System and method for logging security events for an industrial control system

US 9,046,886 B2
Filed: 04/30/2012
Issued: 06/02/2015
Est. Priority Date: 04/30/2012
Status: Active Grant

First Claim

Patent Images

1. An industrial control system, comprising:

a security server that is part of an industrial control network, wherein the security server comprises a memory and a processor configured to;

receive a first set of communications from a human machine interface (HMI) device via the industrial control network, wherein the first set of communications relates to HMI device security events;

receive a second set of communications from an industrial controller via the industrial control network, wherein the second set of communications relates to industrial controller security events;

establish a network connection between the security server and a managed security service provider (MSSP) that is part of an external network separate from the industrial control network;

package and send, via the network connection, the first and second sets of communications to the MSSP for analysis;

receive, via the network connection, a security alert from the MSSP describing a security concern for the industrial control system identified by the MSSP during the analysis of the first and second sets of communications; and

instruct the HMI to present the security alert to an operator.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a security server including a memory and a processor configured to receive a first set of communications from a human machine interface (HMI) device, wherein the first set of communications relates to HMI device security events. The security server is also configured to receive a second set of communications from an industrial controller, wherein the second set of communications relates to industrial controller security events. The security server is further configured to package and send the received first and second sets of communications to a remote managed security service provider (MSSP) for analysis.

83 Citations

View as Search Results

20 Claims

1. An industrial control system, comprising:
- a security server that is part of an industrial control network, wherein the security server comprises a memory and a processor configured to;
  
  receive a first set of communications from a human machine interface (HMI) device via the industrial control network, wherein the first set of communications relates to HMI device security events;
  
  receive a second set of communications from an industrial controller via the industrial control network, wherein the second set of communications relates to industrial controller security events;
  
  establish a network connection between the security server and a managed security service provider (MSSP) that is part of an external network separate from the industrial control network;
  
  package and send, via the network connection, the first and second sets of communications to the MSSP for analysis;
  
  receive, via the network connection, a security alert from the MSSP describing a security concern for the industrial control system identified by the MSSP during the analysis of the first and second sets of communications; and
  
  instruct the HMI to present the security alert to an operator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, comprising the HMI device having another memory and another processor configured to:
    - allow an authorized user to log onto the HMI device;
      
      execute a configuration tool on the HMI device; and
      
      provide the first set of communications relating to the HMI device security events to the security server.
  - 3. The system of claim 2, wherein the HMI device security events relate to an attempt to log onto the HMI device, starting the configuration tool on the HMI device, executing a set of instructions on the HMI device, attempting to set a variable of the industrial controller from the HMI device, uploading executable files to the industrial controller from the HMI device, or a combination thereof.
  - 4. The system of claim 1, comprising the industrial controller having another memory and another processor, configured to:
    - execute a plurality of executable files to control an industrial automation system;
      
      receive and execute instructions provided by a configuration tool of the HMI device; and
      
      provide the second set of communications relating to the industrial controller security events to the security server.
  - 5. The system of claim 4, wherein the industrial controller security events relate to setting a variable, downloading executable files, a reboot, a startup failure, a communication error, or a detection of an unauthorized executable file, or a combination thereof.
  - 6. The system of claim 1, comprising the MSSP having another memory and another processor configured to:
    - receive and analyze the first and second sets of communications;
      
      identify trends in the first and second sets of communications indicative of the security concern; and
      
      provide the security server with the security alert describing the security concern.
  - 7. The system of claim 1, wherein the industrial control system comprises a gasification system, a gas treatment system, a turbine system, a power generation system, a heat recovery steam generation (HRSG) system, or a combination thereof.
  - 8. The system of claim 1, wherein the security alert comprises suggested actions for the operator to take to address the security concern.

9. A method, comprising:
- aggregating security logs using a security server of an industrial control system, wherein the security logs comprise security events for a plurality of devices of the industrial control system;
  
  establishing a network connection between the security server and a managed security service provider (MSSP), wherein the MSSP is disposed on an external network separate from the industrial control system; and
  
  packaging and sending the security logs from the security server to the MSSP via the network connection; and
  
  receiving, via the network connection, a security alert from the MSSP based on one or more security concerns identified by the MSSP during analysis of the security logs; and
  
  instructing one of the plurality of devices of the industrial control system to present the security alert to an operator.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein the plurality of devices comprises an industrial controller configured to control the industrial control system and a human machine interface (HMI) device configured to set variables on the industrial controller, to upload executable code to the industrial controller, and to present the security alert to the operator.
  - 11. The method of claim 10, wherein the security events relate to setting a variable of the industrial controller, downloading executable files to the industrial controller, a reboot of the industrial controller, a startup failure of the industrial controller, a communication error of the industrial controller, or a detection of an unauthorized executable file by the industrial controller, or a combination thereof.
  - 12. The method of claim 10, wherein the security events relate to an attempt to log onto the HMI device, executing a set of instructions on the HMI device, attempting to set a variable of the industrial controller from the HMI device, or uploading executable files to the industrial controller from the HMI device, or a combination thereof.
  - 13. The method of claim 9, wherein packaging the security logs comprises packaging the security logs into an archive file, compressing the security logs, or any combination thereof.
  - 14. The method of claim 9, wherein receiving the security alert comprises receiving the security alert from the MSSP when the MSSP determines that the security logs for two of the plurality of devices are not consistent with one another.
  - 15. The method of claim 9, wherein establishing the network connection between the security server and the MSSP comprises establishing an encrypted network connection between the security server and the MSSP.
  - 16. The method of claim 9, wherein packaging the security logs comprises encrypting the security logs before sending the security logs to the MSSP via the network connection, wherein the network connection is not an encrypted network connection.
  - 17. The method of claim 9, wherein the security alert comprises suggested actions for the operator to take to address the one or more security concerns.

18. A tangible, non-transitory, computer-readable medium configured to store instructions executable by a processor of an electronic device, the instructions comprising:
- instructions for a local processor of an industrial control network to receive security notifications from a human machine interface (HMI) device and an industrial controller of the industrial control network;
  
  instructions for the local processor to establish a network connection to a remote processor of an external network that is separate from the industrial control network;
  
  instructions for the local processor to send the received security notifications to the remote processor for analysis;
  
  instructions for the local processor to receive, from the remote processor, one or more security alerts relating to security problems with the HMI device, the industrial controller, or both, based on the analysis; and
  
  instructions for the local processor to instruct the HMI to present the security alert to an operator.
- View Dependent Claims (19, 20)
- - 19. The medium of claim 18, wherein the remote processor is configured to analyze the security notifications from the HMI device and the industrial controller using at least one heuristic to determine the one or more security alerts.
  - 20. The medium of claim 18, wherein the one or more security alerts comprises suggested actions for the operator to take to address the security problems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Infrastructure Technology, LLC (General Electric Company)
Original Assignee
General Electric Company
Inventors
Chong, Justin Brandon, Socky, David Richard, Sahoo, Manas Ranjan
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US13/460,779
Publication Number

US 20130291115A1
Time in Patent Office

1,128 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G05B 19/048   Monitoring; Safety

G05B 19/4185   characterised by the networ...

G06F 21/554   involving event detection a...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/12   specially adapted for propr...

Y04S 40/18   Network protocols supportin...

Y04S 40/20   Information technology spec...

System and method for logging security events for an industrial control system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for logging security events for an industrial control system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links