Identifying a manipulated client of a control system
By using asymmetric key encryption and hash function verification in a client-server architecture, the problem of code manipulation in the control system is solved, enabling secure code identification and repair, ensuring the stable operation of the facility, and complying with industrial safety standards.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SIEMENS AG
- Filing Date
- 2020-08-05
- Publication Date
- 2026-07-14
Smart Images

Figure CN114207617B_ABST
Abstract
Description
[0001] This invention relates to a method for performing integrity checks on a client-server architecture for a control system of a technical facility. The invention also relates to a client-server architecture for a control system of a technical facility. The invention further relates to a control system for a technical facility.
[0002] Web-based operator station clients register with the operator station server's web server and load the code required for operation and observation (typically in JavaScript and / or HTML5 form), which is executed on the client side—for example, operation views, report sequence displays, trend displays, alarm indicators, and navigation levels.
[0003] If code is loaded into the operator station client, it can also be manipulated there (e.g., through viruses, penetration testing, etc.), causing things like alerts to no longer be visible in the operator station client, control values and process values to display incorrect values, etc. Therefore, it is necessary to protect the code loaded in the operator station client from unnoticed manipulation.
[0004] For example, the code can be signed accordingly, allowing manipulation to be identified through signature verification failures. Beyond identification, what is crucial for the operation of the methodological infrastructure is the direct acceptance of any identified manipulation and the immediate initiation of remediation, thereby minimizing disruption to operation and allowing continued operation and observation.
[0005] Currently, the code loaded in operator station clients is often unprotected or only protected by very rudimentary anti-manipulation mechanisms. Furthermore, there is no solution for immediately recognizing potential manipulation and seamlessly following up with remediation. Therefore, on the one hand, damage can be caused by loading undetected manipulated code.
[0006] On the other hand—if manipulation is detected—by implementing recommendations established in the IT field, which reject manipulated code and thus the manipulated client upon detection of manipulation, the operation of related methodological infrastructure is severely threatened, and the infrastructure may be completely paralyzed.
[0007] The purpose of this invention is to propose a client-server architecture for a control system of technical facilities and a method that enables safer operation of the technical facilities and effectively protects them from possible manipulation.
[0008] A method according to the present invention for performing integrity checks in a client-server architecture of a control system of a technical facility, wherein the client-server architecture includes at least one first device configured and set as a client and at least one second device configured and set as a server, the method comprising the following steps:
[0009] a) Register the client with the server and download the code to be executed by the client from the server;
[0010] b) Generate a key, encrypt the key using the client's public key, and then create a signature for the encrypted key using the server's public key.
[0011] c) Transfer the previously encrypted and signed key from the server to the client;
[0012] d) Use the server's public key to check the signature of the encrypted and signed key;
[0013] e) If the previously checked signature is valid, the encrypted key is decrypted by the client using the client's private key;
[0014] f) The hash value of the code is obtained by the client using a hash function;
[0015] g) Encrypt the hash value using a key, and then sign the encrypted hash value using the client's private key.
[0016] h) The encrypted and signed hash value is transmitted from the client to the server;
[0017] i) The server uses the client's public key to check the signature of the encrypted and signed hash value;
[0018] j) If the previously checked signature is valid, the encrypted hash value is decrypted by the server using the key;
[0019] k) Calculate the additional hash value of the copy of the code stored on the server that has not been transmitted to the client;
[0020] l) If the hash value and the appended hash value are the same, the server allows the client to communicate with the control system of the technical facility.
[0021] Technical facilities can be facilities from processing industries (e.g., chemical, pharmaceutical, petrochemical) or from food and beverage industries. This also includes any facilities from manufacturing industries, such as factories producing automobiles or any type of goods. Technical facilities suitable for carrying out the methods according to the invention can also originate from production capacity sectors. Wind turbines, solar energy facilities, or power plants for generating energy are also included in the term "technical facilities."
[0022] These facilities each have a control system or at least one computer-aided module for controlling and regulating ongoing processing or production. In this document, a control system is understood as a computer-aided technical system that includes functions for displaying, operating, and controlling technical systems such as manufacturing or production facilities. In the present context, a control system includes sensors for determining measured values and various actuators. The control system also includes so-called process-related or manufacturing-related components for driving actuators or sensors. Furthermore, the control system has mechanisms for visualizing the technical facility and for engineering design. The term control system is also additionally understood to include other computing units for more complex regulation and systems for data storage and processing.
[0023] The client can be a regular computer, smartphone, tablet, server, etc. Typically, the client has a graphics display device, allowing users to obtain information graphically. To obtain information from the control system of the technical facility, the client registers with the server and obtains code for execution.
[0024] Both the client and server have asymmetric key pairs, consisting of a public key and a private key. The private key can be hardware-bound (e.g., in a hardware security element integrated into the underlying hardware, such as a TPM (Trusted Platform Module) or HSM (Hardware Security Module)). For lower security requirements, the private key can also be stored, for example, in the Windows Key Store.
