INDUSTRIAL SECURITY AGENT PLATFORM

US 20160085972A1
Filed: 08/28/2015
Published: 03/24/2016
Est. Priority Date: 09/23/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an industrial control network;

one or more controller devices, each controller device operable to control one or more operational devices connected to the industrial control network;

one or more emulators, each emulator configured to communicate with a respective controller device, and each emulator configured to reference a respective profile that includes information about security capabilities of the respective controller device; and

an encryption relay processor operable to facilitate communication to and from each emulator over the industrial control network, the encryption relay processor executing a cryptographic function for a communication between the emulator and a node on the industrial control network when the respective controller device is incapable of performing the cryptographic function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network. The encryption relay processor can execute a cryptographic function for a communication between the emulator and a node on the industrial control network when the respective controller device is incapable of performing the cryptographic function.

144 Citations

20 Claims

1. A system comprising:
- an industrial control network;
  
  one or more controller devices, each controller device operable to control one or more operational devices connected to the industrial control network;
  
  one or more emulators, each emulator configured to communicate with a respective controller device, and each emulator configured to reference a respective profile that includes information about security capabilities of the respective controller device; and
  
  an encryption relay processor operable to facilitate communication to and from each emulator over the industrial control network, the encryption relay processor executing a cryptographic function for a communication between the emulator and a node on the industrial control network when the respective controller device is incapable of performing the cryptographic function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, further comprising a security server operable to maintain the respective profile for the respective controller device and to implement the emulator.
  - 3. The system of claim 2, wherein the security server is operable to reference specification information for the respective controller device and to generate the profile based on the specification information.
  - 4. The system of claim 2, wherein the security server is operable to create the emulator based on its respective profile.
  - 5. The system of claim 2, wherein the security server and the encryption relay processor are each operable to maintain a list of controller devices that are incapable of performing the cryptographic function.
  - 6. The system of claim 2, wherein the security server and the encryption relay processor are each operable to maintain a shared encryption key and to perform key negotiation protocols, and wherein the communication is encrypted or decrypted using the shared encryption key.
  - 7. The system of claim 1, wherein the encryption relay processor does not execute the cryptographic function for the communication between the emulator and the node on the industrial control network when the respective controller device is capable of performing the cryptographic function.
  - 8. The system of claim 1, further comprising a firewall between the one or more emulators and the encryption relay processor.

9. A computer-implemented method for facilitating communication in an industrial control network, the method being executed by one or more processors and comprising:
- receiving, from a site security server, an encrypted query for a controller device;
  
  determining that the controller device is incapable of performing a cryptographic operation;
  
  after determining that the controller device is incapable of performing a cryptographic operation, decrypting the query for the controller device and providing the decrypted query to the controller device;
  
  in response to receiving an unencrypted query response from the controller device, encrypting the query response; and
  
  providing the encrypted query response to the site security server.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer-implemented method of claim 9, further comprising referencing specification information for the controller device and generating a profile for the controller device that includes information about its security capabilities, based on the specification information.
  - 11. The computer-implemented method of claim 10, further comprising creating an emulator for the controller device based on the profile for the controller device, wherein the emulator handles cryptographic operations for its corresponding controller device.
  - 12. The computer-implemented method of claim 10, wherein determining that the controller device is incapable of performing the cryptographic operation includes referencing the profile for the controller device.
  - 13. The computer-implemented method of claim 9, further comprising maintaining a list of controller devices that are incapable of performing the cryptographic operation, wherein determining that the controller device is incapable of performing the cryptographic operation includes referencing the list.
  - 14. The computer-implemented method of claim 9, wherein the encrypted query for the controller device is received from the site security server through a firewall, and the encrypted query response is provided to the site security server through the firewall.

15. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for facilitating communication in an industrial control network, the operations comprising:
- receiving, from a site security server, an encrypted query for a controller device;
  
  determining that the controller device is incapable of performing a cryptographic operation;
  
  after determining that the controller device is incapable of performing a cryptographic operation, decrypting the query for the controller device and providing the decrypted query to the controller device;
  
  in response to receiving an unencrypted query response from the controller device, encrypting the query response; and
  
  providing the encrypted query response to the site security server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, the operations further comprising referencing specification information for the controller device and generating a profile for the controller device that includes information about its security capabilities, based on the specification information.
  - 17. The non-transitory computer-readable storage medium of claim 16, the operations further comprising creating an emulator for the controller device based on the profile for the controller device, wherein the emulator handles cryptographic operations for its corresponding controller device.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein determining that the controller device is incapable of performing the cryptographic operation includes referencing the profile for the controller device.
  - 19. The non-transitory computer-readable storage medium of claim 15, the operations further comprising maintaining a list of controller devices that are incapable of performing the cryptographic operation, wherein determining that the controller device is incapable of performing the cryptographic operation includes referencing the list.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the encrypted query for the controller device is received from the site security server through a firewall, and the encrypted query response is provided to the site security server through the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Luo, Song, Negm, Walid, Solderitsch, James J., Mulchandani, Shaan, Hassanzadeh, Amin, Modi, Shimon

Granted Patent

US 9,864,864 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0209   Architectural arrangements,...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/0894   Escrow, recovery or storing...

INDUSTRIAL SECURITY AGENT PLATFORM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

144 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INDUSTRIAL SECURITY AGENT PLATFORM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links