claim 12, wherein the received action request is an encrypted version of the action request and the set of instructions further includes instructions to decrypt the encrypted version of the action request.
15. The communications/control module of claim 12, wherein the instructions to execute the action request upon a determination that the action request is a signed version of the action request includes: instructions to control a communicatively coupled industrial element including at least one of: a communications/control module, an input/output module, a power module, a field device, a switch, a workstation, and a physical interconnect device.
16. A method of executing a requested action in a secure industrial control system, comprising: receiving an action request at an action originator, the action request forming a part of a request datagram, the request comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate;transmitting the action request from the action originator;receiving the action request from the action originator at an action authenticator located physically remotely from the action originator;determining whether the action request is an authorized action request at the action authenticator independent of the action originator;signing the action request at the action authenticator based on the determination, the action authenticator including at least one processor in communication with a storage medium having a private key stored thereon, the at least one processor being configured to sign the action request with the private key based on the determination thereby generating a signed version of the action request;receiving the action request at a communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive industrial sensor information or send control information to an industrial actuator or motor, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor for controlling communications with the one or more industrial elements;determining whether the action request is a signed version of the action request at the communication/control module; authenticating, at the communications/control module, the action request based on the determination, wherein authenticating the action request further comprises:verifying that the request datagram is valid;sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce;validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce; andexecuting the action request, via the communications/control module, only if the action request is authenticated, wherein the action request includes operator control actions, including: reading or changing control set points, controlling one or more actuators, and executing control commands from an operator interface, and an engineering interface.
17. The method of claim 16, wherein the action request is encrypted by the action authenticator prior to transmission to the communication/control module.
18. The method of claim 16, wherein the action authenticator comprises at least one of: a portable encryption device, a secured workstation, and a device lifecycle management system.
19. The method of claim 16, wherein executing the action request further includes: controlling an industrial element according to the action request, the industrial element including at least one of: a communications/control module, an input/output module, a power module, a field device, a switch, a workstation, and a physical interconnect device.
20. The secure industrial control system of claim 1, wherein the communications/control module and the at least one input/output module are configured to receive respective first and second unique security credentials at respective points of manufacture from the key management entity, the first and second unique security credentials being stored in respective memories of the communications/control module and the at least one input/output module, wherein at least one of the first and second unique security credentials is at least one of modifiable, revocable, or authenticatable by the key management entity at a site different from the respective point of manufacture of the respective one of the communications/control module and the at least one input/output module.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation-in-part of International Application No. PCT/US2013/053721, filed Aug. 6, 2013, and titled, “SECURE INDUSTRIAL CONTROL SYSTEM.” The present application is also a continuation-in-part under 35 U.S.C. § 120 of U.S. patent application Ser. No. 14/469,931, filed Aug. 27, 2014, and titled “SECURE INDUSTRIAL CONTROL SYSTEM.” The present application is also a continuation-in-part under 35 U.S.C. § 120 of U.S. patent application Ser. No. 14/446,412, filed Jul. 30, 2014, and titled “INDUSTRIAL CONTROL SYSTEM CABLE,” which claims priority under 35 U.S.C. § 119(e) of U.S. Provisional Application Ser. No. 62/021,438, filed Jul. 7, 2014, and titled “INDUSTRIAL CONTROL SYSTEM CABLE.” U.S. Provisional Application Ser. No. 62/021,438; U.S. patent application Ser. Nos. 14/446,412 and 14/469,931; and International Application No. PCT/US2013/053721 are herein incorporated by reference in their entireties.

US Referenced Citations (242)

