Operator action authentication in an industrial control system

US 10,834,094 B2
Filed: 10/20/2014
Issued: 11/10/2020
Est. Priority Date: 08/06/2013
Status: Active Grant

First Claim

Patent Images

1. A secure industrial control system, comprising:

an action originator configured to transmit an action request received at the action originator;

an action authenticator located physically remotely from the action originator and including at least one processor in communication with a storage medium having a private key provisioned by the key management entity stored thereon configured to;

receive the action request from the action originator,determine whether the received action request is an authorized action request independent of the action originator,sign the received action request with the private key thereby generating a signed version of the action request based on the determinationtransmit the action request; and

a communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive industrial sensor information or send control information to an industrial actuator or motor, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to;

receive the action request from the action authenticator, the action request forming a part of a request datagram, the request datagram comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate;

authenticate the received action request based on a determination of whether the received action is the signed version of the action request, wherein authenticating the received action request further comprises;

verifying that the request datagram is valid;

sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;

receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce;

validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce; and

execute the action request based on whether the received action request is an authenticated action request, wherein the action request includes operator control actions, including;

reading or changing control set points, controlling one or more actuators, and executing control commands from an operator interface or an engineering interface.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Operator actions and/or other commands or requests are secured via an authentication path from an action originator to a communications/control module or any other industrial element/controller. In implementations, an industrial control system includes an action authenticator configured to sign an action request generated by the action originator. The destination communications/control module or any other industrial element/controller is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.

245 Citations

20 Claims

1. A secure industrial control system, comprising:
- an action originator configured to transmit an action request received at the action originator;
  
  an action authenticator located physically remotely from the action originator and including at least one processor in communication with a storage medium having a private key provisioned by the key management entity stored thereon configured to;
  
  receive the action request from the action originator,determine whether the received action request is an authorized action request independent of the action originator,sign the received action request with the private key thereby generating a signed version of the action request based on the determinationtransmit the action request; and
  
  a communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive industrial sensor information or send control information to an industrial actuator or motor, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to;
  
  receive the action request from the action authenticator, the action request forming a part of a request datagram, the request datagram comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate;
  
  authenticate the received action request based on a determination of whether the received action is the signed version of the action request, wherein authenticating the received action request further comprises;
  
  verifying that the request datagram is valid;
  
  sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;
  
  receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce;
  
  validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce; and
  
  execute the action request based on whether the received action request is an authenticated action request, wherein the action request includes operator control actions, including;
  
  reading or changing control set points, controlling one or more actuators, and executing control commands from an operator interface or an engineering interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20)
- - 2. The industrial control system of claim 1, wherein the action originator comprises at least one of:
    - an operator interface, an engineering interface, a local application interface, and a remote application interface.
  - 3. The secure industrial control system of claim 1, wherein the action authenticator comprises a portable encryption device that includes the at least one processor in communication with the storage medium having the private key stored thereon.
  - 4. The secure industrial control system of claim 3, wherein the processor comprises an encrypted microprocessor.
  - 5. The secure industrial control system of claim 3, wherein the portable encryption device comprises a smart card.
  - 6. The secure industrial control system of claim 1, wherein the action authenticator comprises a secured workstation.
  - 7. The secure industrial control system of claim 6, wherein the secured workstation is accessible via at least one of:
    - a physical key, a portable encryption device, and a biometric cryptography device.
  - 8. The secure industrial control system of claim 1, wherein the action authenticator is configured to encrypt the action request prior to transmission of the action request to the communication/control module.
  - 9. The secure industrial control system of claim 1, wherein the communications/control module further includes a virtual key switch that enables the at least one processor to execute the action request upon authentication of the action request as the signed version of the action request.
  - 10. The secure industrial control system of claim 1, wherein the communications/control module and the action authenticator are further configured to perform an authentication sequence.
  - 11. The secure industrial control system of claim 1, wherein the one or more industrial elements further include at least one of:
    - a communications/control module, a power module, a field device, a switch, a workstation, and a physical interconnect device.
  - 20. The secure industrial control system of claim 1, wherein the communications/control module and the at least one input/output module are configured to receive respective first and second unique security credentials at respective points of manufacture from the key management entity, the first and second unique security credentials being stored in respective memories of the communications/control module and the at least one input/output module, wherein at least one of the first and second unique security credentials is at least one of modifiable, revocable, or authenticatable by the key management entity at a site different from the respective point of manufacture of the respective one of the communications/control module and the at least one input/output module.

