Distributed security for industrial networks

US 20040162996A1
Filed: 07/08/2003
Published: 08/19/2004
Est. Priority Date: 02/18/2003
Status: Abandoned Application

First Claim

Patent Images

1. A industrial network, comprising:

a local area network; and

a security policy implementation point (SPIP) configured to apply policy in the control of network access to at least one factory machine.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Distributed security for industrial networks is achieved through the implementation of Security Policy Implementation Points (SPIPs) on the network to apply security policy in a distributed fashion to prevent network users from taking action in particular areas of the network. The SPIP integrates with network services to perform authentication and authorization services on behalf of particular factory machines, groups of factory machines, and other industrial network resources. The SPIP also maintains a local access policy to enable emergency access to the factory machines as well as enable local access to attendant programmable logic controllers. The SPIP also includes audit functionality to enable the SPIP to record local accesses and network accesses to maintain a log of users and network devices that have interfaced with the SPIP. The SPIP may also support VPNs, encryption, compression, and numerous other functions to engage in communications on the network.

92 Citations

View as Search Results

25 Claims

1. A industrial network, comprising:
- a local area network; and
  
  a security policy implementation point (SPIP) configured to apply policy in the control of network access to at least one factory machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13)
- - 2. The industrial network of claim 1, further comprising a programmable logic controller connected to the at least one factory machine, and wherein the SPIP is integrated with the programmable logic controller.
  - 3. The industrial network of claim 1, further comprising a programmable logic controller connected to the at least one factory machine, and wherein the SPIP interfaces between the local area network and the programmable logic controller.
  - 4. The industrial network of claim 3, wherein the local area network is an Ethernet network, wherein the SPIP is configured to communicate with network devices on the local area network over the Ethernet network, and wherein the SPIP is configured to communicate with the programmable logic controller using a protocol selected from at least one of Profibus, Controller Area Network, RS-232, RS-422, and RS-485.
  - 5. The industrial network of claim 1, wherein the local area network includes at least one Ethernet switch/router, and wherein the SPIP is included as a blade in the Ethernet switch/router.
  - 6. The industrial network of claim 5, wherein the SPIP is configured to implement security policy to control network access to at least one PLC connected to the Ethernet switch/router through the SPIP.
  - 7. The industrial network of claim 6, wherein the subnet includes at least one programmable logic controller is configured to control the operation of at least one of said factory machines.
  - 8. The industrial network of claim 1, wherein the SPIP comprises an authentication module and an authorization module to control network access to said factory machine.
  - 10. The industrial network of claim 1, wherein the SPIP includes a local policy configured to enable the SPIP to enforce network policy in connection with local accesses.
  - 11. The industrial network of claim 10, wherein the local policy comprises:
    - a local access policy configured to require authentication and authorization of at least one of an user and an accessing electronic device for non-emergency attempts to access the SPIP, and an alternate access policy configured to allow access to the SPIP and maintain an audit log attendant to a local attempt to access the SPIP.
  - 12. The industrial network of claim 1, wherein the SPIP comprises a network policy configured to enable the SPIP to enforce network policy by interfacing with network services.
  - 13. The industrial network of claim 12, wherein the SPIP comprises a local authentication policy and information associated with authorized users and indicative of authorization policy information associated with said at least one factory machine.

9. The industrial network of claims, wherein the industrial network is an untrusted network configured to interconnect network services with a plurality of SPIPs associated with factory machines, and wherein the network services are configured to enable operation of the factory machines to be altered through the industrial network.

14. A Security Policy Implementation Point (SPIP) for use in an industrial network, comprising:
- a local path configured to implement a local access policy; and
  
  a network path configured to secure network paths on the industrial network.

15. The SPIP of claim 15, further comprising programmable logic controller circuitry configured to function to control at least one factory machine.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The SPIP of claim 15, wherein the local access policy includes enabling access to an associated factory machine to enable operation of the factory machine to be altered without verification of authorization and authentication of an user seeking to alter the operation.
  - 17. The SPIP of claim 16, wherein the local path further comprises an accounting module configured to record accesses to at least one of the SPIP, an associated programmable logic controller, and an associated factory machine.
  - 18. The SPIP of claim 15, wherein the local path comprises an authentication module configured to authenticate the identity of an individual seeking to access a device through the SPIP, and an authorization module configured to assess an authorization associated with the individual to ascertain whether the individual is authorized to access the device.
  - 19. The SPIP of claim 18, wherein the authorization module is an interface to a Lightweight Directory Access Protocol (LDAP) server, and wherein the authentication module is an interface to a Remote Access Dial In User Service (RADIUS) server.
  - 20. The SPIP of claim 18, wherein the authentication and authorization modules maintain a local copy of authorized users and authentication policy to allow local access to the SPIP.
  - 21. The SPIP of claim 15, wherein the local path comprises a virtual private network module configured to participate in a virtual private network tunnel established on the industrial network.
  - 22. The SPIP of claim 15, further comprising network ports configured to interface with the industrial network, and output ports configured to interface with a programmable logic controller.
  - 23. The SPIP of claim 22, wherein the network ports are configured to communicate on the industrial network utilizing an Ethernet protocol;
    - and wherein the output ports are configured to communicate with the programmable logic controller using a protocol understandable by the programmable logic controller.
  - 24. The SPIP of claim 15, further comprising network ports configured to interface with the industrial network, control logic configured to implement a control program associated with a programmable logic controller, and interface ports configured to interface with a factory machine.
  - 25. The SPIP of claim 24, wherein the interface ports comprise at least one input port configured to receive input from an environmental sensor, and at least one output port configured to control at least one electro-mechanical device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Chmara, Thomas P., Subramanian, Siva, Wallace, R. Bruce

Application Number

US10/615,513
Publication Number

US 20040162996A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/104 Grouping of entities

H04L 67/12 specially adapted for propr...

Distributed security for industrial networks

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed security for industrial networks

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links