PROCESS PLANT NETWORK WITH SECURED EXTERNAL ACCESS
Abstract
A process control system having an external data server that provides process control data to external networks via one or more firewalls implements a cost-effective security mechanism that reduces or eliminates the ability of the external data server to be compromised by viruses or other security attacks. The security mechanism includes a DMZ gateway disposed outside of the process control network that connects to an external data server located within the process control network. A configuration engine is located within the process control network and configures the external data server to publish one or more preset or pre-established data views to the DMZ gateway, which then receives the data/events/alarms as defined by the data views from the control system automatically, without performing read and write requests to the external data server. The DMZ gateway then republishes the data within the data views on an external network to make the process control data within the published data views available to one or more client applications connected to the external network. Because this security mechanism does not support client read, write, or configuration access to the external data server within the control system, this security mechanism limits the opportunity of viruses to use the structure in the DMZ gateway device to access the process control network.
37 Claims
1. A communication system, comprising:
a process control network including a plurality of process control devices communicatively connected together;
an external data server disposed within the process control network;
an external communications network disposed outside of the process control network;
a gateway device communicatively coupled between the external data server and the external communications network; and
a configuration application stored on a computer memory within a device within the process control network, that executes on a processor within the device within the process control network to configure the external data server to publish data to the external communications network according to one or more data views, wherein each of the one or more data views defines a set of process control data to be published.
18. A communication system, comprising:
a process control network including a plurality of process control devices communicatively connected together;
an external data server disposed within the process control network;
an external communications network disposed outside of the process control network; and
a gateway device communicatively coupled between the external data server and the external communications network;
wherein the external data server stores one or more data view files and executes to publish data to the gateway device according to one or more data view files, wherein each of the one or more data view files defines a set of process control data from within the process control network to be published and wherein the gateway device stores a set of further data view files defining data to be received from the external data server via publications from the external data server and the gateway device is configured to republish data to one or more client applications connected to the external communications network using the set of further data view files.
28. A method of securely providing information from a process control network to an external communications network in a system having an external data server coupled within the process control network and that is communicatively connected to a gateway device that is connected to the external communications network, comprising:
storing one or more data view files in the external data server, wherein each data view file specifies a set of process control data to be regularly published to the external communications network;
configuring the external data server to communicate with the gateway device using data publish signals;
causing the external data server to automatically publish process control data specified by the one or more data view files to the gateway device; and
preventing the external data server from responding to read, write and configuration commands from the gateway device.
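The publish-only flow described in the abstract and in the method of claim 28, as an added sketch that is not part of the patent text or any vendor implementation. The class names, tag names and message fields are hypothetical, and in-process calls stand in for the network link between the external data server and the gateway.

```python
"""Publish-only flow: external data server -> DMZ gateway -> clients."""

# Constructed process data; tag names are illustrative only.
PROCESS_DATA = {"FIC101/PV": 42.7, "TIC205/PV": 181.3,
                "FIC101/SP": 45.0, "SIS/TRIP_BYPASS": 0}

class Gateway:
    """DMZ gateway: accepts publications, republishes per its own view files."""
    def __init__(self, views):
        self.views = views      # view name -> set of tags expected from the server
        self.cache = {}         # view name -> last published values

    def on_publish(self, view, values):
        allowed = self.views.get(view)
        if allowed is None:
            return              # drop publications for views the gateway does not hold
        self.cache[view] = {t: v for t, v in values.items() if t in allowed}

    def client_read(self, view):
        # Clients are answered from the gateway's cache only; no request
        # is forwarded into the process control network.
        return dict(self.cache.get(view, {}))

class ExternalDataServer:
    """Sits inside the control network; its only outbound action is publish."""
    def __init__(self, views, gateway):
        self.views = views      # written by the configuration application
        self.gateway = gateway

    def publish_cycle(self, data):
        for name, tags in self.views.items():
            payload = {t: data[t] for t in tags if t in data}
            self.gateway.on_publish(name, payload)

    def handle_inbound(self, msg):
        # No read, write or configuration handler exists: every inbound
        # command from the gateway side is refused, whatever it contains.
        return {"status": "rejected", "op": msg.get("op")}

def demo():
    server_views = {"flow_overview": ["FIC101/PV", "TIC205/PV"]}
    gw = Gateway({"flow_overview": {"FIC101/PV", "TIC205/PV"}})
    eds = ExternalDataServer(server_views, gw)
    eds.publish_cycle(PROCESS_DATA)
    refused = [eds.handle_inbound({"op": op, "tag": "FIC101/SP"})
               for op in ("read", "write", "configure")]
    return gw.client_read("flow_overview"), refused
```

Tags outside a data view, such as the setpoint and the bypass flag in the sample data, never leave the control network, and the gateway's own view file filters a second time in case the server side is misconfigured.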
Specification