INDUSTRIAL SECURITY AGENT PLATFORM

US 20180144144A1
Filed: 11/27/2017
Published: 05/24/2018
Est. Priority Date: 09/23/2014
Status: Active Grant

First Claim

Patent Images

1. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network. The encryption relay processor can execute a cryptographic function for a communication between the emulator and a node on the industrial control network when the respective controller device is incapable of performing the cryptographic function.

154 Citations

21 Claims

1. (canceled)

2. A computer-implemented method, the method being executed by one or more processors and comprising:
- for each controller device of a plurality of controller devices in an operational technology network;
  
  determining a security capability of the controller device that is indicative of whether the controller device is capable of performing a security operation within the operational technology network; and
  
  based on the determined security capability of the controller device, generating a security profile for the controller device;
  
  receiving, by a security relay in the operational technology network, and from a requester device that is outside of the operational technology network, a first request to communicate with a first controller device in the operational technology network;
  
  determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, based on a first security profile that corresponds to the first controller device;
  
  after determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, providing, by the security relay, security services for communication between the first controller device and the requester device that is outside of the operational technology network.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. The computer-implemented method of claim 2, wherein the security capability of the controller device is determined based on specifications for the controller device.
  - 4. The computer-implemented method of claim 2, further comprising monitoring network communications of the controller device, wherein the security capability of the controller device is based on whether the monitored network communications are encrypted.
  - 5. The computer-implemented method of claim 2, further comprising attempting to establish a network connection with the controller device, wherein the security capability of the controller device is based on whether the controller device requests credentials.
  - 6. The computer-implemented method of claim 2, further comprising:
    - receiving, by the security relay in the operational technology network, and from the requester device that is outside of the operational technology network, a second request to communicate with a second controller device in the operational technology network;
      
      determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, based on a second security profile that corresponds to the second controller device;
      
      after determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, not providing, by the security relay, security services for communication between the second controller device and the requester device that is outside of the operational technology network.
  - 7. The computer-implemented method of claim 2, further comprising creating a first emulator for the first controller device based on the first security profile, wherein the security relay uses the first emulator to handle security services for the first controller device.
  - 8. The computer-implemented method of claim 2, further comprising, for each controller device of the plurality of controller devices in the operational technology network, adding the generated security profile for the controller device to a library of security profiles.
  - 9. The computer-implemented method of claim 2, wherein the security services include one or more of cryptographic services and authentication services.

10. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  for each controller device of a plurality of controller devices in an operational technology network;
  
  determining a security capability of the controller device that is indicative of whether the controller device is capable of performing a security operation within the operational technology network; and
  
  based on the determined security capability of the controller device, generating a security profile for the controller device;
  
  receiving, by a security relay in the operational technology network, and from a requester device that is outside of the operational technology network, a first request to communicate with a first controller device in the operational technology network;
  
  determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, based on a first security profile that corresponds to the first controller device;
  
  after determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, providing, by the security relay, security services for communication between the first controller device and the requester device that is outside of the operational technology network.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the security capability of the controller device is determined based on specifications for the controller device.
  - 12. The system of claim 10, the operations further comprising monitoring network communications of the controller device, wherein the security capability of the controller device is based on whether the monitored network communications are encrypted.
  - 13. The system of claim 10, the operations further comprising attempting to establish a network connection with the controller device, wherein the security capability of the controller device is based on whether the controller device requests credentials.
  - 14. The system of claim 10, the operations further comprising:
    - receiving, by the security relay in the operational technology network, and from the requester device that is outside of the operational technology network, a second request to communicate with a second controller device in the operational technology network;
      
      determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, based on a second security profile that corresponds to the second controller device;
      
      after determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, not providing, by the security relay, security services for communication between the second controller device and the requester device that is outside of the operational technology network.
  - 15. The system of claim 10, the operations further comprising creating a first emulator for the first controller device based on the first security profile, wherein the security relay uses the first emulator to handle security services for the first controller device.

16. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
- for each controller device of a plurality of controller devices in an operational technology network;
  
  determining a security capability of the controller device that is indicative of whether the controller device is capable of performing a security operation within the operational technology network; and
  
  based on the determined security capability of the controller device, generating a security profile for the controller device;
  
  receiving, by a security relay in the operational technology network, and from a requester device that is outside of the operational technology network, a first request to communicate with a first controller device in the operational technology network;
  
  determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, based on a first security profile that corresponds to the first controller device;
  
  after determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, providing, by the security relay, security services for communication between the first controller device and the requester device that is outside of the operational technology network.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the security capability of the controller device is determined based on specifications for the controller device.
  - 18. The non-transitory computer-readable storage medium of claim 16, the operations further comprising monitoring network communications of the controller device, wherein the security capability of the controller device is based on whether the monitored network communications are encrypted.
  - 19. The non-transitory computer-readable storage medium of claim 16, the operations further comprising attempting to establish a network connection with the controller device, wherein the security capability of the controller device is based on whether the controller device requests credentials.
  - 20. The non-transitory computer-readable storage medium of claim 16, the operations further comprising:
    - receiving, by the security relay in the operational technology network, and from the requester device that is outside of the operational technology network, a second request to communicate with a second controller device in the operational technology network;
      
      determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, based on a second security profile that corresponds to the second controller device;
      
      after determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, not providing, by the security relay, security services for communication between the second controller device and the requester device that is outside of the operational technology network.
  - 21. The non-transitory computer-readable storage medium of claim 16, the operations further comprising creating a first emulator for the first controller device based on the first security profile, wherein the security relay uses the first emulator to handle security services for the first controller device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Luo, Song, Negm, Walid, Solderitsch, James J., Mulchandani, Shaan, Hassanzadeh, Amin, Modi, Shimon

Granted Patent

US 10,824,736 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0209   Architectural arrangements,...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/0894   Escrow, recovery or storing...

INDUSTRIAL SECURITY AGENT PLATFORM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

154 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

INDUSTRIAL SECURITY AGENT PLATFORM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links