Secured process control communications

US 10,257,163 B2
Filed: 10/24/2016
Issued: 04/09/2019
Est. Priority Date: 10/24/2016
Status: Active Grant

First Claim

Patent Images

1. A system for securely transporting communications from a process plant to another system, the secured communications transport system comprising:

a data diode disposed between a network of the process plant and a network of the other system, the data diode including one or more input ports, one or more output ports, and a communication link interconnecting the one or more input ports to the one or more output posts;

an edge gateway interconnecting the one or more output ports of the data diode and the network of the other system, the edge gateway storing a respective copy of a first key; and

a field gateway interconnecting the process plant network and the one or more input ports of the data diode, the field gateway storing a respective copy of the first key and including one or more non-transitory memories storing computer-readable instructions thereon that, when executed by one or more processors of the field gateway, cause the field gateway to generate a second key, encrypt the second key using the first key, and transmit, via the data diode, the encrypted second key to the edge gateway,the computer-readable instructions of the field gateway are further executable to cause the field gateway to (i) encrypt, using the second key, data that is generated by devices of the process plant while the process plant is operating to control an industrial process, the data generated by the devices of the process plant while the process plant is operating to control the industrial process being process plant data, and the process plant data secured by the devices of the process plant for delivery, via the process plant network, to the field gateway, and (ii) transmit the encrypted process plant data across the data diode to the edge gateway, andthe edge gateway including one or more non-transitory memories storing computer-readable instructions thereon that, when executed by one or more processors of the edge gateway, cause the edge gateway to decrypt, using the second key, the encrypted process plant data received via the data diode, secure the decrypted process plant data, and transmit the secured process plant data to the network of the other system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing communications from a process plant to a remote system includes a data diode disposed therebetween that allows data to egress from the plant but prevents ingress of data into the plant and its associated systems. Data is secured across the data diode by securely provisioning a sending device at the plant end of the diode to a receiving device at the remote system end. The sending and receiving devices share secret key material that is recurrently updated. To ensure fidelity of communications across the unidirectional data diode, the sending device recurrently provides context information that is descriptive of data sources of the plant. Additionally, data transmitted from plant data sources to the sending device of the data diode may be secured using a respective security mechanism/technique, and data transmitted from the receiving device of the data diode to the remote system may be secured using a respective security mechanism/technique.

Citations

51 Claims

1. A system for securely transporting communications from a process plant to another system, the secured communications transport system comprising:
- a data diode disposed between a network of the process plant and a network of the other system, the data diode including one or more input ports, one or more output ports, and a communication link interconnecting the one or more input ports to the one or more output posts;
  
  an edge gateway interconnecting the one or more output ports of the data diode and the network of the other system, the edge gateway storing a respective copy of a first key; and
  
  a field gateway interconnecting the process plant network and the one or more input ports of the data diode, the field gateway storing a respective copy of the first key and including one or more non-transitory memories storing computer-readable instructions thereon that, when executed by one or more processors of the field gateway, cause the field gateway to generate a second key, encrypt the second key using the first key, and transmit, via the data diode, the encrypted second key to the edge gateway,the computer-readable instructions of the field gateway are further executable to cause the field gateway to (i) encrypt, using the second key, data that is generated by devices of the process plant while the process plant is operating to control an industrial process, the data generated by the devices of the process plant while the process plant is operating to control the industrial process being process plant data, and the process plant data secured by the devices of the process plant for delivery, via the process plant network, to the field gateway, and (ii) transmit the encrypted process plant data across the data diode to the edge gateway, andthe edge gateway including one or more non-transitory memories storing computer-readable instructions thereon that, when executed by one or more processors of the edge gateway, cause the edge gateway to decrypt, using the second key, the encrypted process plant data received via the data diode, secure the decrypted process plant data, and transmit the secured process plant data to the network of the other system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The system of claim 1, wherein at least one of hardware or software of the data diode is configured to prevent communications egressed by the network of the other system from ingressing into the process plant network.
  - 3. The system of claim 2, wherein the software of the data diode is configured to prevent communications egressed by the network of the other system from ingressing into the process plant network by at least one of:
    - dropping or blocking any messages received from the edge gateway at the one or more output ports of the data diode, or dropping or blocking any messages addressed to the field gateway.
  - 4. The system of claim 2, wherein the hardware of the data diode is configured to prevent communications egress by the network of the other system from ingressing into the process plant network at least one of:
    - excluding, omitting, and/or disabling the one or more input ports of the data diode from being used to transmit data to the field gateway;
      