[0025] The binding between the two keys in a key pair can be ensured by using certificates issued by a trusted Certificate Authority (CA). This could be, for example, TLS certificates for both objects (client and server), manufacturer certificates (Manufacturer Device Certificates) tied to the underlying hardware, or Windows certificates issued in Windows Active Directory or Windows Work Group. It is also possible (if the topology of the appropriate use case allows): the participants have requested their certificates from the LetsEncrypt CA.
[0026] In a simplest implementation, the certificate (along with the associated key if necessary) can be purchased from a trusted provider and stored in the participant’s Certificate Store, where, as mentioned above, special care should be taken to protect the private key (not only in the case of its archiving but also in the case of transfers that are only permitted in special circumstances).
[0027] This is ensured by exchanging certificates within the scope of a so-called secure handshake (such as a TLS handshake): each participant possesses the other participant's public key. Using the other participant's public key, it becomes possible to encrypt messages specific to them or verify their signatures.
[0028] A hash function is generally understood as a function rule that maps a larger input to a smaller target (hash value).
[0029] The method according to the invention provides a trusted client implementation: it convinces the (web) server that the code executed in the browser has not changed, without transmitting the code to the web server in plain text form. Instead of plain text code, encrypted values are transmitted in a secure manner and method. Furthermore, this ensures that the aforementioned encrypted values are always formed relative to the code executed in the client.
[0030] Even if the code loaded from the server into the client remains unchanged over a long period, the values transmitted from the client to the server for inspection are random to a potential attacker. Therefore, despite executing the manipulated code, an attacker (even if they were supposed to log multiple values) cannot derive any useful conclusions from it that would help them attempt to transmit the correct values to the server. Thus, the manipulation does not remain undetected.
[0031] By implementing the aforementioned inspection methods specifically designed to identify manipulation, it can be ensured that manipulation attempts are specifically identified and therefore cannot be manipulated unnoticed (by viruses or attackers) in the code executed on the client side. This allows for a fundamental contribution to maintaining the integrity of the control system and technical facilities in a particularly advantageous manner and method.
[0032] In cases of inconsistent hash values, the client can be excluded from communication with the technical facility's control system. This prevents the client from executing erroneous or manipulated code, potentially causing damage to the technical facility's control system.
[0033] Preferably, if a client, after being excluded from communication with the control system, re-registers with the server and, following the previously described integrity check, obtains a consistent hash value, the server allows the client to communicate with the control system again. In this case, the client's remediation is discussed. The newly loaded client can also advantageously determine from the server why it was excluded from communication with the control system. Through the fully automated process described above (which immediately acknowledges any attempt at manipulation and remediates the client once it is no longer threatened and no longer presents a security risk), it is possible to contribute to maintaining operation and improving the availability of the technical system.
[0034] In an advantageous improvement of the invention, if a client, after being excluded from communication with the control system, re-registers with the server and fails to obtain a matching hash value during a second integrity check, the server excludes the client from communication with the control system and stores the client as a device to be rejected in the control system. Subsequently, the client is placed on a so-called "blacklist." This blacklist is accessible to all participants within the control system, particularly the server, thus preventing the client from registering with other servers. Here, complete authorization exists. The client can only be reinstated to communicate with the control system again through the control system administrator.
[0035] This objective is also achieved by a client-server architecture for a control system of a technical facility, wherein the client-server architecture includes at least one first device configured and set as a client and at least one second device configured and set as a server, the client-server architecture being configured to perform the previously described methods.
[0036] Furthermore, this objective is achieved through a client-server architecture for a control system of a technical facility, wherein the client-server architecture includes at least one first device configured and set as a client and at least one second device configured and set as a server associated with the client.
[0037] Furthermore, the client is configured to communicate with the server, receive and execute code from the server, and facilitate communication between the client and the control system through the server.
[0038] Furthermore, the server is configured to: identify whether the code executed by the client is consistent with the code received by the client from the server.
[0039] The server is configured to: interrupt code execution through the client and exclude the client from communication with the control system in the event of code inconsistency.
[0040] Here, the server is preferably configured to store the client as a device to be rejected in the control system when the client re-connects to the server after being excluded from communication with the control system and is excluded from communication with the control system a second time due to the execution of inconsistent code.
[0041] The above objectives are also achieved through a control system with technical facilities having the client-server architecture described above.
[0042] The features, characteristics, and advantages of the present invention described above, as well as the ways and methods of achieving them, become clearer and easier to understand in conjunction with the following description of embodiments, which are described in detail with reference to the accompanying drawings.
