RECORDING REMOTE ACCESS ACTIONS IN VIDEO FILES
1. A method of remote access action recording in a video file of a remote session, comprising:
- during said remote session directing said remote access actions of a user including a first action to be applied to a destination device located within at least one industrial control system (ICS) through a terminal server including a memory and a remote access recording component (RARC) and a security center that is coupled by a communication server through a network connection to said ICS, wherein said terminal server is coupled to a streaming server having a recorded session repository database, and wherein said terminal server limits said user to only specifically allowed said remote access actions and directing said first action if said specifically allowed that enables said user selecting said destination device from a menu that then provides a connection to said destination device for said first action to be begun;
said RARC during each sampling interval of said remote session;
recording streams of video of display window content as well as text representing said first action;
combining said text and said display window content to generate a single combined video comprising output file, andstoring said combined video comprising output file in said recorded session repository database.
A method of remote access action includes directing user actions including a first action to a destination device in an industrial control system (ICS) through a terminal server including a memory, a remote access recording component (RARC), and a security center coupled by a communication server through a network connection to the ICS. The terminal server is coupled to a streaming server having a recorded session repository database. The terminal server limits the user to specifically allowed actions and directs actions if allowed enabling user selecting the destination device from a menu that then provides a connection for the first action to be begun. The RARC during the remote session records streams of video of display window content and text representing the first action, combines the text and display window content to generate a combined video output file and stores the file in the session repository database.
- 1. A method of remote access action recording in a video file of a remote session, comprising:
during said remote session directing said remote access actions of a user including a first action to be applied to a destination device located within at least one industrial control system (ICS) through a terminal server including a memory and a remote access recording component (RARC) and a security center that is coupled by a communication server through a network connection to said ICS, wherein said terminal server is coupled to a streaming server having a recorded session repository database, and wherein said terminal server limits said user to only specifically allowed said remote access actions and directing said first action if said specifically allowed that enables said user selecting said destination device from a menu that then provides a connection to said destination device for said first action to be begun; said RARC during each sampling interval of said remote session; recording streams of video of display window content as well as text representing said first action; combining said text and said display window content to generate a single combined video comprising output file, and storing said combined video comprising output file in said recorded session repository database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- 12. A security management system for at least one industrial control system (ICS), comprising:
a terminal server including a memory and a remote access recording component (RARC) coupled to a security center that is coupled by a communication server through a network connection to said ICS, wherein said terminal server is coupled to a streaming server having a recorded session repository database and wherein said terminal server is for limiting a user to only specifically allowed remote access actions and directing a first action if said specifically allowed that enables said user selecting a destination device in said ICS during a remote session from a menu that then provides a connection to said destination device for said first action to be begun; recording streams of video of display window content as well as text representing said first action; storing said combined video comprising output file in said recorded session repository database.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
Disclosed embodiments relate to Industrial Control Systems, more specifically to security management for industrial cyber-security for remotely accessed Industrial Control Systems.
Industrial plants and important infrastructure sites are common across industries such as oil, gas, mining, chemicals, energy, manufacturing and defense. Such plants may be defined by the well-known Purdue model where levels 0-3 in the Purdue model comprise the industrial control system (ICS), with level 0 being the field level with field devices (sensors and actuators) and processing equipment, which utilize an industrial network for its communications, and Level 4 and above (e.g., level 5). Level 4 and above are considered the “enterprise” level(s), such as for production scheduling. The ICS can comprise a distributed control system (DCS) or a supervisory control and data acquisition (SCADA) system.
There has been a move for allowing remote access to devices in the ICS, such as for allowing authorized contactors including vendors, including using the Industrial Internet of Things (IIoT). The advantage of IIoT or other remote access mechanisms is that factories and other industrial enterprises are becoming smarter, with more agile and more efficient operations and businesses. For example, remote access enables vendors to access the equipment they supply to their industrial customers for routine maintenance activities, such as patching, hardening and log collection, as well as rapid responses to certain incidents, including to perform investigations into a sudden drop in production, or a potential cyber-security breach. The downside is that connected industrial operations expose the ICS of factories and manufacturing facilities to external cyber-security risks.
Engineers and contractors can remotely access equipment within one or more of a customer'"'"'s ICS using commercially available remote equipment access platforms, such as a Nextnine Ltd. (now part of Honeywell International Inc.) platform known as an ‘ICS SHIELD’ that is a security management solution for securing one or more ICS. The ICS SHIELD also protects ICS from cyber-security attacks, and enables remote monitoring and process control of its devices such as process controllers, field devices, and processing equipment. Engineers and other authorized individuals using the ICS shield may use a Nextnine'"'"' remote access protocol recording solution known as Session Recording for connecting through a designated remote server to generally perform any action that can be performed from within the ICS. ICS SHIELD sessions which were previously designated to be recorded within the ICS SHIELD software are recorded, thus capturing and storing display window content during remote access sessions, which enables plant auditors to play back the display window content in a video format, including the ability to stream the video in real-time so that an auditor can view the actions taken on his or her plants while the engineer was working.
