The present invention relates to a security system.
It is relevant to the field of applications of automation, in particular to industrial-process automation, building automation or systems for monitoring and/or controlling a power distribution network.
It is known to use programmable logic controllers to manage domestic or industrial processes, for example to manage an electricity grid.
In order to ensure the security of these processes against any risk of theft of data or attempt at malicious intrusion, the controllers generally comprise one or more security systems that allow the stored data to be monitored and their integrity to be ensured, and the reliability of the communications of the controllers to be guaranteed.
These security systems may for example take the form of software (anti-malware tool, firewall, vulnerability search, etc.) or of physical access restrictions (keys, encrypted passwords, etc.).
By way of example, in order to control direct local access to certain controller modules, the latter comprise a security system in the form of a human-machine interface, requiring an operator to enter a password on a keyboard if he wants to gain access to the controller.
However, such systems are not entirely satisfactory.
Specifically, it is necessary to provide one human-machine interface per module of the controller. Apart from the fact that a human-machine interface is expensive, time-consuming to implement on each module and has a high power consumption, said interface may be vulnerable if the password is disclosed or stolen.
Furthermore, although certain operating situations require a high controller security state, a lower-security state may also be sufficient in other operating situations, which therefore do not require relatively complex security systems.
The invention improves the situation.
The invention more particularly aims to provide, for a device such as a controller, an effective security system, usage of which is particularly simple and flexible, and that allows in particular the security state to be simply and securely varied depending on the operating requirements.
A security system is provided, which system is fitted in a device, the security system comprising a command element that is actuatable by an operator at least:
By virtue of these arrangements, the actuation of a command element of the device allows the expected security state to be set. Means allowing control of physical access and software means that are particularly simple and effective are thus simultaneously implemented with a view to ensuring the security of the device.
More particularly, a remote connection to the device does not allow its security state to be modified, direct access and actuation of the security system being necessary.
According to another aspect, a device comprising such a security system is provided.
According to another aspect, a method for operating such a security system is provided, this method comprising the following steps:
According to another aspect, a computer program containing instructions for implementing all or some of a method such as defined in this document when this program is executed by a processor is provided.
According to another aspect, a computer-readable non-volatile storage medium on which such a program is stored is provided.
By “computer”, what is meant is any programmable means of processing information, for example a processor comprised in a desktop computer, tablet computer, mobile phone or the like.
The features described in the following paragraphs may, optionally, be implemented. They may be implemented independently of one another or in combination with one another:
The high-security state comprises a configuration of software protection functions.
The command element is actuatable by an operator manually.
The command element comprises a slot allowing a selector to be pivoted between at least the first position and the second position.
The command element is actuatable by an operator by means of a short-range wireless communication with the device.
The command element is also actuatable to a third position, in which the device is in a reset state.
The device is a programmable logic controller or a programmable-logic-controller module.
The device comprises a front face and a back face, the security system being fitted in the back face, the back face being configured to be placed in contact with a holder.
The method comprises the following steps:
The actuation of the command element between the first position and the second position requires intermediate passage to the third position.
Other features, details and advantages will become apparent on reading the detailed description below, and on analysing the appended drawings, in which:
The drawings and the description below contain, for the most part, elements of certain character. They will therefore possibly not only serve to better understand the present disclosure, but also contribute to its definition, where appropriate.
Reference is made to
According to one embodiment, the device 1 is installed in a programmable logic controller (PLC). Such a controller is configured to control an industrial or domestic process, in particular via sequential information processing. More particularly, the controller allows a command to be transmitted to one or more other controllers or actuators, the transmitted command depending on input data, such as sensor measurements, instruction data, etc.
By way of example, the controller allows machines and sensors in a factory or a building to be controlled, or a power management system to be driven.
Advantageously, the device 1 according to the invention relates to a secure controller.
According to one embodiment, the device 1 is a module, such as a communication module, of the controller. More generally, the device 1 may be any industrial module or piece of equipment allowing security to be configured remotely.
As illustrated in
The device 1 generally has a parallelepipedal shape. However, other shapes are also envisionable.
The device 1 thus comprises a front face 1a, visible in
The device 1 also comprises a back face 1b, visible in
As illustrated in
The device 1 also comprises a processor 12 (CPU or central processing unit) configured to process instructions that form the operating computer program of the device 1.
The device 1 also comprises a memory 13 configured to store the instructions forming the operating computer program and various other pieces of information.
The device 1 also comprises a wired or wireless communication interface 14, in particular for communication with a remote server configured to store the data of the device 1.
Lastly, the device 1 may comprise a power source, such as a battery (not illustrated), or be directly connected to an electricity grid.
According to the invention, the device 1 furthermore comprises at least one security system. The security system comprises a command element 20 that is fitted in the device 1.
As illustrated in
The command element 20 may be actuated by an operator.
According to one embodiment, the command element 20 may be actuated manually by the operator.
To this end, the command element 20 may comprise a slot allowing an element of the flat-head screwdriver type to be used to make a selector 21 pivot. However, other types of manual actuations are possible—a key, a crank or any other tool known per se, whether specific or not, may be used. Furthermore, other types of command element 20 are possible, such as a pivoting button etc.
According to another embodiment, the command element 20 may be actuated without contact by the operator. The actuation is advantageously carried out at short range.
By “short range”, what is in particular meant is an actuation via a wireless communication with the device 1, which actuation is performed for example from a distance smaller than 1 metre, or even advantageously from a distance smaller than 10 centimetres. Such a short-range communication may for example use near-field-communication (NFC) technology.
Such a short-range communication is advantageously secure in terms of authentication, integrity, and information confidentiality.
Thus, the command element 20 is actuatable between at least a first position and a second position.
In the first position (illustrated by position A in
By way of example, the device 1 cannot set up any communication until the security state has been configured. Once in the security state, communications are authenticated and secured.
In the second position (illustrated by position B in
By “low-/high-security states”, what is meant is that the security states are to be understood relative to each other. Thus, the low-security state may correspond to a standard state, in which the device 1 does not require security configuration, or comprises protection functions that are relatively less involved than those provided in the high-security state.
According to one embodiment, the command element 20 may furthermore be actuated to one or more other positions corresponding to other security states of the device 1, which states are not described below.
In the embodiment illustrated in
In the third position (illustrated by position C in
The device 1 advantageously comprises a dedicated output allowing the operator to learn the security state of the device 1, for example via a signal tower or stack light mounted on the electrical enclosure containing the device 1 or via a software application intended for the operator.
The device 1 may also comprise an indicator allowing an operator to in particular learn the security state of the device 1. The indicator is placed on the front face 1a of the device 1, as illustrated in
According to one embodiment, the indicator comprises one or more indicator lights 15 allowing the security, diagnostic and/or operating state of the device 1 to be displayed. The operator may in particular compare the display of the one or more lights 15 with the position of the security system, in order to satisfy himself of the integrity of the device 1.
A method for operating, and more particularly installing, the security system of the device 1 is described below with reference to
Initially, the command element 20 is in one of the first, second or third positions A, B, C, corresponding to the device 1 in the high-security state, the low-security state and the reset state, respectively.
If the command element 20 is initially in the first position, a step of the method consists in verifying whether the security of the device 1 has already been configured.
If the configuration has already been carried out, the device 1 may be used.
If the security of the device 1 has not yet been configured, the method comprises one or more additional configuring steps. In these configuring steps, security data CS_conf may be downloaded by the device 1, in particular by means of the communication interface 14. These data are for example downloaded via an Ethernet or USB communication from a specific configuration application stored in a remote server or in an internal web server.
As a variant, the security data CS_conf may already be stored in the memory 13 of the device 1.
The security is configured by means of a computer program that is advantageously already present in the device 1. Once the configuration has been performed, the security is in place and the device 1 may be used.
If the command element 20 is initially in the second position, the device 1 may be used without requiring particular configuration of the security of the device 1.
If the command element 20 is initially in the third position, the command element 20 must be actuated to one of the other positions before any use, in order to put the device 1 in the high- or low-security state. The steps described above of the method may then subsequently be implemented.
During its use, the device 1 is fastened to the holder 2. The back face 1b of the device 1 is then no longer directly accessible to the operator.
Furthermore, the actuation of the command element 20 is advantageously deactivated when the device 1 is used, in particular connected to the power source.
This makes it possible to prevent the command element 20 from being able to be easily actuated to modify the security state of the device 1 after it has been turned on.
Thus, if it is desired to pass from the high-security state to the low-security state, or vice versa, it is necessary, beforehand, to unplug the device 1 from the power source and/or to separate the device 1 from the holder 2 in order to make the back face 1b of the device 1 once again accessible.
In case of unauthorized actuation of the command element 20, the security system may comprise an alarm (not illustrated), for example a visual or audio alarm, allowing the operator to be apprised.
According to one embodiment, to pass from a high-security state to a low-security state, or vice versa, it is preferably necessary to actuate the command element 20 to the third position.
Thus, the security configuration is necessarily deleted before the device 1 can pass to the other security state. This makes it possible to ensure that no information relating to the configuration of the device 1 can be preserved in the low-security state, which is potentially more vulnerable to cyberattacks.
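The power-up handling implied by the method above can be sketched in C as follows. This is an added example, not code from the patent: all type and function names, the 32-byte size of CS_conf, and the choice to wipe the configuration when an A/B change is detected without an intervening position C are assumptions of the sketch.

```c
#include <stdbool.h>
#include <string.h>

typedef enum { POS_C, POS_A, POS_B } position;   /* selector 21; zeroed = C */
typedef enum { ST_RESET, ST_LOW, ST_HIGH_UNCONF, ST_HIGH_READY } sec_state;

typedef struct {
    position  last_mode;    /* non-volatile: position latched at last power-up */
    bool      has_conf;     /* non-volatile: CS_conf present in memory 13 */
    char      cs_conf[32];  /* non-volatile: security data (size assumed) */
    sec_state st;           /* current security state */
    bool      alarm;        /* unauthorized actuation seen since power-up */
} device;

static void wipe_conf(device *d) {
    memset(d->cs_conf, 0, sizeof d->cs_conf);
    d->has_conf = false;
}

/* The selector is honoured only here, at power-up. */
sec_state power_up(device *d, position sel) {
    d->alarm = false;
    /* Position C deletes the configuration. So does an A<->B change that
       skipped C (assumption of this sketch, to keep the page's guarantee). */
    if (sel == POS_C || (d->last_mode != POS_C && sel != d->last_mode))
        wipe_conf(d);
    d->last_mode = sel;
    if (sel == POS_C)      d->st = ST_RESET;
    else if (sel == POS_B) d->st = ST_LOW;
    else                   d->st = d->has_conf ? ST_HIGH_READY : ST_HIGH_UNCONF;
    return d->st;
}

/* Configuring step: accepted only in position A before configuration. */
bool configure(device *d, const char *conf) {
    if (d->st != ST_HIGH_UNCONF || strlen(conf) >= sizeof d->cs_conf)
        return false;
    strcpy(d->cs_conf, conf);
    d->has_conf = true;
    d->st = ST_HIGH_READY;
    return true;
}

/* While powered, moving the selector changes no state and raises the alarm. */
void selector_moved_while_powered(device *d) { d->alarm = true; }
/* Process traffic (not the CS_conf download) is allowed once usable. */
bool comms_allowed(const device *d) {
    return d->st == ST_LOW || d->st == ST_HIGH_READY;
}
```

Because the selector is sampled only in `power_up`, a remote connection has no code path that changes the security state, which matches the requirement that direct access to the device is needed.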
Of course, the invention is not limited to the embodiments described above, which were provided solely by way of example. It encompasses various modifications, alternative forms and other variants that those skilled in the art will be able to envision in the context of the present invention, and in particular all of the combinations of the various modes of operation described above, whether considered separately or in association.
Number | Date | Country | Kind |
---|---|---|---|
1909965 | Sep 2019 | FR | national |
Number | Date | Country | |
---|---|---|---|
20210074098 A1 | Mar 2021 | US |