Process control methods and apparatus for intrusion detection, protection and network hardening

US 7,761,923 B2
Filed: 03/01/2005
Issued: 07/20/2010
Est. Priority Date: 03/01/2004
Status: Active Grant

First Claim

Patent Images

1. A digital data network for use with process control systems, computer-based manufacturing/production control systems, environmental control systems, and/or industrial control system (collectively, “

control systems”

), the digital data network comprising;

A. a plurality of digital data devices,B. network media that is coupled to digital data devices to support communications therewith,C. the digital data network comprising a first zone and a second zone, each zone including one or more of the digital data devices and the network media that is coupled thereto, the first zone comprising digital data devices executing business applications, the second zone comprising devices that monitor and control a control system,D. the network media of the first zone being coupled for at least selected communications to a network external to the digital data network by a first firewall and any of a first intrusion protection system (IPS) and a first intrusion detection system (IDS), andE. the network media of the second zone being coupled for selected communications to the first zone by a second firewall and any of a second intrusion protection system (IPS) and a second intrusion detection system (IDS),F. wherein any of the first IPS and first IDS implements security protocols tailored to connectivity requirements or traffic patterns of the first zone, and any of the second IPS and second IDS implements security protocols tailored to connectivity requirements or traffic patterns of the second zone, at least one of said security protocols implemented in the first or second zones utilizing signature-based detection, where signature-based detection utilized in the first zone, if any, comprises signatures specific to business networks and signature-based detection utilized in the second zone, if any, comprises signatures specific to control networks.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides an improved network and methods of operation thereof for use in or with process control systems, computer-based manufacturing or production control systems, environmental control systems, industrial control system, and the like (collectively, “control systems”). Those networks utilize a unique combination of firewalls, intrusion detection systems, intrusion protection devices and/or other devices for hardening (e.g., security against hacking, intrusion or other mischievous conduct) and/or intrusion detection. The networks and methods have application, by way of example, in plants, sites and other facilities in which networks that support control systems interface with corporate, business or other networks.

Citations

31 Claims

1. A digital data network for use with process control systems, computer-based manufacturing/production control systems, environmental control systems, and/or industrial control system (collectively, “
- control systems”
  
  ), the digital data network comprising;
  
  A. a plurality of digital data devices,B. network media that is coupled to digital data devices to support communications therewith,C. the digital data network comprising a first zone and a second zone, each zone including one or more of the digital data devices and the network media that is coupled thereto, the first zone comprising digital data devices executing business applications, the second zone comprising devices that monitor and control a control system,D. the network media of the first zone being coupled for at least selected communications to a network external to the digital data network by a first firewall and any of a first intrusion protection system (IPS) and a first intrusion detection system (IDS), andE. the network media of the second zone being coupled for selected communications to the first zone by a second firewall and any of a second intrusion protection system (IPS) and a second intrusion detection system (IDS),F. wherein any of the first IPS and first IDS implements security protocols tailored to connectivity requirements or traffic patterns of the first zone, and any of the second IPS and second IDS implements security protocols tailored to connectivity requirements or traffic patterns of the second zone, at least one of said security protocols implemented in the first or second zones utilizing signature-based detection, where signature-based detection utilized in the first zone, if any, comprises signatures specific to business networks and signature-based detection utilized in the second zone, if any, comprises signatures specific to control networks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The digital data network of claim 1, wherein one or more of the digital data devices of the second zone comprise control devices.
  - 3. The digital data network of claim 2, wherein one or more of the control devices being any of (i) coupled to any of actuators and sensors for the control system and (ii) comprising any of actuators and sensors for the control system.
  - 4. The digital data network of claim 3, wherein the network external to the digital data network comprises a public network
  - 5. The digital data network of claim 3, wherein the network external to the digital data network comprises an Internet.
  - 6. The digital data network of claim 5, wherein one or more digital data devices of the first zone execute any of an Internet browser and a messaging application.
  - 7. The digital data network of claim 1, comprising a third zone including one or more control devices coupled for communication with one or more digital data devices of the second zone.
  - 8. The digital data network of claim 7, wherein one or more of the control devices are coupled to any of actuators and sensors that make up at least a portion of the control system and/or a system controlled thereby.
  - 9. The digital data network of claim 7, wherein the one or more control devices of the third zone that are coupled to the one or more digital data devices of the second zone via any of media and devices supporting a control network protocol.
  - 10. The digital data network of claim 9, wherein the control network protocol comprises any of a FieldBus protocol, a ProfiBus protocol, a ModBus protocol, a Nodebus protocol, and an OPC protocol.
  - 11. The digital data network of claim 9, comprising any of a control station and a interface providing communications coupling between one or more control devices of the third zone and one or more digital data devices of the second zone.
  - 12. The digital data network of claim 10, wherein the network media of the first and second zones include any of local area networks and wide area networks.
  - 13. The method of claim 1, wherein the security protocol implemented in the first zone utilizes signature-based detection with signatures specific to business networks and the security protocol implemented in the second zone utilizes signature-based detection with signatures specific to control networks.

