Firewall System and Method for Establishing Secured Communications Connections to an Industrial Automation System

US 20190317481A1
Filed: 06/27/2017
Published: 10/17/2019
Est. Priority Date: 07/12/2016
Status: Active Grant

First Claim

Patent Images

1-11. -11. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A connection management device for establishing secured communications connections to an industrial automation system, wherein the device provides, in cases of a positive authorization verification outcome, access control information for establishing an encrypted communication connection between a first communication unit of a requesting user and a selected second communication unit, where the connection management device is formed by a server instance running on a firewall system, where data packets transmitted via an encrypted communications connection between the first communication unit of the requesting user and the selected second communication unit are encrypted for verification by the firewall system, based on specified security rules and, in cases of a successful verification, the data packets are forwarded encrypted to the first communication unit of the requesting user or to the selected second communication unit.

3 Citations

25 Claims

1-11. -11. (canceled)

12. A method for establishing secured communications connections to an industrial automation system in which communications connections are set up from first communications devices outside of the industrial automation system to second communications devices assigned to the industrial automation system via a connection management device, the communications connections established via the connection management device between first communications devices and second communications devices being Virtual Private Network (VPN) connections, the connection management device being formed by a server instance running on a firewall system, and data packets transmitted via an encrypted communications connection between the first communication device of the requesting user and the selected second communication device being decrypted for a verification by the firewall system based on defined security rules, the method comprising:
- performing, by the connection management device, an authorization verification for a requesting user based on an access control list in an event of a request to set up a connection to a selected second communication device by a requesting user of a first communication device, the authorization verification comprising an authentication of the requesting user against the connection management device;
  
  providing, by the connection management device, access control information for establishing an encrypted communications connection between the first communication device of the requesting user and the selected second communication device for these communication devices in an event of a positive authorization verification outcome, the connection management device providing access control information to the requesting user regarding a use of a VPN connection between the first communication device of the requesting user and the selected second communication device only after an authentication of the requesting user, and the access control information items comprising passwords for VPN sessions or temporarily valid passwords;
  
  forwarding, the firewall system, data packets successfully verified based on defined security rules in encrypted form to at least one of (i) the first communication device of the requesting user and (ii) the selected second communication device, the verification by the firewall system based on the defined security rules comprising a verification of a correctness of passwords for VPN sessions or temporarily valid passwords; and
  
  rejecting, by the firewall system, data packets for the transmission of which incorrect passwords have been specified.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 13. The method as claimed in claim 12, wherein the access control list comprises user-specific information about each permissible communication connection between at least one first communication device and at least one second communication device.
  - 14. The method as claimed in claim 12, wherein in cases of a positive authorization verification outcome, the connection management device provides an encrypted communications connection to the first communication device of the requesting user and to the selected second communication device and links these communications connections to each other.
  - 15. The method as claimed in claim 14, wherein in cases of a positive authorization verification outcome, the connection management device provides an encrypted communications connection to the first communication device of the requesting user and to the selected second communication device and links these communications connections to each other.
  - 16. The method as claimed in claim 12, wherein the data packets transmitted via the encrypted communications connection between the first communication device of the requesting user and the selected second communication device are decrypted by the firewall system and are verified based on the defined security rules;
    - and wherein data packets to be forwarded that are successfully verified based on the defined security rules are encrypted by the firewall system.
  - 17. The method as claimed in claim 13, wherein the data packets transmitted via the encrypted communications connection between the first communication device of the requesting user and the selected second communication device are decrypted by the firewall system and are verified based on the defined security rules;
    - and wherein data packets to be forwarded that are successfully verified based on the defined security rules are encrypted by the firewall system.
  - 18. The method as claimed in claim 14, wherein the data packets transmitted via the encrypted communications connection between the first communication device of the requesting user and the selected second communication device are decrypted by the firewall system and are verified based on the defined security rules;
    - and wherein data packets to be forwarded that are successfully verified based on the defined security rules are encrypted by the firewall system.
  - 19. The method as claimed in claim 16, wherein at least one of (i) a decryption of data packets and (ii) an encryption of data packets is performed by the firewall system in hardware.
  - 20. The method as claimed in claim 12, wherein the defined security rules comprise at least one of (i) firewall rules and (ii) rules relating to an admissibility of at least one of control commands and control parameters for automation devices specified in data packets.
  - 21. The method as claimed in claim 12, wherein the firewall system rejects data packets that do not comply with the defined security rules.
  - 22. The method as claimed in claim 12, wherein the firewall system is arranged in a secured communication network of the industrial automation system.
  - 23. The method as claimed in claim 12, wherein the connection management device is a rendezvous server.
  - 24. The method as claimed in claim 12, wherein the second communication devices are integrated into automation devices or assigned to said automation devices.

25. A firewall system comprising:
- a processor;
  
  memory operatively coupled to said processor;
  
  wherein the firewall system is configured to;
  
  verify data packets based on specified security rules;
  
  process at least one server instance forming a connection management device which is configured to establish a communications connection from first communication devices outside of an industrial automation system to second communication devices assigned to the industrial automation system;
  
  wherein the communications connections established via the connection management device between first communications devices and second communications devices are Virtual Private Network (VPN) connections;
  
  wherein the connection management device is further configured, in an event of a request, to set up a connection to a selected second communication device by a requesting user of a first communication device, and is further configured to perform an authorization verification for the requesting user based on an access control list, the authorization verification comprising an authentication of the requesting user against the connection management device;
  
  wherein the connection management device is additionally configured, in the event of a positive authorization verification outcome, to provide access control information for establishing an encrypted communications connection between the first communication device of the requesting user and the selected second communication device for these communication devices;
  
  wherein the connection management device is additionally configured to provide access control information to the requesting user regarding use of a VPN connection between the first communication device of the requesting user and the selected second communication device only after an authentication of the requesting user, the access control information items comprising passwords for VPN sessions or temporarily valid passwords; and
  
  wherein the firewall system is further configured to;
  
  decrypt data packets transmitted via an encrypted communications connection between the first communication device of the requesting user and the selected second communication device for the verification based on defined security rules; and
  
  forward data packets successfully verified based on the defined security rules in encrypted form to the first communication device of the requesting user or to the selected second communication device, the verification by the firewall system based on the defined security rules comprising a verification of the correctness of passwords for VPN sessions or temporarily valid passwords, andreject data packets, for the transmission of which incorrect passwords have been specified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
GLAS, Karl, GOTTWALD, Sven

Granted Patent

US 11,209,803 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/4185   characterised by the networ...

G05B 2219/25205   Encrypt communication

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

Y02P 90/02   Total factory control, e.g....

Firewall System and Method for Establishing Secured Communications Connections to an Industrial Automation System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

3 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall System and Method for Establishing Secured Communications Connections to an Industrial Automation System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links