Number	Name	Date	Kind
4628308	Robert	Dec 1986	A
4672529	Kupersmit	Jun 1987	A
4882702	Struger et al.	Nov 1989	A
4929939	Varma et al.	May 1990	A
5385487	Beitman	Jan 1995	A
5385490	Demeter et al.	Jan 1995	A
5388099	Poole	Feb 1995	A
5422558	Stewart	Jun 1995	A
5546463	Caputo	Aug 1996	A
5602754	Beatty et al.	Feb 1997	A
5603044	Annapareddy et al.	Feb 1997	A
5719483	Abbott et al.	Feb 1998	A
5724349	Cloonan et al.	Mar 1998	A
5773962	Nor	Jun 1998	A
5860824	Fan	Jan 1999	A
5909368	Nixon et al.	Jun 1999	A
5951666	Ilting et al.	Sep 1999	A
5958030	Kwa	Sep 1999	A
5963448	Flood et al.	Oct 1999	A
6009410	LeMole et al.	Dec 1999	A
6046513	Jouper et al.	Apr 2000	A
6124778	Rowley et al.	Sep 2000	A
6178474	Hamano et al.	Jan 2001	B1
6219789	Little et al.	Apr 2001	B1
6220889	Ely et al.	Apr 2001	B1
6393565	Lockhart et al.	May 2002	B1
6435409	Hu	Aug 2002	B1
6453416	Epstein	Sep 2002	B1
6480963	Tachibana et al.	Nov 2002	B1
6490176	Holzer et al.	Dec 2002	B2
6574681	White et al.	Jun 2003	B1
6643777	Chu	Nov 2003	B1
6695620	Huang	Feb 2004	B1
6799234	Moon et al.	Sep 2004	B1
6812803	Goergen	Nov 2004	B2
6814580	Li et al.	Nov 2004	B2
6988162	Goergen	Jan 2006	B2
7164255	Hui	Jan 2007	B2
7172428	Huang	Feb 2007	B2
7234963	Huang	Jun 2007	B1
7415368	Gilbert	Aug 2008	B2
7426585	Rourke	Sep 2008	B1
7460482	Pike	Dec 2008	B2
7510420	Mori	Mar 2009	B2
7526676	Chou et al.	Apr 2009	B2
7529862	Isani et al.	May 2009	B2
7536548	Batke et al.	May 2009	B1
7587481	Osburn, III	Sep 2009	B1
7614909	Lin	Nov 2009	B2
7619386	Sasaki et al.	Nov 2009	B2
7622994	Galal	Nov 2009	B2
7660998	Walmsley	Feb 2010	B2
7670190	Shi et al.	Mar 2010	B2
7746846	Boora et al.	Jun 2010	B2
7761640	Hikabe	Jul 2010	B2
7774074	Davlin et al.	Aug 2010	B2
7790304	Hendricks et al.	Sep 2010	B2
7811136	Hsieh et al.	Oct 2010	B1
7815471	Wu	Oct 2010	B2
7822994	Hamaguchi	Oct 2010	B2
7839025	Besser et al.	Nov 2010	B2
7872561	Matumoto	Jan 2011	B2
7948758	Buhler et al.	May 2011	B2
7960870	Besser et al.	Jun 2011	B2
7971052	Lucas et al.	Jun 2011	B2
8013474	Besser et al.	Sep 2011	B2
8019194	Morrison et al.	Sep 2011	B2
8032745	Bandholz et al.	Oct 2011	B2
8062070	Jeon et al.	Nov 2011	B2
8132231	Amies et al.	Mar 2012	B2
8143858	Tsugawa et al.	Mar 2012	B2
8149587	Baran et al.	Apr 2012	B2
8157569	Liu	Apr 2012	B1
8181262	Cooper et al.	May 2012	B2
8189101	Cummings et al.	May 2012	B2
8212399	Besser et al.	Jul 2012	B2
8266360	Agrawal	Sep 2012	B2
8295770	Seil et al.	Oct 2012	B2
8310380	Aria et al.	Nov 2012	B2
8380905	Djabbari et al.	Feb 2013	B2
8390441	Covaro et al.	Mar 2013	B2
8465762	Lee et al.	Jun 2013	B2
8480438	Mattson	Jul 2013	B2
8560147	Taylor et al.	Oct 2013	B2
8587318	Chandler et al.	Nov 2013	B2
8677145	Maletsky et al.	Mar 2014	B2
8694770	Osburn, III	Apr 2014	B1
8777671	Huang	Jul 2014	B2
8862802	Calvin et al.	Oct 2014	B2
