
System and method for controlling access to a plant network

  • US 10,038,670 B2
  • Filed: 09/29/2011
  • Issued: 07/31/2018
  • Est. Priority Date: 09/30/2010
  • Status: Active Grant
First Claim

1. A security system for interfacing a plant facility network and a plurality of computers in a corporate business network via a firewall, the system providing for minimization of the rule set for the firewall by unifying traffic flow between the corporate business network and the plant facility network, the system comprising:

  • a first access control device located between the corporate business network and the firewall, the first access control device being in a multiplexer (MUX) configuration;

  • a second access control device located between the firewall and the plant facility network, the second access control device being in a demultiplexer (DEMUX) configuration, such that the corporate business network, the first access device, the firewall, the second access device, and the plant facility network are configured in a series-connected unidirectional MUX-DEMUX configuration;

  • wherein the first access control device is supplied with a multi-user application hosting platform, multiprotocol stack, the first access control device receiving a plurality of requests from computers on the corporate business network;

  • wherein the second access control device is supplied with a multi-user application hosting platform, multiprotocol stack, the second access control device relaying one stream of requests from the first access control device to a plurality of system components on the plant facility network;

  • wherein the firewall is programmed with a single rule such that the only communications that can pass through the firewall are communications between the first access control device and the second access control device;

  • wherein the plant facility network is a perimeter network serving as an interface to a plurality of autonomous systems containing process control field information and non-process applications such as closed circuit television (CCTV), asset management systems, and cybersecurity systems, and wherein the first and second access control systems are programmed such that plant management information systems data, as well as reports, logs and analysis information from CCTV, asset management, and cybersecurity systems that is addressed to one or more corporate network computers, is transmitted via the second access control system, the firewall, and the first access control system; and

  • wherein the first and second access control devices are programmed such that service request communications originating from the corporate business network computers and addressed to the plant facility network are transmitted via the first access control system, the firewall, and the second access control system.
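
The claim's security point is that a firewall between two access control devices only ever needs one rule, because the MUX collapses every corporate-side request into a single stream and the DEMUX fans it back out on the plant side. The following Python model is an added illustration written for this page, not code from the patent or its assignee; the addresses, the system names and the first-match evaluator are constructed assumptions. It builds the conventional per-host rule set beside the unified single-rule set, then traces a corporate request and a plant-originated report through the series MUX -> firewall -> DEMUX chain and shows that a host addressing the plant network directly is dropped under the unified policy.

```python
"""Toy model of the single-rule MUX/DEMUX firewall layout in claim 1 (added example)."""
from dataclasses import dataclass

# Constructed sample addressing (assumption; nothing here comes from the patent).
CORP_HOSTS = ["10.1.0.11", "10.1.0.12", "10.1.0.13"]
PLANT_SYSTEMS = {"historian": "10.9.0.21", "cctv": "10.9.0.22", "asset-mgmt": "10.9.0.23"}
MUX = "10.1.0.250"     # first access control device, corporate side of the firewall
DEMUX = "10.9.0.250"   # second access control device, plant side of the firewall


@dataclass(frozen=True)
class Rule:
    """One accept rule: the two endpoints may exchange traffic in either direction."""
    endpoints: frozenset


def firewall_permits(rules, src, dst):
    """Accept only if some rule names exactly this endpoint pair; implicit default deny."""
    pair = frozenset((src, dst))
    return any(rule.endpoints == pair for rule in rules)


def per_host_rules(corp_hosts, plant_addrs):
    """Conventional layout: one rule per corporate host / plant system pair (grows as N x M)."""
    return [Rule(frozenset((c, p))) for c in corp_hosts for p in plant_addrs]


def single_rule_set(mux, demux):
    """Unified layout from the claim: the firewall only ever sees MUX <-> DEMUX traffic."""
    return [Rule(frozenset((mux, demux)))]


def relay(rules, src, dst):
    """Route a message through the series-connected MUX/DEMUX chain.

    Corporate-originated service requests go src -> MUX -> firewall -> DEMUX -> plant system;
    plant-originated reports and logs go src -> DEMUX -> firewall -> MUX -> corporate host.
    Returns the list of hops, or None if the access control devices do not relay the
    message or the firewall drops the MUX/DEMUX leg.
    """
    plant_addrs = set(PLANT_SYSTEMS.values())
    if src in CORP_HOSTS and dst in plant_addrs:
        first, second = MUX, DEMUX
    elif src in plant_addrs and dst in CORP_HOSTS:
        first, second = DEMUX, MUX
    else:
        return None  # not a corporate<->plant exchange; nothing is relayed
    # The relayed stream carries the access control devices' own addresses, so the
    # firewall decides on the single MUX/DEMUX pair regardless of the original endpoints.
    if not firewall_permits(rules, first, second):
        return None
    return [src, first, "firewall", second, dst]


if __name__ == "__main__":
    plant = list(PLANT_SYSTEMS.values())
    print("per-host rules:", len(per_host_rules(CORP_HOSTS, plant)))
    print("unified rules: ", len(single_rule_set(MUX, DEMUX)))
    unified = single_rule_set(MUX, DEMUX)
    print("direct corp->plant crossing permitted:", firewall_permits(unified, CORP_HOSTS[0], plant[0]))
    print("relayed request path:", relay(unified, CORP_HOSTS[0], plant[0]))
    print("relayed report path: ", relay(unified, PLANT_SYSTEMS["cctv"], CORP_HOSTS[1]))
```

The per-host policy needs nine rules for three hosts and three plant systems and every one of them is a direct corporate-to-plant path the firewall must be trusted to keep correct; the unified policy needs one, and any packet that bypasses the access control devices fails the default deny, which is what makes the rule set both minimal and auditable.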

  • 2 Assignments