14. A digital data network for use with process control systems, computer-based manufacturing/production control systems, environmental control systems, and/or industrial control system (collectively, “
- control systems”
  
  ), the digital data network comprising;
  
  A. a first network zone comprising one or more digital data processors that are coupled for communications via network media and that execute applications to provide any of a monitoring and control interface to control devices of the control system,B. a second network zone comprising one or more digital data processors that are coupled for communication via network media and that execute any of business, engineering and scientific applications and functions (collectively, “
  
  business applications”
  
  ) connected with a manufacturing, environmental control, industrial or other operation in which control systems are employed,C. a third network zone comprising one or more digital data processors that are coupled for communication via network media and that execute business applications,D. the network media of the third network zone being coupled to a public network by a first firewall and any of a first intrusion protection system (IPS) and a first intrusion detection system (IDS),E. the network media of the second network zone being coupled to the network media of the third network zone by a second firewall,F. the network media of the first network zone being coupled to the network media of the second network zone by a firewall and any of a second intrusion protection system (IPS) and a second intrusion detection system (IDS),G. wherein any of the first IPS and first IDS implements security protocols tailored to connectivity requirements or traffic patterns of the third zone, and any of the second IPS and second IDS implements security protocols tailored to connectivity requirements or traffic patterns of the first zone, at least one of said security protocols implemented in the first or third zones utilizing signature-based detection, where signature-based detection utilized in the first zone, if any, comprises signatures specific to control networks and signature-based detection utilized in the third zone, if any, comprises signatures specific to business networks.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The digital data network of claim 14, further comprising a field I/O network zone comprising one or more of said control devices, the control devices being any of (i) coupled to any of actuators and sensors for the control system and (ii) comprising any of actuators and sensors for the control system.
  - 16. The digital data network of claim 15, wherein one or more control devices of the field I/O network zone are coupled to the one or more digital data processors of the first network zone via any of media and devices supporting a control network protocol.
  - 17. The digital data network of claim 16, wherein the control network protocol comprises any of a FieldBus protocol, a ProfiBus protocol, a ModBus protocol, a Nodebus protocol, and an OPC protocol.
  - 18. The digital data network of claim 17, comprising any of a control station and a interface providing communications coupling between one or more control devices of the field I/O zone and one or more digital data devices of the first network zone.
  - 19. The digital data network of claim 14, wherein the network media of each of the first business network zone and the second business network zone comprise any of a local area network (LAN) and a wide area network (WAN).
  - 20. The method of claim 14, wherein the security protocol implemented in the first zone utilizes signature-based detection with signatures specific to control networks and the security protocol implemented in the third zone utilizes signature-based detection with signatures specific to business networks.

21. A method of operating a digital data network for use with process control systems, computer-based manufacturing/production control systems, environmental control systems, and/or industrial control system (collectively, “
- control systems”
  
  ), the method comprising;
  
  A. executing business applications on or more digital data processors that are interconnected in a first zone on the network,B. controlling the control system with one or more digital data processors that are interconnected in a second zone on the network,C. filtering with a first firewall digital data traffic between a network external to the digital data network and the first zone,D. filtering with a second firewall digital data traffic between the first zone and the second zone, andE. monitoring with any of a first intrusion detection system (IDS) and a first intrusion protection system (IPS) digital data traffic traveling between the first zone and the external network,F. monitoring with any of a second intrusion detection system (IDS) and a second intrusion protection system (IPS) digital data traffic traveling between the first zone and the second zone. ,G. implementing, with any of the first IPS and first IDS, security protocols tailored to connectivity requirements or traffic patterns of the first zone,H. implementing, with any of the second IPS and second IDS, security protocols tailored to connectivity requirements or traffic patterns of the second zone,I. wherein at least one of said security protocols implemented in the first or second zones utilizes signature-based detection, where signature-based detection utilized in the first zone, if any, comprises signatures specific to business networks and signature-based detection utilized in the second zone, if any, comprises signatures specific to control networks.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 22. The method of claim 21, comprising signaling an alert when traffic monitored in step (E) is indicative of an intrusion.
  - 23. The method of claim 21, comprising blocking traffic identified in step (E) as an intrusion.
  - 24. The method of claim 21, wherein one or more of the digital data devices of the second zone comprise control devices.
  - 25. The method of claim 21, wherein one or more of the control devices being any of (i) coupled to any of actuators and sensors for the control system and (ii) comprising any of actuators and sensors for the control system.
  - 26. The method of claim 21, comprising executing any of an Internet browser and a messaging application with a digital data device in the first zone.
  - 27. The method of claim 21, communicating between one or more of the digital data devices in the second zone and one or more control devices in a third zone of the network.
  - 28. The method of claim 27, wherein one or more of the control devices are coupled to any of actuators and sensors that comprise and/or form at least a part of a system being controlled.
  - 29. The method of claim 27, comprising communicating between the one or more control devices of the third zone and the one or more digital data devices of the second zone via any of media and devices supporting a control network protocol.
  - 30. The method of claim 29, wherein the control network protocol comprises any of a FieldBus protocol, a ProfiBus protocol, a ModBus protocol, a Nodebus protocol, and an OPC protocol.
  - 31. The method of claim 21, wherein implementing the security protocol in the first zone comprises utilizing signature-based detection with signatures specific to business networks and implementing the security protocol in the second zone comprises utilizing signature-based detection with signatures specific to control networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Schneider Electric Systems USA, Inc. (Schneider Electric SE)
Original Assignee
Invensys Systems Incorporated (Invensys PLC)
Inventors
Simpson, George, Khuti, Bharat, Rath, David, Rakaczky, Ernest, Leslie, Jim, Peralta, Juan, Coleman, Clayton
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Reza; Mohammad W

Application Number

US11/069,465
Publication Number

US 20060294579A1
Time in Patent Office

1,967 Days
Field of Search

713/193, 726/11, 726/23, 726/27
US Class Current

726/27
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

H04L 67/12   specially adapted for propr...

Process control methods and apparatus for intrusion detection, protection and network hardening

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Process control methods and apparatus for intrusion detection, protection and network hardening

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links