Bi-directional data security for control systems
First Claim
1. A cyber-security device for providing secure communication of data in a system including a control device, wherein the system is operable in one or more system states, the cyber-security device comprising:
a first communication interface configured for accepting incoming messages destined for the control device;
a second communication interface configured for accepting outgoing messages from the control device;
a memory configured to store current system state information and a rule-set comprising rules for qualifying and validating the incoming and the outgoing messages, wherein the rule-set includes a system state-dependent rule;
a processor operatively coupled to the memory and to the first communication interface and the second communication interface, and configured to qualify and validate the incoming messages and the outgoing messages on a byte-by-byte basis;
wherein the processor is operable in an operational mode to:
accept messages received from one of the first communication interface and the second communication interface;
retrieve the rule-set from the memory;
qualify the received messages, including any received messages containing received system state information, on a byte-by-byte basis, based on compliance with the rule-set;
for any received message that has been qualified, validate the qualified received message, on a byte-by-byte basis, in accordance with the rule-set, wherein the qualified received message is validated by compliance with the system state-dependent rule in the rule-set based on the current system state information;
transmit the received messages to the other of the first communication interface and the second communication interface only if the received message is validated in compliance with the rule-set; and
update the current system state information based on the system state information in any validated message that includes received system state information.
Abstract
A cyber-security device includes a processor operable to process messages with a data validation rule-set; an external communication interface configured for bi-directional data communication between the processor and external networks or systems; and an internal communication interface configured for bi-directional data communication between the processor and a safety-critical control device, wherein the data received by the processor via either the external or internal communication interface is blocked, sanitized, or passed by the appropriate rule-set, depending on whether the data conform to validation criteria established by the rule-set. The processor analyzes the data, preferably byte-by-byte, with the data in each byte being required to conform to the rule-set validation criteria before being passed from the processor to the appropriate interface.
Claims (59)
1. A cyber-security device for providing secure communication of data in a system including a control device, wherein the system is operable in one or more system states, the cyber-security device comprising:
a first communication interface configured for accepting incoming messages destined for the control device;
a second communication interface configured for accepting outgoing messages from the control device;
a memory configured to store current system state information and a rule-set comprising rules for qualifying and validating the incoming and the outgoing messages, wherein the rule-set includes a system state-dependent rule;
a processor operatively coupled to the memory and to the first communication interface and the second communication interface, and configured to qualify and validate the incoming messages and the outgoing messages on a byte-by-byte basis;
wherein the processor is operable in an operational mode to:
accept messages received from one of the first communication interface and the second communication interface;
retrieve the rule-set from the memory;
qualify the received messages, including any received messages containing received system state information, on a byte-by-byte basis, based on compliance with the rule-set;
for any received message that has been qualified, validate the qualified received message, on a byte-by-byte basis, in accordance with the rule-set, wherein the qualified received message is validated by compliance with the system state-dependent rule in the rule-set based on the current system state information;
transmit the received messages to the other of the first communication interface and the second communication interface only if the received message is validated in compliance with the rule-set; and
update the current system state information based on the system state information in any validated message that includes received system state information.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method of providing secure communication of messages to and from a control device in a system operable in any of several system states, wherein a current system state of the system is indicated by a current system state indication, the method comprising:
accepting incoming messages, bound for the control device, at a first communication interface that is in data communication with a processor operable to process messages with a rule-set that includes rules for qualifying the accepted incoming messages for message size and message type, and for validating message contents in the qualified incoming messages;
processing each accepted incoming message bound for the control device by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted incoming message bound for the control device in accordance with the rule-set for message type, message size, message contents, and for compliance with a system state-dependent rule in the rule-set, based on the current system state indication;
sending only the incoming messages that are qualified and validated based on the rule-set to a second communication interface that is in data communication with the processor for transmission to the control device;
accepting outgoing messages from the control device at the second communication interface;
processing each accepted outgoing message from the control device by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted outgoing message from the control device in accordance with the rule-set for message type, message size, message contents, and for compliance with a system state-dependent rule in the rule-set, based on the current system state indication;
sending only the outgoing messages that are qualified and validated based on the rule-set to the first communication interface; and
updating the current system state indication based on any system state information included in any validated message.
Dependent claims: 12, 13, 14, 15, 16, 17, 51, 52.

18. A non-transitory computer-readable medium for use in a system operable in any of several system states, each of which is indicated by a current system state indication, the non-transitory computer-readable medium including instructions that, when executed by a processor in the system, cause the processor to:
accept incoming messages, bound for a control device, at a first communication interface in data communication with the processor, when the processor has been programmed with a rule-set that includes rules for qualifying and validating the accepted incoming messages for message size and message type, and for validating message contents in the accepted incoming messages, wherein the rule-set includes a system state-dependent rule;
process each accepted incoming message by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted incoming message in accordance with the rule-set, wherein each accepted incoming message is further validated by the system state-dependent rule in the rule-set, based on the current system state indication;
send only the incoming messages that are qualified and validated based on the rule-set to a second communication interface that is in data communication with the processor for transmission to the control device;
accept outgoing messages from the control device at a second communication interface in data communication with the processor;
process each accepted outgoing message from the control device by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted outgoing message in accordance with the rule-set, wherein each accepted outgoing message is further validated by the system state-dependent rule in the rule-set, based on the current system state indication;
send only the outgoing messages that are qualified and validated based on the rule-set to the first communication interface; and
update the current system state indication based on any system state information in any validated message.
Dependent claims: 19, 20, 21, 22, 23, 53, 54.

24. A cyber-security device for providing secure data communication to and from a control device in a control system operable in more than one system state, the cyber-security device comprising:
a first communication interface configured for data communication with the control device;
a second communication interface configured for data communication with a system, a network, or a device other than the control device;
a memory configured to store an indication of a current system state of the control system and a processor-implementable rule-set defining qualification criteria and validation criteria for data contents of incoming messages to the control device and data contents of outgoing messages from the control device; and
a processor in communication with the first communication interface, the second communication interface, and the memory;
wherein the processor is operable in an operational mode to:
accept incoming data messages into the processor;
determine the indication of the current system state of the control system from the memory;
qualify, on a byte-by-byte basis, the content of each incoming data message by compliance with the data qualification criteria defined by the processor-implementable rule-set;
validate, on a byte-by-byte basis, the content of each qualified incoming data message by compliance with the data validation criteria defined by the processor-implementable rule-set, and by compliance with a system state-dependent rule in the rule-set based on the current system state;
output from the processor to the first communication interface only those incoming data messages the content of which has been qualified and validated;
accept outgoing data messages into the processor;
qualify, on a byte-by-byte basis, the content of each outgoing data message by compliance with the data qualification criteria defined by the processor-implementable rule-set;
validate, on a byte-by-byte basis, the content of each qualified outgoing data message by compliance with the data validation criteria defined by the processor-implementable rule-set, and by compliance with the system state-dependent rule in the rule-set based on the current system state;
output from the processor to the second communication interface only those outgoing data messages the content of which has been qualified and validated; and
update the current system state based on any system state information in any validated data message.
Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32, 55, 56.

33. A method for providing secure communication of incoming data messages sent to a control device and outgoing data messages sent from a control device in a system operable in more than one system state, the method comprising:
determining a current system state of the system;
providing a processor programmed with a processor-implementable rule-set configured for qualification and validation of the content of the incoming and outgoing data messages, the rule-set defining data qualification and validation criteria;
accepting incoming data messages into the processor;
qualifying, on a byte-by-byte basis, the content of each incoming data message by compliance with the data qualification criteria defined by the rule-set;
validating, on a byte-by-byte basis, the content of each qualified incoming data message by compliance with the data validation criteria defined by the rule-set, and by compliance with a system state-dependent rule in the rule-set based on the current system state;
outputting from the processor only those incoming data messages the content of which has been qualified and validated;
accepting outgoing data messages into the processor;
qualifying, on a byte-by-byte basis, the content of each outgoing data message by compliance with the data qualification criteria defined by the rule-set;
validating, on a byte-by-byte basis, the content of each qualified outgoing data message by compliance with the data validation criteria defined by the rule-set, and by compliance with the system state-dependent rule in the rule-set based on the current system state;
outputting from the processor only those outgoing data messages the content of which has been qualified and validated; and
updating the current system state of the system based on any system state information in any validated data message.
Dependent claims: 34, 35, 36, 37, 38, 39, 40, 41, 42, 57, 58.

43. A control system that is operable in one or more system states and that includes a cyber-security functionality, the automation and control system comprising:
a control device;
a processor in data communication with the control device and a network, control system or device other than the control device;
a memory operatively associated with the processor and configured to store an indication of a current system state and a rule-set defining qualification and validation criteria for data contents of incoming data messages directed to the control device, and data contents of outgoing data messages directed from the control device;
wherein the processor is operable in an operational mode to process the incoming data messages and the outgoing data messages in accordance with the rule-set so as to
(a) qualify, byte-by-byte, (i) the content of each of the incoming data messages as conforming to qualification criteria defined by the rule-set, and (ii) the content of each of the outgoing data messages as conforming to qualification criteria defined by the rule-set;
(b) validate, byte-by-byte, the content of each qualified data message in accordance with validation criteria defined by the rule-set, and by compliance with a system state-dependent rule in the rule-set;
(c) pass to or from the control device only data content (i) that has been qualified and validated, and (ii) that is deemed proper based on the indication of the current system state and the compliance of the qualified data message with the system state-dependent rule in the rule-set; and
(d) update the indication of current system state based on any system state information contained in any qualified and validated data message.
Dependent claims: 44, 45, 46, 47, 48, 49, 50, 59.
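The independent claims above (1, 11, 24, 33 and 43) all describe the same processing pipeline: qualify a message by size and type, validate its content byte by byte against a rule-set, apply a rule that depends on the stored system state, forward the message to the other interface only if every check passes, and update the stored state from any validated message that carries state information. The following Python is an added illustration of that pipeline, not code from the patent or its assignee. The wire format (one type byte, one payload-length byte, then the payload), the three message types, the three system states, the permitted state transitions and the rule that setpoint writes are accepted only during maintenance are all constructed for this example; a real deployment would derive them from the protocol and safety analysis of the specific control device.

```python
"""Constructed example: a bi-directional, state-aware message filter between an
external network (first interface) and a control device (second interface).
Wire format assumed here: [type][payload_len][payload bytes...]."""
from collections import namedtuple
from dataclasses import dataclass
from enum import Enum


class SystemState(Enum):          # constructed state codes
    STARTUP = 0x10
    RUN = 0x11
    MAINTENANCE = 0x12


class Direction(Enum):
    INCOMING = "external->control device"   # first interface to second interface
    OUTGOING = "control device->external"   # second interface to first interface


MSG_STATE = 0x01      # payload: new system state code, reported by the control device
MSG_SETPOINT = 0x02   # payload: channel 0..3, value 0..100, written to the control device
MSG_STATUS = 0x03     # payload: channel 0..3, value 0..100, flags 0..7


@dataclass(frozen=True)
class Rule:
    directions: frozenset             # interfaces this type may travel between
    byte_ranges: tuple                # (lo, hi) per payload byte; also fixes payload size
    allowed_states: frozenset = None  # state-dependent rule; None means any state


RULESET = {
    MSG_STATE: Rule(frozenset({Direction.OUTGOING}), ((0x10, 0x12),)),
    MSG_SETPOINT: Rule(frozenset({Direction.INCOMING}), ((0, 3), (0, 100)),
                       allowed_states=frozenset({SystemState.MAINTENANCE})),
    MSG_STATUS: Rule(frozenset({Direction.OUTGOING}), ((0, 3), (0, 100), (0, 7))),
}

# State-dependent rule for STATE messages: which transitions are legitimate.
ALLOWED_TRANSITIONS = {
    SystemState.STARTUP: {SystemState.RUN, SystemState.MAINTENANCE},
    SystemState.RUN: {SystemState.MAINTENANCE},
    SystemState.MAINTENANCE: {SystemState.RUN},
}

Decision = namedtuple("Decision", "passed reason")


class Gateway:
    """Holds the current system state and applies the rule-set in both directions."""

    def __init__(self, initial_state=SystemState.STARTUP):
        self.state = initial_state
        self.blocked = []   # audit trail of (direction, message, reason)

    def qualify(self, msg, direction):
        """Qualification: message size, message type and permitted direction."""
        if len(msg) < 2:
            return "size: missing header"
        mtype, plen = msg[0], msg[1]
        rule = RULESET.get(mtype)
        if rule is None:
            return f"type: unknown 0x{mtype:02x}"
        if direction not in rule.directions:
            return f"direction: type 0x{mtype:02x} not allowed {direction.value}"
        if plen != len(rule.byte_ranges) or len(msg) != 2 + plen:
            return "size: payload length does not match rule"
        return None

    def validate(self, msg, direction):
        """Validation: every payload byte within its range, then the state rule."""
        rule = RULESET[msg[0]]
        for i, (b, (lo, hi)) in enumerate(zip(msg[2:], rule.byte_ranges)):
            if not lo <= b <= hi:
                return f"byte {i}: {b} outside {lo}..{hi}"
        if rule.allowed_states is not None and self.state not in rule.allowed_states:
            return f"state: type 0x{msg[0]:02x} not permitted in {self.state.name}"
        if msg[0] == MSG_STATE:
            new = SystemState(msg[2])   # safe: the byte-range check already passed
            if new not in ALLOWED_TRANSITIONS[self.state]:
                return f"transition: {self.state.name} -> {new.name} not allowed"
        return None

    def process(self, msg, direction):
        """Forward to the other interface only if the message qualifies and validates."""
        msg = bytes(msg)
        reason = self.qualify(msg, direction) or self.validate(msg, direction)
        if reason is not None:
            self.blocked.append((direction, msg, reason))
            return Decision(False, reason)
        if msg[0] == MSG_STATE:
            self.state = SystemState(msg[2])   # update stored state from a validated message
        return Decision(True, None)


def demo():
    """Walk a constructed sequence through the gateway; returns (final state, verdicts)."""
    gw = Gateway()
    verdicts = [
        gw.process(b"\x02\x02\x01\x32", Direction.INCOMING).passed,  # setpoint in STARTUP: blocked
        gw.process(b"\x01\x01\x12", Direction.OUTGOING).passed,      # device reports MAINTENANCE
        gw.process(b"\x02\x02\x01\x32", Direction.INCOMING).passed,  # same setpoint now passes
        gw.process(b"\x02\x02\x01\xc8", Direction.INCOMING).passed,  # value 200 out of range
        gw.process(b"\x01\x01\x10", Direction.OUTGOING).passed,      # MAINTENANCE -> STARTUP: blocked
    ]
    return gw.state, verdicts
```

Two design points follow directly from the claims. Qualification runs before validation, so a message of the wrong size or an unknown type is dropped without any field being interpreted, and the state used for the state-dependent rule is the gateway's own stored copy, which changes only when a validated message carries state information; a setpoint that arrives while the stored state is still STARTUP is blocked even though the same bytes pass once the control device has reported MAINTENANCE. The `blocked` list stands in for the logging a real device would emit so that blocked traffic can be monitored.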