8868813	Calvin et al.	Oct 2014	B2
8971072	Calvin et al.	Mar 2015	B2
9318917	Kubota et al.	Apr 2016	B2
9436641	Calvin et al.	Sep 2016	B2
9465762	Calvin et al.	Oct 2016	B2
9467297	Clish et al.	Oct 2016	B2
9812803	Toyoda et al.	Nov 2017	B2
10103875	Roth	Oct 2018	B1
20020070835	Dadafshar	Jun 2002	A1
20020080828	Ofek et al.	Jun 2002	A1
20020080829	Ofek et al.	Jun 2002	A1
20020084698	Kelly et al.	Jul 2002	A1
20020095573	O'Brien	Jul 2002	A1
20020097031	Cook et al.	Jul 2002	A1
20020116619	Maruyama	Aug 2002	A1
20020171525	Kobayashi et al.	Nov 2002	A1
20020182898	Takahashi et al.	Dec 2002	A1
20020189910	Yano et al.	Dec 2002	A1
20030005289	Gougeon	Jan 2003	A1
20030040897	Murphy et al.	Feb 2003	A1
20030074489	Steger et al.	Apr 2003	A1
20030094855	Lohr et al.	May 2003	A1
20030105601	Kobayashi et al.	Jun 2003	A1
20030137277	Mori et al.	Jul 2003	A1
20030166397	Aura	Sep 2003	A1
20030202330	Lopata et al.	Oct 2003	A1
20030204756	Ransom	Oct 2003	A1
20050001589	Edington et al.	Jan 2005	A1
20050019143	Bishman	Jan 2005	A1
20050102535	Patrick et al.	May 2005	A1
20050144437	Ransom	Jun 2005	A1
20050182876	Kim et al.	Aug 2005	A1
20050189910	Hui	Sep 2005	A1
20050229004	Callaghan	Oct 2005	A1
20060015590	Patil et al.	Jan 2006	A1
20060020782	Kakii	Jan 2006	A1
20060119315	Sasaki et al.	Jun 2006	A1
20060155990	Katsube et al.	Jul 2006	A1
20060156415	Rubinstein et al.	Jul 2006	A1
20070072442	DiFonzo et al.	Mar 2007	A1
20070076768	Chiesa et al.	Apr 2007	A1
20070123304	Pattenden et al.	May 2007	A1
20070123316	Little	May 2007	A1
20070143838	Milligan et al.	Jun 2007	A1
20070174524	Kato et al.	Jul 2007	A1
20070177298	Jaatinen et al.	Aug 2007	A1
20070194944	Galera et al.	Aug 2007	A1
20070214296	Takamatsu et al.	Sep 2007	A1
20070260897	Cochran et al.	Nov 2007	A1
20080067874	Tseng	Mar 2008	A1
20080077976	Schulz	Mar 2008	A1
20080140888	Blair et al.	Jun 2008	A1
20080181316	Crawley et al.	Jul 2008	A1
20080189441	Jundt et al.	Aug 2008	A1
20080303351	Jansen et al.	Dec 2008	A1
20090036164	Rowley	Feb 2009	A1
20090061678	Minoo et al.	Mar 2009	A1
20090066291	Tien et al.	Mar 2009	A1
20090083843	Wilkinson, Jr.	Mar 2009	A1
20090091513	Kuhn	Apr 2009	A1
20090092248	Rawson	Apr 2009	A1
20090121704	Shibahara	May 2009	A1
20090204458	Wiese	Aug 2009	A1
20090217043	Metke	Aug 2009	A1
20090222885	Batke et al.	Sep 2009	A1
20090234998	Kuo	Sep 2009	A1
20090239468	He et al.	Sep 2009	A1
20090254655	Kidwell et al.	Oct 2009	A1
20090256717	Iwai	Oct 2009	A1
20090278509	Boyles et al.	Nov 2009	A1
20090287321	Lucas et al.	Nov 2009	A1
20090288732	Gielen	Nov 2009	A1
20100052428	Imamura et al.	Mar 2010	A1
20100066340	Delforge	Mar 2010	A1
20100082869	Lloyd et al.	Apr 2010	A1
20100122081	Sato et al.	May 2010	A1
20100148721	Little	Jun 2010	A1
20100149997	Law et al.	Jun 2010	A1
