Process control methods and apparatus for intrusion detection, protection and network hardening
Abstract
The invention provides an improved network and methods of operation thereof for use in or with process control systems, computer-based manufacturing or production control systems, environmental control systems, industrial control systems, and the like (collectively, “control systems”). Those networks utilize a unique combination of firewalls, intrusion detection systems, intrusion protection devices and/or other devices for hardening (e.g., security against hacking, intrusion or other mischievous conduct) and/or intrusion detection. The networks and methods have application, by way of example, in plants, sites and other facilities in which networks that support control systems interface with corporate, business or other networks.
Claims (31)
1. A digital data network for use with process control systems, computer-based manufacturing/production control systems, environmental control systems, and/or industrial control systems (collectively, “control systems”), the digital data network comprising:
A. a plurality of digital data devices,
B. network media that is coupled to digital data devices to support communications therewith,
C. the digital data network comprising a first zone and a second zone, each zone including one or more of the digital data devices and the network media that is coupled thereto, the first zone comprising digital data devices executing business applications, the second zone comprising devices that monitor and control a control system,
D. the network media of the first zone being coupled for at least selected communications to a network external to the digital data network by a first firewall and any of a first intrusion protection system (IPS) and a first intrusion detection system (IDS), and
E. the network media of the second zone being coupled for selected communications to the first zone by a second firewall and any of a second intrusion protection system (IPS) and a second intrusion detection system (IDS),
F. wherein any of the first IPS and first IDS implements security protocols tailored to connectivity requirements or traffic patterns of the first zone, and any of the second IPS and second IDS implements security protocols tailored to connectivity requirements or traffic patterns of the second zone, at least one of said security protocols implemented in the first or second zones utilizing signature-based detection, where signature-based detection utilized in the first zone, if any, comprises signatures specific to business networks and signature-based detection utilized in the second zone, if any, comprises signatures specific to control networks.
Dependent claims: 2 through 13.
14. A digital data network for use with process control systems, computer-based manufacturing/production control systems, environmental control systems, and/or industrial control systems (collectively, “control systems”), the digital data network comprising:
A. a first network zone comprising one or more digital data processors that are coupled for communications via network media and that execute applications to provide any of a monitoring and control interface to control devices of the control system,
B. a second network zone comprising one or more digital data processors that are coupled for communication via network media and that execute any of business, engineering and scientific applications and functions (collectively, “business applications”) connected with a manufacturing, environmental control, industrial or other operation in which control systems are employed,
C. a third network zone comprising one or more digital data processors that are coupled for communication via network media and that execute business applications,
D. the network media of the third network zone being coupled to a public network by a first firewall and any of a first intrusion protection system (IPS) and a first intrusion detection system (IDS),
E. the network media of the second network zone being coupled to the network media of the third network zone by a second firewall,
F. the network media of the first network zone being coupled to the network media of the second network zone by a firewall and any of a second intrusion protection system (IPS) and a second intrusion detection system (IDS),
G. wherein any of the first IPS and first IDS implements security protocols tailored to connectivity requirements or traffic patterns of the third zone, and any of the second IPS and second IDS implements security protocols tailored to connectivity requirements or traffic patterns of the first zone, at least one of said security protocols implemented in the first or third zones utilizing signature-based detection, where signature-based detection utilized in the first zone, if any, comprises signatures specific to control networks and signature-based detection utilized in the third zone, if any, comprises signatures specific to business networks.
Dependent claims: 15 through 20.
21. A method of operating a digital data network for use with process control systems, computer-based manufacturing/production control systems, environmental control systems, and/or industrial control systems (collectively, “control systems”), the method comprising:
A. executing business applications on one or more digital data processors that are interconnected in a first zone on the network,
B. controlling the control system with one or more digital data processors that are interconnected in a second zone on the network,
C. filtering with a first firewall digital data traffic between a network external to the digital data network and the first zone,
D. filtering with a second firewall digital data traffic between the first zone and the second zone, and
E. monitoring with any of a first intrusion detection system (IDS) and a first intrusion protection system (IPS) digital data traffic traveling between the first zone and the external network,
F. monitoring with any of a second intrusion detection system (IDS) and a second intrusion protection system (IPS) digital data traffic traveling between the first zone and the second zone,
G. implementing, with any of the first IPS and first IDS, security protocols tailored to connectivity requirements or traffic patterns of the first zone,
H. implementing, with any of the second IPS and second IDS, security protocols tailored to connectivity requirements or traffic patterns of the second zone,
I. wherein at least one of said security protocols implemented in the first or second zones utilizes signature-based detection, where signature-based detection utilized in the first zone, if any, comprises signatures specific to business networks and signature-based detection utilized in the second zone, if any, comprises signatures specific to control networks.
Dependent claims: 22 through 31.
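The architecture that claims 1, 14 and 21 describe (a business zone and a control zone joined by separate firewalls, each boundary watched by an IDS/IPS whose signatures are specific to the zone it protects) can be modelled in a few dozen lines to show what the layering buys. The following Python is an added example written for this page, not code from the patent or its assignee. The zone chain external/business/control, the host names (historian, eng-ws), the permitted ports, the firewall rule sets and the two signatures are constructed assumptions, and the IDS/IPS is modelled in IPS mode (a signature match drops the traffic). It generalizes claim 1's two zones to the three-zone chain so that traffic aimed at the control zone from outside must cross both guarded boundaries, which is also the shape of claim 14.

```python
"""Model of the zoned control network of claims 1, 14 and 21 (added example,
not the patent's code; zones, hosts, ports, rules and signatures are constructed)."""
import re
import struct
from dataclasses import dataclass, field

EXTERNAL, BUSINESS, CONTROL = "external", "business", "control"
# Zones form a chain: the control zone is reachable only through the business
# zone, so external->control traffic must cross both guarded boundaries.
CHAIN = [EXTERNAL, BUSINESS, CONTROL]
ENGINEERING_HOSTS = {"eng-ws"}  # constructed: the only hosts allowed to write to PLCs

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_host: str
    dst_port: int
    payload: bytes

@dataclass
class Verdict:
    allowed: bool
    alerts: list = field(default_factory=list)
    blocked_at: str = ""

def sig_sqli(pkt):
    """Business-network signature: SQL injection probe in an HTTP request."""
    if re.search(rb"(?i)('|%27)\s*or\s+1\s*=\s*1", pkt.payload):
        return "business: SQL injection probe"

def modbus_function(payload):
    """Function code of a Modbus/TCP frame (7-byte MBAP header + PDU), else None."""
    if len(payload) < 8:
        return None
    _tid, proto_id, _length, _unit, fc = struct.unpack(">HHHBB", payload[:8])
    return fc if proto_id == 0 else None

def sig_modbus_write(pkt):
    """Control-network signature: write function code from a host that should only read."""
    fc = modbus_function(pkt.payload)
    if fc in {5, 6, 15, 16} and pkt.src_host not in ENGINEERING_HOSTS:
        return f"control: Modbus write FC {fc} from {pkt.src_host}"

@dataclass
class Boundary:
    name: str
    rules: dict       # (src_zone, dst_zone) -> {dst_port: allowed src hosts, None = any}
    signatures: list  # IDS/IPS signatures tailored to the zone this boundary protects

BOUNDARIES = {
    frozenset({EXTERNAL, BUSINESS}): Boundary(
        "fw1", {(EXTERNAL, BUSINESS): {443: None, 25: None}, (BUSINESS, EXTERNAL): {443: None}},
        [sig_sqli]),
    frozenset({BUSINESS, CONTROL}): Boundary(
        "fw2", {(BUSINESS, CONTROL): {502: {"historian", "eng-ws"}}},
        [sig_modbus_write]),
}

def hops(src_zone, dst_zone):
    """Boundaries crossed, in order, by a connection from src_zone to dst_zone."""
    i, j = CHAIN.index(src_zone), CHAIN.index(dst_zone)
    step = 1 if j > i else -1
    return [(CHAIN[k], CHAIN[k + step]) for k in range(i, j, step)]

def evaluate(pkt):
    """Apply each boundary's firewall rules, then its signatures in IPS (drop) mode."""
    alerts = []
    for src, dst in hops(pkt.src_zone, pkt.dst_zone):
        b = BOUNDARIES[frozenset({src, dst})]
        hosts = b.rules.get((src, dst), {}).get(pkt.dst_port, "deny")
        if hosts == "deny" or (hosts is not None and pkt.src_host not in hosts):
            return Verdict(False, alerts, f"{b.name} firewall")
        hits = [h for h in (s(pkt) for s in b.signatures) if h]
        alerts.extend(hits)
        if hits:
            return Verdict(False, alerts, f"{b.name} IPS")
    return Verdict(True, alerts)

def modbus_tcp(fc, data=b"", unit=1):
    """Constructed Modbus/TCP frame: MBAP (tid, proto 0, length, unit) + PDU."""
    return struct.pack(">HHHBB", 1, 0, len(data) + 2, unit, fc) + data

def demo():
    """Constructed traffic samples; returns name -> Verdict."""
    write = modbus_tcp(6, b"\x00\x01\x00\xff")  # write single register
    cases = {
        "web": Packet(EXTERNAL, BUSINESS, "client", 443, b"GET /orders HTTP/1.1\r\n"),
        "sqli": Packet(EXTERNAL, BUSINESS, "client", 443, b"GET /orders?id=1' OR 1=1 HTTP/1.1\r\n"),
        "historian_read": Packet(BUSINESS, CONTROL, "historian", 502, modbus_tcp(3, b"\x00\x00\x00\x0a")),
        "historian_write": Packet(BUSINESS, CONTROL, "historian", 502, write),
        "engineer_write": Packet(BUSINESS, CONTROL, "eng-ws", 502, write),
        "external_modbus": Packet(EXTERNAL, CONTROL, "client", 502, write),
    }
    return {name: evaluate(p) for name, p in cases.items()}

if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:16} allowed={v.allowed!s:5} at={v.blocked_at or '-':13} {v.alerts}")
```

Running `demo()` shows the two effects the claims rely on. The Modbus write aimed at the control zone from outside never reaches the control boundary: the business-zone firewall drops it because TCP/502 is not in its permitted set. The same write from the historian inside the business zone passes the control-zone firewall (the historian is a permitted Modbus peer) but is dropped by the control-zone IPS, whose signature set knows that only engineering hosts write; the identical write from eng-ws is allowed. The business-zone signature never inspects control traffic and the control-zone signature never sees HTTP, which is the per-zone tailoring of elements F, G and I.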