Bi-directional data security for control systems

US 9,998,426 B2
Filed: 08/08/2017
Issued: 06/12/2018
Est. Priority Date: 01/30/2014
Status: Active Grant

First Claim

Patent Images

1. A cyber-security device for providing secure communication of data in a system including a control device, wherein the system is operable in one or more system states, the cyber-security device comprising:

a first communication interface configured for accepting incoming messages destined for the control device;

a second communication interface configured for accepting outgoing messages from the control device;

a memory configured to store current system state information and a rule-set comprising rules for qualifying and validating the incoming and the outgoing messages, wherein the rule-set includes a system state-dependent rule;

a processor operatively coupled to the memory and to the first communication interface and the second communication interface, and configured to qualify and validate the incoming messages and the outgoing messages on a byte-by-byte basis;

wherein the processor is operable in an operational mode to;

accept messages received from one of the first communication interface and the second communication interface;

retrieve the rule-set from the memory;

qualify the received messages, including any received messages containing received system state information, on a byte-by-byte basis, based on compliance with the rule-set;

for any received message that has been qualified, validate the qualified received message, on a byte-by-byte basis, in accordance with the rule-set, wherein the qualified received message is validated by compliance with the system state-dependent rule in the rule-set based on the current system state information;

transmit the received messages to the other of the first communication interface and the second communication interface only if the received message is validated in compliance with the rule-set; and

update the current system state information based on the system state information in any validated message that includes received system state information.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cyber-security device includes a processor operable to process messages with a data validation rule-set; an external communication interface configured for bi-directional data communication between the processor and external networks or systems; and an internal communication interface configured for bi-directional data communication between the processor and a safety-critical control device, wherein the data received by the processor via either the external or internal communication interface is blocked, sanitized, or passed by the appropriate rule-set, depending on whether the data conform to validation criteria established by the rule-set. The processor analyzes the data, preferably byte-by-byte, with the data in each byte being required to conform to the rule-set validation criteria before being passed from the processor to the appropriate interface.

Citations

59 Claims

1. A cyber-security device for providing secure communication of data in a system including a control device, wherein the system is operable in one or more system states, the cyber-security device comprising:
- a first communication interface configured for accepting incoming messages destined for the control device;
  
  a second communication interface configured for accepting outgoing messages from the control device;
  
  a memory configured to store current system state information and a rule-set comprising rules for qualifying and validating the incoming and the outgoing messages, wherein the rule-set includes a system state-dependent rule;
  
  a processor operatively coupled to the memory and to the first communication interface and the second communication interface, and configured to qualify and validate the incoming messages and the outgoing messages on a byte-by-byte basis;
  
  wherein the processor is operable in an operational mode to;
  
  accept messages received from one of the first communication interface and the second communication interface;
  
  retrieve the rule-set from the memory;
  
  qualify the received messages, including any received messages containing received system state information, on a byte-by-byte basis, based on compliance with the rule-set;
  
  for any received message that has been qualified, validate the qualified received message, on a byte-by-byte basis, in accordance with the rule-set, wherein the qualified received message is validated by compliance with the system state-dependent rule in the rule-set based on the current system state information;
  
  transmit the received messages to the other of the first communication interface and the second communication interface only if the received message is validated in compliance with the rule-set; and
  
  update the current system state information based on the system state information in any validated message that includes received system state information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The cyber-security device of claim 1, wherein the processor is operable in a programming mode in which the processor is operable to replace the rule-set in the memory with a new rule-set, and to cycle back to the operational mode after the new rule set is loaded from the memory.
  - 3. The cyber-security device of claim 1, wherein the processor is further operable to block the received message when the received message cannot be validated.
  - 4. The cyber-security device of claim 1, wherein, when the received message cannot be validated, the processor is further operable to replace data in the received message that are not in compliance with the rule-set with data known to be in compliance with the rule-set, whereby the received message with the data known to be compliant with the rule-set is deemed validated.
  - 5. The cyber-security device of claim 4, wherein the data known to be in compliance with the rule-set are selected from one or more of data with default values, and data with last-known compliant values.
  - 6. The cyber-security device of claim 5, wherein the data with last-known compliant values are determined from at least one previously-validated message.
  - 7. The cyber-security device of claim 5, wherein the data with the last known compliant values are determined from an external data source.
  - 8. The cyber-security device of claim 1, wherein the received system state information comes from at least one of the control device, an external system, and a secondary control device.
  - 9. The cyber-security device of claim 1, wherein the processor is further operable in a learning mode in which the processor is operable to build or update rule-sets based on contents of received messages.
  - 10. The cyber-security device of claim 1, wherein the processor is further operable for cross-domain processing of received messages across two or more security domain classifications.

