System and methodology providing automation security analysis and network intrusion protection in an industrial environment

US 9,412,073 B2
Filed: 04/07/2015
Issued: 08/09/2016
Est. Priority Date: 10/21/2002
Status: Expired due to Term

First Claim

Patent Images

1. A system, comprising:

a pattern analysis component configured to generate at least one learned profile characterizing at least one learned pattern of data traffic determined based at least in part on data traffic information obtained by monitoring the data traffic associated with an industrial network at least during a training period; and

a comparison analyzer component configured to detect a deviation of a pattern of the data traffic from the at least one learned pattern of data traffic in excess of a defined threshold of deviation, and to initiate one or more security countermeasures in response to detecting the deviation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automation security in a networked-based industrial controller environment is implemented. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions for input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine if security components are in place and/or in suitable working order. The security learning system monitors/learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur.

151 Citations

20 Claims

1. A system, comprising:
- a pattern analysis component configured to generate at least one learned profile characterizing at least one learned pattern of data traffic determined based at least in part on data traffic information obtained by monitoring the data traffic associated with an industrial network at least during a training period; and
  
  a comparison analyzer component configured to detect a deviation of a pattern of the data traffic from the at least one learned pattern of data traffic in excess of a defined threshold of deviation, and to initiate one or more security countermeasures in response to detecting the deviation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising a pattern monitoring component configured to monitor the data traffic associated with the industrial network during the training period.
  - 3. The system of claim 2, wherein the pattern monitoring component is configured to monitor the data traffic between an industrial controller and one or more input/output (I/O) modules, wherein the pattern analysis component is configured to determine an average cycle time of data transfers between the industrial controller and the one or more I/O modules, and wherein the at least one learned pattern of data traffic comprises the average cycle time of the data transfers.
  - 4. The system of claim 2, wherein the pattern analysis component is configured to determine the defined threshold of deviation based at least in part on cycle time variations of data transfers observed by the pattern monitoring component, and to encode the defined threshold of deviation in the at least one learned profile.
  - 5. The system of claim 4, wherein the pattern analysis component is configured to determine respective defined thresholds of deviation of a set of defined thresholds of deviation associated with respective time periods as a function of time a day, based at least in part on respective cycle time variations of data transfers observed by the pattern monitoring component during the respective time periods, and to encode the set of defined thresholds of deviation in the at least one learned profile, wherein the set of defined thresholds of deviation comprises the defined threshold of deviation and at least one other defined threshold of deviation.
  - 6. The system of claim 2, wherein the pattern monitoring component is configured to monitor at least one network statistic for at least one automation asset associated with the industrial network during the training period, and the pattern analysis component is configured to determine a pattern of network activity for the at least one automation asset, based at least in part on the at least one network statistic, and record the pattern of the network activity in the at least one learned profile.
  - 7. The system of claim 6, wherein the at least one network statistic comprises at least one of a number of network connection retry attempts performed by the at least one automation asset, a number of access requests received by the at least one automation asset, a type of access request received by the at least one automation asset, an error code associated with the at least one automation asset, a number of times an industrial controller is forced to re-open a connection to an input/output (I/O) module or to another industrial controller, a number of unrecognized messages received by the industrial controller or the I/O module, a number of connections opened to the I/O module, an instance of a device closing a first connection to a first source and opening a second connection to a second source, or a number of packets on the network that alter industrial controller inputs or outputs.
  - 8. The system of claim 1, wherein the pattern analysis component is configured to detect a source of allowable data traffic associated with the industrial network during the training period, based at least in part on the data traffic information, and to record the source in the at least one learned profile.
  - 9. The system of claim 1, wherein the one or more security countermeasures comprise at least one of blocking an unlearned, unknown, or unauthorized source of the data traffic detected by the comparison analyzer component, applying a rate limiting rule to unlearned or unknown data traffic detected by the comparison analyzer component, increasing a priority of at least a portion of the data traffic relative to the unlearned or unknown data traffic, instructing at least one automation asset associated with the industrial network to use an alternate communication channel for data communication, instructing an industrial controller and one or more input/output (I/O) modules to employ an alternate addressing for exchange of input data and output data, switching between a wireless communication channel and a wired communication channel, changing a virtual local area network number for a group of assets, instructing the industrial controller to execute an alternative control routine, instructing the at least one automation asset to operate in a safe mode, initiating an emergency stop of the at least one automation asset, or instructing the at least one automation asset to move to a defined home position.
  - 10. The system of claim 1, further comprising a response component configured to determine the one or more security countermeasures in response to the deviation in accordance with one or more rules defining an association between the one or more security countermeasures and the deviation, and to apply the one or more security countermeasures at least until the deviation is determined to be mitigated.