20100151816	Besehanic et al.	Jun 2010	A1
20100153751	Tseng et al.	Jun 2010	A1
20100197366	Pattenden et al.	Aug 2010	A1
20100197367	Pattenden et al.	Aug 2010	A1
20100233889	Kiani et al.	Sep 2010	A1
20100262312	Kubota et al.	Oct 2010	A1
20110010016	Giroti	Jan 2011	A1
20110074349	Ghovanloo	Mar 2011	A1
20110080056	Low et al.	Apr 2011	A1
20110082621	Berkobin et al.	Apr 2011	A1
20110089900	Hogari	Apr 2011	A1
20110140538	Jung et al.	Jun 2011	A1
20110150431	Klappert	Jun 2011	A1
20110185196	Asano et al.	Jul 2011	A1
20110196997	Ruberg et al.	Aug 2011	A1
20110197009	Agrawal	Aug 2011	A1
20110202992	Xiao et al.	Aug 2011	A1
20110285847	Riedel et al.	Nov 2011	A1
20110296066	Xia	Dec 2011	A1
20110313547	Hernandez et al.	Dec 2011	A1
20120028498	Na et al.	Feb 2012	A1
20120046015	Little	Feb 2012	A1
20120053742	Tsuda	Mar 2012	A1
20120102334	O'Loughlin	Apr 2012	A1
20120124373	Dangoor et al.	May 2012	A1
20120143586	Vetter et al.	Jun 2012	A1
20120159210	Hosaka	Jun 2012	A1
20120236769	Powell et al.	Sep 2012	A1
20120242459	Lambert	Sep 2012	A1
20120265361	Billingsley et al.	Oct 2012	A1
20120271576	Kamel et al.	Oct 2012	A1
20120274273	Jacobs et al.	Nov 2012	A1
20120282805	Ku et al.	Nov 2012	A1
20120284354	Mukundan et al.	Nov 2012	A1
20120284514	Lambert	Nov 2012	A1
20120297101	Neupartl et al.	Nov 2012	A1
20120311071	Karaffa et al.	Dec 2012	A1
20120322513	Pattenden et al.	Dec 2012	A1
20120328094	Pattenden et al.	Dec 2012	A1
20130026973	Luke et al.	Jan 2013	A1
20130031382	Jau et al.	Jan 2013	A1
20130070788	Deiretsbacher et al.	Mar 2013	A1
20130170258	Calvin et al.	Jul 2013	A1
20130173832	Calvin et al.	Jul 2013	A1
20130211547	Buchdunger et al.	Aug 2013	A1
20130212390	Du et al.	Aug 2013	A1
20130224048	Gillingwater et al.	Aug 2013	A1
20130233924	Burns	Sep 2013	A1
20130244062	Teramoto et al.	Sep 2013	A1
20130290706	Socky et al.	Oct 2013	A1
20130291085	Chong et al.	Oct 2013	A1
20140015488	Despesse	Jan 2014	A1
20140068712	Frenkel	Mar 2014	A1
20140075186	Austen	Mar 2014	A1
20140091623	Shippy et al.	Apr 2014	A1
20140095867	Smith et al.	Apr 2014	A1
20140097672	Takemura et al.	Apr 2014	A1
20140129162	Hallman et al.	May 2014	A1
20140131450	Gordon et al.	May 2014	A1
20140142725	Boyd	May 2014	A1
20140280520	Baier	Sep 2014	A1
20140285318	Audeon et al.	Sep 2014	A1
20140312913	Kikuchi et al.	Oct 2014	A1
20140327318	Calvin et al.	Nov 2014	A1
20140335703	Calvin et al.	Nov 2014	A1
20140341220	Lessmann	Nov 2014	A1
20150046701	Rooyakkers et al.	Feb 2015	A1
20150048684	Rooyakkers et al.	Feb 2015	A1
20150115711	Kouroussis et al.	Apr 2015	A1
20150365240	Callaghan	Dec 2015	A1
20160065656	Patin et al.	Mar 2016	A1
20160172635	Stimm et al.	Jun 2016	A1
20160224048	Rooyakkers et al.	Aug 2016	A1
20160301695	Trivelpiece et al.	Oct 2016	A1
20180190427	Rooyakkers et al.	Jul 2018	A1

