Remote control of secure installations
First Claim
1. Communication apparatus, comprising:
a transmission station, which comprises:
a processor running software which generates commands in a predetermined command format, responsive to input from a user;
hardware encoding logic configured to receive commands in the predetermined command format from the software running on the processor, to convert the received commands into a predefined converted data format of permitted commands including only a limited subset of the commands in the predetermined command format, and to cryptographically sign the converted commands in the predefined converted data format; and
a communications processor configured to transmit the cryptographically signed converted commands over a communications network; and
an uplink controller, comprising:
a first hardware interface configured to receive commands from the transmission station over the communications network;
a second hardware interface configured to convey the received commands to a protected destination;
hardware logic, which is coupled between the first and second interfaces so as to receive commands from the first interface, to authenticate that the received commands were cryptographically signed by the transmission station, to compare the received commands to a set of hardware masks corresponding to the permitted commands to check that the commands are in the predefined converted data format, and to pass to the second interface only received commands that were authenticated as received from the transmission station and match one of the masks, while rejecting commands in the predetermined command format;
a first one-way link connecting the first hardware interface to the hardware logic, allowing data to flow from the first hardware interface to the hardware logic, but incapable of carrying data from the hardware logic to the first hardware interface; and
a second one-way link, separate from and independent of the hardware logic, connecting the protected destination to the communications network in a manner allowing information to flow freely out of the protected destination to the communications network without passing through the hardware logic, wherein the one-way link is incapable of carrying data from the communications network to the protected destination;
wherein the hardware encoding logic comprises dedicated hardware logic not containing a CPU and is designed to perform a task which cannot be changed remotely;
wherein the hardware logic of the uplink controller comprises dedicated hardware logic not containing a CPU and is designed to perform a task which cannot be changed remotely;
wherein the protected destination is an industrial control system, and wherein the permitted commands are configured to control an operating configuration of the industrial control system; and
wherein the hardware encoding logic of the transmission station is configured to encrypt the commands it receives and the hardware logic of the uplink controller is configured to decrypt the received commands.
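The security argument of the claim is that two independent gates sit in front of the industrial control system: the command must carry a valid signature from the transmission station, and it must match one of a fixed set of hardware masks, so that even a correctly signed frame is dropped if it is not one of the permitted commands, and anything still in the software's predetermined command format never matches. The following is an added software model of that logic, written for this page; it is not code from the patent or its assignee. It assumes an 8-byte converted frame layout (opcode, channel, 16-bit value, four zero bytes), uses HMAC-SHA256 with a shared key as a stand-in for the claimed signature, uses three constructed masks, and omits the encrypt/decrypt step so that it runs on the standard library alone.

```python
"""Model of the claim-1 architecture: a CPU-less encoder on the transmission
station and an uplink controller that applies a signature check and a
hardware-mask allow-list before a command reaches the protected destination.
Added example, not the patent's code. Assumed (not in the claims): the frame
layout, HMAC-SHA256 as the "signature", the masks, and no encryption step."""
import hashlib
import hmac
import struct

# Constructed shared key; in the claimed design it would be fixed in hardware
# on both sides rather than held by the software running on the CPU.
KEY = bytes.fromhex("4f8b1c2e" * 8)

# Assumed converted data format: opcode(1) | channel(1) | value(2, big-endian) | 4 zero bytes
FRAME_LEN = 8
TAG_LEN = 32
OP_SET_SETPOINT = 0x01
OP_OPEN_VALVE = 0x02
OP_CLOSE_VALVE = 0x03

# Hardware masks as (pattern, care) byte pairs: a frame matches when
# (frame & care) == pattern, a ternary match that needs no CPU to evaluate.
MASKS = [
    # SET_SETPOINT on channels 0..3 (channel byte & 0xFC == 0), any 16-bit value
    (bytes([OP_SET_SETPOINT, 0x00, 0x00, 0x00, 0, 0, 0, 0]),
     bytes([0xFF, 0xFC, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF])),
    # OPEN_VALVE on any channel, value field must be zero
    (bytes([OP_OPEN_VALVE, 0x00, 0x00, 0x00, 0, 0, 0, 0]),
     bytes([0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF])),
    # CLOSE_VALVE on any channel, value field must be zero
    (bytes([OP_CLOSE_VALVE, 0x00, 0x00, 0x00, 0, 0, 0, 0]),
     bytes([0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF])),
]


def build_frame(opcode: int, channel: int, value: int) -> bytes:
    return struct.pack(">BBH4x", opcode, channel, value)


def sign(frame: bytes) -> bytes:
    return hmac.new(KEY, frame, hashlib.sha256).digest()


def matches_any_mask(frame: bytes) -> bool:
    if len(frame) != FRAME_LEN:
        return False
    return any(
        all((f & c) == p for f, c, p in zip(frame, care, pattern))
        for pattern, care in MASKS
    )


# --- transmission station -------------------------------------------------
def hardware_encode(command: str):
    """Model of the encoding logic. The software on the CPU may emit any text
    in the predetermined format; only this fixed vocabulary has an encoding,
    so a compromised CPU cannot make the encoder emit anything else."""
    parts = command.split()
    try:
        if len(parts) == 3 and parts[0] == "SET":
            channel, value = int(parts[1]), int(parts[2])
            if 0 <= channel <= 3 and 0 <= value <= 0xFFFF:
                return build_frame(OP_SET_SETPOINT, channel, value)
        elif len(parts) == 2 and parts[0] in ("OPEN", "CLOSE"):
            channel = int(parts[1])
            if 0 <= channel <= 0xFF:
                opcode = OP_OPEN_VALVE if parts[0] == "OPEN" else OP_CLOSE_VALVE
                return build_frame(opcode, channel, 0)
    except ValueError:
        pass
    return None  # no encoding exists: the command is outside the permitted subset


def transmit(command: str):
    """What the communications processor puts on the network: frame || tag."""
    frame = hardware_encode(command)
    return None if frame is None else frame + sign(frame)


# --- uplink controller ----------------------------------------------------
def uplink_controller_filter(wire: bytes):
    """Returns the frame passed to the second interface, or None if rejected.
    Authentication runs first; the mask check is an independent gate, so a
    validly tagged frame that is not a permitted command is still dropped."""
    if len(wire) != FRAME_LEN + TAG_LEN:
        return None
    frame, tag = wire[:FRAME_LEN], wire[FRAME_LEN:]
    if not hmac.compare_digest(sign(frame), tag):
        return None
    if not matches_any_mask(frame):
        return None
    return frame


if __name__ == "__main__":
    raw = b"SET 2 1500"                            # predetermined format, never converted
    forged = build_frame(OP_OPEN_VALVE, 5, 7)      # permitted opcode, non-permitted value
    for label, wire in [
        ("legitimate setpoint", transmit("SET 2 1500")),
        ("raw text in predetermined format", raw + sign(raw)),
        ("valid tag, non-permitted frame", forged + sign(forged)),
    ]:
        print(f"{label}: {uplink_controller_filter(wire)!r}")
```

The point the model makes explicit is the division of trust: the key holder (the encoder) can only produce frames in the permitted subset, and the uplink controller's masks reject a frame that somehow carries a valid tag but falls outside that subset, so neither the software on the transmission-station CPU nor a party that learns the key can push an arbitrary command through. A real implementation would use an asymmetric signature so the uplink controller holds no signing capability at all.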
Abstract
Communication apparatus includes a one-way, hardware-actuated data relay, which includes a first hardware interface configured to receive a command from a communications network and a second hardware interface configured to convey the received command to a protected destination when the relay is actuated. A decoder includes a third hardware interface configured to receive a digital signature for the command from the communications network and hardware decoding logic coupled to verify the digital signature and to actuate the relay upon verifying the digital signature, whereby the command is conveyed via the second hardware interface to the protected destination.
10 Claims
1. Independent claim, reproduced in full under First Claim above. Dependent claims 2, 3, 4, 5 and 6 are not reproduced on this page.
7. A method for communication, comprising:
receiving an instruction to generate a command directed to a protected destination, from a user, by a transmission station;
generating a command in a predetermined command format, responsive to the instruction from the user, by software running on a processor;
converting the generated command into a predefined converted data format of permitted commands including only a limited subset of the commands in the predetermined command format, by hardware encoding logic containing no CPU, designed in dedicated hardware logic to perform a task which cannot be changed remotely, wherein converting the generated command into the predefined converted data format comprises encrypting the command;
cryptographically signing the converted command in the predefined converted data format;
transmitting the cryptographically signed converted command over a communications network to an uplink controller;
receiving the converted command by the uplink controller;
transferring the received converted command to hardware logic of the uplink controller through a first one-way link incapable of carrying data back from the hardware logic;
decrypting the received converted command by the hardware logic of the uplink controller, wherein the hardware logic of the uplink controller comprises dedicated hardware logic not containing a CPU and is designed to perform a task which cannot be changed remotely;
authenticating that the received command was cryptographically signed by the transmission station;
comparing the received command to a set of hardware masks corresponding to the permitted commands, by the hardware logic of the uplink controller;
passing the received command to the protected destination only when the received command matches one of the hardware masks and was authenticated as received from the transmission station, while rejecting commands in the predetermined command format; and
conveying output data from the protected destination to the communications network over a second one-way link, which is separate from and independent of the hardware logic and is physically incapable of conveying input data from the communications network to the protected destination;
wherein the protected destination is an industrial control system, and wherein the permitted commands are configured to control an operating configuration of the industrial control system.
Dependent claims 8, 9 and 10 are not reproduced on this page.
Specification