11. A method of providing secure communication of messages to and from a control device in a system operable in any of several system states, wherein a current system state of the system is indicated by a current system state indication, the method comprising:
- accepting incoming messages, bound for the control device, at a first communication interface that is in data communication with a processor operable to process messages with a rule-set that includes rules for qualifying the accepted incoming messages for message size and message type, and for validating message contents in the qualified incoming messages;
  
  processing each accepted incoming message bound for the control device by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted incoming message bound for the control device in accordance with the rule-set for message type, message size, message contents, and for compliance with a system state-dependent rule in the rule-set, based on the current system state indication;
  
  sending only the incoming messages that are qualified and validated based on the rule-set to a second communication interface that is in data communication with the processor for transmission to the control device;
  
  accepting outgoing messages from the control device at the second communication interface;
  
  processing each accepted outgoing message from the control device by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted outgoing message from the control device in accordance with the rule-set for message type, message size, message contents, and, for compliance with a system state-dependent rule in the rule-set, based on the current system state indication;
  
  sending only the outgoing messages that are qualified and validated based on the rule-set to the first communication interface; and
  
  updating the current system state indication based on any system state information included in any validated message.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 51, 52)
- - 12. The method of claim 11, further comprising blocking incoming messages and outgoing messages that cannot be qualified and validated in accordance with the rule-set.
  - 13. The method of claim 11, further comprising sanitizing incoming messages and outgoing messages that cannot be qualified and validated in accordance with the programmable rule-set by replacing data that are non-compliant with the rule-set with data known to be compliant with the rule-set.
  - 14. The method of claim 11, wherein the rule-set is a first rule-set, the method further comprising:
    - putting the processor into a programming mode in response to a mode-selection signal;
      
      receiving a second rule-set while the processor is in the programming mode;
      
      replacing the first rule-set with the second rule-set;
      
      exiting the programming mode; and
      
      processing future incoming messages and outgoing messages based on the second rule-set by operating the processor to implement the second rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted incoming message and outgoing message in accordance with the second rule-set.
  - 15. The method of claim 13, wherein the data known to be compliant with the rule-set are selected from one or more of data with default values, and data with last-known compliant values.
  - 16. The method of claim 15, wherein the data with last-known compliant values are determined from at least one previously-validated message.
  - 17. The method of claim 11, wherein the validation provided by the rule-set is dependent on the current system state indication.
  - 51. The method of claim 11, wherein the system state information included in any validated message comes from at least one of the control device, an external system, and a secondary control device.
  - 52. The method of claim 11, further comprising updating the rule-set based on contents of a validated message.

18. A non-transitory computer-readable medium for use in a system operable in any of several system states, each of which is indicated by a current system state indication, the non-transitory computer-readable medium including instructions that, when executed by a processor in the system, cause the processor to:
- accept incoming messages, bound for a control device, at a first communication interface in data communication with the processor, when the processor has been programmed with a rule-set that includes rules for qualifying and validating the accepted incoming messages for message size and message type, and for validating message contents in the accepted incoming messages wherein the rule-set includes a system state-dependent rule;
  
  process each accepted incoming message by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted incoming message in accordance with the rule-set, wherein each accepted incoming message is further validated by the system state dependent rule in the rule-set, based on the current system state indication;
  