Foreign Referenced Citations (142)

Number	Date	Country
2162746	Apr 1994	CN
1440254	Sep 2003	CN
1571335	Jan 2005	CN
1702582	Nov 2005	CN
1839581	Sep 2006	CN
101005359	Jul 2007	CN
101069407	Nov 2007	CN
101262401	Sep 2008	CN
101322089	Dec 2008	CN
101447861	Jun 2009	CN
101533380	Sep 2009	CN
101576041	Nov 2009	CN
201515041	Jun 2010	CN
101809557	Aug 2010	CN
101919139	Dec 2010	CN
101977104	Feb 2011	CN
102035220	Apr 2011	CN
102237680	Nov 2011	CN
202205977	Apr 2012	CN
102480352	May 2012	CN
1934766	Jun 2012	CN
102546707	Jul 2012	CN
102809950	Dec 2012	CN
102812576	Dec 2012	CN
10337666	Oct 2013	CN
103376766	Oct 2013	CN
103682883	Mar 2014	CN
103701919	Apr 2014	CN
104025387	Sep 2014	CN
203932181	Nov 2014	CN
104185969	Dec 2014	CN
204243110	Apr 2015	CN
105556762	May 2016	CN
104025387	Jul 2018	CN
102013213550	Jan 2015	DE
473336	Mar 1992	EP
507360	Oct 1992	EP
1176616	Jan 2002	EP
1241800	Sep 2002	EP
1246563	Oct 2002	EP
1571559	Sep 2005	EP
1877915	Jan 2008	EP
1885085	Feb 2008	EP
1885085	Feb 2008	EP
2179364	Apr 2010	EP
2317743	May 2011	EP
2450921	May 2012	EP
2557657	Feb 2013	EP
2557670	Feb 2013	EP
2613421	Jul 2013	EP
2777796	Sep 2014	EP
2806319	Nov 2014	EP
S59-074413	May 1984	JP
59177226	Nov 1984	JP
4-245411	Sep 1992	JP
H04245411	Sep 1992	JP
H05346809	Dec 1993	JP
7105328	Apr 1995	JP
07-320963	Dec 1995	JP
08-037121	Feb 1996	JP
08098274	Apr 1996	JP
8241824	Sep 1996	JP
8322252	Dec 1996	JP
09182324	Jul 1997	JP
H09182324	Jul 1997	JP
11-89103	Mar 1999	JP
11-098707	Apr 1999	JP
11-235044	Aug 1999	JP
H11230504	Aug 1999	JP
3370931	Nov 1999	JP
H11312013	Nov 1999	JP
2000252143	Sep 2000	JP
2001292176	Oct 2001	JP
2001307055	Nov 2001	JP
2002134071	May 2002	JP
2002280238	Sep 2002	JP
2002343655	Nov 2002	JP
2002359131	Dec 2002	JP
2003047912	Feb 2003	JP
2003068543	Mar 2003	JP
2003142327	May 2003	JP
2003152703	May 2003	JP
2003152708	May 2003	JP
2003216237	Jul 2003	JP
2004501540	Jan 2004	JP
2004303701	Oct 2004	JP
2005038411	Feb 2005	JP
2005513956	May 2005	JP
2005151720	Jun 2005	JP
2005250833	Sep 2005	JP
2005275777	Oct 2005	JP
2005531235	Oct 2005	JP
4439340	Nov 2005	JP
2005327231	Nov 2005	JP
2005332406	Dec 2005	JP
2006060779	Mar 2006	JP
2006180460	Jul 2006	JP
2006223950	Aug 2006	JP
2006238274	Sep 2006	JP
2007034711	Feb 2007	JP
2007096817	Apr 2007	JP
2007519150	Jul 2007	JP
2007238696	Sep 2007	JP
2007252081	Sep 2007	JP
2008215028	Sep 2008	JP
2008257707	Oct 2008	JP
2008538668	Oct 2008	JP
2009163909	Jul 2009	JP
2009157913	Sep 2009	JP
2010515407	May 2010	JP
2010135903	Jun 2010	JP
2011078249	Apr 2011	JP
2011217037	Oct 2011	JP
2011223544	Nov 2011	JP
5013019	Aug 2012	JP
2012190583	Oct 2012	JP
20120195259	Oct 2012	JP
2013021798	Jan 2013	JP
2013170258	Sep 2013	JP
2014080952	May 2014	JP
2015023375	Feb 2015	JP
2016512039	Apr 2016	JP
6189479	Aug 2017	JP
1020020088540	Nov 2002	KR
100807377	Feb 2005	KR
20050014790	Feb 2005	KR
1020060034244	Apr 2006	KR
100705380	Apr 2007	KR
201310344	Mar 2013	TW
2005070733	Aug 2005	WO
2006059195	Jun 2006	WO
20006059195	Jun 2006	WO
2007041866	Apr 2007	WO
2007148462	Dec 2007	WO
2008083387	Jul 2008	WO
2009032797	Mar 2009	WO
2011104935	Sep 2011	WO
2013033247	Mar 2013	WO
2013102069	Jul 2013	WO
2014179556	Nov 2014	WO
2014179566	Nov 2014	WO
2015020633	Feb 2015	WO

