Integrated unified threat management for a process control system

US 9,130,980 B2
Filed: 09/23/2010
Issued: 09/08/2015
Est. Priority Date: 09/24/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for securing network traffic in a process control system comprising:

providing an operator interface to display and configure various characteristics of both a network access device and a process control device, wherein the network access device facilitates data transmission over a process control system network without changing underlying data communicated over the process control system network, and the process control device changes the data communicated over the process control system network;

instantiating an object having a programmable interface to the network access device and the process control device, the object having access to a ruleset including one or more rules defining a condition to accept or deny network traffic received at the network access device, the network traffic originating externally from the process control system and attempting to communicate control information through the network access device to control the process control device;

determining which of the one or more rules of the ruleset to apply to the instantiated object;

securing the process control device by applying the one or more determined rules to the instantiated object to control the network access device to accept or deny the network traffic received at the network access device;

monitoring the network traffic received at the network access device using the instantiated object; and

in response to determining that the network traffic received at the network access device violates one or more of the rules applied to the instantiated object, denying the network traffic access to the secured process control device and displaying an alarm in the operator interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Unified Threat Management System (UTMS) for securing network traffic in a process control system may comprise network devices configured to receive network traffic related to the process control system and including a ruleset received from an external source. The ruleset may include one or more rules defining a condition to accept or deny the network traffic received at the network device. The state of the network device may be integrated into the process control system as a process control object or variable, thus allowing the state and other UTMS and component network device parameters and variables to be displayed to an operator at a workstation within a graphical process control system environment. The network devices may also communicate with a perpetual service that proactively supplies the devices with rulesets to meet the latest security threats, threat patterns, and control system vulnerabilities found or predicted to exist within the network.

Citations

59 Claims

1. A method for securing network traffic in a process control system comprising:
- providing an operator interface to display and configure various characteristics of both a network access device and a process control device, wherein the network access device facilitates data transmission over a process control system network without changing underlying data communicated over the process control system network, and the process control device changes the data communicated over the process control system network;
  
  instantiating an object having a programmable interface to the network access device and the process control device, the object having access to a ruleset including one or more rules defining a condition to accept or deny network traffic received at the network access device, the network traffic originating externally from the process control system and attempting to communicate control information through the network access device to control the process control device;
  
  determining which of the one or more rules of the ruleset to apply to the instantiated object;
  
  securing the process control device by applying the one or more determined rules to the instantiated object to control the network access device to accept or deny the network traffic received at the network access device;
  
  monitoring the network traffic received at the network access device using the instantiated object; and
  
  in response to determining that the network traffic received at the network access device violates one or more of the rules applied to the instantiated object, denying the network traffic access to the secured process control device and displaying an alarm in the operator interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein the object is integrated as a process variable in a process control environment of the process control system.
  - 3. The method of claim 1, wherein the object includes a Unified Threat Management System (UTMS) object and the network access device includes a Unified Threat Management System (UTMS) device.
  - 4. The method of claim 3, wherein the UTMS is one of a Network Intrusion Detection System (NIDS) or a Host Intrusion Detection System (HIDS).
  - 5. The method of claim 1, further comprising storing the ruleset at the network access device and storing a subset of the ruleset at another device.
  - 6. The method of claim 1, wherein the network access device includes one or more of a firewall, a network device, or a field device.
  - 7. The method of claim 1, wherein the object includes a data store for storing variable or changing data describing the network access device, the data including one or more of state data, parameter data, status data, input data, output data, ruleset data, and cost data.
  - 8. The method of claim 1, further comprising receiving the ruleset at the network access device.
  - 9. The method of claim 8, further comprising the object algorithmically determining which of the one or more rules of the ruleset apply to another device of the process control system, the other device providing access to network traffic for a sub-system of the process control system.
  - 10. The method of claim 9, further comprising receiving the algorithmically determined one or more rules at the other device to secure the sub-system of the process control system.
  - 11. The method of claim 1, wherein determining if the network traffic received at the secured process control device violates one or more of the rules applied to the secured process control device includes comparing the incoming network traffic to the determined rules of the ruleset.
  - 12. The method of claim 1, wherein securing the process control device by applying the one or more determined rules to the network access device comprises one of a user configuring the object within a graphic display of the process control system to secure the process control device and automatically configuring the object to secure the process control device.
  - 13. The method of claim 12, wherein the user authenticates an ability to configure the object if the user configures the object within a graphic display of the process control system, the user authentication including an inbuild, two-factor authentication method of the secured process control device.
  - 14. The method of claim 1, further comprising using the object to track statistics related to the network traffic received at the network access device.
  - 15. The method of claim 1, further comprising determining a status of the network access device including a number and type of internal and external data connections to the process control system.
  - 16. The method of claim 1, wherein determining which of the one or more rules of the ruleset to apply to the network access device comprises determining a security profile for the network access device, the security profile securing a subsystem of the process control system.
  - 17. The method of claim 1, further comprising detecting an update of another device within the process control system and displaying an alarm in the operator interface, the alarm indicating the update and recommending a user request an update of the ruleset.
  - 18. The method of claim 1, wherein determining if the network traffic received at the secured process control device violates one or more of the rules applied to the secured process control device includes determining a current operating state of the process control device and one or more of determining if the current operating state includes an unexpected increase in network traffic or type of network traffic at the process control device, determining if the current operating state includes a known fault-inducing attack on the process control system, and determining if the current operating state includes a software, firmware, or configuration change of another device in the process control system.
  - 19. The method of claim 1, further comprising updating the ruleset by collecting threat data from a plurality of sources, constructing the ruleset, validating the ruleset, and distributing the ruleset to the network access device.
  - 20. The method of claim 19, wherein the network access device determines which rules of the ruleset are appropriate for one or more of subsystems and other devices of the process control system and the network access device distributes the determined rules to the appropriate subsystems and other devices.
  - 21. The method of claim 1, wherein the network access device bypasses another device of the process control system that is upstream of the network access device to allow less secure data access to the network access device.
  - 22. The method of claim 21, wherein the network access device bypasses another device of the process control system for an amount or time that is set by a user or set by default.
  - 23. The method of claim 22, wherein the network access device is an I/O Device.