  send only the incoming messages that are qualified and validated based on the rule-set to a second communication interface that is in data communication with the processor for transmission to the control device;
  
  accept outgoing messages from the control device at a second communication interface in data communication with the processor;
  
  process each accepted outgoing message from the control device by operating the processor to implement the rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted outgoing message in accordance with the rule-set, is further validated by the system state dependent rule in the rule-set, based on the current system state indication;
  
  send only the outgoing messages that are qualified and validated based on the rule-set to the first communication interface; and
  
  update the current system state indication based on any system state information in any validated message.
- View Dependent Claims (19, 20, 21, 22, 23, 53, 54)
- - 19. The non-transitory computer-readable medium of claim 18, wherein the instructions further cause the processor to block incoming messages and outgoing messages that cannot be qualified and validated in accordance with the rule-set.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the instructions further cause the processor to sanitize incoming messages and outgoing messages that cannot be qualified and validated in accordance with the rule-set by replacing data that are non-compliant with the rule-set with data known to be compliant with the rule-set.
  - 21. The non-transitory computer-readable medium of claim 18, wherein the rule-set is a first rule-set, the non-transitory computer-readable medium further comprising instructions to:
    - put the processor into a programming mode in response to a mode-selection signal;
      
      accept a second rule-set including a system-state-dependent rule only while the processor is in the programming mode;
      
      replace the first rule-set with the second rule-set;
      
      exit the programming mode; and
      
      process future incoming messages and outgoing messages based on the second rule-set by operating the processor to implement the second rule-set so as to qualify and validate, on a byte-by-byte basis, each accepted incoming message and outgoing message in accordance with the second rule-set.
  - 22. The non-transitory computer-readable medium of claim 20, wherein the data known to be in compliance with the rule-set are selected from one or more of data with default values, and data with last-known compliant values.
  - 23. The non-transitory computer-readable medium of claim 22, wherein the data with last-known compliant values are determined from at least one previously-validated message.
  - 53. The non-transitory, computer-readable medium of claim 18, wherein the instructions, when executed by the processor, cause the processor to build or update a rule-set based on contents of a validated message.
  - 54. The non-transitory, computer-readable medium of claim 18, wherein system state information included in any validated message comes from at least one of the control device, an external system, and a secondary control device.

24. A cyber-security device for providing secure data communication to and from a control device in a control system operable in more than one system state, the cyber-security device comprising:
- a first communication interface configured for data communication with the control device;
  
  a second communication interface configured for data communication with a system, a network, or a device other than the control device;
  
  a memory configured to store an indication of a current system state of the control system and a processor-implementable rule-set defining qualification criteria and validation criteria for data contents of incoming messages to the control device and data contents of outgoing messages from the control device; and
  
  a processor in communication with the first communication interface, the second communication interface, and the memory;
  
  wherein the processor is operable in an operational mode to;
  
  accept incoming data messages into the processor;
  
  determine the indication of the current system state of the control system from the memory;
  
  qualify, on a byte-by-byte basis, the content of each incoming data message by compliance with the data qualification criteria defined by the processor-implementable rule-set;
  
  validate, on a byte-by-byte basis, the content of each qualified incoming data message by compliance with the data validation criteria defined by the processor-implementable rule-set, and by compliance with a system state-dependent rule in the rule-set based on the current system state;
  
  output from the processor to the first communication interface only those incoming data messages the content of which has been qualified and validated;
  
  accept outgoing data messages into the processor;
  
  qualify, on a byte-by-byte basis, the content of each outgoing data message by compliance with the data qualification criteria defined by the processor-implementable rule-set;
  
  validate, on a byte-by-byte basis, the content of each qualified outgoing data message by compliance with the data validation criteria defined by the processor-implementable rule-set, and by compliance with the system state-dependent rule in the rule-set based on the current system state;
  
  output from the processor to the second communication interface only those outgoing data messages the content of which has been qualified and validated; and
  
