Content-Aware Firewalling, Policy Regulation, and Policy Management for Industrial Automation, Machine To Machine Communications, and Embedded Devices

A content-aware firewalling technology, applied in the field of industrial automation, that addresses problems such as unsafe or inefficient industrial machine operation, device malfunctions, and significant vulnerabilities.

Status: Inactive. Publication Date: 2016-03-17
OPSWAT

AI Technical Summary

Benefits of technology

[0016]Embodiments of the disclosure provide solutions to the foregoing problems and additional benefits, by employing a communications language designed to permit the expression of the desired behavior of machines and processes in an abstract and general form that, in turn, can be automatically and dynamically converted to control signals pertaining to specific machines and processes, by a communications device or devices resident on a converged network. At the same time, the same communications devices can enforce conditions and thresholds (for example, speeds, temperatures, pressures, and flow rates) beyond which machines and processes may not be allowed to operate for safety and efficiency reasons.
[0017]Embodiments of the disclosure provide languages and devices that permit the expression and enforcement of constraints on actual machine behaviors by filtering, modifying or blocking network communications (e.g., control signals and telemetry) that violate the constraints or may otherwise cause machines to operate unsafely or inefficiently. This is completely different from the filtration performed by network firewalls, even the so-called industrial firewalls. Existing devices focus on permitting or denying communications based on the identity of the endpoints, their position within the network, and even through analysis of the communications protocols (for example, enforcing that protocols such as Modbus or Ethernet/IP are in use and syntactically correct).
[0018]In one embodiment, the present disclosure provides a processor-implemented method for controlling network traffic to and/or from at least one industrial machine. The method includes: (a) the processor receiving, as input, (i) a stored policy object in language form de

Problems solved by technology

At the same time, tremendous vulnerabilities arise, because the computers and the network infrastructure devices such as switches and routers themselves are often quite easy for attackers to compromise, and those devices are subject to malfunctions of hardware and software.
Such attacks and malfunctions can create rogue control signals that make the functioning of industrial machines unsafe or inefficient, and they can expose telemetry to unauthorized or malicious parties.
In addition, however, the electrical and functional characteristics of industrial machines are fundamentally different from those of general-purpose computers used for traditional data processing applications.
Although, strictly speaking, some industrial machines might include a computer, industrial machines are not general-purpose computers that would typically be used by a human operator for applications such as data processing, information retrieval, email, and the like.
A problem very different from that of preventing undesired access to industrial machines through Ethernets by unauthorized users or by other machines is that of inhibiting network traffic that arrives through Ethernets and is quite normal, typical and innocuous for traditional computers but is disruptive and even dangerous when encountered by industrial machines.
Conventional



Examples


example a

Stateful and Conditional Controls

[0042]

language / 2014” policyname=“segregate-client-data” uuid=“cbdf9064-3ab711e4a2be0800276380c2”>  value=“(?i)supersecret-client-A”> control=“session.variable” parameter=“$confidential” value=“true” / >    control=“session.variable” parameter=“$confidential” value=“true”> op=“=“ value=“clientb.mycompany.com” / >op=“=“ value=“clientc.mycompany.com” / > 

[0043]This example illustrates conditionality and stateful behavior in the control language, which are important characteristics of certain embodiments of the invention. It should be observed that the control “protocol” is used in two conditional statements in the language. These conditional statements examine the value of the “protocol” control which is returned by the runtime environment. The additional control-language statements contained inside the conditionals are executed whenever the conditional statement evaluates “true.” In this example, the statements inside the conditional labeled “detect smb / c...

example b

Enforcing Allowed Transactions

[0050]

language / 2014” policyname=“robot-control” uuid=“cbdf9064-3ab711e4a2be0800276380c2”>uuid=“d84f166e560e11e3949d0800273a32bd” value=“robot-rpc” verb=“allow” op=“=“ / >uuid=“056f4b583ab811e4a2be0800276380c2” value=“192.168.0.0 / 24” verb=“allow”op=“=“ / >op=“>=“ verb=“allow” uuid=“7f521efa-3ab8-11e4-a2be-0800276380c2” / >op=“

[0051]In this example, the control language is being executed by a network device that reads streams from a network, following the general pattern of a blocking firewall. This policy object has four rules marked with the verb “allow,” referencing three different controls. As the device inspects and parses the data flowing through the network, it determines (for each network flow) whether the data in the flow conform to the “robot-rpc” protocol. (Different embodiments of the invention may support any communications protocol(s) that are appropriate and meaningful for their applications.) Because the verb in the rule is “allow,” any networ...

example c

Machine Control Policy

[0055]

language / 2014” policyname=“centrifuge-control” uuid=“cbdf9064-3ab711e4a2be0800276380c2”>model” op=“one-of” value=“6000 series|7000 series|8000 series”> op=“ verb=“report” op=“>” value=“480” / >

[0056]This is an example of a policy object that illustrates operational constraints on machines. The conditional labeled “Manufacturer M centrifuges” is true whenever the control “centrifuge-model” evaluates to one of the values “6000 series,” “7000 series,” or “8000 series.” Clearly, in this embodiment of the invention, a way of obtaining a meaningful value for this control must be provided. It should be observed, however, that the structure of the control language remains uniform and consistent despite the considerable difference in abstraction levels between this example (which refers to machine characteristics) and the preceding examples (which refer to values obtainable by parsing network flows).

[0057]Continuing the example, it can be seen that, for Se...


Abstract

In one embodiment, a processor-implemented method for controlling network traffic to and/or from at least one industrial machine, including: (a) receiving, as input, (i) a stored policy object in language form defining at least one desired behavior and/or operational constraint for the at least one industrial machine, and (ii) a stored machine profile defining an association between the language of the stored policy object and at least one control signal or instruction for the at least one industrial machine; (b) detecting, in network traffic to and/or from the at least one industrial machine, a transaction; (c) applying the received policy object and machine profile to the detected transaction to determine whether a desired behavior exists and/or whether an operational constraint is satisfied; and (d) modifying network traffic to and/or from the at least one industrial machine based on the determination in step (c). This permits expression and enforcement of constraints on actual industrial machine behaviors by filtering, modifying or blocking network communications (e.g., control signals and telemetry) that violate constraints or could cause unsafe or inefficient operation.
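The following is an added illustration, not OPSWAT's or the patent's own code, of the method in steps (a) through (d) above, using the structure of Examples B and C: a policy object made of conditional and verb-bearing statements, a machine profile that maps control names to values obtained from a transaction, and a decision step that forwards, blocks or reports. Policy objects are Python objects rather than the patent's XML language; the flow-record format, the device inventory, and the control names "source-ip" and "spin-rpm" are assumptions of this example (only "protocol", "centrifuge-model", the verbs and the quoted values come from the page).

```python
"""Added example (not the patent's code): a minimal content-aware policy engine
following the abstract's steps (a)-(d) and the shape of Examples B and C.
Constructed data and hypothetical names are marked in comments."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Transaction:
    """Step (b): a transaction recovered by parsing a network flow."""
    src_ip: str
    dst_ip: str
    protocol: str                                 # e.g. "robot-rpc" (Example B)
    fields: dict = field(default_factory=dict)    # parsed protocol parameters


def parse_flow(line):
    """Parse a constructed one-line flow record: '<src> -> <dst> <proto> k=v ...'.
    The record format is invented for this example."""
    src, _, dst, proto, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Transaction(src, dst, proto, fields)


# (a)(ii) machine profile: maps each control name the policy uses to a function
# that obtains that control's value for a transaction. The device inventory is
# constructed; "source-ip" and "spin-rpm" are hypothetical control names.
DEVICE_MODELS = {"10.0.0.5": "7000 series", "10.0.0.6": "5000 series"}

MACHINE_PROFILE = {
    "protocol": lambda t: t.protocol,
    "source-ip": lambda t: t.src_ip,
    "centrifuge-model": lambda t: DEVICE_MODELS.get(t.dst_ip, "unknown"),
    "spin-rpm": lambda t: t.fields.get("rpm"),
}


def _equals(actual, expected):
    # Example B applies op "=" to the value "192.168.0.0 / 24"; this reads that
    # as subnet membership whenever the expected value is in CIDR notation.
    if "/" in str(expected):
        net = ipaddress.ip_network(str(expected).replace(" ", ""), strict=False)
        return ipaddress.ip_address(actual) in net
    return str(actual) == str(expected)


OPS = {
    "=": _equals,
    ">": lambda a, e: float(a) > float(e),
    ">=": lambda a, e: float(a) >= float(e),
    "one-of": lambda a, e: str(a) in str(e).split("|"),        # Example C
    "matches": lambda a, e: re.search(e, str(a)) is not None,   # Example A's regex values
}


@dataclass
class Rule:
    """(a)(i) one statement of the policy object. verb None means a pure
    conditional; 'then' holds statements run only when this one evaluates true."""
    control: str
    op: str
    value: str
    verb: str = None             # "allow" | "block" | "report" | None
    then: list = field(default_factory=list)


def rule_holds(rule, txn, profile):
    getter = profile.get(rule.control)
    if getter is None:
        return False             # control absent from the machine profile: no match
    try:
        return OPS[rule.op](getter(txn), rule.value)
    except (TypeError, ValueError):
        return False             # missing or malformed value: treat as no match


def evaluate(policy, txn, profile):
    """Step (c). Blocking-firewall pattern of Example B: traffic passes only if
    an 'allow' statement matches; a matching 'block' overrides everything;
    'report' statements (Example C) record findings without dropping traffic."""
    allowed, reports = False, []

    def walk(rules):
        nonlocal allowed
        for r in rules:
            if not rule_holds(r, txn, profile):
                continue
            if r.verb == "block":
                return True
            if r.verb == "allow":
                allowed = True
            elif r.verb == "report":
                reports.append(f"{r.control} {r.op} {r.value}")
            if walk(r.then):
                return True
        return False

    blocked = walk(policy)
    return ("block" if blocked or not allowed else "allow"), reports


def enforce(policy, lines, profile=MACHINE_PROFILE):
    """Step (d): per flow record, decide whether the transaction is forwarded."""
    return [(line, *evaluate(policy, parse_flow(line), profile)) for line in lines]


# Example B (allow robot-rpc only from 192.168.0.0/24; nesting expresses that
# both conditions must hold, which is one reading of the example) combined with
# Example C (report over-threshold values for Manufacturer M centrifuges).
POLICY = [
    Rule("protocol", "=", "robot-rpc", then=[
        Rule("source-ip", "=", "192.168.0.0 / 24", "allow"),
    ]),
    Rule("centrifuge-model", "one-of", "6000 series|7000 series|8000 series", then=[
        Rule("spin-rpm", ">", "480", "report"),
    ]),
]

SAMPLE_FLOWS = [                                   # constructed flow records
    "192.168.0.7 -> 10.0.0.5 robot-rpc rpm=600",   # allowed, but reported
    "192.168.0.7 -> 10.0.0.6 robot-rpc rpm=600",   # allowed, model not covered
    "10.1.1.1 -> 10.0.0.5 robot-rpc rpm=100",      # blocked: wrong source subnet
    "192.168.0.7 -> 10.0.0.5 smb",                 # blocked: not robot-rpc
]

if __name__ == "__main__":
    for line, decision, reports in enforce(POLICY, SAMPLE_FLOWS):
        print(f"{decision:5} {line}  {reports}")
```

The engine fails closed on two counts that matter for an in-line enforcement device: a control the machine profile cannot evaluate, and a value that cannot be parsed, both count as "no match", so they can never satisfy an allow statement, and any flow that no allow statement covers is dropped.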

Description

CROSS-REFERENCE TO RELATED APPLICATION

[0001]This application claims priority to co-pending U.S. Provisional Patent Application Ser. No. 62/051,291, filed Sep. 16, 2014, the disclosure of which is incorporated herein by reference in its entirety.

BACKGROUND

[0002] 1. Technical Field

[0003]The disclosure relates, generally, to industrial automation, and more particularly, to policy regulation and firewalling for purposes of controlling industrial machines.

[0004] 2. Description of Related Art

[0005]It is possible for industrial machines to communicate with each other using Ethernet-based networks. These are the same networks that are generally used to link computers together. Traditional practice uses network types other than Ethernets to network industrial machines together, for example DeviceNet and CAN, most notably for the purpose of ensuring that reliability and latency characteristics inherent in Ethernets do not compromise the more stringent safety and efficiency requirements of indus...

Application Information

IPC(8): H04L29/06
CPC: H04L63/0227, H04L63/20
Inventor CIANFROCCA, FRANCIS
Owner OPSWAT