Apparatus and method supporting wireless access to multiple security layers in an industrial control and automation system or other system
First Claim
1. A method comprising:
- receiving a message from a wireless leaf node at a first wireless node, the first wireless node connected to a first wired network, the first wired network associated with a first security layer;
- using a tag to identify one or more security layers associated with the message;
- determining whether to filter the message;
- discarding the message if the message is to be filtered;
- if the message is not to be filtered:
  - transmitting the message over the first wired network when at least one destination of the message is located in the first security layer, wherein the transmitting is based on the one or more identified security layers; and
  - wirelessly transmitting the message for delivery to a second wireless node when at least one destination of the message is located in a second security layer, the second wireless node associated with a second wired network, the second wired network associated with the second security layer, wherein the wirelessly transmitting is based on the one or more identified security layers;
- receiving a second message from a mobile human-machine interface device; and
- transmitting the received second message to a Demilitarized Zone (DMZ) for secure routing between two of the security layers;
- wherein the first and second wired networks are coupled by a wired router; and
- wherein determining whether to filter the message comprises determining whether to filter the message in order to avoid creation of a network loop.
Abstract
A method includes receiving a message at a first wireless node. The first wireless node is associated with a first wired network, and the first wired network is associated with a first security layer. The method also includes transmitting the message over the first wired network when at least one destination of the message is located in the first security layer. The method further includes wirelessly transmitting the message for delivery to a second wireless node when at least one destination of the message is located in a second security layer. The second wireless node is associated with a second wired network, and the second wired network is associated with the second security layer. The first and second security layers may be associated with different security paradigms and/or different security domains. Also, the message could be associated with destinations in the first and second security layers.
Claims (23)
1. A method comprising:
- receiving a message from a wireless leaf node at a first wireless node, the first wireless node connected to a first wired network, the first wired network associated with a first security layer;
- using a tag to identify one or more security layers associated with the message;
- determining whether to filter the message;
- discarding the message if the message is to be filtered;
- if the message is not to be filtered:
  - transmitting the message over the first wired network when at least one destination of the message is located in the first security layer, wherein the transmitting is based on the one or more identified security layers; and
  - wirelessly transmitting the message for delivery to a second wireless node when at least one destination of the message is located in a second security layer, the second wireless node associated with a second wired network, the second wired network associated with the second security layer, wherein the wirelessly transmitting is based on the one or more identified security layers;
- receiving a second message from a mobile human-machine interface device; and
- transmitting the received second message to a Demilitarized Zone (DMZ) for secure routing between two of the security layers;
- wherein the first and second wired networks are coupled by a wired router; and
- wherein determining whether to filter the message comprises determining whether to filter the message in order to avoid creation of a network loop.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 19, 20, 21, 22, 23.

9. An apparatus comprising:
- a wired network interface configured to communicate over a first wired network, the first wired network associated with a first security layer;
- a wireless network interface configured to communicate over a wireless network; and
- a controller configured to:
  - receive a message from a wireless leaf node through the wireless network interface;
  - identify one or more security layers associated with the message;
  - determine whether to filter the message;
  - discard the message if the message is to be filtered;
  - if the message is not to be filtered:
    - based on the one or more identified security layers, initiate transmission of the message by the wired network interface over the first wired network when at least one destination is located in the first security layer; and
    - based on the one or more identified security layers, initiate transmission of the message by the wireless network interface over the wireless network when at least one destination of the message is located in a second security layer associated with a second wired network;
  - receive a second message from a mobile human-machine interface device; and
  - transmit the received second message to a Demilitarized Zone (DMZ) for secure routing between two of the security layers;
- wherein the controller is configured to determine whether to filter the message by determining whether to filter the message in order to avoid creation of a network loop when the first and second wired networks are coupled by a wired router.

Dependent claims: 10, 11, 12.

13. A system comprising:
- multiple security layers, the security layers associated with multiple wired networks; and
- multiple gateway nodes, each gateway node coupled to one of the wired networks and associated with one of the security layers, wherein each of the gateway nodes is configured to:
  - receive a message from a wireless leaf node;
  - use a tag to identify one or more of the security layers associated with the message;
  - determine whether to filter the message;
  - discard the message if the message is to be filtered;
  - if the message is not to be filtered:
    - based on the one or more identified security layers, transmit the message over its associated wired network when at least one destination of the message is located in its associated security layer; and
    - based on the one or more identified security layers, wirelessly transmit the message for delivery to another of the gateway nodes when at least one destination of the message is located in a different one of the security layers;
  - receive a second message from a mobile human-machine interface device; and
  - transmit the received second message to a Demilitarized Zone (DMZ) for secure routing between two of the security layers;
- wherein each gateway is configured to determine whether to filter the message by determining whether to filter the message in order to avoid creation of a network loop when at least two of the wired networks are coupled by a wired router.

Dependent claims: 14, 15, 16, 17.

18. A non-transitory computer readable medium embodying a computer program, the computer program comprising:
- computer readable program code for receiving a message from a wireless leaf node at a first wireless node, the first wireless node connected to a first wired network, the first wired network associated with a first security layer;
- computer readable program code for using a tag to identify one or more security layers associated with the message;
- computer readable program code for determining whether to filter the message;
- computer readable program code for discarding the message if the message is to be filtered;
- computer readable program code for, if the message is not to be filtered:
  - initiating, based on the one or more identified security layers, transmission of the message over the first wired network when at least one destination of the message is located in the first security layer; and
  - initiating, based on the one or more identified security layers, wireless transmission of the message for delivery to a second wireless node when at least one destination of the message is located in a second security layer, the second wireless node associated with a second wired network, the second wired network associated with the second security layer;
- computer readable program code for receiving a second message from a mobile human-machine interface device; and
- computer readable program code for transmitting the received second message to a Demilitarized Zone (DMZ) for secure routing between two of the security layers;
- wherein the computer readable program code for determining whether to filter the message comprises computer readable program code for determining whether to filter the message in order to avoid creation of a network loop when the first and second wired networks are coupled by a wired router.
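The forwarding rule that the independent claims describe (tag the message with its security layers, decide whether to filter it, deliver on the gateway's own wired network, relay wirelessly to a gateway in another layer, and divert mobile-HMI traffic to the DMZ) is easier to reason about as a small simulation. The following is an added illustration written for this page; it is not code from the patent or from any product it covers. The layer names, the message fields, and the concrete loop-avoidance rule (a per-gateway cache of already-forwarded message IDs, a wireless hop limit, and no second wireless relay of a message that already arrived by relay) are assumptions chosen to make the claimed behaviour testable; the patent itself only states that filtering is done to avoid a network loop when the wired networks are coupled by a wired router.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class Source(Enum):
    LEAF = "wireless_leaf"      # field device on the wireless network
    HMI = "mobile_hmi"          # mobile human-machine interface device
    GATEWAY = "gateway_relay"   # relayed over wireless by another gateway


@dataclass(frozen=True)
class Message:
    msg_id: str                    # unique per message; basis for loop detection (assumption)
    source: Source
    layers: FrozenSet[str]         # the tag: security layers the message belongs to
    destinations: Dict[str, str]   # destination name -> security layer it lives in
    hops: int = 0                  # number of wireless relays so far (assumption)


@dataclass
class Decision:
    action: str                    # "forward", "dmz" or "drop"
    wired: List[str] = field(default_factory=list)     # delivered on own wired network
    wireless: List[str] = field(default_factory=list)  # relayed to another gateway
    reason: str = ""


class Gateway:
    """One gateway node: one wired network (one security layer) plus a wireless interface."""

    def __init__(self, name: str, layer: str, max_hops: int = 4):
        self.name = name
        self.layer = layer
        self.max_hops = max_hops
        self.seen: Set[str] = set()   # message IDs this gateway has already forwarded

    def filter_reason(self, msg: Message) -> Optional[str]:
        """Return why the message must be discarded, or None to let it through."""
        if msg.msg_id in self.seen:
            return "duplicate message id: already forwarded, would form a loop"
        if msg.hops > self.max_hops:
            return "wireless hop limit exceeded"
        if not msg.layers:
            return "message carries no security-layer tag"
        return None

    def handle(self, msg: Message) -> Decision:
        # Mobile-HMI traffic never enters a layer directly: hand it to the DMZ.
        if msg.source == Source.HMI:
            return Decision("dmz", reason="mobile HMI traffic is routed through the DMZ")
        reason = self.filter_reason(msg)
        if reason is not None:
            return Decision("drop", reason=reason)
        self.seen.add(msg.msg_id)
        wired: List[str] = []
        wireless: List[str] = []
        for dest, layer in msg.destinations.items():
            if layer not in msg.layers:
                continue                      # destination outside the tagged layers: ignore
            if layer == self.layer:
                wired.append(dest)            # own security layer: deliver over wired network
            elif msg.source == Source.GATEWAY:
                continue                      # already relayed once; relaying again risks a loop
            else:
                wireless.append(dest)         # other layer: relay to that layer's gateway
        if not wired and not wireless:
            return Decision("drop", reason="no deliverable destination")
        return Decision("forward", wired=wired, wireless=wireless)


def run_network(gateways: Dict[str, Gateway], entry: Gateway,
                msg: Message) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Push one message through the gateways. Returns (destination -> delivering gateway,
    list of (gateway, drop reason))."""
    deliveries: Dict[str, str] = {}
    drops: List[Tuple[str, str]] = []
    queue = [(entry, msg)]
    while queue:
        gw, m = queue.pop(0)
        d = gw.handle(m)
        if d.action == "drop":
            drops.append((gw.name, d.reason))
            continue
        if d.action == "dmz":
            deliveries["DMZ"] = gw.name
            continue
        for dest in d.wired:
            deliveries[dest] = gw.name
        # one relayed copy per target layer, carrying the same id so receivers can dedupe
        for layer in sorted({m.destinations[dest] for dest in d.wireless}):
            relayed = Message(m.msg_id, Source.GATEWAY, m.layers, m.destinations, m.hops + 1)
            queue.append((gateways[layer], relayed))
    return deliveries, drops


def demo() -> Dict[str, Tuple[Dict[str, str], List[Tuple[str, str]]]]:
    """Constructed scenario: gateways A/B/C on layers L1/L2/L3, one leaf message, one HMI message."""
    gws = {"L1": Gateway("A", "L1"), "L2": Gateway("B", "L2"), "L3": Gateway("C", "L3")}
    leaf_msg = Message("m-001", Source.LEAF, frozenset({"L1", "L2"}),
                       {"ctrl-1": "L1", "hist-2": "L2", "hist-2b": "L2", "eng-3": "L3"})
    first = run_network(gws, gws["L1"], leaf_msg)     # normal delivery: L1 wired, L2 via B
    replay = run_network(gws, gws["L1"], leaf_msg)    # same id again (looped copy): dropped
    hmi_msg = Message("m-002", Source.HMI, frozenset({"L1"}), {"ctrl-1": "L1"})
    hmi = run_network(gws, gws["L1"], hmi_msg)        # HMI traffic diverted to the DMZ
    return {"first": first, "replay": replay, "hmi": hmi}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the scenario, `eng-3` is never delivered because layer `L3` is not in the message's tag, and the copy of `m-001` that gateway B receives by relay is delivered on B's wired network but not relayed back toward L1, which is where the claimed wired-router coupling would otherwise let a message circulate.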