12. A communications/control module, comprising:
- at least one processor; and
  
  a non-transitory medium bearing a set of instructions executable by the at least one processor, the set of instructions including instructions to;
  
  receive an action request initiated at an action originator, the action request forming a part of a request datagram, the request comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate, wherein;
  
  an unsigned version of the action request is transmitted from the action originator to an action authenticator located physically remotely from the action originator,the action authenticator determines whether the received action request is an authorized action request independent of the action originator, wherein the determination further comprises;
  
  verifying that the request datagram is valid;
  
  sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;
  
  receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce;
  
  validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce, whereinthe action authenticator generates a signed version of the action request based on the determination, andthe action authenticator transmits the action request to the communication/control module;
  
  determine an authenticity of the received action request based on whether the received action request is the signed version of the action request; and
  
  perform an action associated with the received action request based on the determination, wherein the action request includes at least one operator control action provided at the action originator, and wherein the action originator includes at least one of;
  
  an operator interface, an engineering interface, a local application interface, and a remote application interface.
- View Dependent Claims (13, 14, 15)
- - 13. The communications/control module of claim 12, further comprising:
    - a virtual key switch that enables the at least one processor to run execute the received action request upon a determination that the received action request is a signed version of the action request.
  - 14. The communications/control module of claim 12, wherein the received action request is an encrypted version of the action request and the set of instructions further includes instructions to decrypt the encrypted version of the action request.
  - 15. The communications/control module of claim 12, wherein the instructions to execute the action request upon a determination that the action request is a signed version of the action request includes:
    - instructions to control a communicatively coupled industrial element including at least one of;
      
      a communications/control module, an input/output module, a power module, a field device, a switch, a workstation, and a physical interconnect device.

16. A method of executing a requested action in a secure industrial control system, comprising:
- receiving an action request at an action originator, the action request forming a part of a request datagram, the request comprising a first nonce, a first device authenticating key certificate, and a first identity attribute certificate;
  
  transmitting the action request from the action originator;
  
  receiving the action request from the action originator at an action authenticator located physically remotely from the action originator;
  
  determining whether the action request is an authorized action request at the action authenticator independent of the action originator;
  
  signing the action request at the action authenticator based on the determination, the action authenticator including at least one processor in communication with a storage medium having a private key stored thereon, the at least one processor being configured to sign the action request with the private key based on the determination thereby generating a signed version of the action request;
  
  receiving the action request at a communications/control module in communication with one or more industrial elements, the one or more industrial elements including at least one input/output module operable to receive industrial sensor information or send control information to an industrial actuator or motor, the communications/control module including at least one processor and a non-transitory medium bearing a set of instructions executable by the at least one processor for controlling communications with the one or more industrial elements;
  
  determining whether the action request is a signed version of the action request at the communication/control module;
  
  authenticating, at the communications/control module, the action request based on the determination, wherein authenticating the action request further comprises;
  
  verifying that the request datagram is valid;
  
  sending a response datagram to the action authenticator, the response datagram comprising a second nonce, a first signature associated with the first nonce and the second nonce, and a second identity attribute certificate;
  
  receiving an authentication datagram from the action authenticator, the authentication datagram comprising a second signature associated with the first nonce and the second nonce;
  
  validating the authentication datagram by verifying the second signature associated with the first nonce and the second nonce; and
  
  executing the action request, via the communications/control module, only if the action request is authenticated, wherein the action request includes operator control actions, including;
  
  reading or changing control set points, controlling one or more actuators, and executing control commands from an operator interface, and an engineering interface.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the action request is encrypted by the action authenticator prior to transmission to the communication/control module.
  - 18. The method of claim 16, wherein the action authenticator comprises at least one of:
    - a portable encryption device, a secured workstation, and a device lifecycle management system.
  - 19. The method of claim 16, wherein executing the action request further includes:
    - controlling an industrial element according to the action request, the industrial element including at least one of;
      
      a communications/control module, an input/output module, a power module, a field device, a switch, a workstation, and a physical interconnect device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Analog Devices, Inc.
Original Assignee
Bedrock Automation Platforms, Inc. (Analog Devices, Inc.)
Inventors
Galpin, Samuel, Clish, Timothy, Calvin, James G., Rooyakkers, Albert
Primary Examiner(s)
Leung, Robert B

Application Number

US14/519,066
Publication Number

US 20150046697A1
Time in Patent Office

2,213 Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/0425   Safety, monitoring

G05B 2219/23342   Pluggable rom, smart card

G05B 2219/24162   Biometric sensor, fingerpri...

G05B 2219/24167   Encryption, password, user ...

G06F 2212/175   Industrial control system

G09C 1/00   Apparatus or methods whereb...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/12   Applying verification of th...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Operator action authentication in an industrial control system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

245 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Operator action authentication in an industrial control system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

245 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others