Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications

US 20070162957A1
Filed: 03/02/2007
Published: 07/12/2007
Est. Priority Date: 07/01/2003
Status: Abandoned Application

First Claim

Patent Images

1. A secure supervisory control and data acquisition (SCADA) system, comprising:

a SCADA control host system configured to process SCADA information;

at least one remote device configured to communicate with said control host system, said remote device having at least a first port and a second port, said first port being configured for communicating said SCADA information with said control host system;

at least one modem coupled between said at least one remote device and at least one communication line, wherein said modem is configured to allow for communication between said at least one remote device and said at least one communication line; and

a security module coupled between said modem and said second port of said at least one remote device, said security module being configured to control access to said at least one remote device by a user seeking access thereto from said at least one communication line through said modem.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure supervisory control and data acquisition (SCADA) system is presented. The inventive system includes a SCADA control host configured to process SCADA information, and at least one remote device configured to communicate with the control host. The remote device includes at least a first port and a second port wherein the first port is configured for communicating the SCADA information with said control host. The system further includes at least one modem coupled between the remote device and at least one communication line, wherein the modem is configured to allow for communication between the remote device and the at least one communication line. The inventive system still further includes a security module coupled between the modem and the second port of the remote device. The security module is configured to control access to the remote device by a user seeking access thereto from the communication line through the modem.

143 Citations

View as Search Results

39 Claims

1. A secure supervisory control and data acquisition (SCADA) system, comprising:
- a SCADA control host system configured to process SCADA information;
  
  at least one remote device configured to communicate with said control host system, said remote device having at least a first port and a second port, said first port being configured for communicating said SCADA information with said control host system;
  
  at least one modem coupled between said at least one remote device and at least one communication line, wherein said modem is configured to allow for communication between said at least one remote device and said at least one communication line; and
  
  a security module coupled between said modem and said second port of said at least one remote device, said security module being configured to control access to said at least one remote device by a user seeking access thereto from said at least one communication line through said modem.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A SCADA system in accordance with claim 1 wherein said security module is configured to control access by requesting and receiving user identification information from said user through said modem, which is then compared with authorized user identification information stored in a centralized user database.
  - 3. A SCADA system in accordance with claim 1 wherein said at least one remote device comprises at least one remote terminal unit (RTU).
  - 4. A SCADA system in accordance with claim 3 further comprising at least one control device coupled to, and configured for communication with, said at least one RTU and said security module, said security module being configured to control access to said at least one control device by said user in addition to controlling access to said at least one RTU.
  - 5. A SCADA system in accordance with claim 3 wherein said security module is configured to control access by said user to said at least one RTU by requesting and receiving user identification information from said user, which is then compared with authorized user identification information stored in a centralized user database.
  - 6. A SCADA system in accordance with claim 5 wherein said centralized user database is stored in said control host system and said user information provided to said security module is communicated to said control host system for comparison with said information stored in said database.
  - 7. A SCADA system in accordance with claim 6 wherein said control host system includes a control host, and said centralized user database is stored within said control host.
  - 8. A SCADA system in accordance with claim 6 wherein said control host system includes a host security device (HSD) coupled to a control host;
    - said SCADA system further comprising;
      
      a remote security device (RSD) coupled to said RTU; and
      
      said HSD and said RSD are configured to establish secure communications between said control host and said RTU such that said HSD is configured to encrypt SCADA information received from said control host and to decrypt encrypted SCADA information that is encrypted by and received from said RSD, and said RSD is configured to encrypt SCADA information received from said RTU and to decrypt encrypted SCADA information that is encrypted by and received from said HSD.
  - 9. A SCADA system in accordance with claim 8 wherein said RTU includes at least a first port configured to be coupled to said RSD to exchange SCADA information therebetween, and a second port configured to be coupled to said modem through said security module to enable communication therebetween.
  - 10. A SCADA system in accordance with claim 8 wherein said security module is coupled to and configured for communication with said RSD.
  - 11. A SCADA system in accordance with claim 10 wherein said security module is configured to be authenticated with said RSD and said RSD is configured to be authenticated with said HSD.
  - 12. A SCADA system in accordance with claim 11 wherein said security module is configured to communicate said user information to said RSD, said RSD is configured to communicate said user information from said security module to said HSD, and said HSD is configured to communicate said user information from said RSD to said control host.
  - 13. A SCADA system in accordance with claim 6 wherein said security module is configured with a predetermined group of operating parameters, said security module being further configured such that said parameters are configurable by said control host system.
  - 14. A SCADA system in accordance with claim 6 wherein said control host system is configured to log information relating to said user and said user'"'"'s activity.
  - 15. A SCADA system in accordance with claim 6 wherein said control host system is configured to detect and log attempts by unauthorized users to access said at least one RTU.
  - 16. A SCADA system in accordance with claim 1 wherein said system includes a plurality of modems and said security module is configured to be coupled to said plurality of modems.

