Removable security modules and related methods

US 8,977,851 B2
Filed: 01/21/2009
Issued: 03/10/2015
Est. Priority Date: 01/21/2009
Status: Active Grant

First Claim

Patent Images

1. A removable security module for use with a first process control device and a second process control device, comprising:

a body to be removably coupled to the first process control device or the second process control device;

a memory disposed in the body, the memory to store a first secret; and

a processing unit disposed in the body and coupled to the memory, the processing unit to;

read authentication information from the first process control device;

perform a comparison to compare the authentication information to the first secret;

authenticate the first process control device based on the comparison;

determine whether a request or command associated with a first operator has been received;

generate and provide a second secret to a second operator;

receive an action from the second operator to return the second secret to the first operator or to the security module;

authorize the first control device to process the request or command when the second secret is returned; and

enable the second process control device to operate after being coupled to the module after the module is removed from the first process control device without authenticating the second process control device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example removable security modules for use with process control devices and related methods are disclosed. An example removable security module includes a body configured to be removably coupled to the process control device and a memory disposed in the body with a shared secret stored in the memory. The example removable security module also includes a processing unit disposed in the body, coupled to the memory and configured to read information from the process control device, compare the information to the shared secret and authenticate the process control device based on the comparison.

Citations

30 Claims

1. A removable security module for use with a first process control device and a second process control device, comprising:
- a body to be removably coupled to the first process control device or the second process control device;
  
  a memory disposed in the body, the memory to store a first secret; and
  
  a processing unit disposed in the body and coupled to the memory, the processing unit to;
  
  read authentication information from the first process control device;
  
  perform a comparison to compare the authentication information to the first secret;
  
  authenticate the first process control device based on the comparison;
  
  determine whether a request or command associated with a first operator has been received;
  
  generate and provide a second secret to a second operator;
  
  receive an action from the second operator to return the second secret to the first operator or to the security module;
  
  authorize the first control device to process the request or command when the second secret is returned; and
  
  enable the second process control device to operate after being coupled to the module after the module is removed from the first process control device without authenticating the second process control device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The removable security module of claim 1, wherein the processing unit is to prevent commissioning of the first process control device if the first process control device is not authenticated based on the comparison.
  - 3. The removable security module of claim 1, wherein the comparison is a first comparison and the memory includes encryption information stored thereon, and wherein the processing unit is to:
    - extract communication information from a communication;
      
      perform a second comparison to compare the communication information to the encryption information; and
      
      enable the first process control device to process the communication based on the second comparison.
  - 4. The removable security module of claim 3, wherein the encryption information comprises an encryption key.
  - 5. The removable security module of claim 1, wherein the memory is to store commissioning information associated with the first process control device.
  - 6. The removable security module of claim 5, wherein the commissioning information comprises configuration information.
  - 7. The removable security module of claim 6, wherein the configuration information comprises at least one of a process control device identifier or a control parameter.
  - 8. The removable security module of claim 1, further comprising a display to present authorization information received from the first process control device.
  - 9. The removable security device of claim 8, further comprising an input device to receive a user input in response to the presentation of at least some of the authorization information via the display.
  - 10. The removable security device of claim 8, wherein the authorization information is a secret stored in the first process control device.
  - 11. The removable security module of claim 1, further comprising a communications unit to packetize information for transmission to a third process control device.
  - 12. The removable security module of claim 1, wherein, the comparison is a first comparison, the memory includes a list of approved process control devices, the list of approved process control devices generated prior to removably coupling the body to the first process control device, andthe processing unit to:
    - identify a communication to the authenticated first process control device from a third process control device having an identifier;
      
      perform a second comparison to compare the identifier to the list of approved process control devices; and
      
      authorize the first process control device to process the communication from the third process control device based on the second comparison.

13. A plurality of removable security modules for use with a process control device in a process system, wherein each of the modules comprises:
- a body to be removably coupled to the process control device;
  
  a memory disposed in the body, the memory to store a first secret; and
  
  a processing unit disposed in the body and coupled to the memory, the processing unit to;
  
  read authentication information from the process control device;
  
  perform a comparison to compare the authentication information to the first secret;
  
  authenticate the process control device based on the comparison;
  
  determine whether a communication associated with a first operator has been received;
  
  generate and provide a second secret to a second operator;
  
  receive an action from the second operator to return the second secret to the first operator or to the security module;
  
  authorize the process control device to process the communication when the second secret is returned; and
  