11. A method, comprising:
- generating, by a system comprising a processor, at least one learned profile comprising at least one learned data traffic pattern determined based at least in part on data traffic information relating to data traffic associated with an industrial automation network that is monitored at least during a training period; and
  
  identifying, by the system, a deviation of other data traffic associated with the industrial automation network from the at least one learned data traffic pattern in excess of a defined threshold of deviation to facilitate mitigating the deviation.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, further comprising:
    - generating, by the system, at least one learned asset activity profile characterizing at least one learned pattern of asset activity of at least one automation asset that is determined based at least in part on asset activity information obtained by monitoring at least the at least one automation asset; and
      
      identifying, by the system, another deviation of other asset activity associated with the at least one automation asset from the at least one learned pattern of asset activity in excess of a defined threshold of deviation of asset activity to facilitate mitigating the other deviation of the other asset activity.
  - 13. The method of claim 11, further comprising:
    - monitoring, by the system, the data traffic and the other data traffic associated with the industrial automation network to obtain the data traffic information and other data traffic information relating to the other data traffic.
  - 14. The method of claim 13, wherein the monitoring further comprises monitoring a subset of the data traffic between an industrial controller and one or more input/output (I/O) modules associated with the industrial controller, and wherein the method further comprises:
    - determining, by the system, respective average cycle times of data transfers between the industrial controllers and the one or more I/O modules over time based at least in part on the subset of the data traffic; and
      
      determining, by the system, a set of defined thresholds of deviation, comprising the defined threshold of deviation and at least one other defined threshold of deviation, based at least in part on variations in the respective average cycle times of the data transfers during respective time periods.
  - 15. The method of claim 14, further comprising:
    - changing, by the system, the defined threshold of deviation to the at least one other defined threshold of deviation during a time period that at least one of the industrial controller or the one or more I/O modules is determined to be in a sleep mode, wherein the at least one other defined threshold of deviation is a decreased threshold of deviation as compared to the defined threshold of deviation.
  - 16. The method of claim 11, further comprising:
    - comparing, by the system, a pattern of the other data traffic to the at least one learned data traffic pattern;
      
      determining, by the system, whether a difference between the pattern of the other data traffic and the at least one learned data traffic pattern is in excess of the defined threshold of deviation; and
      
      identifying, by the system, whether the deviation exists based at least in part on the difference.
  - 17. The method of claim 11, further comprising:
    - initiating, by the system, one or more security countermeasures in response to the identifying of the deviation.
  - 18. The method of claim 17, wherein the initiating the one or more security countermeasures comprises at least one of blocking an unlearned, unknown, or unauthorized source of the data traffic, applying a rate limiting rule to unlearned or unknown data traffic, increasing a priority of at least a portion of the other data traffic relative to the unlearned or unknown data traffic, instructing at least one automation asset to use an alternate communication channel for data communication, instructing at least one of an industrial controller or an input/output (I/O) module to change from a first I/O addressing scheme to a second I/O addressing scheme, instructing the industrial controller to execute an alternative control program, instructing the at least one automation asset to operate in a safe operation mode, initiating an emergency stop of the at least one automation asset, or instructing the at least one automation asset to move to a defined safe position.

19. A non-transitory computer-readable medium storing computer-executable instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising:
- creating at least one data traffic profile characterizing at least one determined pattern of data traffic based at least in part on data traffic information relating to data traffic associated with an industrial automation network that is monitored at least during a training period; and
  
  identifying a deviation of second data traffic associated with the industrial automation network from the at least one determined data traffic pattern in excess of a defined threshold of deviation to facilitate reducing the deviation using at least one security countermeasure.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the operations further comprise:
    - in response to the identifying the deviation, implementing the at least one security countermeasure in connection with the industrial automation network to reduce the deviation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Brandt, David D., Hall, Kenwood, Anderson, Mark Burton, Anderson, Craig D., Collins, George Bradford
Primary Examiner(s)
Holmes, Michael B

Application Number

US14/681,026
Publication Number

US 20150213369A1
Time in Patent Office

490 Days
Field of Search

706/12
US Class Current

1/1
CPC Class Codes

G05B 15/02   electric

G05B 19/4185   characterised by the networ...

G05B 2219/31151   Lan local area network

G05B 2219/45103   Security, surveillance appl...

G06N 20/00   Machine learning

G06N 5/047   Pattern matching networks; ...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/12   specially adapted for propr...

H04L 67/535   Tracking the activity of th...

System and methodology providing automation security analysis and network intrusion protection in an industrial environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and methodology providing automation security analysis and network intrusion protection in an industrial environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others