17. A method of securing a supervisory control and data acquisition (SCADA) system, comprising the steps of:
- providing a SCADA control host system;
  
  providing at least one remote device configured to communicate with said control host system;
  
  providing at least one modem coupled between said at least one remote device and at least one communication line, wherein said modem is configured to allow for communication between said at least one remote device and said at least one communication line;
  
  providing a security module coupled between said modem and said at least one remote device to control access to said at least one remote device by a user seeking access thereto from said at least one communication line through said modem;
  
  receiving, at said security module, user information provided by said user through said modem;
  
  comparing said user information with authorized user information stored in a centralized user database located within said system; and
  
  allowing access to said at least one remote device if said user information matches said authorized user information, otherwise denying access.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. A method in accordance with claim 17 wherein said providing at least one remote device step includes the step of providing at least one remote terminal unit (RTU), said method further comprising the steps of:
    - providing a control host system comprising a control host coupled to a host security device (HSD); and
      
      providing a remote security device (RSD) coupled to said RTU wherein said RSD is further coupled to said security module.
  - 19. A method in accordance with claim 18, further comprising the step of authenticating said security module with said RSD.
  - 20. A method in accordance with claim 17 wherein said providing a control host system step includes providing a control host system configured with said centralized user database, said method further comprising:
    - authenticating said security module with said RSD and said RSD with said HSD; and
      
      sending said user information provided by said user to said control host system for comparison with said authorized user information in said centralized database to authenticate said user.
  - 21. A method in accordance with claim 17 wherein said providing a control host system step includes providing a control host system configured with said centralized user database, said method further comprising the step of sending said user information provided by said user to said control host system for comparison with said authorized user information in said centralized database.
  - 22. A method in accordance with claim 21 wherein said method further comprises the step of logging information relating to said user and said user activity by said control host system.
  - 23. A method in accordance with claim 17 wherein said providing a security module step includes providing a security module having a predetermined group of parameters, said method further comprising the step of configuring said parameters from said control host system.

24. A method of transferring data in a supervisory control and data acquisition (SCADA) system, comprising the steps of:
- receiving SCADA information from a source at a clear interface;
  
  compressing the SCADA information using an algorithm in which the compression statistics used in compressing said information are based on all of the packets communicated from said source to a particular destination taken as a whole;
  
  transmitting the compressed data stream to said destination.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24 wherein said compressing step includes the substeps of:
    - providing a first and a second compression engine;
      
      providing a first master dictionary table associated with said first compression engine;
      
      copying said first master dictionary table and storing said copy locally in a storage module of said first compression engine;
      
      compressing said SCADA information with said first compression engine and transmitting said compressed SCADA information said destination;
      
      providing a first model dictionary table associated with said second compression engine;
      
      compressing said SCADA information with said second compression engine;
      
      updating the compression statistics of said first model dictionary table with each successive compression;
      
      comparing the length of the compressed SCADA information from said first and second compression engines to determine the difference in length of said compressed SCADA information;
      
      determining whether said difference meets a predetermined threshold;
      
      replacing said first master dictionary table with said first model dictionary table if said threshold is met to create a second master dictionary table such that said second master dictionary table is used for the next compression; and
      
      creating a second model dictionary table having initial compression statistics if said first master dictionary table is replaced by said first model dictionary table.
  - 26. The method of claim 24 further including the step of:
    - encrypting the compressed SCADA information to create an encrypted data stream prior to transmitting said data stream to said destination.
  - 27. The method of claim 26 wherein:
    - said receiving step includes receiving a portion of a first packet of SCADA information from a sender at a clear interface;
      
      said encrypting step includes encrypting the received portion of the first packet of SCADA information using a cryptographic protocol that is independent of the SCADA information to create an encrypted data stream; and
      
      said providing step includes providing the encrypted portion of the first packet to a secure interface for transmission to the receiver, while concurrently receiving another portion of the first packet at the clear interface.
  - 28. The method of claim 25, further comprising the step of:
    - receiving compressed SCADA information at a secure interface;
      
      decompressing said compressed SCADA information and sending said decompressed information to said clear interface;
      
      re-compressing said decompressed SCADA information using said first and second compression engines;
      
      updating the compression statistics of said first model dictionary table comparing the length of the re-compressed data with that of the compressed data received at said secure interface to determine the difference in length of said compressed SCADA information;
      
      determining whether said difference meets a predetermined threshold;
      
      replacing said first master dictionary table with said first model dictionary table if said threshold is met to create a second master dictionary table such that said second master dictionary table is used for the next compression; and
      
      creating a second model dictionary table having initial compression statistics if said first master dictionary table is replaced with said first model dictionary table.

