Systems and Methods for Securing Industrial Data Streams with a Fog Root of Trust

US 20200137078A1
Filed: 10/24/2018
Published: 04/30/2020
Est. Priority Date: 10/24/2018
Status: Active Grant

First Claim

Patent Images

1. A method for security of industrial data streams arising from industrial applications and devices, comprising:

provisioning a fogNode that is communicatively coupled with a fog cloud manager through a forwarder of the fogNode;

providing a fogLet within the fogNode, the fogLet communicating with a plurality of operational technology devices;

providing fogLet identification information using a root of trust of the fogNode, the root of trust of the fogNode being located in the fogNode;

providing fogLet encryption information using the root of trust of the fogNode;

communicating the fogLet identification information and the fogLet encryption information to the fog cloud manager;

transferring the fogLet identification information and the fogLet encryption information to a third party cloud application for validation of industrial data streams from the plurality of operational technology devices;

receiving operational device authentication information from a third party tenant application, the third party tenant application communicating with the plurality of operational technology devices;

providing the operational device authentication information with fogLet identification information using the root of trust of the fogNode; and

communicating the operational device authentication information with the fogLet identification information to the third party tenant application, the third party tenant application communicating the operational device authentication information with the fogLet identification information to the third party cloud application, the third party cloud application validating the industrial data streams from the plurality of operational technology devices using the operational device authentication information and the fogLet identification information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for security of industrial data streams are provided herein. Methods according to various embodiments include provisioning a fogNode that is communicatively coupled with a fog cloud manager through a forwarder of the fogNode and providing a fogLet within the fogNode, the fogLet communicating with a plurality of operational technology devices. Embodiments include providing fogLet identification information using hardware root of trust of the fogNode, the hardware root of trust of the fogNode being a Trusted Platform Module (TPM) of the fogNode. Embodiments further comprise communicating operational device authentication information with fogLet identification information to a third party tenant application, the third party tenant application validating industrial data streams from the operational technology devices by communicating the operational device authentication information with the fogLet identification information to a third party cloud application.

Citations

20 Claims

1. A method for security of industrial data streams arising from industrial applications and devices, comprising:
- provisioning a fogNode that is communicatively coupled with a fog cloud manager through a forwarder of the fogNode;
  
  providing a fogLet within the fogNode, the fogLet communicating with a plurality of operational technology devices;
  
  providing fogLet identification information using a root of trust of the fogNode, the root of trust of the fogNode being located in the fogNode;
  
  providing fogLet encryption information using the root of trust of the fogNode;
  
  communicating the fogLet identification information and the fogLet encryption information to the fog cloud manager;
  
  transferring the fogLet identification information and the fogLet encryption information to a third party cloud application for validation of industrial data streams from the plurality of operational technology devices;
  
  receiving operational device authentication information from a third party tenant application, the third party tenant application communicating with the plurality of operational technology devices;
  
  providing the operational device authentication information with fogLet identification information using the root of trust of the fogNode; and
  
