Backplane filtering and firewalls
Abstract
Described herein are various technologies for providing active mitigation of cyber-attacks against industrial and other control systems. A filtering device is connected to a backplane of a control system and receives communications from various modules of the control system. The filter device analyzes the received communications and determines whether they are genuine and permissible communications for the control system. Validated signals are output to a communications bus of the control system by the filter device, while impermissible communications are blocked. The filter device can be interposed between the modules of the control system and the backplane, or the filter device can be included as a component of a control system backplane.
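An added illustration, not taken from the patent: a small Python simulation of the behaviour described in the abstract and claims, in which a filter between the processing module and the backplane forwards permissible signals, blocks impermissible ones, and then runs a model of the control logic itself. The allowlist policy, slot numbers, command names and the tank-level model are constructed assumptions; the text here does not say how permissibility is decided.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    src_slot: int   # backplane slot of the sending module (0 = the filter, assumed)
    dst_slot: int   # backplane slot of the addressed IO module
    command: str
    value: float

# Assumed allowlist: (destination slot, command) -> permitted value range.
POLICY = {(3, "SET_VALVE_PCT"): (0.0, 100.0),
          (4, "SET_PUMP_RPM"): (0.0, 1800.0)}

def tank_level_model(level_pct: float) -> list[Signal]:
    """Constructed stand-in for the model of the processing module's control
    logic: run the pump only while the tank level is below 80 %."""
    rpm = 1200.0 if level_pct < 80.0 else 0.0
    return [Signal(src_slot=0, dst_slot=4, command="SET_PUMP_RPM", value=rpm)]

class BackplaneFilter:
    def __init__(self, policy, model):
        self.policy = policy
        self.model = model
        self.model_active = False  # set once the filter has had to take over
        self.blocked = []          # rejected signals, kept for alerting and forensics

    def permissible(self, sig: Signal) -> bool:
        # Default deny: an unknown (slot, command) pair is impermissible.
        limits = self.policy.get((sig.dst_slot, sig.command))
        return limits is not None and limits[0] <= sig.value <= limits[1]

    def on_signal(self, sig: Signal, level_pct: float) -> list[Signal]:
        """Return the signals that are actually placed on the backplane bus."""
        if self.permissible(sig):
            return [sig]                 # validated: forwarded unchanged
        self.blocked.append(sig)         # impermissible: never reaches the bus
        self.model_active = True
        return self.model(level_pct)     # filter supplies the control output

def demo():
    f = BackplaneFilter(POLICY, tank_level_model)
    ok = f.on_signal(Signal(1, 4, "SET_PUMP_RPM", 900.0), level_pct=50.0)
    bad = f.on_signal(Signal(1, 4, "SET_PUMP_RPM", 9000.0), level_pct=85.0)
    unknown = f.on_signal(Signal(1, 7, "FIRMWARE_WRITE", 1.0), level_pct=50.0)
    return ok, bad, unknown, f
```

The `blocked` list is the detection side of the design: every entry is a signal the processing module emitted that the policy rejected, which is the event an operator would want alerted.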
20 Claims
1. A control system, comprising:
- a processing module;
- a plurality of input/output (IO) modules;
- a backplane communications bus; and
- a hardware logic component interposed between the backplane communications bus and the processing module such that the hardware logic component is in communication with the processing module and the backplane communications bus of the control system, wherein the hardware logic component receives signals output by the processing module, and wherein the hardware logic component is configured to perform the following acts:
  - responsive to receiving a signal from the processing module that is directed to at least one of the IO modules, determining that the signal comprises an impermissible communication for the control system; and
  - responsive to determining that the signal comprises an impermissible communication for the control system, executing, at the hardware logic component, a model of control logic of the processing module of the control system such that the hardware logic component performs at least some of the functionality of the processing module of the control system.

Dependent claims: 2, 3, 4, 5, 6, 7

8. A method, comprising:
- receiving a signal from a processing module of a control system at a hardware logic device, the hardware logic device connected between the processing module of the control system and a backplane communications bus of the control system such that signals output by the processing module of the control system are received at the hardware logic device, the signal configured by the processing module to be provided to at least one other module of the control system;
- preventing the signal from being output to the at least one other module by way of the backplane communications bus based upon determining that the signal is an impermissible signal for the control system; and
- responsive to determining that the signal is an impermissible signal for the control system, executing, at the hardware logic device, a model of control logic of the processing module of the control system such that the hardware logic device performs at least some of the functionality of the processing module of the control system.

Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

19. A system comprising:
- a control system comprising:
  - a backplane communications bus; and
  - a plurality of modules that receive signals from the backplane communications bus; and
- a field-programmable gate array (FPGA), the FPGA communicatively coupled between the backplane communications bus and the plurality of modules such that signals output by the plurality of modules are received at the FPGA, wherein the FPGA receives a signal from one of the plurality of modules and outputs the signal to the backplane communications bus based upon determining that the signal is a permissible communication for the control system, and wherein further the FPGA is configured to execute a model of control logic of a processing module of the control system responsive to determining that a signal received from a processing module in the plurality of modules is an impermissible communication for the control system, such that the FPGA performs at least some of the functionality of the processing module of the control system.

Dependent claims: 20

Specification