Non-Patent Literature Citations (122)

Entry
“Introduction to Cryptography,” Network Associates, Inc., PGP 6.5.1, 1990-1999, Retrieved @ [ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCryoti.pdf] on Mar. 17, 2016, (refer to pp. 16-20).
S. Keith, et al. “Guide to Industrial Control Systems (ICS) Security,” NIST, Special Pub. 800-82, Jun. 2011, (refer to pp. 2-1 to 2-10).
Office Action dated Feb. 10, 2017 for Canadian Appln. No. 2,875,515.
Office Action dated Jul. 5, 2017 for Canadian Appln. No. 2,875,515.
Office Action dated Jan. 22, 2018 for EP Application No. 14196409.8.
Notice of Reason for Rejection for Japanese Patent Application No. 2014-243830, dated Sep. 21, 2018.
Chinese Office Action for Appln. No. 201410799473.2 dated Oct. 12, 2018.
International Search Report and Written Opinion for PCT/US2014/036368, dated Sep. 12, 2014.
Office Action for Chinese Appln No. 201380079515.9, dated Nov. 16, 2017.
Office Action for Chinese Appln No. 201380079515.9 dated Aug. 7, 2018.
Office Action for Chinese Appln No. 201380079515.9, dated Feb. 25, 2019.
Supplementary Search Report in European Application No. 13890953.6, dated Jan. 26, 2017.
Office Action for Japanese Application No. 2016-533280, dated Jun. 28, 2017.
Office Action for Japanese Application No. 2016-533280, dated Apr. 11, 2018.
Office Action for Japanese Application No. 2016-533280, dated Jan. 7, 2019.
International Search Report and Written Opinion for PCT/US2013/053721, dated May 12, 2014.
Office Action for Chinese Appln No. 201380079514.4, dated Feb. 5, 2018.
Office Action for Chinese Appln No. 201380079514.4, dated Nov. 5, 2018.
Examination Report for European Application No. 13891327.2, dated Sep. 26, 2018.
Supplementary Search Report for European Application No. 13891327.2, dated Jan. 10, 2017.
Reason for Rejection in Japanese Patent Application No. 2016-533279, dated Aug. 13, 2018.
Notice of Reasons for Rejection in Japanese Patent Application No. 2016-533279, dated Jul. 13, 2017.
Notice of Reason for Rejection in Japanese Patent Application No. 2016-533279, dated Mar. 1, 2018. 11.
Fabien Fleuot, “Raspberry Pi + Mihini, Controlling an off-the-grid Electrical Installation, Part I,” Apr. 11, 2014, XP055290314.
Generex Systems Gmbh, “BACS—Battery Analysis & Care System,” Aug. 17, 2014, XP055290320.
Siemens, “Uninterruptible 24 V DC Power Supply High-Performance, communicative and integrated in TIA,” Mar. 31, 2015, XP055290324
Rodrigues, A. et al., “Scada Security Device,” Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW '11, Jan. 1, 2011, XP055230335.
Zafirovic-Vukotic, M. et al., “Secure SCADA network supporting NERC CIP”, Power & Energy Society General Meeting, 2009, PES '09, IEEE, Piscataway, NJ, USA, Jul. 26, 2009, pp. 1-8, XP031538542.
Roman Kleinerman; Daniel Feldman (May 2011), Power over Ethernet (PoE): An Energy-Efficient Alternative (PDF), Marvell, retrieved Sep. 25, 2018 @ http://www.marvell.com/switching/assests/Marvell-PoE-An-Energy-Efficient-Alternative.pdf (Year: 2011).
Molva, R. Ed et al., “Internet security architecture”, Computer Networks, Elsevier Science Publishers B. V., Amsterdam, NL, vol. 31, No. 8, Apr. 23, 1999, pp. 787-804, XP004304518.
Rodrigues, A., “SCADA Security Device: Design and Implementation”, Master of Science Thesis, Wichita State University, Dec. 2011.
Baran, M.E. et al., “Overcurrent Protection on Voltage-Source-Converter-Based Multiterminal DC Distribution Systems,” IEEE Transactions on Power Delivery, Jan. 2007.
Office Action for Chinese Patent Application 201410802889.5, dated May 7, 2019.
Office Action for Canadian Application No. 2,875,517, dated May 4, 2015.
Office Action for Chinese Application No. 201410802889.5, dated Jul. 26, 2018.
European Search Report for European Application No. 14196406.4, dated Sep. 23, 2015.
Extended Search Report for European Application No. 16165112.0, dated Sep. 6, 2016.