24. A network device for securing network traffic in a process control system comprising:
- a first network connector to communicate network traffic into and out of the network device;
  
  a second network connector to communicate network traffic to a control appliance of the process control system, wherein the control appliance controls equipment within a process plant and wherein the network traffic attempts to communicate control information through the network device to control the control appliance;
  
  a ruleset including one or more rules defining a condition to accept or deny network traffic received at the network device;
  
  a comparison routine to determine if network traffic communicated to the network device violates one or more rules of the ruleset;
  
  an operator interface routine to display and configure various characteristics of both the network device and the control appliance in an operator interface, wherein the network device facilitates data transmission over a process control system network without changing underlying data communicated over the process control system network, and the control appliance changes the data communicated over the process control system network, and wherein the operator interface routine has access to the ruleset; and
  
  a security routine to control the network device based upon a determination of the comparison routine to deny access of the network traffic to the control appliance or another device of the process control system and to cause an alarm to be displayed with an illustration of the control appliance that corresponds to the alarm in the operator interface of the process control system.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 25. The network device of claim 24, wherein the network traffic originates externally from the process control system and seeks access to the process control system.
  - 26. The network device of claim 24, further comprising a ruleset determining routine to determine which of the one or more rules of the ruleset to apply to the network device.
  - 27. The network device of claim 24, wherein the security routine further denies the network traffic access to the control appliance or another device of the process control system by initiating a bypass routine if the network traffic received at the first network connector violates one or more of the rule, the bypass routine one or more of disengaging a temporary connection to the control appliance, disengaging all connections to the control appliance, and activating an alarm.
  - 28. The network device of claim 27, wherein the bypass routine receives a heartbeat signal from the control appliance and if the bypass routine does not receive the heartbeat signal for a period of time, one or more of disengages a temporary connection, disengages all connections, and activates an alarm.
  - 29. The network device of claim 27, wherein the bypass routine bypasses another device of the process control system that is upstream of the network device to allow less secure data access to the network device.
  - 30. The network device of claim 27, wherein the bypass routine enables or disables one or more relays to disrupt either power or signal transmission to the first or second network connector.
  - 31. The network device of claim 24, wherein the control appliance is an I/O Device.
  - 32. The network device of claim 24, wherein the network device is one of a Network Intrusion Detection System (NIDS) or a Host Intrusion Detection System (HIDS).
  - 33. The network device of claim 24, wherein the ruleset is stored at the network device and a subset of the ruleset is stored at another device.
  - 34. The network device of claim 24, wherein the network device includes one or more of a firewall or a field device.
  - 35. The network device of claim 24, further comprising a data store for storing variable or changing data describing the network device, the data including one or more of state data, parameter data, status data, input data, output data, ruleset data, and cost data.
  - 36. The network device of claim 24, wherein the security routine algorithmically determines which of the one or more rules of the ruleset to apply to another network device of the process control system, the other network device providing access to network traffic for a sub-system of the process control system.
  - 37. The network device of claim 24, further comprising an inbuild, two-factor authentication routine.
  - 38. The network device of claim 24, further comprising an update detection routine to detect an update of another device within the process control system and displaying an alarm in the operator interface, the alarm indicating the update and recommending a user request an update of the ruleset.
  - 39. The network device of claim 24, wherein the security routine determines a current operating state of the network device and one or more of determine if the current operating state includes an unexpected increase in network traffic or the type of network traffic at the network device, determine if the current operating state includes a known fault-inducing attack on the process control system, and determine if the current operating state includes a software, firmware, or configuration change of another device in the process control system.
  - 40. The network device of claim 24, wherein the security routine updates the ruleset by:
    - collecting threat data from a plurality of sources, constructing the ruleset, validating the ruleset, and distributing the ruleset to the network device;
      
      determines which rules of the ruleset are appropriate for subsystems of the process control system, and distributes the determined rules to the appropriate subsystems.

