REAL-TIME INDUSTRIAL FIREWALL

US 20080320582A1
Filed: 06/19/2007
Published: 12/25/2008
Est. Priority Date: 06/19/2007
Status: Active Grant

First Claim

Patent Images

1. A system that provides secure communication between an automation control network and devices external thereto, comprising:

a monitoring component that inspects at least a portion of an instance of electronic communication to or from an automation control network and a network external thereto; and

a filtering component that selectively admits or denies propagation of the instance of electronic communication based on the inspection, an application-level communication security criterion, and information specified in a related request or response communication compliant with the security criterion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing for employing a real time firewall to secure components of an automation control network from unauthorized communication to or from such components is disclosed herein. A monitoring component can inspect at least a portion of an instance of communication directed toward or originating from a component of the automation control network. Such inspection can, e.g., be a deep packet inspection based on information received from a communication request and/or response protocol. A filtering component can selectively admit or deny propagation of the instance of communication based on the inspection and a predetermined security criterion. In such a manner, the subject innovation can provide for limited access to network components from office network machines and for securing components of an automation control network from influence by unauthorized entities.

91 Citations

View as Search Results

20 Claims

1. A system that provides secure communication between an automation control network and devices external thereto, comprising:
- a monitoring component that inspects at least a portion of an instance of electronic communication to or from an automation control network and a network external thereto; and
  
  a filtering component that selectively admits or denies propagation of the instance of electronic communication based on the inspection, an application-level communication security criterion, and information specified in a related request or response communication compliant with the security criterion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, the predetermined communication security criterion establishes an access right with the automation control network or components thereof, such that the filtering component admits propagation of the instance of communication if at least a portion thereof contains or is related to the request or response communication and complies with the communication security criterion.
  - 3. The system of claim 1, the automation control network contains at least one manufacturing or process automation device and utilizes an industrial Ethernet-related communication protocol.
  - 4. The system of claim 3, the industrial Ethernet-related communication protocol comprises at least a portion of an input/output (I/O) protocol, or a component based automation (CBA) protocol.
  - 5. The system of claim 1, the monitoring component further identifies a discovery and configuration request message contained within the instance of communication.
  - 6. The system of claim 1, comprising an identification component that broadcasts a request for, or receives a response to a discovery and configuration message configured to request and receive addressing, routing, or programmable control information associated with components of the automation control network or devices of an external network.
  - 7. The system of claim 6, the filtering component denies propagation to the instance of communication if it contains at least a portion of a discovery and configuration message, and was not initiated by or directed to the identification component.
  - 8. The system of claim 7, the programmable control information includes a name, physical topology, or logical topology, or combinations thereof, associated with one or more components of the automation control network.
  - 9. The system of claim 1, comprising a replication component that acts as a communication proxy on behalf of the automation control network or components of such network for communication between external communication devices.
  - 10. The system of claim 9, the replication component receives addressing, routing, or programmable control information, or combinations thereof, to facilitate acting as a proxy for the automation control network and components of such network.
  - 11. The system of claim 1, comprising a mapping component that correlates addressing, routing or control information, or combinations thereof, associated with a component of the automation control network to a device name, and facilitates routing, inspection, and selective propagation of the instance of communication via the device name.

12. A system that facilitates secure configuration and control of components of an automation network, comprising:
- means for addressing a component of an automation network, that establishes a tiered command structure mapped to functions, capabilities, parameters, or diagnostics of the component, or combinations thereof, andmeans for rejecting communication that terminates a data packet routed to the component of the automation network and containing at least a portion of information related to the tiered command structure, if the data packet does not comply with a security policy.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, comprising means for generating the security policy that authorizes an external device to access at least one function, capability, parameter, or diagnostic of the component of the automation network.
  - 14. The system of claim 12, comprising means for monitoring that inspects a data packet directed at the component of the automation network for information indicative of a transmitting device, and where the means for rejecting terminates the packet if the transmitting device is not authorized by the security policy to communicate with the component.
  - 15. The system of claim 14, the data packet contains information in accord with the tiered command structure related to querying, controlling, or identifying, or combinations thereof, at least a portion of the component, and the means for filtering terminates the packet if the transmitting device is not authorized by the security policy to query, control, or identify the portion of the component.
  - 16. The system of claim 12, the tiered command structure includes at least one of an API number, slot number, sub-slot number, index number, physical device name, logical device name, real time (RT)-auto name, data/event name, or combinations thereof.

17. A method for protecting components of an automation control network from unauthorized communication or interference, comprising:
- establishing at least one application-level relationship between a device external to and components of an automation control network;
  
  employing a value of a communication request as a signature for deep packet inspection of a data packet related to the request, inbound to the automation control network or a component thereof, anddiscarding the data packet if the deep packet inspection indicates the packet is not legitimate.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, comprising establishing rules of access, based on the at least one application-level relationship, that indicate whether the data packet is a legitimate communication with the automation control network or a component thereof.
  - 19. The method of claim 17, the value of the communication request employed as the signature for deep packet inspection includes at least one of a media access control address, an internet protocol address, a user datagram protocol real-time port, or an alarm reference of an initiating or responding device or process, an ARUUID, a session key, an input frameID or data update rate, an output frameID or data update rate, an application process identifier (API) number, an (API) slot number, an API subslot number, a physical device name, a logical device name, an RT-auto name, a data name, or an event name, or combinations thereof.
  - 20. The method of claim 17, the data packet is not legitimate at least because it is not received with strict deterministic interval, or it is not received with proper sequence number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Chen, Chao, Scott, Steven J.

Granted Patent

US 8,782,771 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

REAL-TIME INDUSTRIAL FIREWALL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REAL-TIME INDUSTRIAL FIREWALL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links