      or excluding, omitting, and/or disabling the one or more output ports of the data diode from being used to receive data from the edge gateway.
  - 5. The system of claim 2, wherein the at least one of the hardware or the software the data diode is configured to prevent communications egressed by the network of the other system from ingressing into the process plant network upon receipt of the encrypted second key at the edge gateway.
  - 6. The system of claim 1, wherein the encrypted process plant data is transmitted across the data diode based on TCP (Transmission Control Protocol), UDP (User Datagram Protocol), or serial communications.
  - 7. The system of claim 1, wherein the field gateway is disposed at the process plant.
  - 8. The system of claim 7, where the data diode is disposed at the process plant.
  - 9. The system of claim 1, further comprising a local plant gateway interconnecting the process plant network to the field gateway, the local plant gateway securing the process plant data using a TLS (Transport Layer Security) wrapper.
  - 10. The system of claim 9, wherein at least one of:
    - at least a first portion of the data generated by the devices included in the process plant is streamed to the local plant gateway;
      
      orat least a second portion of the data generated by the devices included in the process plant is sent to the local plant gateway in response to polling.
  - 11. The system of claim 1, wherein the encryption performed by the field gateway using the second key is a first encryption, and wherein a second encryption of at least some of the data generated by the devices is performed at the devices.
  - 12. The system of claim 9, wherein the at least some of the data generated and encrypted by the devices is transmitted to the local plant gateway via at least one of a wireless network or a wired network of the process plant.
  - 13. The system of claim 1, wherein the edge gateway is disposed at the process plant.
  - 14. The system of claim 1, wherein the edge gateway secures delivery of the process plant data to the other system using a token or certificate.
  - 15. The system of claim 14, wherein:
    - the token or certificate is managed by a security service included in the other system;
      
      the token or certificate is valid for a finite period of time; and
      
      the finite period of time has a duration of no more than an hour.
  - 16. The system of claim 1, where the secured process plant data is transmitted from the edge gateway to the network of the other system using at least one of:
    - an Internet connection, a cellular router, or another type of backhaul Internet connection.
  - 17. The system of claim 1, wherein the process plant data is stored at the other system, and access to the stored data at the other system is granted to only authorized users of the other system.
  - 18. The system of claim 1,wherein the first key is shared between the field gateway and the edge gateway.
  - 19. The system of claim 18, wherein the computer-readable instructions of the edge gateway are further executable to cause the edge gateway to generate the first key and share the first key with the field gateway.
  - 20. The system of claim 1, wherein the other system is included in the process plant.
  - 21. The system of claim 1, wherein the other system is implemented in one or more computing clouds.
  - 22. The system of claim 1, wherein the other system is accessible via the public Internet.
  - 23. The system of claim 1, wherein the other system is not accessible via the public Internet.
  - 24. The system of claim 1, wherein the other system provides one or more services corresponding to the process plant, the one or more services including at least one of:
    - monitoring of conditions and/or events occurring at the process plant;
      
      sensing of the conditions and/or events occurring at the process plant;
      
      monitoring of at least a portion of a process being controlled by the process plant;
      
      descriptive analytics;
      
      prescriptive analytics;
      
      orone or more prescriptive changes to modify at least a portion of the process plant.
  - 25. The system of claim 1, wherein:
    - at least one of the devices communicates with another device within the process plant via a communications network included in the process plant to control at least a portion of a process within the process plant,the communications network is different than the process plant network, andthe communications network supports at least one of a Wi-Fi protocol, an Ethernet protocol, an IEEE 802.11 compliant protocol, a mobile communication protocol, a short-wavelength radio communication protocol, 4-20 ma signaling, the PROFIBUS protocol, the DeviceNet protocol, or another industrial communication protocol.
  - 26. The system of claim 25, wherein the communications network included in the process plant is a first communications network, and wherein the data diode receives the generated data from the one or more devices via the process plant network.
  - 27. The system of claim 1, wherein the process plant network supports at least one industrial communication protocol.

