Process control methods and apparatus for intrusion detection, protection and network hardening
First Claim
1. A digital data network for use with any of a process control system, a computer-based manufacturing/production control system, an environmental control system, and/or an industrial control system (collectively, “control systems”), the digital data network comprising:
A. network media that supports digital data communications,
B. an intrusion system that is coupled to the network media and that monitors traffic thereon utilizing signature-based detection in order to identify traffic that is potentially adverse to the control system or control devices therefor in communications coupling with the network media,
C. the intrusion system utilizing one or more signatures specific to a control network (hereinafter, “control signatures”) and blocking traffic on the network media matching at least a selected control signature;
4 Assignments
0 Petitions
Abstract
The invention provides an improved network and methods of operation thereof for use in or with process control systems, computer-based manufacturing or production control systems, environmental control systems, industrial control systems, and the like (collectively, “control systems”). Those networks utilize a unique combination of firewalls, intrusion detection systems, intrusion protection devices and/or other devices for hardening (e.g., security against hacking, intrusion or other mischievous conduct) and/or intrusion detection. The networks and methods have application, by way of example, in plants, sites and other facilities in which networks that support control systems interface with corporate, business or other networks.
373 Citations
23 Claims
-
1. (Independent claim 1 is reproduced above under “First Claim”.)
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
10. A digital data network for use with any of a process control system, a computer-based manufacturing/production control system, an environmental control system, and/or an industrial control system (collectively, “control systems”), the digital data network comprising:
A. network media that supports digital data communications,
B. an intrusion system that is coupled to the network media and that monitors traffic thereon utilizing signature-based detection in order to identify traffic that is potentially adverse to the control system or control devices therefor in communications coupling with the network media,
C. the intrusion system utilizing one or more signatures specific to a control network (hereinafter, “control signatures”) and blocking traffic on the network media matching at least a selected control signature,
D. wherein the control signatures are indicative of the following:
traffic that would change, to an out-of-range value, a setpoint for one or more control devices in communications coupling with the network media;
an attempted root login with an incorrect password, via a telnet protocol, to a digital data device in communications coupling with the network media;
an attempt to login with any of a standard user name and standard password, via any of an FTP and a telnet protocol, to a digital data device in communications coupling with the network media;
an attempt to login, via execution of a remote executive (rexec) command, to a digital data device in communications coupling with the network media;
traffic originating from any of an unknown media access control (MAC) address and unknown internet protocol (IP) address;
traffic other than from MAC addresses within a selected range;
an attempt to login, via a telnet protocol, to a digital data device forming part of an I/A Series control system with any of a password “gnomes”; a username “fox” and a password “gnomes”;
an attempt to login, via a telnet protocol, to a digital data processor in communications coupling with the network media with any of a username “hstorian”, wherein that username is a misspelled formative of “historian”; a username “Administrator” with password “password”; a username “bpm”; a username “pam”;
an attempt to access, via any of an ftp and tftp protocol, a password file on a digital data device in communications coupling with the network media, and wherein the intrusion system blocks traffic matching that signature.
-
11. A method of operating a digital data network for use with any of a process control system, a computer-based manufacturing/production control system, an environmental control system, and/or an industrial control system (collectively, “control systems”), the method comprising:
A. transmitting digital data traffic on digital data network media,
B. monitoring that traffic with an intrusion system that is coupled to the network media and that utilizes signature-based detection in order to identify traffic that is potentially adverse to the control system or control devices therefor in communications coupling with the network media,
C. blocking, with the intrusion system, traffic on the network media matching at least a selected signature specific to a control network (hereinafter, “control signature”).
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
-
20. A digital data network for use with any of a process control system, a computer-based manufacturing/production control system, an environmental control system, and/or an industrial control system (collectively, “control systems”), the digital data network comprising:
A. network media that is coupled to control devices to support digital data communications therewith,
B. an intrusion system that monitors traffic on the network media utilizing signature-based detection in order to identify traffic that is potentially adverse to the control devices or control system,
C. the intrusion system utilizing one or more signatures specific to a control network (hereinafter, “control signatures”) and blocking traffic on the network media matching at least a selected control signature,
D. wherein the control signatures are indicative of the following:
traffic that would change, to an out-of-range value, a setpoint for one or more control devices in communications coupling with the network media;
an attempted root login with an incorrect password, via a telnet protocol, to a digital data device in communications coupling with the network media;
an attempt to login with any of a standard user name and standard password, via any of an FTP and a telnet protocol, to a digital data device in communications coupling with the network media;
an attempt to login, via execution of a remote executive (rexec) command, to a digital data device in communications coupling with the network media;
traffic originating from any of an unknown media access control (MAC) address and unknown internet protocol (IP) address;
traffic other than from MAC addresses within a selected range;
an attempt to login, via a telnet protocol, to a digital data device forming part of an I/A Series control system with any of a password “gnomes”; a username “fox” and a password “gnomes”;
an attempt to login, via a telnet protocol, to a digital data processor in communications coupling with the network media with any of a username “hstorian”, wherein that username is a misspelled formative of “historian”; a username “Administrator” with password “password”; a username “bpm”; a username “pam”;
an attempt to access, via any of an ftp and tftp protocol, a password file on a digital data device in communications coupling with the network media, and wherein the blocking step includes blocking traffic matching that signature.
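The control signatures enumerated in claims 10 and 20 are, in practice, a small rule set over decoded sessions: source MAC/IP against a station inventory, login attempts against a list of vendor-default and suspect credentials, rexec use, ftp/tftp requests for password files, and setpoint writes against per-tag limits. The following is an added example written for this page, not code from the patent or its assignee. It implements those signatures as an event filter with a per-signature block/alert policy. The MAC and IP inventory, the setpoint limits, the MAC "selected range" (modelled as a prefix), the extra generic default credentials, and all sample events are constructed assumptions; the usernames and passwords "fox", "gnomes", "hstorian", "Administrator"/"password", "bpm" and "pam" are those named in the claims.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory of one control segment. In a deployment these would be
# loaded from the switch configuration and the control database, not hard-coded.
KNOWN_MACS = {"00:10:7c:aa:00:01", "00:10:7c:aa:00:02"}
KNOWN_IPS = {"10.20.0.11", "10.20.0.12"}
MAC_RANGE_PREFIX = "00:10:7c:aa"            # assumed "selected range" of station MACs
SETPOINT_LIMITS = {"FIC101.SP": (0.0, 100.0), "TIC205.SP": (50.0, 250.0)}

# Credentials named in the claims, plus two generic vendor defaults (an assumption).
DEFAULT_CREDENTIALS = {("fox", "gnomes"), ("Administrator", "password"),
                       ("root", "root"), ("admin", "admin")}
SUSPECT_USERNAMES = {"hstorian", "bpm", "pam"}   # "hstorian": misspelling of "historian"
SUSPECT_PASSWORDS = {"gnomes"}
PASSWORD_FILE_RE = re.compile(r"(^|/)(passwd|shadow|master\.passwd)$", re.IGNORECASE)

# Signatures whose matches are dropped rather than only logged. The claims require
# blocking "at least a selected" signature; which ones is a site decision (assumed here).
BLOCKED_SIGNATURES = {
    "setpoint-out-of-range", "telnet-root-bad-password", "default-credentials",
    "rexec-login", "unknown-mac", "mac-outside-range", "ia-default-password",
    "suspect-username", "password-file-access",
}


@dataclass
class Event:
    """One decoded message seen on the segment (already parsed; not raw frames)."""
    src_mac: str
    src_ip: str
    proto: str                     # "telnet", "ftp", "tftp", "rexec" or "setpoint"
    user: str = ""
    password: str = ""
    login_failed: bool = False     # the server answered "Login incorrect"
    path: str = ""                 # file requested over ftp/tftp
    tag: str = ""                  # setpoint tag when proto == "setpoint"
    value: Optional[float] = None  # requested setpoint value


def match_signatures(ev: Event) -> List[str]:
    """Return the names of every control signature the event matches, in check order."""
    hits: List[str] = []
    mac = ev.src_mac.lower()
    if mac not in KNOWN_MACS:
        hits.append("unknown-mac")
    if ev.src_ip not in KNOWN_IPS:
        hits.append("unknown-ip")
    if not mac.startswith(MAC_RANGE_PREFIX):
        hits.append("mac-outside-range")
    if ev.proto == "setpoint" and ev.tag in SETPOINT_LIMITS:
        lo, hi = SETPOINT_LIMITS[ev.tag]
        if ev.value is None or not lo <= ev.value <= hi:
            hits.append("setpoint-out-of-range")
    if ev.proto == "telnet" and ev.user == "root" and ev.login_failed:
        hits.append("telnet-root-bad-password")
    if ev.proto in ("telnet", "ftp") and (ev.user, ev.password) in DEFAULT_CREDENTIALS:
        hits.append("default-credentials")
    if ev.proto == "rexec":
        hits.append("rexec-login")
    if ev.proto == "telnet" and ev.password in SUSPECT_PASSWORDS:
        hits.append("ia-default-password")
    if ev.proto == "telnet" and ev.user in SUSPECT_USERNAMES:
        hits.append("suspect-username")
    if ev.proto in ("ftp", "tftp") and PASSWORD_FILE_RE.search(ev.path):
        hits.append("password-file-access")
    return hits


def decide(ev: Event) -> Tuple[str, List[str]]:
    """Block if any blocked signature hit; alert if only log-only ones hit; else allow."""
    hits = match_signatures(ev)
    if BLOCKED_SIGNATURES.intersection(hits):
        return "block", hits
    return ("alert" if hits else "allow"), hits


# Constructed sample traffic; not a capture from any plant.
SAMPLE_EVENTS = [
    Event("00:10:7c:aa:00:01", "10.20.0.11", "setpoint", tag="FIC101.SP", value=42.0),
    Event("00:10:7c:aa:00:01", "10.20.0.11", "setpoint", tag="FIC101.SP", value=150.0),
    Event("00:10:7c:aa:00:02", "10.20.0.12", "telnet", user="root", password="guess1", login_failed=True),
    Event("00:10:7c:aa:00:02", "10.20.0.12", "telnet", user="fox", password="gnomes"),
    Event("00:10:7c:aa:00:02", "10.20.0.12", "telnet", user="hstorian", password="hist"),
    Event("00:10:7c:aa:00:02", "10.20.0.12", "rexec", user="oper"),
    Event("00:10:7c:aa:00:02", "10.20.0.12", "tftp", path="/etc/passwd"),
    Event("08:00:27:12:34:56", "10.20.0.99", "ftp", user="oper", password="s3cret"),
    Event("00:10:7c:aa:00:01", "10.20.0.77", "ftp", user="oper", password="s3cret", path="/data/trend.csv"),
    Event("00:10:7c:aa:00:02", "10.20.0.12", "ftp", user="oper", password="s3cret", path="/data/trend.csv"),
]


def run(events: List[Event] = SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    return [decide(ev) for ev in events]


if __name__ == "__main__":
    for ev, (action, hits) in zip(SAMPLE_EVENTS, run()):
        print(f"{action:5s} {ev.proto:8s} {ev.src_ip:12s} {hits}")
```

Two points the claims leave to the implementer are visible here. The "unknown IP" signature is kept alert-only because a mis-set station address would otherwise cut a legitimate operator station off the segment, whereas an unknown MAC or an out-of-range setpoint is blocked outright. And the root-login signature needs the server's "Login incorrect" response, not just the client's attempt, so the sensor must track both directions of the telnet session before it can decide.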
-
21. A method of hardening a digital data network for use with any of a process control system, a computer-based manufacturing/production control system, an environmental control system, and/or an industrial control system (collectively, “control systems”), the method comprising:
A. selectively deactivating any of an operating system service and other service on one or more digital data processors on the digital data network;
B. backing up the one or more digital data processors to preserve at least current system status;
C. testing, following deactivation, to determine whether such deactivation affects normal and/or expected operation of any of the control system, the digital data network and the one or more digital data processors;
D. responding to testing revealing that the deactivation resulted in any of abnormal and unexpected operation by re-activating the deactivated service, and repeating steps (A)-(C) with other services;
E. following deactivation of services believed non-essential to said normal and/or expected operation, testing any of said digital data network and said one or more digital data processors for any of hacking, intrusion and mischievous action (collectively, “penetration”);
F. responding to testing revealing that such penetration occurs by repeating steps (A)-(D) with additional services.
- View Dependent Claims (22, 23)
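Steps A through F of claim 21 describe a loop: remove one service at a time behind a backup, keep the removal only if the control function still tests healthy, then let a penetration test nominate the next batch. The following is an added example for this page, not code from the patent, that drives that loop against a simulated station. The station model (which services run, which depend on which, what the penetration test flags) is constructed; in a real deployment the four methods on the host object would wrap the platform's service manager, backup tool, plant acceptance test and scanner.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SimulatedHost:
    """Stand-in for a station: running services, a dependency map, and the two
    oracles the procedure needs (health test, penetration test). Constructed."""
    running: Set[str]
    requires: Dict[str, Set[str]]        # service -> services it needs to function
    essential: Set[str]                  # what the control function itself needs
    risky: Set[str]                      # what a penetration test flags if still up
    snapshots: List[Set[str]] = field(default_factory=list)

    def backup(self) -> None:                       # step B
        self.snapshots.append(set(self.running))

    def restore_last(self) -> None:                 # step D: roll back the last change
        self.running = self.snapshots.pop()

    def deactivate(self, svc: str) -> None:         # step A
        self.running.discard(svc)

    def health_ok(self) -> bool:                    # step C
        def satisfied(svc: str) -> bool:
            return svc in self.running and all(satisfied(d) for d in self.requires.get(svc, ()))
        return all(satisfied(s) for s in self.essential)

    def penetration_findings(self) -> Set[str]:     # step E
        return self.risky & self.running


def harden(host: SimulatedHost, believed_nonessential: List[str], max_rounds: int = 5) -> Dict:
    """Run steps A-F. Returns what was removed, what had to stay, and what the
    penetration test still reaches afterwards (needs a compensating control)."""
    disabled: List[str] = []
    kept: List[str] = []
    candidates = list(believed_nonessential)
    rounds = 0
    while candidates and rounds < max_rounds:
        rounds += 1
        for svc in candidates:                      # steps A-D, one service at a time
            if svc not in host.running:
                continue
            host.backup()
            host.deactivate(svc)
            if host.health_ok():
                disabled.append(svc)
            else:
                host.restore_last()
                kept.append(svc)
        findings = host.penetration_findings()      # step E
        # step F: whatever the penetration test still reaches becomes the next batch,
        # minus services already shown to be essential (retrying them cannot help).
        candidates = sorted(findings - set(kept))
    return {
        "disabled": disabled,
        "kept": kept,
        "residual_findings": sorted(host.penetration_findings()),
        "rounds": rounds,
    }


def make_sample_host() -> SimulatedHost:
    """Constructed station: the historian collector needs NFS, which needs rpcbind."""
    return SimulatedHost(
        running={"telnet", "ftp", "tftp", "rexec", "rpcbind", "nfs", "historian", "sshd", "snmpd"},
        requires={"historian": {"nfs"}, "nfs": {"rpcbind"}},
        essential={"historian"},
        risky={"telnet", "ftp", "tftp", "rexec", "snmpd", "rpcbind"},
    )


if __name__ == "__main__":
    print(harden(make_sample_host(), ["telnet", "ftp", "rexec", "rpcbind"]))
```

On the sample host the first pass removes telnet, ftp and rexec but rolls rpcbind back because the historian's NFS mount needs it; the penetration test then nominates tftp and snmpd, which the second pass removes. rpcbind remains as a residual finding, which is the case the claim's step F cannot resolve by subtraction alone: the service has to stay, so exposure is reduced some other way, for instance by the control signatures and blocking in claims 10 and 20.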
Specification