System and methodology providing multi-tier security for network data with industrial control components

US 8,190,888 B2
Filed: 05/13/2009
Issued: 05/29/2012
Est. Priority Date: 06/04/2002
Status: Expired due to Term

First Claim

Patent Images

1. An industrial control system, comprising:

an industrial controller configured to communicate with a network based in part on at least one configured security layer; and

the at least one configured security layer mapped according to a mapping to at least one of a respective area or module associated with the industrial controller, the mapping relates the at least one configured security layer to at least one security component that facilitates variation of levels of data access to the industrial controller, and the at least one configured security layer is associated with at least one of similar security components or dissimilar security components.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a system and methodology facilitating network security and data access in an industrial control environment. An industrial control system is provided that includes an industrial controller to communicate with a network. At least one security layer can be configured in the industrial controller, wherein the security layer can be associated with one or more security components to control and/or restrict data access to the controller. An operating system manages the security layer in accordance with a processor to limit or mitigate communications from the network based upon the configured security layer or layers.

84 Citations

View as Search Results

20 Claims

1. An industrial control system, comprising:
- an industrial controller configured to communicate with a network based in part on at least one configured security layer; and
  
  the at least one configured security layer mapped according to a mapping to at least one of a respective area or module associated with the industrial controller, the mapping relates the at least one configured security layer to at least one security component that facilitates variation of levels of data access to the industrial controller, and the at least one configured security layer is associated with at least one of similar security components or dissimilar security components.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein, the at least one security component includes a trust component configured to authenticate a trust relationship associated with a remote system.
  - 3. The system of claim 1, wherein, the at least one security component includes an encryption component configured to at least one of provide data encryption, or authenticate or authorize at least one of a user or a device.
  - 4. The system of claim 3, wherein, the encryption component is configured to at least one of encapsulate or encrypt a control protocol.
  - 5. The system of claim 1, wherein, the at least one security component includes a policy component configured to comprise at least one of a security parameter, at least one rule, at least one filter, a filter list, an authentication method, a tunnel parameter, or a connection type.
  - 6. The system of claim 1, further comprising, a user policy store configured to store data, which is utilized to configure the at least one security component.
  - 7. The system of claim 6, wherein, the data includes at least one of a system-based policy or an associated rule for grant, permission or denial of access to at least one of the industrial controller or a component associated with the industrial controller.
  - 8. The system of claim 1, further comprising at least one of a security components store configured to store the at least one security component, or a security mappings store configured to relate the at least one configured security layer to at least one of an area within the industrial controller or a module associated with the industrial controller.
  - 9. The system of claim 1, wherein the at least one security component includes a locking component configured to at least one of grant or prevent access to the industrial controller.
  - 10. The system of claim 1, wherein, the at least one security component includes a Virtual Private Network (VPN) component configured to facilitate communications between the industrial controller and one or more VPN devices by establishing trust between the industrial controller and the one or more VPN devices.
  - 11. The system of claim 1, wherein, the at least one security component includes a virus detection component configured to at least one of analyze or discard potentially harmful data that is received at the industrial controller.

12. A method to facilitate secure data exchange in an industrial controller network, comprising:
- storing one or more security layers, including at least one of configurable or selectable security protocols associated with an industrial controller;
  
  mapping the one or more security layers to at least one of a respective area associated with the industrial controller or a respective module associated with the industrial controller; and
  
  establishing communications with a network device based in part on at least one of the mapping, the one or more security layers or associated one or more security components selected for the one or more security layers.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, further comprising, mapping a trust component, an encryption component and a policy component.
  - 14. The method of claim 12, further comprising, creating a private network across a public network to provide access to the industrial controller.
  - 15. The method of claim 12, further comprising, detecting a virus on the industrial controller.
  - 16. The method of claim 12, further comprising, segmenting at least one of an area or a device associated with the industrial controller, according to the mapping.
  - 17. The method of claim 12, further comprising, configuring a locking component to at least one of grant or prevent access to the industrial controller.
  - 18. The method of claim 12, further comprising, segmenting a plurality of security areas wherein respective areas are identified with an associated security layer or layers having respective security components.
  - 19. The method of claim 12, further comprising:
    - determining a mapping for communication associated with the industrial controller;
      
      determining a set of the one or more security layers associated with the mapping; and
      
      associating the set of the one or more security layers with one or more security components that are configured for a respective security layer.

20. A non transitory computer readable storage medium comprising computer-executable instructions that, in response to execution by a system, cause the system to perform operations, comprising:
- storing one or more security layers associated with an industrial controller that include at least one of a configurable or selectable security protocol;
  
  mapping one of the one or more security layers to at least one of a respective area or module associated with the industrial controller; and
  
  communicating with a network device based in part on at least one of the mapping, the one or more security layers or associated security components selected for one of the one or more security layers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Batke, Brian Alan, Baier, John Joseph, Morse, Richard Alan, Callaghan, David Michael
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US12/464,970
Publication Number

US 20090222885A1
Time in Patent Office

1,112 Days
Field of Search

None
US Class Current

713/166
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/16   Implementing security featu...

System and methodology providing multi-tier security for network data with industrial control components

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

84 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and methodology providing multi-tier security for network data with industrial control components

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links