Content-Aware Firewalling, Policy Regulation, and Policy Management for Industrial Automation, Machine To Machine Communications, and Embedded Devices
Abstract
In one embodiment, a processor-implemented method for controlling network traffic to and/or from at least one industrial machine, including: (a) receiving, as input, (i) a stored policy object in language form defining at least one desired behavior and/or operational constraint for the at least one industrial machine, and (ii) a stored machine profile defining an association between the language of the stored policy object and at least one control signal or instruction for the at least one industrial machine; (b) detecting, in network traffic to and/or from the at least one industrial machine, a transaction; (c) applying the received policy object and machine profile to the detected transaction to determine whether a desired behavior exists and/or whether an operational constraint is satisfied; and (d) modifying network traffic to and/or from the at least one industrial machine based on the determination in step (c). This permits expression and enforcement of constraints on actual industrial machine behaviors by filtering, modifying or blocking network communications (e.g., control signals and telemetry) that violate constraints or could cause unsafe or inefficient operation.
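The four steps of the abstract, worked through as an added example (illustrative code written for this page, not the patent's or any assignee's implementation). It takes Modbus/TCP as the industrial protocol because its write requests are simple to parse and rewrite. The policy syntax, the signal names, the choice of unit 1 with holding registers 0x0010 and 0x0011 as the machine profile, and every sample frame are constructed assumptions; only the Modbus/TCP framing (MBAP header, function codes 3, 6 and 16) is taken from the protocol itself.

```python
# Added example, not the patent's code: the names, register addresses, policy syntax and sample frames are constructed.
import operator
import re
import struct
from typing import NamedTuple, Optional

# (a)(i) Policy object in language form, one constraint per line:
#        "<signal> <op> <int> [-> block|clamp]"; the action applies on violation (default: block).
RULE_RE = re.compile(r"^(\w+)\s*(<=|>=|==|<|>)\s*(-?\d+)\s*(?:->\s*(block|clamp))?$")
OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq, "<": operator.lt, ">": operator.gt}

class Constraint(NamedTuple):
    signal: str
    op: str
    value: int
    action: str  # "block": drop the frame; "clamp": rewrite the value to the nearest allowed one

    def holds(self, x: int) -> bool:
        return OPS[self.op](x, self.value)

def parse_policy(text: str) -> list[Constraint]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unparseable policy line: {raw!r}")
            signal, op, value, action = m.groups()
            rules.append(Constraint(signal, op, int(value), action or "block"))
    return rules

# (a)(ii) Machine profile: (unit id, holding register) -> the signal name the policy refers to (assumed layout).
PROFILE = {(1, 0x0010): "speed_setpoint", (1, 0x0011): "heater_enable"}
POLICY_TEXT = """
speed_setpoint >= 200 -> block    # never command a stall speed
speed_setpoint <= 1500 -> clamp   # over-speed requests are trimmed to the limit
heater_enable <= 1                # anything other than 0/1 is rejected
"""

# (b) Transaction detection: parse a Modbus/TCP request and extract the register write, if any.
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0 = Modbus), length, unit id

def parse_write(frame: bytes) -> Optional[tuple[int, int, int, tuple[int, ...]]]:
    """(unit, function, address, values) for FC 6/16; None for other functions; ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("short frame")
    _, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")  # the length field is attacker-controlled: verify it
    fc, pdu = frame[7], frame[8:]
    if fc == 6 and len(pdu) == 4:  # write single register: address, value
        addr, val = struct.unpack(">HH", pdu)
        return unit, fc, addr, (val,)
    if fc == 16 and len(pdu) >= 5:  # write multiple registers: address, quantity, byte count, values
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if 1 <= qty <= 123 and nbytes == 2 * qty and len(pdu) == 5 + nbytes:
            return unit, fc, addr, struct.unpack(f">{qty}H", pdu[5:])
    if fc in (6, 16):
        raise ValueError("malformed write PDU")
    return None  # reads and other functions are not governed by this policy

def rebuild(frame: bytes, fc: int, addr: int, values: list[int]) -> bytes:
    # MBAP header and function code are reused, so the reply still matches the client's transaction id.
    if fc == 6:
        return frame[:8] + struct.pack(">HH", addr, values[0])
    n = len(values)
    return frame[:8] + struct.pack(">HHB", addr, n, 2 * n) + struct.pack(f">{n}H", *values)

# (c)+(d) Apply the policy through the profile, then pass, rewrite or drop the frame.
def enforce(frame: bytes, policy: list[Constraint], profile: dict) -> tuple[str, Optional[bytes]]:
    try:
        w = parse_write(frame)
    except ValueError:
        return "BLOCK", None      # malformed frames never reach the machine
    if w is None:
        return "PASS", frame      # not a write: forwarded unchanged
    unit, fc, addr, values = w
    out, verdict = list(values), "ALLOW"
    for i in range(len(out)):
        signal = profile.get((unit, addr + i))
        if signal is None:
            return "BLOCK", None  # default deny: register not described by the profile
        for c in policy:
            if c.signal != signal or c.holds(out[i]):
                continue
            if c.action == "block":
                return "BLOCK", None
            out[i] = min(max(c.value + {"<": -1, ">": 1}.get(c.op, 0), 0), 0xFFFF)  # nearest allowed, 16-bit
            verdict = "MODIFY"
    return verdict, (rebuild(frame, fc, addr, out) if verdict == "MODIFY" else frame)

# Constructed sample requests (not captured traffic).
def request(tid: int, unit: int, pdu: bytes) -> bytes:
    return MBAP.pack(tid, 0, 1 + len(pdu), unit) + pdu

def write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    return request(tid, unit, struct.pack(">BHH", 6, addr, value))
```

Calling `enforce(write_single(1, 1, 0x10, 9000), parse_policy(POLICY_TEXT), PROFILE)` returns `("MODIFY", <frame>)` with the setpoint rewritten to 1500; a write of 50 returns `("BLOCK", None)`; a read request passes through untouched. Three choices in the block are the ones a practitioner should weigh when building such a device: writes to registers the profile does not describe are denied by default rather than forwarded, frames whose MBAP length disagrees with the bytes on the wire are dropped rather than parsed optimistically, and a clamped write keeps its transaction id so the client's reply still matches, which also means the client is never told its setpoint was altered. That silent rewrite is exactly the "modifying network traffic" the claims describe, so every MODIFY and BLOCK verdict should be logged with the original value for the operators.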
2 Claims
1. A processor-implemented method for controlling network traffic to and/or from at least one industrial machine, the method comprising:
(a) the processor receiving, as input, (i) a stored policy object in language form defining at least one desired behavior and/or operational constraint for the at least one industrial machine, and (ii) a stored machine profile defining an association between the language of the stored policy object and at least one control signal or instruction for the at least one industrial machine;
(b) the processor detecting, in network traffic to and/or from the at least one industrial machine, a transaction;
(c) the processor applying the received policy object and machine profile to the detected transaction to determine whether a desired behavior exists and/or whether an operational constraint is satisfied; and
(d) the processor modifying network traffic to and/or from the at least one industrial machine based on the determination in step (c).
2. A policy-object enforcement device for controlling network traffic to and/or from at least one industrial machine, the device comprising:
a processor, wherein the processor is adapted to:
(a) receive, as input, (i) a stored policy object in language form defining at least one desired behavior and/or operational constraint for the at least one industrial machine, and (ii) a stored machine profile defining an association between the language of the stored policy object and at least one control signal or instruction for the at least one industrial machine;
(b) detect, in network traffic to and/or from the at least one industrial machine, a transaction;
(c) apply the received policy object and machine profile to the detected transaction to determine whether a desired behavior exists and/or whether an operational constraint is satisfied; and
(d) modify network traffic to and/or from the at least one industrial machine based on the determination in step (c).