Examination Report for European Application No. 16165112.0, dated Feb. 16, 2018.
Notice of Reason for Rejection for Japanese Application No. 2014-243827, dated Jan. 24, 2019.
Office Action for Chinese Application No. 2015103905202.2, dated Jun. 20, 2018.
Office Action for Chinese Application No. 2015103905202.2, dated Mar. 6, 2019.
Search Report for European Application No. 15175744.0, dated Apr. 26, 2016.
Partial Search Report for European Application No. 15175744.0, dated Dec. 14, 2015.
Office Action for Canadian Application No. 2,875,518, dated Jun. 3, 2015.
Office Action for Canadian Application No. 2,875,518, dated Apr. 22, 2016.
European Search Report for EP Application No. 14196408.0, dated Nov. 24, 2015.
Office Action for Canadian Application No. 2,875,515, dated Jun. 1, 2016.
Office Action for Canadian Application No. 2,875,515, dated Oct. 6, 2016.
Search Report for European Application No. 14196409.8, dated May 19, 2016.
Search Report for European Application No. 16154943.1, dated Jun. 17, 2016.
Partial European Search Report in European Application No. 17208183.8, dated Mar. 28, 2018.
Examination Report in European Application No. 17208183.8, dated Jun. 22, 2018.
Examination Report in European Application No. 17208183.8, dated Feb. 27, 2019.
Office Action for Chinese Appln. No. 201610239130.X, dated Feb. 14, 2018.
Office Action for Chinese Appln. No. 201610239130.X, dated Aug. 2, 2017.
Office Action for Chinese Application No. 201280065564.2, dated Aug. 3, 2016.
Office Action for Chinese Application No. 201280065564.2, dated Feb. 28, 2017.
Office Action for Chinese Application No. 201280065564.2, dated Oct. 19, 2017.
Partial Supplementary European Search Report in Application No. 12862174.5, dated Nov. 3, 2015.
European Search Report in Application No. 12862174.5, dated Feb. 15, 2016.
European Search Report in Application No. 17178867.2, dated Nov. 2, 2017.
Office Action for Japanese Application No. 2014-550508, dated Dec. 2, 2016.
Office Action for Japanese Application No. 2014-550508, dated Sep. 15, 2017.
International Search Report and Written Opinion for PCT/US2012/072056, dated Apr. 29, 2013.
Office Action for CN Appln. No. 201410182071.8, dated Mar. 1, 2017.
Office Action for Chinese Application No. 201410383686.7, dated May 31, 2017.
Office Action for Chinese Application No. 201410383686.7, dated Feb. 23, 2018.
Office Action for Chinese Application No. 201480034066.0, dated May 3, 2017.
Search Report and Opinion for European Application No. 14166908.8, dated Jan. 7, 2015.
Extended Search Report for European Application No. 14180106.8, dated Jul. 13, 2015.
Examination Report for European Application No. 14180106.8, dated Jun. 28, 2017.
Supplementary Search Report for European Application No. 14791210.9, dated Dec. 6, 2016.
Office Action for Japanese Application No. 2014-080952, dated May 2, 2018.
Office Action for Japanese Application No. 2014-080952, dated Jan. 7, 2019.
Office Action for Japanese Application No. 2014-159475, dated Jul. 18, 2018.
Office Action for Japanese Application No. 2014-159475, dated Feb. 15, 2019.
Office Action for Japanese Application No. 2016-512039, dated Jun. 5, 2018.
Office Action for Japanese Application No. 2016-512039, dated Feb. 5, 2019.
CGI, White Paper on “Public Key Encryption and Digital Signature: How do they work?”, 2004 (refer to pp. 3-4).
European Search Report dated Dec. 2, 2015 for EP Application No. 14196408.0.
Examination Report for European Application No. 17178867.2, dated Mar. 13, 2019.
Examination Report for European Application No. 16165112.0, dated Apr. 17, 2019.
Supplementary European Search Report for European Patent Application No. EP 14791210 dated Dec. 16, 2016, 11 pages.
Examination Report for European Patent Application No. 16154943.1, dated May 16, 2019.
Extended European Search Report for Application No. EP14180106.8, dated Aug. 12, 2015.