  update the current system state based on any system state information in any validated data message.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 55, 56)
- - 25. The cyber-security device of claim 24, wherein the processor is operable in a programming mode to load a new rule set and to cycle back to the operational mode after the new rule set is loaded.
  - 26. The cyber security device of claim 24, wherein the processor-implementable rule set includes a first rule set configured to process the incoming data messages and a second rule set configured to process the outgoing data messages.
  - 27. The cyber-security device of claim 24, wherein the memory is configured for storing system state information derived from any qualified and validated incoming data message that includes system state information, and from any qualified and validated outgoing data message that includes system state information.
  - 28. The cyber-security device of claim 24, wherein the processor is configured to store in the memory the updated current system state based on the system state information received from at least one of the qualified and validated incoming data messages and outgoing data messages that includes system state information.
  - 29. The cyber-security device of claim 24, wherein the processor is further operable to block any data message that cannot be validated.
  - 30. The cyber-security device of claim 24, wherein, in any data message that cannot be validated, the processor is further operable to replace data that are not in compliance with the rule-set with data known to be in compliance with the rule-set, whereby the data message with the data known to be compliant with the rule-set is deemed validated.
  - 31. The cyber-security device of claim 30, wherein the data known to be in compliance with the rule-set are selected from one or more of data with default values, and data with last-known compliant values.
  - 32. The cyber-security device of claim 31, wherein the data with last-known compliant values are determined from at least one previously-validated message.
  - 55. The cyber-security device of claim 24, wherein the processor is further operable to build or update a rule-set based on contents of a validated message.
  - 56. The cyber-security device of claim 24, wherein system state information included in any validated message comes from at least one of the control device, an external system, and a secondary control device.

33. A method for providing secure communication of incoming data messages sent to a control device and outgoing data messages sent from a control device in a system operable in more than one system state, the method comprising:
- determining a current system state of the system;
  
  providing a processor programmed with a processor-implementable rule-set configured for qualification and validation of the content of the incoming and outgoing data messages, the rule-set defining data qualification and validation criteria;
  
  accepting incoming data messages into the processor;
  
  qualifying, on a byte-by-byte basis, the content of each incoming data message by compliance with the data qualification criteria defined by the rule-set;
  
  validating, on a byte-by-byte basis, the content of each qualified incoming data message by compliance with the data validation criteria defined by the rule-set, and by compliance with a system state-dependent rule in the rule-set based on the current system state;
  
  outputting from the processor only those incoming data messages the content of which has been qualified and validated;
  
  accepting outgoing data messages into the processor;
  
  qualifying, on a byte-by-byte basis, the content of each outgoing data message by compliance with the data qualification criteria defined by the rule-set;
  
  validating, on a byte-by-byte basis, the content of each qualified outgoing data message by compliance with the data validation criteria defined by the rule-set, and by compliance with the system state-dependent rule in the rule-set based on the current system state;
  
  outputting from the processor only those outgoing data messages the content of which has been qualified and validated; and
  
  updating the current system state of the system based on any system state information in any validated data message.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 57, 58)
- - 34. The method of claim 33, wherein the rule-set includes a first rule-set configured to process the incoming data messages, and a second rule-set configured to process the outgoing data messages.
  - 35. The method of claim 33, wherein the processor has an operational mode and a programming mode, and wherein the rule-set is implemented only when the processor is in the operational mode.
  - 36. The method of claim 35, further comprising re-programming the processor with a new processor-implementable rule-set when the processor is in the programming mode.
  - 37. The method of claim 36, wherein the re-programming is performed by:
    - switching the processor from the operational mode to the programming mode;
      
      loading the new processor-implementable rule-set into the processor; and
      
      cycling the processor back to the operational mode.
  - 38. The method of claim 37, wherein the loading of the new processor-implementable rule-set is performed via a communication interface.
  - 39. The method of claim 33, wherein the qualification of the content of the incoming data messages and the outgoing data messages comprises:
    - determining the presence, in each data message, of unqualified content that is not in compliance with the data qualification criteria defined by the rule-set; and
      