[0043] The accompanying drawings illustrate a portion of a control system 1 according to the invention, which is constructed as a methodological facility. The control system 1 includes a first server or first operator station server 2 and a second operator station server 3, both serving as operating systems. Furthermore, the control system 1 includes operator station clients 4. The first operator station server 2, the second operator station server 3, and the operator station client 4 are interconnected via a terminal bus 5 and connected to other components of the control system 1 (not shown), such as an engineering design system server or a process data archive.
[0044] In the context of operation and observation, users or operators can access the first operator station server 2 and / or the second operator station server 3 via the terminal bus 5 through the operator station client 4. The terminal bus 5 can be configured as, for example, an industrial Ethernet, but is not limited thereto.
[0045] Operator station client 4 has a component 6 called the "Local Client Observer". First operator station server 2 has a component 7 called the "Client Observer". Second operator station server 3 also has a component 8 called the "Client Observer".
[0046] Components "Local Client Observer" 6 and "Client Observer" 7 and 8 have asymmetric (public key) key pairs, where "X" represents the corresponding asymmetric key (private key) and "Y" represents the corresponding asymmetric public key. For security reasons, ideally, the associated private key should be hardware-bound (i.e., in a so-called hardware security element integrated into the underlying hardware, such as a TPM or HSM) or alternatively (in cases of lower security requirements) securely stored, for example, in a Windows Key Store or another key store.
[0047] Client 4 registers with the first operator station server 2 and downloads the code to be executed from it. The "Client Observer" 7 of the first operator station server 6 triggers the code inspection method by generating a key (using pseudo-random values whenever possible for security reasons), then encrypts the key using the public key of the "Local Client Observer" 6, and signs the result (Enc) (Sig) using its public key. The "Client Observer" 7 then transmits the result to the "Local Client Observer" 6.
[0048] The decryption and signature functions used here are those based on existing technology. The corresponding functions for "Enc" or "Sig" are referred to as "Dec" or "Ver" below. It is important to note that for every encryption or signature function, there is always a decryption or signature verification function. The symmetric key is regenerated for each verification process by component "Client Observer" 7.
[0049] Component "Local Client Observer" 6 receives a value from component "Client Observer" 7 of the first operator station server 2. This value consists of the value Enc and the associated signature Sig. First, the local client observer checks whether the signature Sig(Enc) is valid using the public key of the operator station server 2: Ver(Sig(Enc) = True?
[0050] If the signature is valid, it decrypts the shared symmetric key using its private key. Next, it generates a hash value for the code received from the first operator station server 2 (hash = h(Code)), using the hash function h. Then, client 4 encrypts the hash value using the shared symmetric key and signs the result with its private key. It then transmits the entire result, consisting of encryption and signing, to the "client observer" 7 component of the first operator station server 2. It is crucial to note that the transmitted value appears random to an outsider or attacker. As already mentioned, despite executing manipulated code, an attacker (even if they log multiple values) cannot derive useful conclusions from it that would help them attempt to transmit the correct value to the first operator station server 2.
[0051] The "Client Observer" 7 of the first operator station server 2 receives the encrypted and signed hash value of the code to be executed from the "Local Client Observer" 6. First, the "Client Observer" 7 checks the signature using the public key of the client 4 to see if it is valid. If valid, the "Client Observer" 6 decrypts the hash value using the shared symmetric key. Next, the "Client Observer" 6 checks whether the decryption result matches the (and thus the correct) hash value formed for the correct code stored on the first operator station server 2.
[0052] If so, the check process ends successfully, confirming that the code loaded from the first operator station server 2 into the client 4 has not been manipulated. Otherwise (if manipulation is detected), the approval and remediation process described below is executed.
[0053] If the first operator station server 2 detects manipulation, it directly interrupts the currently executing command (e.g., control value change, alarm response, etc.). Furthermore, the first operator station server terminates the current client session, meaning it at least temporarily excludes client 4 from communication with the control system 1. The first operator station server 2 publishes a corresponding event or security report, which notifies the rest of the control system 1 about the potentially manipulated client 4. Additionally, in component 9, referred to as the "User Profile Service," the relevant client 4 is added to the "Client Blacklist" 10. This is initially a comment and does not pertain to actual blocking.
[0054] The other operator station servers 3 are placed in the same cognitive state via component 11, referred to as the "mirror," from the first operator station server 2. Regardless of which operator station server 2 or 3 the client 4 registers with again—which is known to the control system 1—it is first "repaired" due to manipulation—or, one might say, in a trial period—and is not yet completely excluded from operation and observation.
[0055] If client 4 reconnects to operator station servers 2 and 3, the potentially manipulated code in client 4 is reloaded by the corresponding operator station servers 2 and 3. Now, further checks are conducted using the corresponding components "Client Observer" 7 and 8 to assess whether client 4 has been fixed. If so, it can be removed from the blacklist. If not, client 4 remains blocked accordingly.
