
Content-Aware Firewalling, Policy Regulation, and Policy Management for Industrial Automation, Machine To Machine Communications, and Embedded Devices

A content-aware firewalling technology, applied in the field of industrial automation, that addresses problems such as unsafe or inefficient industrial machine operation, device malfunctions, and significant vulnerabilities.

Inactive Publication Date: 2016-03-17
OPSWAT

AI Technical Summary

Benefits of technology

The patent text describes a solution for controlling the behavior of machines and processes in an industrial setting. It uses a communications language that allows for the expression of desired behaviors and the enforcement of operational constraints. The system detects transactions in network traffic and applies a stored policy object and machine profile to determine if a desired behavior is being performed or if an operational constraint is being met. The system can then modify network traffic to prevent unsafe or inefficient behavior. Overall, the solution ensures safety and efficiency in industrial settings by controlling network traffic and monitoring machine behavior.

Problems solved by technology

At the same time, tremendous vulnerabilities arise, because the computers and the network infrastructure devices such as switches and routers themselves are often quite easy for attackers to compromise, and those devices are subject to malfunctions of hardware and software.
Such attacks and malfunctions can create rogue control signals that can render unsafe or inefficient the functioning of industrial machines; and they can expose telemetry to unauthorized or malicious parties.
In addition, however, the electrical and functional characteristics of industrial machines are fundamentally different from those of general-purpose computers used for traditional data processing applications.
Although, strictly speaking, some industrial machines might include a computer, industrial machines are not general-purpose computers that would typically be used by a human operator for applications such as data processing, information retrieval, email, and the like.
A problem very different from that of preventing unauthorized users or other machines from accessing industrial machines over Ethernets is that of inhibiting network traffic that arrives over Ethernets and is quite normal, typical and innocuous for traditional computers, but is disruptive and even dangerous when encountered by industrial machines.
Conventionally, such a mode of traffic recognition and filtration is not available.
In general, prior art has focused on the problem of recognizing which specific machines are being targeted with control signals and from which machines telemetry is being requested or monitored.
But many problems can be created by accesses that are not prohibited by access-control rules.
Among the distinctive issues that arise specifically in Ethernets, which include both traditional computer equipment and industrial machines, are problems of policy regulation; problems arising from the different electrical and functional characteristics of computers and typical industrial machines; and problems arising as machines acquire a broader ability to communicate with one another, thus affecting the functioning of other machines.
None of these problem areas has been addressed by current practice or prior art.
The problem of policy regulation in converged networks arises from the goals of controlling the behavior and function of industrial machines from distant control points, and of dispatching telemetry from machines to distant analysis points.
At the same time, the same communications devices can enforce conditions and thresholds (for example, speeds, temperatures, pressures, and flow rates) beyond which machines and processes may not be allowed to operate for safety and efficiency reasons.


Examples


example a

Stateful and Conditional Controls

[0042]

language/2014" policyname="segregate-client-data" uuid="cbdf9064-3ab711e4a2be0800276380c2"> value="(?i)supersecret-client-A"> control="session.variable" parameter="$confidential" value="true" /> control="session.variable" parameter="$confidential" value="true"> op="=" value="clientb.mycompany.com" /> op="=" value="clientc.mycompany.com" />

[0043]This example illustrates conditionality and stateful behavior in the control language, which are important characteristics of certain embodiments of the invention. It should be observed that the control “protocol” is used in two conditional statements in the language. These conditional statements examine the value of the “protocol” control which is returned by the runtime environment. The additional control-language statements contained inside the conditionals are executed whenever the conditional statement evaluates “true.” In this example, the statements inside the conditional labeled “detect smb / c...

example b

Enforcing Allowed Transactions

[0050]

language/2014" policyname="robot-control" uuid="cbdf9064-3ab711e4a2be0800276380c2"> uuid="d84f166e560e11e3949d0800273a32bd" value="robot-rpc" verb="allow" op="=" /> uuid="056f4b583ab811e4a2be0800276380c2" value="192.168.0.0/24" verb="allow" op="=" /> op=">=" verb="allow" uuid="7f521efa-3ab8-11e4-a2be-0800276380c2" /> op="

[0051]In this example, the control language is being executed by a network device that reads streams from a network, following the general pattern of a blocking firewall. This policy object has four rules marked with the verb “allow,” referencing three different controls. As the device inspects and parses the data flowing through the network, it determines (for each network flow) whether the data in the flow conform to the “robot-rpc” protocol. (Different embodiments of the invention may support any communications protocol(s) that are appropriate and meaningful for their applications.) Because the verb in the rule is “allow,” any networ...

example c

Machine Control Policy

[0055]

language/2014" policyname="centrifuge-control" uuid="cbdf9064-3ab711e4a2be0800276380c2"> model" op="one-of" value="6000 series|7000 series|8000 series"> op=" verb="report" op=">" value="480" />

[0056]This is an example of a policy object that illustrates operational constraints on machines. The conditional labeled “Manufacturer M centrifuges” is true whenever the control “centrifuge-model” evaluates to one of the values “6000 series,” “7000 series,” or “8000 series.” Clearly, in this embodiment of the invention, a way of obtaining a meaningful value for this control must be provided. It should be observed, however, that the structure of the control language remains uniform and consistent despite the considerable difference in abstraction levels between this example (which refers to machine characteristics) and the preceding examples (which refer to values obtainable by parsing network flows).

[0057]Continuing the example, it can be seen that, for Se...
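The following is an added illustration, not code from the patent or from OPSWAT, of how policy objects like those in examples a to c and a machine profile of the kind the abstract describes could be evaluated over detected transactions. The structure keys ("rules", "then", "set"), the controls not named on the page ("payload", "host.dst", "ip.dst", "rpm"), the constructed inventory and transactions, and the rule-combining semantics are assumptions; the verbs, operators and values are those shown on the page.

```python
import re

# Added example, not the patent's code: a small evaluator for policy objects
# and machine profiles like those in examples a-c. Structure keys ("rules",
# "then", "set"), controls "payload"/"host.dst"/"ip.dst"/"rpm", the inventory
# and transactions are assumptions; verbs, ops and values come from the page.
OPS = {"=": lambda got, want: str(got) == want,
       ">": lambda got, want: float(got) > float(want),
       ">=": lambda got, want: float(got) >= float(want),
       "one-of": lambda got, want: str(got) in want.split("|"),
       "matches": lambda got, want: re.search(want, str(got)) is not None}

SEGREGATE = {"policyname": "segregate-client-data", "default": "allow", "rules": [
    {"control": "protocol", "op": "=", "value": "smb", "then": [
        {"control": "payload", "op": "matches", "value": "(?i)supersecret-client-A",
         "set": "$confidential", "set_value": "true"}]},     # stateful marker
    {"control": "$confidential", "op": "=", "value": "true", "then": [
        {"control": "host.dst", "op": "one-of", "verb": "block",
         "value": "clientb.mycompany.com|clientc.mycompany.com"}]}]}
CENTRIFUGE = {"policyname": "centrifuge-control", "default": "allow", "rules": [
    {"control": "centrifuge-model", "op": "one-of",
     "value": "6000 series|7000 series|8000 series", "then": [
        {"control": "rpm", "op": ">", "value": "480", "verb": "report"}]}]}
MACHINES = {"10.0.0.7": {"model": "7000 series"}}   # constructed inventory
PROFILE = {  # machine profile: control name -> how its value is obtained
    "protocol": lambda tx: tx.get("protocol"),
    "payload": lambda tx: tx.get("payload", ""),
    "host.dst": lambda tx: tx.get("host.dst"),
    "centrifuge-model": lambda tx: MACHINES.get(tx.get("ip.dst"), {}).get("model"),
    "rpm": lambda tx: tx.get("rpm")}

def evaluate(policy, profile, tx, session):
    """Steps (c)/(d): returns (verdict, reports); session keeps $variables."""
    verdict, reports = policy["default"], []
    def run(statements):
        nonlocal verdict
        for st in statements:
            ctl = st["control"]
            got = session.get(ctl) if ctl.startswith("$") else profile[ctl](tx)
            if got is None or not OPS[st["op"]](got, st["value"]):
                continue                       # condition false: skip its body
            if "set" in st:                    # session.variable assignment
                session[st["set"]] = st["set_value"]
            if st.get("verb") == "report":
                reports.append(f"{ctl}={got} {st['op']} {st['value']}")
            elif st.get("verb") in ("allow", "block"):
                verdict = st["verb"]           # last matching verb wins (assumed)
            run(st.get("then", []))            # nested conditional statements
    run(policy["rules"])
    return verdict, reports
```

Once a session has been marked $confidential by an SMB payload match, later transactions in the same session to the listed hosts are blocked even though they would pass on their own, which is the stateful behaviour example a describes.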


Abstract

In one embodiment, a processor-implemented method for controlling network traffic to and/or from at least one industrial machine, including: (a) receiving, as input, (i) a stored policy object in language form defining at least one desired behavior and/or operational constraint for the at least one industrial machine, and (ii) a stored machine profile defining an association between the language of the stored policy object and at least one control signal or instruction for the at least one industrial machine; (b) detecting, in network traffic to and/or from the at least one industrial machine, a transaction; (c) applying the received policy object and machine profile to the detected transaction to determine whether a desired behavior exists and/or whether an operational constraint is satisfied; and (d) modifying network traffic to and/or from the at least one industrial machine based on the determination in step (c). This permits expression and enforcement of constraints on actual industrial machine behaviors by filtering, modifying or blocking network communications (e.g., control signals and telemetry) that violate constraints or could cause unsafe or inefficient operation.

Description

CROSS-REFERENCE TO RELATED APPLICATION

[0001]This application claims priority to co-pending U.S. Provisional Patent Application Ser. No. 62/051,291, filed Sep. 16, 2014, the disclosure of which is incorporated herein by reference in its entirety.

BACKGROUND

[0002]1. Technical Field

[0003]The disclosure relates, generally, to industrial automation, and more particularly, to policy regulation and firewalling for purposes of controlling industrial machines.

[0004]2. Description of Related Art

[0005]It is possible for industrial machines to communicate with each other using Ethernet-based networks. These are the same networks that are generally used to link computers together. Traditional practice uses network types other than Ethernets to network industrial machines together, for example DeviceNet and CAN, most notably for the purpose of ensuring that reliability and latency characteristics inherent in Ethernets do not compromise the more stringent safety and efficiency requirements of indus...


Application Information

IPC(8): H04L29/06
CPC: H04L63/0227; H04L63/20
Inventor CIANFROCCA, FRANCIS
Owner OPSWAT