This Summary is provided to introduce a brief selection of disclosed concepts in a simplified form that are further described below in the Detailed Description including the drawings provided. This Summary is not intended to limit the claimed subject matter'"'"'s scope.
Disclosed embodiments recognize although some remote equipment access platforms provide a recording solution that records the display window content for authorized user remote access sessions to enable later auditing, there remains a problem when the engineer or other individual was connected to the remote server for a long time (e.g. several hours) session. For lengthy sessions it will generally take an extended period of time (almost the time of the entire session) for an auditor to review the entire remote session to enable finding specific transaction(s) of interest that occurred during the session, such as commands entered generally by typing in by the engineer.
Without disclosed recording of remote access user actions in video files, for an auditor to find a specific user command of interest, they must watch a video recording of the session from the start of the session until the command is found by viewing the display window that is provided, such as for say 2 hours in a 3 hour session. This is because the auditor is required to potentially go over the entire video recording until a malicious or other activity of interest is seen. Moreover, the auditor is limited to the actions seen on the screen, which cannot audit for example when a user opens a terminal application, moves its window outside of the view, but is still be able to type in commands which will not be visible on the screen, and thus will be absent from the video recording to enable its auditing.
This Disclosure provides a solution that solves this remote access auditing problem by combining two previously separate methods of remote access plant auditing comprising video recording of the display window content as well as logging of the user'"'"' actions (e.g., keystrokes or voice commands). The video recording and text representing the user'"'"'s actions are provided together into a disclosed combined video comprising output file that contains both video of the display window content and the text representing the user'"'"'s actions.
Disclosed embodiments are described with reference to the attached figures, wherein like reference numerals are used throughout the figures to designate similar or equivalent elements. The figures are not drawn to scale and they are provided merely to illustrate certain disclosed aspects. Several disclosed aspects are described below with reference to example applications for illustration. It should be understood that numerous specific details, relationships, and methods are set forth to provide a full understanding of the disclosed embodiments.
As used herein an industrial process facility runs an industrial process involving a tangible material that disclosed embodiments apply. For example, oil and gas, chemical, beverage, pharmaceutical, pulp and paper manufacturing, petroleum processes, electrical, and water. An industrial process facility that includes an ICS is distinct from a data processing system that only performs data manipulations.
The security management system 110 including the SC 115, its coupled SC database in memory 115b, the communication server (CS) 125, streaming server 135, TS 130, and recorded sessions repository 135a can be physically located at a company'"'"'s headquarters, which is generally at the enterprise level(s) of the plant. Alternatively, most or all the security management system 110 components can be cloud-located at a dedicated virtual machine provider. The ICS1 and ICS2 each include a Virtual Security Engine (VSE) 102 comprising computers shown installed in ICS1 and in ICS2 that communicate through a firewall 109 over the network connection 140, which itself communicates through a firewall 126 to the CS 125. A workstation 138 shown as an auditor'"'"'s workstation is shown coupled to the TS 130 for enabling the providing of an auditing or supervisory function to enable viewing the recording or the live video stream of the session.
The VSE 102 is an enabler of the remote access itself, where an engineer (or other individual) indirectly connects to the VSE 102 through the security management system 110, which in turn redirects the connection to the desired device in the ICS. The VSE 102 does not have any special role in the disclosed recording process. The VSE 102 in the respective ICS are shown coupled to an application station 104 that is coupled to a process controller shown as a programmable logic controller (PLC) 105. The PLC 105 is coupled to control field devices such as the sensor 106 and actuator 107 shown that are coupled to processing equipment shown as 108.
The SC database in memory 115b enables security personnel to centrally define their security policies, and distribute and deploy them to the VSEs 102 at the remote sites, together with rules for monitoring and reporting. The VSEs 102 connect to the various assets in the ICS, monitoring and enforcing its cyber-security.
The TS 130 implements remote access user action recording of actions by authorized users, such as contractors and engineers allowed by the customer to perform work at their sites, as captions in a video file to provide a disclosed combined video comprising output file. The process of injecting captions or subtitles into video files is known, and is widely used in the cinema and TV industries. The video portion comprises whatever the user had seen within the display window of a monitor of a workstation 148 of user'"'"'s remote access connection shown in
The actions of the user can be entered by the user typing on a keyboard of the workstation 148 coupled to the TS 130. For disclosed recording to generally be possible, the session is conducted through the TS 130. The customer may choose not to use a TS 130, and still have ordinary remote access, but will not have any recording capability including command recording. The action of the user may also be a voice command that is processed with voice (or speech) recognition that enables the recognition and translation of spoken language into text by computers. The voice recognition can comprise a computer program or a hardware device that enables the decoding of the human voice. TS 130 thus acts as a recording device for user actions applied to a device in the ICS such as PLC 105, sensor 106, actuator 107, or processing equipment 108, through the SC 115.