      deleting any unqualified content determined to be present.
  - 40. The method of claim 39, wherein the validation of the content of the incoming data messages and the outgoing data messages comprises:
    - examining, in accordance with the data validation criteria defined by the rule-set, the qualified content of the data messages that has not been deleted, to determine compliance of the qualified content with the data validation criteria defined by the rule-set; and
      
      deleting any content determined to be non-compliant with the data validation criteria defined by the rule-set.
  - 41. The method of claim 40, wherein the validation further comprises replacing the deleted content with content known to be compliant with the data validation criteria defined by the rule-set.
  - 42. The method of claim 40, wherein the validation further comprises, after examining the qualified content of the data messages, modifying at least some of the qualified content that has not been deleted so as to be compliant with further data validation criteria defined by the rule-set.
  - 57. The method of claim 33, wherein the processor is further operable to build or update a rule-set based on contents of a validated message.
  - 58. The method of claim 33, wherein system state information included in any validated message comes from at least one of the control device, an external system, and a secondary control device.

43. A control system that is operable in one or more system states and that includes a cyber-security functionality, the automation and control system comprising:
- a control device;
  
  a processor in data communication with the control device and a network, control system or device other than the control device;
  
  a memory operatively associated with the processor and configured to store an indication of a current system state and a rule-set defining qualification and validation criteria for data contents of incoming data messages directed to the control device, and data contents of outgoing data messages directed from the control device;
  
  wherein the processor is operable in an operational mode to process the incoming data messages and the outgoing data messages in accordance with the rule-set so as to (a) qualify, byte-by-byte, (i) the content of each of the incoming data messages as conforming to qualification criteria defined by the rule-set, and (ii) the content of each of the outgoing data messages as conforming to qualification criteria defined by the rule-set;
  
  (b) validate, byte-by-byte, the content of each qualified data message in accordance with validation criteria defined by the rule-set, and by compliance with a system state-dependent rule in the rule-set;
  
  (c) pass to or from the control device only data content (i) that has been qualified and validated, and (ii) that is deemed proper based on the indication of the current system state and the compliance of the qualified data message with the system state-dependent rule in the rule-set; and
  
  (d) update the indication of current system state based on any system state information contained in any qualified and validated data message.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 59)
- - 44. The system of claim 43, wherein the processor is operable in a programming mode in which the processor may be re-programmed with a new rule-set, wherein the processor is configured to cycle back to the operational mode after the processor is re-programmed with the new rule-set.
  - 45. The system of claim 43, wherein the rule-set includes a first rule-set configured to process the incoming data messages, and a second rule-set configured to process the outgoing data messages.
  - 46. The system of claim 43, wherein the processor is further operable to block a message that cannot be validated.
  - 47. The system of claim 43, wherein the processor is further operable to replace data in a message that are not in compliance with the rule-set with data known to be in compliance with the rule-set, whereby the message with the data known to be compliant with the rule-set is deemed validated.
  - 48. The system of claim 47, wherein the data known to be in compliance with the rule-set are selected from one or more of data with default values, and data with last-known compliant values.
  - 49. The system of claim 48, wherein the data with last-known compliant values are determined from at least one previously-validated message.
  - 50. The system of claim 43, wherein the processor is further operable to build or update rule-sets based on contents of qualified and validated messages.
  - 59. The system of claim 43, wherein the system state information comes from at least one of the control device, an external system, and a secondary control device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sierra Nevada Co. LLC
Original Assignee
Sierra Nevada Corporation
Inventors
Fischer, Peter, Edwards, Joshua A., Shepard, Kyle Andrew, Streander, Kevin Jeffrey
Primary Examiner(s)
King, John B

Application Number

US15/671,870
Publication Number

US 20170374027A1
Time in Patent Office

308 Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/0425   Safety, monitoring

G05B 2219/32404   Scada supervisory control a...

G06Q 10/0639   Performance analysis of emp...

G06Q 50/06   Energy or water supply

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Bi-directional data security for control systems

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

Bi-directional data security for control systems

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links