29. A method of compressing data communicated in a supervisory control and data acquisition (SCADA) system, comprising the steps of:
- receiving SCADA information from a source;
  
  providing a first and a second compression engine;
  
  providing a first master dictionary table associated with said first compression engine;
  
  compressing said SCADA information with said first compression engine and transferring said compressed SCADA information to a predetermined destination;
  
  providing a first model dictionary table associated with said second compression engine;
  
  compressing said SCADA information with said second compression engine;
  
  updating the compression statistics of said first model dictionary table with each successive compression;
  
  comparing the length of the compressed SCADA information from said first and second compression engines to calculate the difference in length of said compressed SCADA information;
  
  determining whether said difference meets a predetermined threshold;
  
  replacing said first master dictionary table with said first model dictionary table if said threshold is met to create a second master dictionary table such that said second master dictionary table is used for the next compression; and
  
  creating a second model dictionary table having initial compression statistics.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The method of claim 29 further comprising the steps of:
    - copying said first master dictionary table for each packet of SCADA information to be compressed and storing said copy locally to said first compression engine; and
      
      compressing said SCADA information using said copy of said first master dictionary table.
  - 31. The method of claim 29 further comprising the steps of:
    - providing a master dictionary table at said destination; and
      
      determining whether said first master dictionary table associated with said first compression engine and said master dictionary table of said destination match.
  - 32. The method of claim 31 wherein each of said first master dictionary associated with said first compression engine and said master dictionary table of said destination include a respective time indicator;
    - said determining step including verifying said respective time indicators match.
  - 33. The method of claim 31 further including the step of transferring said first master dictionary table to said destination to update said master dictionary table thereof if said time indicators do not match.
  - 34. The method of claim 29 further comprising the steps of:
    - providing a master dictionary table at said destination; and
      
      when said second master dictionary table replaces said first master dictionary table, transferring said second master dictionary table to said destination to replace said master dictionary table of said destination with said second master dictionary table.

35. A secure supervisory control and data acquisition (SCADA) system comprising:
- at least one remote terminal unit (RTU) system comprising an RTU transceiver, an RTU and a remote security device (RSD) coupling the RTU to the RTU transceiver; and
  
  a SCADA control host system comprising a SCADA control host configured to exchange SCADA information with the at least one RTU in a SCADA format, and a host security device (HSD) coupling the SCADA control host to a host transceiver, wherein the host transceiver is configured to establish communications with the at least one RTU transceiver;
  
  wherein the HSD is configured to communicate with the at least one RSD to compress and transparently encrypt the SCADA information using a cryptographic protocol that is independent of the SCADA protocol to thereby compress and secure the communications between the HSD and the at least one RSD, and to stream the SCADA information passing therethrough such that a portion of a first packet of SCADA information is encrypted as it is received by the HSD and transferred to at least one of the plurality of RSDs concurrent with the receipt of another portion of the first packet by the HSD.
- View Dependent Claims (36, 37, 38, 39)
- - 36. A SCADA system in accordance with claim 35 wherein said HSD comprises a compression module for compressing said SCADA information being communicated from said HSD to said RSD and a decompression module to decompress SCADA information being communicated from said RSD to said HSD.
  - 37. A SCADA system in accordance with claim 35 wherein said RSD comprises a compression module for compressing said SCADA information being communicated from said RSD to said HSD and a decompression module to decompress SCADA information being communicated from said HSD to said RSD.
  - 38. A SCADA system in accordance with claim 36 wherein said compression module includes:
    - a first compression engine configured to compress said SCADA information using a first master dictionary table associated therewith, and to transfer said compressed data to an encryption module in said HSD; and
      
      a second compression engine configured to compress said SCADA information using a first model dictionary table associated therewith, wherein said first model dictionary table is updated with each successive compression.
  - 39. A SCADA system in accordance with claim 38 wherein said HSD is configured to compare the length of the compressed data output from said first and second compression engines and to replace said first master dictionary table with said first model dictionary table if the difference in length of the respective compressed data outputs meets a predetermined threshold;
    - and said HSD being further configured to create a second model dictionary table to take the place of said first model dictionary table when said first master dictionary table is replaced with said first model dictionary table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Robert Thomas Sill
Original Assignee
Robert Thomas Sill
Inventors
Bartels, Andrew

Application Number

US11/713,314
Publication Number

US 20070162957A1
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G05B 15/02 electric

Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links