Enhancing security in a wireless network

US 8,670,746 B2
Filed: 04/10/2008
Issued: 03/11/2014
Est. Priority Date: 04/13/2007
Status: Active Grant

First Claim

Patent Images

1. A method of enhancing security in a wireless mesh communication network operating in a process control environment and including a plurality of wireless network devices, comprising:

processing a join request from a wireless device wishing to join the wireless mesh communication network, the wireless device configured to perform a physical control function within a process being controlled in the process control environment, and configured to communicate in the wireless mesh communication network using a wireless protocol that includes commands for transfer of data corresponding to the process, the processing the join request from the wireless device including;

establishing a direct wireless connection between the wireless device and at least one of the plurality of wireless network devices; and

propagating a join request from the wireless device via the at least one of the plurality of wireless network devices to a network manager responsible for managing the wireless communication network;

maintaining an absolute slot number at the network manager, the absolute slot number indicative of a number of communication timeslots scheduled since a start time of the wireless network, wherein each of the plurality of wireless network devices communicates with at least one other of the plurality of wireless network devices within a communication timeslot associated with a respective superframe having a repeating sequence of communication timeslots;

causing the wireless device to enter a quarantined state including providing a limited network functionality to the wireless device if the join request is granted, the providing the limited network functionality to the wireless device including;

providing the absolute slot number to the wireless device; and

exchanging a plurality of messages between the wireless device and the at least one of the plurality of wireless network devices, including a generating a message integrity code for at least one of the plurality of messages by including the absolute slot number in a nonce value used to generate the message integrity code;

while the wireless device is in the quarantined state, requesting a complete approval of the wireless device; and

causing the wireless device to exit the quarantined state and to enter an operational state including granting a full network functionality to the wireless device if the complete approval of the wireless device is received.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of enhancing security in a wireless mesh communication network operating in a process control environment and including a plurality of wireless network devices includes processing a join request from a wireless device wishing to join the wireless mesh communication network, providing a limited network functionality to the wireless device if the join request is granted, requesting a complete approval of the wireless device; and granting a full network functionality to the wireless device if the complete approval of the wireless device is received.

Citations

10 Claims

1. A method of enhancing security in a wireless mesh communication network operating in a process control environment and including a plurality of wireless network devices, comprising:
- processing a join request from a wireless device wishing to join the wireless mesh communication network, the wireless device configured to perform a physical control function within a process being controlled in the process control environment, and configured to communicate in the wireless mesh communication network using a wireless protocol that includes commands for transfer of data corresponding to the process, the processing the join request from the wireless device including;
  
  establishing a direct wireless connection between the wireless device and at least one of the plurality of wireless network devices; and
  
  propagating a join request from the wireless device via the at least one of the plurality of wireless network devices to a network manager responsible for managing the wireless communication network;
  
  maintaining an absolute slot number at the network manager, the absolute slot number indicative of a number of communication timeslots scheduled since a start time of the wireless network, wherein each of the plurality of wireless network devices communicates with at least one other of the plurality of wireless network devices within a communication timeslot associated with a respective superframe having a repeating sequence of communication timeslots;
  
  causing the wireless device to enter a quarantined state including providing a limited network functionality to the wireless device if the join request is granted, the providing the limited network functionality to the wireless device including;
  
  providing the absolute slot number to the wireless device; and
  
  exchanging a plurality of messages between the wireless device and the at least one of the plurality of wireless network devices, including a generating a message integrity code for at least one of the plurality of messages by including the absolute slot number in a nonce value used to generate the message integrity code;
  
  while the wireless device is in the quarantined state, requesting a complete approval of the wireless device; and
  
  causing the wireless device to exit the quarantined state and to enter an operational state including granting a full network functionality to the wireless device if the complete approval of the wireless device is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 9, 10)
- - 2. The method of claim 1, wherein processing a join request from a wireless device includes receiving identity information associated with the wireless device;
    - and wherein requesting a complete approval of the wireless device includes supplying the identity information to a human operator.
  - 3. The method of claim 1, wherein providing the limited network functionality to the wireless device includes:
    - allowing the wireless device to source data;
      
