Secure access point for scada devices
First Claim
1. Apparatus for interacting with a physical plant comprising:
- a programmable control unit for connecting to said physical plant and for performing a supervisory function for said physical plant, said programmable control unit having a public network interface for communicating with remote computer systems;
a user computer system located remotely from said programmable control unit;
a front-end security gateway located remotely from said programmable control unit, wherein said front-end security gateway communicates with said user computer system to authenticate and authorize a user for access to said programmable control unit, and wherein said front-end security gateway forwards messages between said user computer system and said programmable control unit after said user is authenticated and authorized;
a public communication network coupled between said front-end security gateway and said programmable control unit to carry said forwarded messages, wherein said public communication network comprises a public switched telephone network; and
a routing control configured to allow communication with said programmable control unit only by said front-end security gateway, wherein said routing control comprises a telephone switching system configured to provide an originating call restriction for a first telephone number at which said programmable control unit interfaces to said public switched telephone network so that telephone calls are accepted from a second telephone number corresponding to an interface of said front-end security gateway to said public switched telephone network and telephone calls from other telephone numbers are blocked.
1 Assignment
0 Petitions
Accused Products
Abstract
A programmable control unit interacts with a physical system. The physical system has a public network interface for communicating with remote computer systems. A user computer system is located remotely from the programmable control unit. A front-end security gateway is located remotely from the programmable control unit, wherein the front-end security gateway communicates with the user computer system to authenticate and authorize a user for access to the programmable control unit. The front-end security gateway forwards messages between the user computer system and the programmable control unit after the user is authenticated and authorized. A public communication network is coupled between the front-end security gateway and the programmable control unit to carry the forwarded messages. The public communication network includes a routing control configured to allow communication with the programmable control unit only by the front-end security gateway.
-
Citations
11 Claims
-
1. Apparatus for interacting with a physical plant comprising:
-
a programmable control unit for connecting to said physical plant and for performing a supervisory function for said physical plant, said programmable control unit having a public network interface for communicating with remote computer systems; a user computer system located remotely from said programmable control unit; a front-end security gateway located remotely from said programmable control unit, wherein said front-end security gateway communicates with said user computer system to authenticate and authorize a user for access to said programmable control unit, and wherein said front-end security gateway forwards messages between said user computer system and said programmable control unit after said user is authenticated and authorized; a public communication network coupled between said front-end security gateway and said programmable control unit to carry said forwarded messages, wherein said public communication network comprises a public switched telephone network; and a routing control configured to allow communication with said programmable control unit only by said front-end security gateway, wherein said routing control comprises a telephone switching system configured to provide an originating call restriction for a first telephone number at which said programmable control unit interfaces to said public switched telephone network so that telephone calls are accepted from a second telephone number corresponding to an interface of said front-end security gateway to said public switched telephone network and telephone calls from other telephone numbers are blocked. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A method for a programmable control unit that controls/monitors a physical plant to communicate over a public network with a user computer system, said method comprising the steps of:
-
establishing a dedicated communication path within said public network between said programmable control unit and a front-end security gateway using routing control for preventing devices other than said front-end security gateway from communicating with said programmable control unit, wherein said public network is comprised of a public switched telephone network; establishing a protected communication channel between said user computer system and said front-end security gateway; authenticating and authorizing a user of said user computer system for accessing said programmable control unit; and exchanging messages relating to supervisory functions of said physical plant between said user computer system and said programmable control unit through said front-end security gateway acting as a proxy; wherein said routing control is comprised of; configuring a telephone switching system to provide an originating call restriction for a first telephone number at which said programmable control unit interfaces to said public switched telephone network so that telephone calls are accepted from a second telephone number corresponding to an interface of said front-end security gateway to said public switched telephone network and telephone calls from other telephone numbers are blocked; initiating a telephone call for a dial-up connection from said front-end security gateway to said programmable control unit; said telephone switching system recognizing said second telephone number as originating said telephone call; and said telephone switching system completing said telephone call to said programmable control unit.
-
-
8. A method for providing a gateway via a public communication network between a user computer system and a remotely-located programmable control unit operating with a physical plant, said method comprising the steps of:
-
establishing a protected communication channel between said user computer system and said gateway via a public data network; authenticating and authorizing a user of said user computer system for accessing said programmable control unit; and establishing a dedicated communication path within said public network between said programmable control unit and said gateway using routing control for preventing devices other than said gateway from communicating with said programmable control unit, wherein said public communication network is comprised of a public switched telephone network; relaying messages relating to supervisory functions of said physical plant between said user computer system and said programmable control unit through said gateway acting as a proxy; wherein said routing control is comprised of; configuring a telephone switching system to provide an originating call restriction for a first telephone number at which said programmable control unit interfaces to said public switched telephone network so that telephone calls are accepted from a second telephone number corresponding to an interface of said gateway to said public switched telephone network and telephone calls from other telephone numbers are blocked; initiating a telephone call for a dial-up connection from said gateway to said programmable control unit; said telephone switching system recognizing said second telephone number as originating said telephone call; and said telephone switching system completing said telephone call to said programmable control unit. - View Dependent Claims (9, 10, 11)
-
Specification