41. A unified threat management system for securing network traffic in a process control system comprising:
- a plurality of network devices that receive network traffic related to the process control system, wherein at least one of the network devices receives a ruleset from a source that is external to the process control system, the ruleset including one or more rules defining a condition to accept or deny the network traffic received at least one of the plurality of network devices, wherein the network traffic attempts to communicate control information through at least one of the network devices to control at least one of a plurality of process control devices; and
  
  a graphical process control environment for graphically representing and configuring elements of the process control system including the plurality of network devices, the plurality of process control devices, and a state of a network traffic connection to each of the plurality of network devices;
  
  wherein the graphical process control environment;
  
  provides an operator interface to display and configure various characteristics of both the plurality of network devices and the plurality of process control devices, wherein the network devices facilitate data transmission over a process control system network without changing underlying data communicated over the process control system network, and the process control devices change the data communicated over the process control system network,instantiates an object for each of the plurality of network devices, each object graphically representing a different network device of the plurality of network devices and having a programmable interface to configure one or more parameters of the network device that the object represents, the parameters including one or more of the state of the network traffic connection to each of the plurality of network devices, the ruleset, and a ruleset update, andsecures at least one of the plurality of process control devices by applying at least one of the one or more rules to the instantiated object for at least one of the plurality of network devices to control the at least one of the plurality of network devices to accept or deny the network traffic received at the at least one of the plurality of network devices.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 42. The unified threat management system of claim 41, wherein the network device that receives the ruleset algorithmically derives one or more individual rulesets for other network devices, the individual rulesets each being subsets of the ruleset and configurable using the graphical process control environment.
  - 43. The unified threat management system of claim 41, wherein the condition to accept or deny the network traffic received at the network device includes whether the network traffic originates internally or externally from the process control system.
  - 44. The unified threat management system of claim 41, wherein the state of the connection to each of the plurality of network devices includes one or more of a number of connections to the network device and whether or not the connections are active or inactive and communicating or not communicating.
  - 45. The unified threat management system of claim 41, wherein the graphical process control environment is a DeltaV™
    - graphical process control environment.
  - 46. The unified threat management system of claim 41, wherein the object is integrated as a process variable in the graphical process control environment.
  - 47. The unified threat management system of claim 41, wherein the unified threat management system is one of a Network Intrusion Detection System (NIDS) or a Host Intrusion Detection System (HIDS).
  - 48. The unified threat management system of claim method of claim 41, wherein the network device includes one or more of a firewall and a field device.
  - 49. The unified threat management system of claim 41, wherein the object includes a data store for storing variable or changing data describing the network device, the data including one or more of state data, parameter data, status data, input data, output data, ruleset data, and cost data.
  - 50. The unified threat management system of claim 41, wherein the object compares network traffic to the ruleset and, if the network traffic received at the network device violates one or more of the rules, to deny the network traffic received at the network device and to cause an alarm to be displayed in an operator interface of the graphical process control environment, wherein the network traffic is received by the network device.
  - 51. The unified threat management system of claim 41, wherein the object secures the network device by one of a user configuring the object within a graphic display of the graphical process control environment and configuring the object to automatically secure the network device.
  - 52. The unified threat management system of claim 51, wherein the user configuring the object within a graphic display of the graphical process control environment requires user authentication via an inbuild, two-factor authentication method of the process control system.
  - 53. The unified threat management system of claim 41, wherein the object tracks statistics related to the network traffic received at the network device.
  - 54. The unified threat management system of claim 41, wherein the object determines a security profile for the network device, the security profile for securing a subsystem of the process control system.
  - 55. The unified threat management system of claim 41, wherein the object detects an update of another network device within the process control system and to display an alarm in a graphical display of the graphical process control environment, the alarm indicating the update and recommending a user request an update of the ruleset.
  - 56. The unified threat management system of claim 41, wherein the object determines if the network traffic received at the network device violates one or more of the rules.
  - 57. The unified threat management system of claim 41, wherein the object updates the ruleset by collecting threat data from a plurality of sources, constructing the ruleset, validating the ruleset, and distributing a subset of the ruleset to other network devices, each other network device corresponding to a subsystem of the process control system.
  - 58. The unified threat management system of claim 41, wherein the one or more parameters includes a function to bypass another network device of the process control system for a configurable amount of time.
  - 59. The unified threat management system of claim 41, wherein the network device is an I/O Device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Original Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Inventors
Law, Gary Keith, Kube, Nate, Huba, Robert Kent, Hieb, Brandon, Denison, David R., Hernandez, Cheyenne
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
DOLLY, KENDALL LYNN

Application Number

US12/889,235
Publication Number

US 20110072506A1
Time in Patent Office

1,811 Days
Field of Search

726/11, 726/3, 726/23, 709/224, 709/230, 713/171, 713/201
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Integrated unified threat management for a process control system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated unified threat management for a process control system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links