Integrated unified threat management for a process control system
First Claim
1. A method for securing network traffic in a process control system comprising:
providing an operator interface to display and configure various characteristics of both a network access device and a process control device, wherein the network access device facilitates data transmission over a process control system network without changing underlying data communicated over the process control system network, and the process control device changes the data communicated over the process control system network;
instantiating an object having a programmable interface to the network access device and the process control device, the object having access to a ruleset including one or more rules defining a condition to accept or deny network traffic received at the network access device, the network traffic originating externally from the process control system and attempting to communicate control information through the network access device to control the process control device;
determining which of the one or more rules of the ruleset to apply to the instantiated object;
securing the process control device by applying the one or more determined rules to the instantiated object to control the network access device to accept or deny the network traffic received at the network access device;
monitoring the network traffic received at the network access device using the instantiated object; and
in response to determining that the network traffic received at the network access device violates one or more of the rules applied to the instantiated object, denying the network traffic access to the secured process control device and displaying an alarm in the operator interface.
Abstract
A Unified Threat Management System (UTMS) for securing network traffic in a process control system may comprise network devices configured to receive network traffic related to the process control system and including a ruleset received from an external source. The ruleset may include one or more rules defining a condition to accept or deny the network traffic received at the network device. The state of the network device may be integrated into the process control system as a process control object or variable, thus allowing the state and other UTMS and component network device parameters and variables to be displayed to an operator at a workstation within a graphical process control system environment. The network devices may also communicate with a perpetual service that proactively supplies the devices with rulesets to meet the latest security threats, threat patterns, and control system vulnerabilities found or predicted to exist within the network.
59 Claims
1. Claim 1 is set out in full above under First Claim. Dependent claims: 2 to 23.
24. A network device for securing network traffic in a process control system comprising:
a first network connector to communicate network traffic into and out of the network device;
a second network connector to communicate network traffic to a control appliance of the process control system, wherein the control appliance controls equipment within a process plant and wherein the network traffic attempts to communicate control information through the network device to control the control appliance;
a ruleset including one or more rules defining a condition to accept or deny network traffic received at the network device;
a comparison routine to determine if network traffic communicated to the network device violates one or more rules of the ruleset;
an operator interface routine to display and configure various characteristics of both the network device and the control appliance in an operator interface, wherein the network device facilitates data transmission over a process control system network without changing underlying data communicated over the process control system network, and the control appliance changes the data communicated over the process control system network, and wherein the operator interface routine has access to the ruleset; and
a security routine to control the network device based upon a determination of the comparison routine to deny access of the network traffic to the control appliance or another device of the process control system and to cause an alarm to be displayed with an illustration of the control appliance that corresponds to the alarm in the operator interface of the process control system.
Dependent claims: 25 to 40.
41. A unified threat management system for securing network traffic in a process control system comprising:
a plurality of network devices that receive network traffic related to the process control system, wherein at least one of the network devices receives a ruleset from a source that is external to the process control system, the ruleset including one or more rules defining a condition to accept or deny the network traffic received at least one of the plurality of network devices, wherein the network traffic attempts to communicate control information through at least one of the network devices to control at least one of a plurality of process control devices; and
a graphical process control environment for graphically representing and configuring elements of the process control system including the plurality of network devices, the plurality of process control devices, and a state of a network traffic connection to each of the plurality of network devices;
wherein the graphical process control environment:
provides an operator interface to display and configure various characteristics of both the plurality of network devices and the plurality of process control devices, wherein the network devices facilitate data transmission over a process control system network without changing underlying data communicated over the process control system network, and the process control devices change the data communicated over the process control system network,
instantiates an object for each of the plurality of network devices, each object graphically representing a different network device of the plurality of network devices and having a programmable interface to configure one or more parameters of the network device that the object represents, the parameters including one or more of the state of the network traffic connection to each of the plurality of network devices, the ruleset, and a ruleset update, and
secures at least one of the plurality of process control devices by applying at least one of the one or more rules to the instantiated object for at least one of the plurality of network devices to control the at least one of the plurality of network devices to accept or deny the network traffic received at the at least one of the plurality of network devices.
Dependent claims: 42 to 59.
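A compact model of the method in claim 1 and the per-device objects of claim 41, added here as an illustration and not taken from the patent: a `NetworkDeviceObject` (hypothetical name) wraps one network access device, receives a ruleset (and later a ruleset update from the external service), determines which rules apply to it, filters control traffic aimed at the appliance it secures, and records an alarm for the operator interface on every deny. The default of denying unmatched external traffic, the first-match rule order, and all names and sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Traffic:
    src: str        # source address
    dst: str        # destination control appliance tag
    op: str         # "read" or "write" of a control parameter
    external: bool  # originated outside the process control system

@dataclass
class Rule:
    name: str
    device_tag: str                       # network device the rule targets, "*" = any
    condition: Callable[[Traffic], bool]  # condition under which the rule fires
    action: str                           # "accept" or "deny"

class NetworkDeviceObject:
    """Control-system object with a programmable interface to one network access device (hypothetical)."""
    def __init__(self, tag: str, appliance: str, ruleset: List[Rule]):
        self.tag, self.appliance = tag, appliance
        self.params = {"connection_state": "up"}   # displayed and configured by the operator
        self.alarms: List[str] = []                # surfaced in the operator interface
        self.update_ruleset(ruleset, version=1)

    def update_ruleset(self, ruleset: List[Rule], version: int) -> None:
        # Determine which rules apply to this object: those addressed to it or to any device.
        self.rules = [r for r in ruleset if r.device_tag in ("*", self.tag)]
        self.params["ruleset_version"] = version

    def filter(self, t: Traffic) -> str:
        """Accept or deny one unit of traffic; a deny raises an alarm for the secured appliance."""
        verdict = "deny" if t.external else "accept"   # assumed default: deny unmatched external traffic
        for rule in self.rules:                        # first matching rule decides
            if rule.condition(t):
                verdict = rule.action
                break
        if verdict == "deny":
            self.alarms.append(f"{t.dst}: {t.op} from {t.src} denied at {self.tag}")
        return verdict

def demo():
    # Constructed sample ruleset: the vendor may read, nobody outside the plant may write.
    rules = [Rule("vendor-read", "FW-1", lambda t: t.src == "vendor.example" and t.op == "read", "accept"),
             Rule("no-external-write", "*", lambda t: t.external and t.op == "write", "deny")]
    fw = NetworkDeviceObject("FW-1", "PLC-7", rules)
    verdicts = [fw.filter(Traffic(*a)) for a in [("hmi-1", "PLC-7", "write", False),
                ("vendor.example", "PLC-7", "read", True), ("203.0.113.9", "PLC-7", "write", True)]]
    # A ruleset update pushed from the external service revokes the vendor's read access.
    fw.update_ruleset([Rule("deny-all-external", "*", lambda t: t.external, "deny")], version=2)
    verdicts.append(fw.filter(Traffic("vendor.example", "PLC-7", "read", True)))
    return verdicts, fw.alarms, fw.params["ruleset_version"]
```

`demo()` returns the four verdicts, the two alarms raised, and the ruleset version after the update, which is what the operator interface would show for the object.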
Specification