[0056] Historical analysis or forensic analysis (Audit Trail) can be performed independently via the "Event Manager" 11, 12 integrated in the first operator station server or the second operator station server 2, 3 (all events detected within the scope of the described process are archived in principle): identifying which clients 4 were potentially manipulated in the past, even though they have been patched during that period. Event or security reports can be accessed via the corresponding process images 13, 14 of the first operator station server or the second operator station server 2, 3, displayed as a report sequence display 15 of client 4.
[0057] Through safety reports stored in the process image within the operating environment, all operators operating and observing the method's technical facilities are aware of the problematic client 4, which is crucial information for facility operation. Continuous monitoring of code checks, generation of corresponding events (if manipulation is identified), and prompt responses to these events (in an approved form) contribute to compliance with the relevant requirements of IEC 62443, the leading industrial safety standard, which addresses continuous safety monitoring and timely response to reported events and alarms.
[0058] Because availability and integrity are the most important requirements of IEC 62443, this invention typically contributes to compliance with IEC 62443 and the requirements based thereon within the scope of corresponding (gradually mandatory) certification and review.
[0059] Although the invention has been illustrated and described in detail through preferred embodiments, it is not limited to the disclosed examples and other variations can be derived by those skilled in the art without departing from the scope of protection of the invention.
Claims
1. A method for performing an integrity check on the consistency between code to be executed by a client (4) and code stored on a server (2, 3) in a client-server architecture of a control system (1) of a technical facility, wherein, The client-server architecture includes at least one first device configured and set as a client (4) and at least one second device configured and set as a server (2, 3), the first device being configured to communicate with the control system (1), the method comprising: a) Register the client (4) in the server (2, 3) and download the code to be executed by the client (4) from the server; b) Generate a key, encrypt the key using the public key of the client (4), and create a signature for the encrypted key using the public key of the server (2, 3); c) The previously encrypted and signed key is transmitted from the server (2, 3) to the client (4). d) Using the public key of the server (2, 3) to check the signature of the encrypted and signed key; e) If the previously checked signature is valid, the encrypted key is decrypted by the client (4) using the client (4)’s private key; f) The client (4) uses a hash function to calculate the hash value of the code; g) Encrypt the hash value using the key, and sign the encrypted hash value using the private key of the client (4); h) The encrypted and signed hash value is transmitted from the client (4) to the server (2, 3); i) The server (2, 3) uses the public key of the client (4) to check the signature of the encrypted and signed hash value; j) If the previously checked signature is valid, the encrypted hash value is decrypted by the server (2, 3) using the key; k) Calculate the additional hash value of the copy of the code stored on the server (2,3) and not transmitted to the client (4) through the server (2,3); l) If the hash value and the additional hash value are consistent, then the server (2, 3) allows the client (4) to communicate with the control system of the technical facility.
2. The method according to claim 1, wherein, In the event of inconsistent hash values, the client (4) is excluded from communication with the control system (1).
3. The method according to claim 2, wherein, If the client (4) is excluded from communication with the control system (1) and then re-registers with the server (2, 3) and the hash value is consistent according to the integrity check of claim 1, the server (2, 3) shall again allow the client (4) to communicate with the control system (1).
4. The method according to claim 2, wherein, If the client (4) is excluded from communication with the control system (1) and then re-registers with the server (2, 3) and the integrity check according to claim 1 does not yield a matching hash value, the server permanently excludes the client (4) from communication with the control system (1) and stores the client (4) as a device to be rejected in the control system (1).
5. A client-server architecture for a control system (1) for technical facilities, wherein, The client-server architecture includes at least one first device configured and set as a client (4) and at least one second device configured and set as a server (2, 3), the client-server architecture being configured to perform the method according to any one of the preceding claims.
6. A client-server architecture for a control system (1) for technical facilities, in, The client-server architecture includes at least one first device configured and set as a client (4) and at least one second device configured and set as a server (2, 3) associated with the client (4). Furthermore, the client (4) is configured to communicate with the servers (2, 3), receive and execute code from the servers (2, 3), wherein communication between the client (4) and the control system (1) exists via the servers (2, 3). Furthermore, the server (2, 3) is configured to: identify, using the method according to any one of claims 1 to 4, whether the code executed by the client (4) is consistent with the code transmitted to the client (4) and stored on the server (2, 3). The servers (2, 3) are configured to: interrupt the execution of the code through the client (4) and exclude the client (4) from communication with the control system (1) in the event of code inconsistency.
7. The client-server architecture according to claim 6, wherein, In the event that the client (4) re-contacts the server (2, 3) after being excluded from communication with the control system (1) and is excluded from communication with the control system (1) a second time due to inconsistent code execution, the server (2, 3) is configured to store the client (4) as a device to be rejected in the control system (1).
8. A control system (1) for a technical facility, the control system having a client-server architecture according to any one of claims 5 to 7.