Centrally managed proxy-based security for legacy automation systems
First Claim
Patent Images
1. A system that facilitates enhanced security with respect to an industrial automation environment, comprising:
- a central access authority embodied on a computer-readable storage medium and executed by one or more processors, the central access authority configured to provide access rules relating to a device; and
a proxy associated with the device configured to receive the access rules from the central access authority if it is determined that the device is not capable of storing the access rules internally, wherein the proxy is configured to directly receive an access request directed to the device and to determine whether the access request is permitted based at least in part upon characteristics of the access request and the access rules,wherein the proxy is further configured to issue a query to the device and to create a fingerprint of the device based on the query, the fingerprint logically linking the proxy to the device, andwherein the proxy is further configured to detect replacement of the device with a replacement device and to employ the fingerprint to confirm that the replacement device is a valid replacement.
1 Assignment
0 Petitions
Accused Products
Abstract
A system that facilitates enhanced security with respect to an industrial automation environment comprises a legacy device that is existent within an industrial automation system and a central access authority that provides access rules to a proxy. The proxy receives an access request directed to the legacy device and determines whether the access request is permitted based at least in part upon characteristics of the access request and the access rules provided by the central access authority.
46 Citations
31 Claims
-
1. A system that facilitates enhanced security with respect to an industrial automation environment, comprising:
-
a central access authority embodied on a computer-readable storage medium and executed by one or more processors, the central access authority configured to provide access rules relating to a device; and a proxy associated with the device configured to receive the access rules from the central access authority if it is determined that the device is not capable of storing the access rules internally, wherein the proxy is configured to directly receive an access request directed to the device and to determine whether the access request is permitted based at least in part upon characteristics of the access request and the access rules, wherein the proxy is further configured to issue a query to the device and to create a fingerprint of the device based on the query, the fingerprint logically linking the proxy to the device, and wherein the proxy is further configured to detect replacement of the device with a replacement device and to employ the fingerprint to confirm that the replacement device is a valid replacement. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A method for enhancing security in an industrial automation system that includes one or more devices, comprising:
employing one or more processors executing computer-executable instructions stored on a computer-readable storage medium to implement the following acts; associating a device with a proxy; creating a fingerprint of the device based on at least one query of the device by the proxy, the fingerprint logically linking the device to the proxy; providing the proxy with access rules defining access permissions for the device; receiving, at the proxy, a request from a remote terminal to access the device; determining whether access to the device is granted or denied to the remote terminal based on the access rules and the request; detecting that the device has been replaced with a replacement device; and determining if the replacement device is a valid replacement based at least on the fingerprint. - View Dependent Claims (25, 26, 27, 28, 29, 30)
-
31. An apparatus that provides enhanced security, comprising:
-
an analysis component configured to maintain one or more access rules defining whether a requesting entity is permitted to access to a first automation device associated with the apparatus, wherein the analysis component is further configured to issue a query to the first automation device and to create a fingerprint of the device that logically links the device to the proxy based on results of the query, and is further configured to employ the fingerprint to confirm validity of a second automation device upon detecting that the first automation device has been replaced by the second automation device; and an activity sensor configured to monitor activity between the requesting entity and the device if the access rules permit the requesting entity to access the device.
-
Specification