Extended European Search Report for European Patent Application No. EP 14196409 dated May, 31, 2016, 10pages.
Extended European Search Report for European Patent Application No. EP 16154943 dated Jun. 29, 2016, 9pages.
Extended European Search Report for European Patent Application No. EP 18176358 dated Sep. 11, 2018, 11 pages.
International Search Report for Application No. PCT/US2013/053721 dated May 12, 2014.
Notice of Reason for Rejection for Japanese Patent Application No. 2014-243830, dated Jul. 10, 2019.
Notice of Reason for Rejection for JP Patent Application No. 2018-109151, dated Jun. 25, 2019.
Office Action for Canadian Application No. 2,875,515, dated Feb. 17, 2016.
Office Action for Canadian Application No. 2,920,133, dated Jan. 30, 2017.
Office Action for Canadian Application No. 2,920,133, dated Oct. 19, 2016.
Office Action for Chinese Application No. 2015103905202.2, dated Aug. 6, 2019.
Office Action dated May 17, 2013 for U.S. Appl. No. 13/341,161.
Office Action for Canadian Application No. 2,920,133, dated Apr. 14, 2016.
Office Action for Chinese Application No. 20141079995.2, dated Jul. 3, 2019.
Partial Supplementary European Search Report dated Nov. 10, 2015 in Application# EP12862174.5.
Search Report for European Application No. 14196406.4, dated Nov. 4, 2015.
Siemens AG: “ERTEC 400 I Enhanced Real-Time Ethernet Controller I Handbuch”,no. Version 1.2.2 pp. 1-98, XP002637652, Retrieved from the Internet: URL:http:llcache.automation.siemens.comldniiDUl DUxNDgzNwAA_21631481_HBIERTEC400_Handbuch_V122.pdf [retrieved on May 2, 2011].
Extented European search report for European Patent Application No. EP16165112 dated Sep. 6, 2016, 12 pages.
Extended European search report for European Patent Application No. EP16165112 dated Sep. 6, 2016, 12 pages.
Partial European Search Report for European Patent Application No. EP 15175744 dated Jan. 4, 2016, 7 pages.
Decision of Rejection for Patent Application No. 2014-243827, dated Nov. 5, 2019.
Decision or Rejection for Chinese Application No. 2015103905202.2, dated Nov. 5, 2019.
Examinationl Report for European Patent Application No. 1720883.8, dated Oct. 29, 2019.
Notice of Reason for Rejection for Patent Application No. 2016-021763, dated Nov. 27, 2019.
Office Action for Chinese Patent Application No. 201610236358.3, dated Sep. 4, 2019.
Office Action for Chinese Patent Application 201410802889.5, dated Dec. 4, 2019.
Office Action from Chinese Patent Application No. 201610229230.4, dated Oct. 24, 2019.
Office Action from EP Application No. 14196406.4, dated Jul. 29, 2019.
Office Action for Japanese Application No. 2015-136186, dated Oct. 10, 2019.
Supplementary European Search Report for European Patent Application No. EP 13890953 dated Feb. 6, 2017, 9 pages.
Examination Report for European Application No. 1615112.0, dated Apr. 17, 2019.
Decision of Rejection for Japanese Application No. 2014-243830, dated Mar. 18, 2020.
Notice of Reason for Rejection for Japanese Application No. 2016-080207, dated Jun. 4, 2020.
Reason for Rejection for Japanese Application No. 2015-136186, dated May 7, 2020.
Summons to attend oral proceedings for European Application No. 14196409.8, dated Nov. 13, 2019.
Office Action for Japanese Application No. 2016-533280, dated Jun. 29, 2020.
Office Action for Chinese Patent Application No. 201610236358.3, dated Jun. 24, 2020.
Office Action from Chinese Patent Application No. 201610229230.4, dated Jul. 15, 2020.

Related Publications (1)

	Number	Date	Country
	20150046697 A1	Feb 2015	US

Provisional Applications (1)

	Number	Date	Country
	62021438	Jul 2014	US

Continuation in Parts (3)

	Number	Date	Country
Parent	14469931	Aug 2014	US
Child	14519066		US
Parent	14446412	Jul 2014	US
Child	14469931		US
Parent	PCT/US2013/053721	Aug 2013	US
Child	14446412		US

Operator action authentication in an industrial control system

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

CPC

International Classifications

Abstract