      allowing the wireless device to receive data; and
      
      preventing the wireless device from routing data sent from one of the plurality of wireless network devices to another one of the plurality of wireless network devices;
      
      whereingranting the full network functionality to the wireless device includes allowing the wireless device to route data sent from the one of the plurality of wireless network devices to the other one of the plurality of wireless network devices.
  - 4. The method of claim 3, wherein providing the limited network functionality to the wireless device further includes:
    - preventing the wireless device from establishing a communication session with a gateway device connecting the wireless communication network to a plant automation network.
  - 5. The method of claim 1, wherein providing a limited network functionality to the wireless device includes providing the wireless device with a subset of a key set associated with the full network functionality;
    - wherein at least one of the keys in the key set but not in the subset is an encryption key for establishing secure communications with one of the plurality of wireless network devices.
  - 6. The method of claim 1, further comprising:
    - provisioning the wireless device with a join key prior to generating the join request; and
      
      provisioning a network manager with the join key, wherein the network manager is responsible for managing the wireless mesh communication network.
  - 7. The method of claim 6, wherein provisioning the wireless device with the join key includes coupling a provisioning tool to the wireless device via a maintenance port, wherein the maintenance port restricts access to the wireless device only.
  - 9. The method of claim 1, further comprising:
    - verifying data packets of at least one type sent from each of the plurality of wireless network devices, including applying a network key to the data packets;
      
      updating the network key in response to detecting a first condition; and
      
      propagating the updated network key to each of the plurality of wireless network devices.
  - 10. The method of claim 9, wherein propagating the updated network key to each of the plurality of wireless network devices includes specifying a time when the updated network key replaces an old value of the network key.

8. A method of enhancing security in a wireless mesh communication network operating in a process control environment and including a plurality of wireless network devices, comprising:
- processing a join request from a wireless device wishing to join the wireless mesh communication network, including;
  
  establishing a direct wireless connection between the wireless device and at least one of the plurality of wireless network devices; and
  
  propagating a join request from the wireless device via the at least one of the plurality of wireless network devices to a network manager responsible for managing the wireless communication network;
  
  providing a limited network functionality to the wireless device if the join request is granted;
  
  requesting a complete approval of the wireless device;
  
  granting a full network functionality to the wireless if the complete approval of the wireless device is received; and
  
  maintaining an absolute slot number at the network manager, the absolute slot number indicative of a number of communication timeslots scheduled since a start time of the wireless network, wherein each of the plurality of wireless network devices communicates with at least one other of the plurality of wireless network devices within a communication timeslot associated with a respective superframe having a repeating sequence of communication timeslots,wherein providing a limited network functionality to the wireless device includes;
  
  providing the absolute slot number to the wireless device; and
  
  exchanging a plurality of messages between the wireless device and the at least one of the plurality of wireless network devices, including a generating a message integrity code for at least one of the plurality of messages by including the absolute slot number in a nonce value used to generate the message integrity code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FieldComm Group, Inc.
Original Assignee
Hart Communication Foundation (FieldComm Group, Inc.)
Inventors
Pratt, Wallace A. Jr., Nixon, Mark J., Rotvold, Eric D., Pramanik, Robin S., Phinney, Thomas L., Lennvall, Tomas P., Zats, Yuri, Enns, Frederick
Primary Examiner(s)
Eisner, Ronald

Application Number

US12/101,021
Publication Number

US 20090054033A1
Time in Patent Office

2,161 Days
Field of Search

455/410, 455/445, 455/550.1, 455/411, 455/26.1, 370/406, 370/328, 370/338, 370/390, 370/400, 370/431, 370/447, 370/461, 370/462, 709/203, 709/230, 709/231, 709/232, 709/249, 726 1- 7, 726/14, 726 17- 21, 726 26- 29
US Class Current

455/410
CPC Class Codes

G01D 21/00   Measuring or testing not ot...

H04W 24/00   Supervisory, monitoring or ...

H04W 56/0015   one node acting as a refere...

H04W 56/002   Mutual synchronization

H04W 80/00   Wireless network protocols ...

Enhancing security in a wireless network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Enhancing security in a wireless network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links