  change an authorization setting for other devices to communicate with the process control device without modifying the software of the process control device, wherein the authorization setting is to prevent the process control device from processing an unauthorized communication.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 26)
- - 14. The plurality of removable security modules of claim 13, wherein a first module is to assign the process control device a first role in the process system and a second module is to assign the process control device a second role in the process system, wherein the first role and the second role in the process system enable a different type of function or level of functionality to be provided by the process control device.
  - 15. The plurality of removable security modules of claim 13, wherein at least one of the modules is to provide upgraded functionality relative to another one of the modules.
  - 16. The plurality of removable security modules of claim 13, wherein a first module of the plurality of modules is effective as a replacement of a second module of the plurality of modules.
  - 17. The plurality of removable security modules of claim 16, wherein the process control device remains in service when the first module replaces the second module.
  - 18. The plurality of removable security modules of claim 13, wherein a module of the plurality of modules is couplable to a second process control device.
  - 19. The plurality of removable security modules of claim 18, wherein the second process control device is to operate after being coupled to the module without commissioning the second process control device to operate.
  - 26. The plurality of removable security modules of claim 13, wherein the comparison is a first comparison, the memory includes an encryption key, and the processing unit is to:
    - monitor communications to the authenticated process control device for a request with a key;
      
      perform a second comparison to compare the key to the encryption key; and
      
      authorize the authenticated process control device to process the request based on the first comparison and the second comparison.

20. A method of securing a process control device with a removable security module, the method comprising:
- reading authentication information in the process control device via a first security module;
  
  performing a comparison to compare the authentication information to a first secret stored in a memory of the first security module;
  
  authenticating the process control device and providing a first security measure to the process control device based on the comparison via the first security module;
  
  determining whether a communication associated with a first operator has been received;
  
  generating and providing a second secret to a second operator;
  
  receiving an action from the second operator to return the second secret to the first operator or to the first security module;
  
  authorizing the process control device to process the communication when the second secret is returned;
  
  removing the first security module; and
  
  providing a second security measure to the process control device via a second security module coupled to the process control device without re-authenticating the process control device.
- View Dependent Claims (21, 22, 23, 24, 25, 30)
- - 21. The method of claim 20, further comprising preventing commissioning of the process control device if the process control device is not authenticated based on the comparison.
  - 22. The method of claim 20, further comprising using encryption information stored in the memory to secure communications associated with the process control device.
  - 23. The method of claim 22, wherein the encryption information comprises an encryption key.
  - 24. The method of claim 20, further comprising storing commissioning information in the memory in response to the process control device being authenticated.
  - 25. The method of claim 24, wherein the commissioning information comprises at least one of a device identifier or a control parameter.
  - 30. The method as described in claim 20, wherein the comparison is a first comparison, the method further comprising:
    - monitoring communications to the authenticated process control device for a request;
      
      performing a second comparison to compare request information included in the request to encryption information stored in the memory of the first security module; and
      
      authorizing the process control device to process the request based on the second comparison.

27. A distributed process control system comprising:
- a plurality of process control devices, wherein each of the process control devices includes software;
  
  a first removable security module having a first processor to;
  
  read authentication information from at least one of the process control devices;
  
  perform a comparison to compare the authentication information to a first secret;
  
  authenticate the at least one of the process control devices based on the comparison;
  
  authorize one or more applications for use with the at least one of the process control devices; and
  
  prevent first unauthorized communications to the at least one of the process control devices with a first security measure; and
  
  a second removable security module having a second processor to prevent second unauthorized communications to the at least one of the process control devices with a second security measure without the second processor reconfiguring the software of the at least one of the process control devices, wherein the first processor or the second processor is to determine whether a two-person authorization of one or more applications is needed, wherein at least one of the first processor or the second processor performs the two-person authorization by;
  
  determining whether a communication associated with a first person has been received;
  
  generating and providing a second secret to a second person;
  
  receiving an action from the second person to return the second secret to the first person or to the corresponding removable security module; and
  
  authorizing the at least one of the process control devices to process the communication when the second secret is returned.
- View Dependent Claims (28, 29)
- - 28. A distributed process control system as defined in claim 27, wherein in response to completing a predetermined interval, the first processor or the second processor is to timeout.
  - 29. A distributed process control system as defined in claim 27, wherein the first processor or the second processor is to execute the one or more applications when the second secret is returned to the first processor or the second processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Original Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Inventors
Neitzel, Lee Allen, Law, Gary Keith, Sherriff, Godfrey R.
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
BECHTEL, KEVIN M

Application Number

US12/356,863
Publication Number

US 20100185857A1
Time in Patent Office

2,239 Days
Field of Search

713/150, 713168-181, 713189-194, 726/2, 700/83, 709204-207
US Class Current

713/168
CPC Class Codes

G05B 19/0428   Safety, monitoring G05B19/0...

G05B 2219/25107   Pluggable card, magnetic or...

G05B 2219/25326   Module with low maintenance...

G06F 12/1408   by using cryptography for d...

H04L 63/0853   using an additional device,...

Removable security modules and related methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Removable security modules and related methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links