28. A method of securing communications between a process plant and an other system, the method comprising:
- receiving, at a field gateway from a process plant network, data generated by one or more devices of the process plant while the process plant is operating to control an industrial process, the data generated by the one or more devices of the process plant being process plant data, and respective process plant data is secured, by each of the one or more devices via a first security mechanism, for transmission from the each of the one or more devices to the field gateway;
  
  securing, by the field gateway, the received process plant data via a second security mechanism, the second security mechanism including (i) a first key that is provisioned into one of;
  
  an edge gateway communicatively connected to the other system, or the field gateway, the first key shared between the edge gateway and the field gateway, (ii) a second key that is encrypted based on the first key, and (iii) an encryption, by the field gateway and utilizing the second key, of the received process plant data; and
  
  transporting the secured, process plant data across a data diode to the edge gateway for delivery to the other system, the communicative connection between the edge gateway and the other system secured by the edge gateway and the other system via a third security mechanism, and the data diode configured to prevent ingress of any data transmitted by the edge gateway into the field gateway.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The method of claim 28, further comprising provisioning the field gateway and the edge gateway with the first key, including receiving, at the field gateway, the first key generated by the edge gateway.
  - 30. The method of claim 28, wherein the first security mechanism includes a respective encryption, by the each of the one or more devices, of the process plant data generated by the each of the one or more devices.
  - 31. The method of claim 30, wherein the first security mechanism further includes a wrapping of the encrypted, process plant data in a security layer implemented in the process plant.
  - 32. The method of claim 28, wherein the third security mechanism comprises a security token or certificate.
  - 33. The method of claim 28, wherein the third security mechanism comprises an encryption performed by the edge gateway.
  - 34. The method of claim 28, wherein the data diode is configured to prevent ingress of any data transmitted by the edge gateway into the field gateway via at least one of:
    - an exclusion, omission, and/or disabling of a first one or more ports via which data is received at the data diode from the edge gateway;
      
      an exclusion, omission, and/or disabling of a second one or more ports via which data is transmitted from the data diode to the field gateway;
      
      a dropping or a blocking of any messages received from the edge gateway;
      
      or a dropping or a blocking of any messages addressed to the field gateway.
  - 35. The method of claim 28, wherein:
    - (i) the method further comprises;
      
      generating, by the field gateway, the second key;
      
      encrypting, by the field gateway, the second key based on the first key; and
      
      transmitting, by the field gateway via the data diode, the encrypted second key to the edge gateway; and
      
      (ii) the data diode is configured to prevent the ingress of any data transmitted by the edge gateway into the field gateway upon a reception of the encrypted second key at the edge gateway.

36. A method of securing communications between a process plant and an other system servicing the process plant, the method comprising:
- (i) receiving, at an edge gateway via a data diode that is communicatively connected to a field gateway of the process plant, data generated by one or more devices of the process plant while the process plant is operating to control an industrial process, the data generated by the one or more devices of the process plant being process plant data, wherein;
  
  respective process plant data is secured, by each of the one or more devices via a first security mechanism, for transmission from the each of one or more devices to the field gateway, and is further secured, by the field gateway via a second security mechanism, for transport from the field gateway across the data diode to the edge gateway, the second security mechanism including (i) a first key that is provisioned into one of the edge gateway or the field gateway, the first key shared between the edge gateway and the field gateway, (ii) a second key that is encrypted based on the first key, and (iii) an encryption, by the field gateway and utilizing the second key, of the process plant data; and
  
  the data diode is configured to prevent ingress of any data transmitted by the edge gateway into the field gateway;
  
  (ii) decrypting, by the edge gateway using the second key, the process plant data encrypted by the field gateway and received at the edge gateway via the data diode;
  
  (iii) securing, by the edge gateway, the decrypted process plant data via a third mechanism; and
  
