Industrial security agent platform

US 9,864,864 B2
Filed: 08/28/2015
Issued: 01/09/2018
Est. Priority Date: 09/23/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an industrial control network;

two or more controller devices, each controller device operable to control one or more operational devices connected to the industrial control network;

two or more emulators, each emulator configured to communicate with a respective controller device, and each emulator configured to reference a respective profile that includes information about security capabilities of the respective controller device; and

an encryption relay processor operable to implement each emulator and to facilitate communication to and from each emulator over the industrial control network, the encryption relay processor configured to;

(i) execute a cryptographic function for a first communication between a first emulator and a first node on the industrial control network for a first controller device that is incapable of performing the cryptographic function; and

(ii) not execute a cryptographic function for a second communication between a second emulator and a second node on the industrial control network for a second controller device that is capable of performing the cryptographic function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network. The encryption relay processor can execute a cryptographic function for a communication between the emulator and a node on the industrial control network when the respective controller device is incapable of performing the cryptographic function.

Citations

20 Claims

1. A system comprising:
- an industrial control network;
  
  two or more controller devices, each controller device operable to control one or more operational devices connected to the industrial control network;
  
  two or more emulators, each emulator configured to communicate with a respective controller device, and each emulator configured to reference a respective profile that includes information about security capabilities of the respective controller device; and
  
  an encryption relay processor operable to implement each emulator and to facilitate communication to and from each emulator over the industrial control network, the encryption relay processor configured to;
  
  (i) execute a cryptographic function for a first communication between a first emulator and a first node on the industrial control network for a first controller device that is incapable of performing the cryptographic function; and
  
  (ii) not execute a cryptographic function for a second communication between a second emulator and a second node on the industrial control network for a second controller device that is capable of performing the cryptographic function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, further comprising a security server operable to maintain the respective profile for the respective controller device and to implement, for each emulator implemented by the encryption relay processor, a corresponding instance of the emulator.
  - 3. The system of claim 2, wherein the security server is operable to reference specification information for the respective controller device and to generate the profile based on the specification information.
  - 4. The system of claim 2, wherein the security server is operable to create the emulator based on its respective profile.
  - 5. The system of claim 2, wherein the security server and the encryption relay processor are each operable to maintain a list of controller devices that are incapable of performing the cryptographic function.
  - 6. The system of claim 2, wherein the security server and the encryption relay processor are each operable to maintain a shared encryption key and to perform key negotiation protocols, and wherein the communication is encrypted or decrypted using the shared encryption key.
  - 7. The system of claim 1, further comprising a firewall between the two or more emulators and the encryption relay processor.
  - 8. The system of claim 1, wherein each emulator is a virtual security entity that is implemented by one or more software components executed by the encryption relay processor.

9. A computer-implemented method for facilitating communication in an industrial control network, the method being executed by one or more processors and comprising:
- receiving, from a site security server, an encrypted first query for a first controller device;
  
  after determining that the first controller device is incapable of performing a cryptographic operation, decrypting the first query for the first controller device and providing the decrypted first query to the first controller device;
  
  in response to receiving an unencrypted first query response from the first controller device, encrypting the first query response and providing the encrypted first query response to the site security server;
  
  receiving, from the site security server, an encrypted second query for a second controller device;
  
  after determining that the second controller device is capable of performing a cryptographic operation, providing the received encrypted second query to the second controller device; and
  
  in response to receiving an encrypted second query response from the second controller device, providing the encrypted second query response to the site security server.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer-implemented method of claim 9, further comprising referencing specification information for the first controller device and generating a profile for the first controller device that includes information about its security capabilities, based on the specification information.
  - 11. The computer-implemented method of claim 10, further comprising creating an emulator for the first controller device based on the profile for the first controller device, wherein the emulator handles cryptographic operations for its corresponding controller device.
  - 12. The computer-implemented method of claim 10, wherein determining that the first controller device is incapable of performing the cryptographic operation includes referencing the profile for the first controller device.
  - 13. The computer-implemented method of claim 9, further comprising maintaining a list of controller devices that are incapable of performing the cryptographic operation, wherein determining that the first controller device is incapable of performing the cryptographic operation and determining that the second controller device is capable of performing the cryptographic operation includes referencing the list.
  - 14. The computer-implemented method of claim 9, wherein the encrypted first query for the first controller device and the encrypted second query for the second controller device are received from the site security server through a firewall, and the encrypted first query response and the encrypted second query response are provided to the site security server through the firewall.

15. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for facilitating communication in an industrial control network, the operations comprising:
- receiving, from a site security server, an encrypted first query for a first controller device;
  
  after determining that the first controller device is incapable of performing a cryptographic operation, decrypting the first query for the first controller device and providing the decrypted first query to the first controller device;
  
  in response to receiving an unencrypted first query response from the first controller device, encrypting the first query response and providing the encrypted query response to the site security server;
  
  receiving, from the site security server, an encrypted second query for a second controller device;
  
  after determining that the second controller device is capable of performing a cryptographic operation, providing the received encrypted second query to the second controller device; and
  
  in response to receiving an encrypted second query response from the second controller device, providing the encrypted second query response to the site security server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, the operations further comprising referencing specification information for the first controller device and generating a profile for the first controller device that includes information about its security capabilities, based on the specification information.
  - 17. The non-transitory computer-readable storage medium of claim 16, the operations further comprising creating an emulator for the first controller device based on the profile for the first controller device, wherein the emulator handles cryptographic operations for its corresponding controller device.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein determining that the first controller device is incapable of performing the cryptographic operation includes referencing the profile for the first controller device.
  - 19. The non-transitory computer-readable storage medium of claim 15, the operations further comprising maintaining a list of controller devices that are incapable of performing the cryptographic operation, wherein determining that the first controller device is incapable of performing the cryptographic operation and determining that the second controller device is capable of performing the cryptographic operation includes referencing the list.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the encrypted first query for the first controller device and the encrypted second query for the second controller device are received from the site security server through a firewall, and the encrypted first query response and the encrypted second query response are provided to the site security server through the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Luo, Song, Negm, Walid, Solderitsch, James J., Mulchandani, Shaan, Hassanzadeh, Amin, Modi, Shimon
Primary Examiner(s)
Garcia Cervetti, David

Application Number

US14/839,331
Publication Number

US 20160085972A1
Time in Patent Office

865 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0209   Architectural arrangements,...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/0894   Escrow, recovery or storing...

Industrial security agent platform

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Industrial security agent platform

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links