SYSTEM AND METHODOLOGY PROVIDING AUTOMATION SECURITY ANALYSIS, VALIDATION, AND LEARNING IN AN INDUSTRIAL CONTROLLER ENVIRONMENT

US 20150067844A1
Filed: 11/06/2014
Published: 03/05/2015
Est. Priority Date: 10/21/2002
Status: Abandoned Application

First Claim

Patent Images

1. A system for providing security on an industrial network, comprising:

a memory that stores computer-executable components; and

a processor, operatively coupled to the memory, that executes the computer-executable components, the computer-executable components comprising;

a learning component configured to determine a first pattern of data communication between an industrial controller and an industrial asset device based on monitoring of data exchanged between the industrial controller and the industrial asset device via an automation network during a training period; and

an analyzer component configured to determine a second pattern of data communication based on monitoring of the data exchanged between the industrial controller and the industrial asset device subsequent to the training period, and to generate a security output in response to a determination that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined deviation threshold,wherein the security output is configured to alter a network traffic pattern between the industrial controller and the industrial asset device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a system and methodology facilitating automation security in a networked-based industrial controller environment. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions for input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine if security components are in place and/or in suitable working order. The security learning system monitors/learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur.

60 Citations

View as Search Results

20 Claims

1. A system for providing security on an industrial network, comprising:
- a memory that stores computer-executable components; and
  
  a processor, operatively coupled to the memory, that executes the computer-executable components, the computer-executable components comprising;
  
  a learning component configured to determine a first pattern of data communication between an industrial controller and an industrial asset device based on monitoring of data exchanged between the industrial controller and the industrial asset device via an automation network during a training period; and
  
  an analyzer component configured to determine a second pattern of data communication based on monitoring of the data exchanged between the industrial controller and the industrial asset device subsequent to the training period, and to generate a security output in response to a determination that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined deviation threshold,wherein the security output is configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising an interface component configured to receive input that modifies the defined deviation threshold.
  - 3. The system of claim 1, wherein the security output is configured to disable network requests to access the industrial controller from another network that is different than the automation network.
  - 4. The system of claim 1, wherein the data comprises at least one of input data received by the industrial controller from the industrial asset device and stored in an I/O memory space of the industrial controller or output data written to the I/O memory space by the industrial controller and sent to the industrial asset device.
  - 5. The system of claim 1, whereinthe learning component is further configured to determine a first average number of network retries performed by the industrial controller during the training period, andthe analyzer component is further configured to generate another security output in response to determining that a second average number of network retries performed by the industrial controller subsequent to the training period exceeds the first average number of network retries in excess of a tolerance.
  - 6. The system of claim 1, wherein the first pattern of data communication comprises an average number of data packet transfers between the industrial controller and the industrial asset device during a daily range of time.
  - 7. The system of claim 1, wherein the security output is further configured to adjust a security parameter on at least one of the industrial controller, the industrial asset device, or a network device on the automation network.
  - 8. The system of claim 1, wherein the analyzer component is further configured to set the security output based on model data that models the industrial controller, the industrial asset device, and one or more network pathways to at least one of the industrial controller or the industrial asset device.
  - 9. The system of claim 8, wherein the analyzer is further configured to generate, based on analysis of the model, a recommendation output specifying a recommendation for implementing a security countermeasure for an industrial system comprising the industrial controller and the industrial asset device.
  - 10. The system of claim 9, wherein the recommendation output specifies at least one of a recommended network architecture, a recommendation to connect an identified device of the industrial system to a router, or a recommended security component to be installed on an identified device of the industrial system.

11. A method for implementing industrial network security, comprising:
- monitoring, by a system comprising a processor, first data exchange activity between an industrial controller and an industrial asset via a plant network during a training period;
  
  determining, by the system based on the monitoring of the first data exchange activity, a first pattern of data communication between an industrial controller and an industrial asset device;
  
  monitoring, by the system, second data exchange activity between the industrial controller and the industrial asset via the plant network subsequent to the training period;
  
  determining, by the system based on the monitoring of the second data exchange activity, a second pattern of data communication between the industrial controller and the industrial asset device; and
  
  in response to determining that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined tolerance, generating a security output configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the generating the security output comprises configuring the security output to disable network requests for access to the industrial controller originating from another network that is different than the plant network.
  - 13. The method of claim 11, wherein the monitoring the first data exchange activity comprises monitoring at least one of input data received by the industrial controller from the industrial asset device and stored in an I/O memory space of the industrial controller or output data written to the I/O memory space by the industrial controller and sent to the industrial asset device.
  - 14. The method of claim 11, further comprising:
    - determining, based on monitoring of a data register stored on the industrial controller, a first average number of network retries performed by the industrial controller during the training period; and
      
      generating another security output in response to determining that a second average number of network retries performed by the industrial controller subsequent to the training period exceeds the first average number of network retries in excess of the defined tolerance.
  - 15. The method of claim 11, wherein the determining the first pattern of data communication comprises determining an average number of data packet transfers between the industrial controller and the industrial asset device during a daily range of time.
  - 16. The method of claim 11, wherein the generating the security output comprises configuring the security output to adjust a security parameter of at least one of the industrial controller, the industrial asset device, or a network device on the plant network.
  - 17. The method of claim 11, wherein the generating the security output comprises configuring the security output based on model information that models the industrial controller, the industrial asset device, and one or more network pathways to at least one of the industrial controller or the industrial asset device.

18. A non-transitory computer-readable medium having stored thereon instructions that, in response to execution, cause a security analysis system comprising a processor to perform operations, the operations comprising:
- determining a first pattern of data communication between an industrial controller and an industrial asset based on monitoring of first data exchanged between the industrial controller and the industrial asset device via an industrial network during a training period;
  
  determining a second pattern of data communication based on monitoring of second data exchanged between the industrial controller and the industrial asset device after the training period; and
  
  generating a security output in response to a determination that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined tolerance, wherein the security output is configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable medium of claim 18, wherein the generating comprises configuring the security output to disable network requests for access to the industrial controller originating from another network that is different than the automation network.
  - 20. The -transitory computer-readable medium of claim 18, wherein the generating comprises configuring the security output to adjust a security parameter on at least one of the industrial controller, the industrial asset device, or a network device on the industrial network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Brandt, David D., Hall, Kenwood, Anderson, Mark Burton, Anderson, Craig D., Collins, George Bradford

Application Number

US14/535,291
Publication Number

US 20150067844A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G05B 15/02   electric

G06N 20/00   Machine learning

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 67/12   specially adapted for propr...

H04L 69/329   in the application layer [O...

SYSTEM AND METHODOLOGY PROVIDING AUTOMATION SECURITY ANALYSIS, VALIDATION, AND LEARNING IN AN INDUSTRIAL CONTROLLER ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHODOLOGY PROVIDING AUTOMATION SECURITY ANALYSIS, VALIDATION, AND LEARNING IN AN INDUSTRIAL CONTROLLER ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others