SYSTEM AND METHOD FOR LOGGING SECURITY EVENTS FOR AN INDUSTRIAL CONTROL SYSTEM

US 20130291115A1
Filed: 04/30/2012
Published: 10/31/2013
Est. Priority Date: 04/30/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a security server comprising a memory and a processor configured to;

receive a first set of communications from a human machine interface (HMI) device, wherein the first set of communications relates to HMI device security events;

receive a second set of communications from an industrial controller, wherein the second set of communications relates to industrial controller security events; and

package and send the received first and second sets of communications to a remote managed security service provider (MSSP) for analysis.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a security server including a memory and a processor configured to receive a first set of communications from a human machine interface (HMI) device, wherein the first set of communications relates to HMI device security events. The security server is also configured to receive a second set of communications from an industrial controller, wherein the second set of communications relates to industrial controller security events. The security server is further configured to package and send the received first and second sets of communications to a remote managed security service provider (MSSP) for analysis.

Citations

20 Claims

1. A system, comprising:
- a security server comprising a memory and a processor configured to;
  
  receive a first set of communications from a human machine interface (HMI) device, wherein the first set of communications relates to HMI device security events;
  
  receive a second set of communications from an industrial controller, wherein the second set of communications relates to industrial controller security events; and
  
  package and send the received first and second sets of communications to a remote managed security service provider (MSSP) for analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, comprising the HMI device having another memory and another processor configured to:
    - allow an authorized user to log onto the HMI device;
      
      execute a configuration tool on the HMI device; and
      
      provide the first set of communications relating to the HMI device security events to the security server.
  - 3. The system of claim 2, wherein the configuration tool is configured provide instructions to the industrial controller to set or force variables on the industrial controller, to upload executable files to the industrial controller, or both.
  - 4. The system of claim 3, wherein the HMI device security events relate to an attempt to log onto the HMI device, starting the configuration tool on the HMI device, executing a set of instructions on the HMI device, attempting to set a variable of the industrial controller from the HMI device, uploading executable files to the industrial controller from the HMI device, or a combination thereof.
  - 5. The system of claim 1, comprising the industrial controller having another memory and another processor, configured to:
    - execute a plurality of executable files to control an industrial automation system;
      
      receive and execute instructions provided by a configuration tool of the HMI device; and
      
      provide the second set of communications relating to the industrial controller security events to the security server.
  - 6. The system of claim 5, wherein the industrial controller security events relate to setting a variable of the industrial controller or downloading executable files to the industrial controller, or both.
  - 7. The system of claim 5, wherein the industrial controller security events relate to a reboot, a startup failure, a communication error, or a detection of an unauthorized executable file, or a combination thereof.
  - 8. The system of claim 1, comprising the remote MSSP having another memory and another processor configured to:
    - receive and compare the first and second sets of communications;
      
      identify trends in the first and second sets of communications; and
      
      provide the security server with a security alert when certain trends are identified in the first and second sets of communications.
  - 9. The system of claim 8, wherein the security server is configured to receive the security alert from the remote MSSP when the remote MSSP determines that a security issue is present in the system.
  - 10. The system of claim 1, comprising an industrial system having the security server, wherein the industrial system comprises a gasification system, a gas treatment system, a turbine system, a power generation system, a heat recovery steam generation (HRSG) system, or a combination thereof.

11. A method, comprising:
- aggregating security logs comprising security events for a plurality of devices associated with an industrial system; and
  
  packaging and sending the aggregated security logs to a managed security service provider (MSSP), wherein the MSSP is configured to determine trends in the security logs.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the plurality of devices comprises an industrial controller configured to control the industrial system.
  - 13. The method of claim 12, wherein the security events relate to setting a variable of the industrial controller, downloading executable files to the industrial controller, a reboot of the industrial controller, a startup failure of the industrial controller, a communication error of the industrial controller, or a detection of an unauthorized executable file by the industrial controller, or a combination thereof.
  - 14. The method of claim 12, wherein the plurality of devices comprises a human machine interface (HMI) device configured to set variables on the industrial controller and configured to upload executable code to the industrial controller.
  - 15. The method of claim 14, wherein the security events relate to an attempt to log onto the HMI device, executing a set of instructions on the HMI device, attempting to set a variable of the industrial controller from the HMI device, or uploading executable files to the industrial controller from the HMI device, or a combination thereof.
  - 16. The method of claim 11, wherein packaging the aggregated security logs comprises packaging the received security logs into an archive file, compressing the security logs, encrypting the security logs, or any combination thereof.
  - 17. The method of claim 11, comprising receiving a security alert from the MSSP when the security logs for two of the plurality of devices are determined by the MSSP to not be consistent with one another.

18. A tangible, non-transitory, computer-readable medium configured to store instructions executable by a processor of an electronic device, the instructions comprising:
- instructions to receive security notifications from a human machine interface (HMI) device and an industrial controller, wherein the HMI device is configured to execute a configuration tool that provides instructions to the industrial controller;
  
  instructions to send the received security notifications to a remote processor, wherein the remote processor is configured to analyze and compare the security notifications from the HMI device and the industrial controller; and
  
  instructions to provide an alert when the remote processor indicates a security problem with the HMI device, the industrial controller, or both, based on the security notifications.
- View Dependent Claims (19, 20)
- - 19. The medium of claim 18, wherein the remote processor is configured to analyze the security notifications from the HMI device and the industrial controller using at least one heuristic to determine trends in the security notifications.
  - 20. The medium of claim 19, wherein the remote processor is configured notify the HMI device when the trends in the security notifications indicate a security problem.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Infrastructure Technology, LLC (GE Vernova, Inc.)
Original Assignee
General Electric Company
Inventors
Chong, Justin Brandon, Socky, David Richard, Sahoo, Manas Ranjan

Granted Patent

US 9,046,886 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G05B 19/048   Monitoring; Safety

G05B 19/4185   characterised by the networ...

G06F 21/554   involving event detection a...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/12   specially adapted for propr...

Y04S 40/18   Network protocols supportin...

Y04S 40/20   Information technology spec...

SYSTEM AND METHOD FOR LOGGING SECURITY EVENTS FOR AN INDUSTRIAL CONTROL SYSTEM

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR LOGGING SECURITY EVENTS FOR AN INDUSTRIAL CONTROL SYSTEM

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links