  communicating the operational device authentication information with the fogLet identification information to the third party tenant application, the third party tenant application communicating the operational device authentication information with the fogLet identification information to the third party cloud application, the third party cloud application validating the industrial data streams from the plurality of operational technology devices using the operational device authentication information and the fogLet identification information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - an offline policy engine, the offline policy engine conditionally elevating security based on analysis of the industrial data streams from the plurality of operational technology devices using a threshold for at least one of data volume of the industrial data streams, frequency of the industrial data streams, and a machine learning filter of the industrial data streams.
  - 3. The method of claim 1, wherein the operational device authentication information comprises manufacturer identification information of the plurality of operational technology devices.
  - 4. The method of claim 3, further comprising:
    - grouping of the industrial data streams from the plurality of operational technology devices based on the manufacturer identification information of the plurality of operational technology devices.
  - 5. The method of claim 1, wherein the root of trust of the fogNode is a hardware root of trust, the hardware root of trust being a Trusted Platform Module of the fogNode.
  - 6. The method of claim 1, wherein the root of trust of the fogNode is a hardware root of trust, the hardware root of trust being a Trusted Platform Module located in the fogLet.
  - 7. The method of claim 5, wherein the providing of the fogLet encryption information comprises the fogNode generating a private signing key with the Trusted Platform Module of the fogNode.
  - 8. The method of claim 7, wherein the providing of the fogLet encryption information further comprises the Trusted Platform Module of the fogNode returning a public key to a virtual machine of the fogNode.
  - 9. The method of claim 1, wherein the operational device authentication information from the third party tenant application comprises a signed authentication cookie.
  - 10. The method of claim 1, wherein the providing of the fogLet encryption information comprises the fogNode providing a private signing key with the Trusted Platform Module of the fogNode.
  - 11. The method of claim 1, wherein the fogLet identification information using the root of trust of the fogNode comprises a time limited, client server specific signed token.
  - 12. The method of claim 11, wherein the validation of the industrial data streams from the plurality of operational technology devices comprises validation of the time limited, client server specific signed token by a token validator of the fog cloud manager.
  - 13. The method of claim 1, wherein the fogLet identification information using the root of trust of the fogNode comprises:
    - a first time limited, client server specific signed identity token, the identity token comprising fogLet identification information for the validating of the industrial data streams from the plurality of operational technology devices; and
      
      a second time limited, client server specific signed access control token, the access control token comprising a timestamp and metadata attributes.
  - 14. The method of claim 13, wherein the validation of the industrial data streams from the plurality of operational technology devices comprises validation of the first time limited, client server specific signed identity token and the second time limited, client server specific signed access control token by a token validator of the fog cloud manager.

15. A system for security of industrial data streams arising from industrial applications and devices, comprising:
- a fog federation comprising at least one fogNode, the at least one fogNode comprising at least one fogLet, the at least one fogLet coupled, using a network, with one or more edge devices, the one or more edge devices generating industrial data streams; and
  
  a fog system manager coupled, using a network, with the fog federation, the fog system manager validating the industrial data streams of the one or more edge devices using a root of trust of the fog federation, the root of trust of the fog federation being located in the fog federation.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the root of trust of the fog federation is at least one of Platform Module (TPM), a Trusted Execution Environment (TEE), and key management (KM) located in the fog federation.
  - 17. The system of claim 15, wherein the root of trust of the fog federation is a hardware root of trust, the hardware root of trust being a Trusted Platform Module located in the at least one fogLet.

18. A system for security of industrial data streams arising from industrial applications and devices, comprising:
- a fogNode comprising at least one fogLet, the at least one fogLet coupled, using a network, with one or more operational technology devices, the one or more operational technology devices generating industrial data streams; and
  
  a fog system manager coupled, using a network, with the a fogNode, the fog system manager validating the industrial data streams of the one or more operational technology devices using a root of trust of the fogNode, the root of trust of the fogNode being located in the fogNode.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the root of trust of the fogNode is a hardware root of trust, the hardware root of trust being a Trusted Platform Module of the fogNode.
  - 20. The system of claim 18, wherein the root of trust of the fogNode is a hardware root of trust, the hardware root of trust being a Trusted Platform Module located in the at least one fogLet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TTTech Industrial Automation AG (TTTech Computertechnik AG)
Original Assignee
Nebbiolo Technologies, Inc. (TTTech Computertechnik AG)
Inventors
Tewari, Ruchir, Gowda, Thushar, Bhagra, Pankaj, Narayanan, Thiru, Chinnakannan, Palani

Granted Patent

US 11,005,857 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/0846   using time-dependent-passwo...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/108   when the policy decisions a...

H04L 63/126   the source of the received ...

H04L 9/0877   using additional device, e....

H04L 9/0897   involving additional device...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3297   involving time stamps, e.g....

Systems and Methods for Securing Industrial Data Streams with a Fog Root of Trust

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Securing Industrial Data Streams with a Fog Root of Trust

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links