The TS 130 limits and direct the users to specific allowed actions. For example, the SC 115 can be accessed from the workstation 148 as a SC website, which can be the portal through which the users select their destination device in an ICS through connecting to TS 130, inside of which the only available function can be to open a browser to the SC 115. The TS 130 has a memory 130a and remote access recording component (RARC) comprising RARC firmware 130b or RARC logic gates 130c.
As known in the art, algorithms such as for generating disclosed single video files containing both video and user actions algorithms may be implemented by hardware or can be implemented by software. Regarding hardware-based implementations, algorithm equations can be converted into a digital logic gate pattern, such as using a Very High Speed Integrated Circuits (VHSIC) Hardware Description Language (VHDL) that can then be realized using a programmable device such as a field-programmable gate array (FPGA) or a dedicated application-specific integrated circuit (ASIC) to implement the needed logic gate pattern shown as hardware including digital logic. Only one of the RARC firmware 130b and RARC logic gates 130c shown in
The RARC component is for capturing streams of video of the user'"'"'s screen actions as well as keystrokes or voice commands through voice recognition. The RARC component combines the user'"'"' actions such as keystrokes as text in captions in the streams of video to generate a single combined video comprising output file. There is generally a combined video comprising a frame every sampling/recording interval, from the time of the remote connection to through the full user action duration. The combined video comprising output files include the user commands such as keystrokes with the video at a same moment in video time as they were commanded by the user. The combined video comprising output files are stored in a recorded sessions repository database 135a of a memory of the database streaming server 135.
In the case of keylogging, keystroke logging, generally referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard. Data can then be retrieved by the person operating the logging program.
The keyboard device driver interprets a scan code and translates it to a virtual-key code, a device-independent value defined by the system that identifies the purpose of a key. After translating a scan code, the keyboard device driver creates a message that includes the scan code, the virtual-key code, and other information about the keystroke, and then places the message in the system message queue. The system removes the message from the system message queue and posts it to the message queue of the appropriate thread of the application. Later, the thread'"'"'s message loop removes the message and passes it to the appropriate window procedure of the application for processing.
The user generally comprises a contractor or engineer allowed by a manager of the ICS to perform remote work at the ICS. The destination device can comprise a process controller, field device, or processing equipment, and the first action can comprise changing a setting of the process controller, field device, or changing a threshold value or a login permission.
The RARC 130b during each sampling interval of the remote session implements steps 202-204. Step 202 comprises recording streams of video of display window content as well as text representing the first action. As described above, the remote access actions can comprise keystrokes or voice commands by the user entered on a workstation computer coupled to the TS 130.
Step 203 comprises combining the text and display window content to generate a single combined video comprising output file. The text of remote access actions can be added as a caption in the display window content. Step 204 comprises storing the combined video comprising output file in the recorded session repository database.
The method can further comprise an auditor connected to the SC 115 for auditing at least one remote session comprising streaming the combined video comprising output files stored in the recorded sessions repository database 135a to identify a malicious activity. The session recordings in the recorded sessions repository database 135a are accessed via the SC 115. The sessions repository database 135a is generally transparent to users of the security management system 110, as they only generally ‘see’ the SC. Although the workstation 138 in
An auditor utilizing a disclosed combined video comprising output file can now find a specific command of interest using at least two different audit options. A first audit option comprises viewing/downloading the recorded combined video comprising output file and following the user'"'"'s (e.g., engineer'"'"'s) actions along the way, seeing the keystrokes or other commands as captions similar to subtitle/caption dubbing for a foreign language film. A second audit option can use an ICS SHIELD web portal to search the database for the specified remote access session, including searching by a particular term, command, or part of command. In addition, the auditor can receive a textual list of the user'"'"' commands made during the session in a single file/document, allowing for a rapid overview of the user'"'"'s actions regardless of the length of the session or idle times in the session.
Disclosed embodiments are further illustrated by the following specific Examples, which should not be construed as limiting the scope or content of this Disclosure in any way.
A customer allowed certain authorized contractors and engineers to access the SC 115 through a TS 130 on which disclosed firmware 130b for a disclosed RARC was installed. As described above, the firmware 130b captures and streams a video of the contractor'"'"'s engineer'"'"'s remote actions, and the firmware 130b also includes code for recording all of the engineer'"'"'s keystrokes and streaming them along the video as an additional caption (or subtitle track). The streaming server 135 received the additional text data and combined it with the video data, and the output file contained frames including text representing the keystrokes at the exact moment in time (video time) that they were pressed. In addition, the keystrokes were saved in the recorded sessions repository database 135a, enabling auditors to have the capability to search for them.
One search method for auditing connects to the SC 115 via the TS 130, such as using workstation 148 in
While various disclosed embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Numerous changes to the subject matter disclosed herein can be made in accordance with this Disclosure without departing from the spirit or scope of this Disclosure. In addition, while a particular feature may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application.