  (iv) transmitting, by the edge gateway to the other system, the process plant data secured by the edge gateway.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 37. The method of claim 36, wherein the first security mechanism includes a respective encryption, by the each of the one or more devices, of the process plant data.
  - 38. The method of claim 36, wherein the first security mechanism includes a respective wrapping, by the each of the one or more devices, of the process plant data in a security layer.
  - 39. The method of claim 36, further comprising establishing a secured connection between the edge gateway and the field gateway across the data diode using the first key, the first key being a secret key, and wherein the second security mechanism comprises the secured connection established between the edge gateway and the field gateway.
  - 40. The method of claim 36, further comprising establishing a secured connection between the edge gateway and the other system, and wherein the third security mechanism includes the secured connection established between the edge gateway and the other system.
  - 41. The method of claim 40, wherein establishing the secured connection between the edge gateway and the other system comprises:
    - authenticating to a security service provided by the other system; and
      
      receiving, in response to the authentication, a security token or certificate.
  - 42. The method of claim 41, wherein transmitting the process plant data secured by the edge gateway to the other system comprises transmitting the security token or certificate to the other system in conjunction with the process plant data.
  - 43. The method of claim 41, wherein the security or certificate token is a first security token or certificate, and the method further comprises receiving a different security token or certificate to utilize while transmitting subsequent data generated by the one or more devices to the other system.
  - 44. The method of claim 36, wherein securing, by the edge gateway, the decrypted process plant data via the third mechanism comprises encrypting, by the edge gateway, the decrypted process plant data.
  - 45. The method of claim 36, wherein transmitting the process plant data secured by the edge gateway to the other system comprises transmitting the process plant data secured by the edge gateway to a system included in the process plant.
  - 46. The method of claim 36, wherein transmitting the process plant data secured by the edge gateway to the other system comprises transmitting the process plant data secured by the edge gateway to a system implemented in one or more computing clouds.
  - 47. The method of claim 36, wherein transmitting, by the edge gateway, the process plant data to the other system comprises transmitting the process plant data to the other system via a secured connection over the public Internet.
  - 48. The method of claim 36, wherein transmitting, by the edge gateway, the process plant data to the other system comprises transmitting the process plant data to a system that provides at least one of:
    - monitoring of conditions and/or events occurring at the process plant;
      
      sensing of the conditions and/or events occurring at the process plant;
      
      monitoring of at least a portion of a process executed by the process plant;
      
      descriptive analytics;
      
      prescriptive analytics;
      
      ora prescriptive change to modify at least a portion of the process plant.
  - 49. The method of claim 36, wherein the data diode is configured to prevent ingress of any data transmitted by the edge gateway into the field gateway via at least one of:
    - an exclusion, omission, and/or disabling of a first one or more ports via which data is received at the data diode from the edge gateway;
      
      an exclusion, omission, and/or disabling of a second one or more ports via which data is transmitted from the data diode to the field gateway;
      
      a dropping or a blocking of any messages received from the edge gateway;
      
      or a dropping or a blocking of any messages addressed to the field gateway.
  - 50. The method of claim 36, wherein the second key is encrypted by the field gateway, and the method further comprises receiving, from the field gateway, the encrypted second key at the edge gateway via the data diode.
  - 51. The method of claim 50, wherein the data diode is configured to prevent the ingress of any data transmitted by the edge gateway into the field gateway upon the reception of the encrypted second key at the edge gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Original Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Inventors
Rotvold, Eric, Nixon, Mark J., Boudreaux, Michael J.
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/332,751
Publication Number

US 20180115517A1
Time in Patent Office

897 Days
Field of Search

None
US Class Current
CPC Class Codes

G05B 19/4185   characterised by the networ...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/80   Wireless

H04L 63/0209   Architectural arrangements,...

H04L 63/0428   wherein the data content is...

H04L 63/0457   wherein the sending and rec...

H04L 63/0492   by using a location-limited...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/068   using time-dependent keys, ...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04L 63/166   at the transport layer

H04L 9/0656   Pseudorandom key sequence c...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0891   Revocation or update of sec...

Y02P 90/02   Total factory control, e.g....

Secured process control communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Secured process control communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links