Operator action authentication in an industrial control system
First Claim
1. A secure industrial control system, comprising:
an action originator configured to transmit an action request received at the action originator;
an action authenticator located physically remotely from the action originator and including at least one processor in communication with a storage medium having a private key provisioned by the key management entity stored thereon, configured to:
receive the action request from the action originator,
determine whether the received action request is an authorized action request independent of the action originator,
sign the received action request with the private key, thereby generating a signed version of the action request based on the determination, and
transmit the action request; and
a communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive industrial sensor information or send control information to an industrial actuator or motor, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to:
receive the action request from the action authenticator, the action request forming a part of a request datagram, the request datagram comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate;
authenticate the received action request based on a determination of whether the received action request is the signed version of the action request, wherein authenticating the received action request further comprises:
verifying that the request datagram is valid;
sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;
receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce; and
validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce; and
execute the action request based on whether the received action request is an authenticated action request, wherein the action request includes operator control actions, including:
reading or changing control set points, controlling one or more actuators, and executing control commands from an operator interface or an engineering interface.
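The three-datagram exchange claimed above (signed action request with a first nonce, response with a second nonce and a first signature over both nonces, authentication datagram with a second signature over both nonces), played out in Go as an added example that is not part of the patent. It assumes Ed25519 key pairs stand in for the device authenticating key and identity attribute certificates, that the authenticator has already authorized the action independently of the originator, and it adds a role byte to each signed transcript as domain separation, which the claims do not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Party holds one side's Ed25519 key pair. The module's copy of the authenticator's public key
// stands in for the device authenticating key certificate (assumption: no certificate chain is modelled).
type Party struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newParty() Party { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return Party{priv, pub} }
func nonce() []byte   { n := make([]byte, 16); rand.Read(n); return n }

// transcript binds both nonces under a role byte (added domain separation, not in the claims,
// so a signature issued by one side cannot be replayed as the other side's).
func transcript(role byte, n1, n2 []byte) []byte { return append(append([]byte{role}, n1...), n2...) }

// RunExchange plays the claimed flow between an action authenticator (auth) and a
// communications/control module (mod); tamper flips one byte of the action in transit.
// Authorization of the action "independent of the originator" is assumed to have already happened.
func RunExchange(action []byte, tamper bool) (bool, error) {
	auth, mod := newParty(), newParty()
	// Request datagram: first nonce plus the action signed with the authenticator's provisioned key.
	n1, actSig := nonce(), ed25519.Sign(auth.priv, action)
	seen := append([]byte{}, action...)
	if tamper {
		seen[0] ^= 1
	}
	// Module side: the request is valid only if it is the authenticator-signed version of the action.
	if !ed25519.Verify(auth.pub, seen, actSig) {
		return false, errors.New("not the authenticator-signed version of the action request")
	}
	// Response datagram: second nonce plus the module's first signature over both nonces.
	n2 := nonce()
	sig1 := ed25519.Sign(mod.priv, transcript('M', n1, n2))
	// Authenticator side: verify sig1, then send the authentication datagram carrying sig2.
	if !ed25519.Verify(mod.pub, transcript('M', n1, n2), sig1) {
		return false, errors.New("response datagram signature invalid")
	}
	sig2 := ed25519.Sign(auth.priv, transcript('A', n1, n2))
	// Module side: validate sig2; only a true result lets the action execute.
	return ed25519.Verify(auth.pub, transcript('A', n1, n2), sig2), nil
}
```

Because both nonces are fresh per exchange, a recorded sig2 from an earlier run does not verify against a new transcript, which is what makes the claimed step "validating the authentication datagram" a replay check rather than only an origin check.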
Abstract
Operator actions and/or other commands or requests are secured via an authentication path from an action originator to a communications/control module or any other industrial element/controller. In implementations, an industrial control system includes an action authenticator configured to sign an action request generated by the action originator. The destination communications/control module or any other industrial element/controller is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.
Claims (20)
1. Independent claim, set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20.
12. A communications/control module, comprising:
at least one processor; and
a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to:
receive an action request initiated at an action originator, the action request forming a part of a request datagram, the request datagram comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate, wherein:
an unsigned version of the action request is transmitted from the action originator to an action authenticator located physically remotely from the action originator,
the action authenticator determines whether the received action request is an authorized action request independent of the action originator, wherein the determination further comprises:
verifying that the request datagram is valid;
sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;
receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce; and
validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce,
wherein the action authenticator generates a signed version of the action request based on the determination, and the action authenticator transmits the action request to the communications/control module;
determine an authenticity of the received action request based on whether the received action request is the signed version of the action request; and
perform an action associated with the received action request based on the determination,
wherein the action request includes at least one operator control action provided at the action originator, and wherein the action originator includes at least one of:
an operator interface, an engineering interface, a local application interface, and a remote application interface.
Dependent claims: 13, 14, 15.
16. A method of executing a requested action in a secure industrial control system, comprising:
receiving an action request at an action originator, the action request forming a part of a request datagram, the request datagram comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate;
transmitting the action request from the action originator;
receiving the action request from the action originator at an action authenticator located physically remotely from the action originator;
determining whether the action request is an authorized action request at the action authenticator independent of the action originator;
signing the action request at the action authenticator based on the determination, the action authenticator including at least one processor in communication with a storage medium having a private key stored thereon, the at least one processor being configured to sign the action request with the private key based on the determination, thereby generating a signed version of the action request;
receiving the action request at a communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive industrial sensor information or send control information to an industrial actuator or motor, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor for controlling communications with the one or more industrial elements;
determining whether the action request is a signed version of the action request at the communications/control module;
authenticating, at the communications/control module, the action request based on the determination, wherein authenticating the action request further comprises:
verifying that the request datagram is valid;
sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;
receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce; and
validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce; and
executing the action request, via the communications/control module, only if the action request is authenticated, wherein the action request includes operator control actions, including:
reading or changing control set points, controlling one or more actuators, and executing control commands from an operator interface and an engineering interface.
Dependent claims: 17, 18, 19.