Method and system for controlling access to at least one computer program
By setting first and second runtime modes on the embedded system, the challenge of switching IT security constraints in edge computing environments is solved, enabling flexible access and execution permission control, improving development efficiency and reducing costs.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SIEMENS AG
- Filing Date
- 2021-08-13
- Publication Date
- 2026-06-05
AI Technical Summary
In edge computing environments, existing technologies cannot effectively enable flexible switching of IT security constraints between the development and normal operation phases, resulting in insufficient or excessive access permissions during software development and debugging, which affects development efficiency and costs.
An embedded system is provided, which has first and second runtime modes. In the first mode, IT security constraints are enforced, while in the second mode, some or all constraints are invalid, allowing elevated access and execution for software development operations, and the mode switching is controlled by a timer.
It enables flexible IT security management during the development and normal operation phases, improves software development and debugging efficiency, reduces costs, and shortens time to market.
Smart Images

Figure CN116157780B_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to a method and system for controlling access to at least one computer program, wherein the at least one computer program, specifically an application program, is accessible and executable on an embedded system, specifically on an edge device, and more particularly on an industrial edge device. Background Technology
[0002] Edge computing aims to bridge the gap between IT and OT, such as the gap between the cloud and machines, to bring new capabilities such as AI and data analytics to the shop floor.
[0003] Devices embedded in automation systems such as SCADA (Supervisory Control and Data Acquisition), such as edge devices, provide the foundation for creating an ecosystem of edge applications that allows for both native and third-party applications on these embedded devices.
[0004] To establish a secure edge computing ecosystem, edge devices must be equipped with secure operating and edge application runtime systems. To this end, edge devices and all installed edge applications must adhere to certain IT security-related rules applied in the production environment at the boundary between the shop floor and factory network / cloud (e.g., strict separation of the two network interfaces on the edge device's software and / or hardware).
[0005] However, these IT security constraints cannot be enforced during the development of edge platforms and edge applications because developers (including third-party edge application developers) need full access to edge devices to monitor, debug, and analyze their applications. These activities typically take place during development, but in certain specific scenarios (e.g., during customer trials of edge applications) or in the event of system or application failures, they also need to be performed during normal production operations.
[0006] Therefore, there is a need to provide methods and systems that allow access to software on embedded systems for development, debugging, and testing purposes during the development and normal operation phases, leveraging escalated access permissions. Summary of the Invention
[0007] To achieve the above objectives, the present invention provides a method for controlling access to at least one computer program, wherein the at least one computer program, specifically an application program, is accessible and executable on an embedded system, specifically on an edge (computing) device, and more particularly on an industrial edge device. The method includes providing the embedded system, wherein the embedded system includes the two different runtime modes: a first runtime mode and a second runtime mode, wherein in the first runtime mode, a predefined set of IT security constraints is associated with at least one computer program (itself and its execution on the embedded system), and wherein in the second runtime mode, at least a portion of the predefined set of IT security constraints associated with the at least one computer program is invalid, and with elevated privileges, the at least one computer program is accessible and executable. The elevated (access and execution) privileges allow software developers to perform software development operations on the at least one computer program. The method further includes setting the embedded system to the second runtime mode for a predefined period of time, and resetting the embedded system to the first runtime mode after the predefined period of time has expired.
[0008] In other words, a predefined set of IT security constraints is imposed in the first runtime mode. This predefined set of IT security constraints determines the access level to at least one computer program and optionally the access level to the embedded system, specifically the access level to the embedded system's operating system (e.g., changing firewall settings), and more specifically, the access level to the application management system within the operating system (e.g., container management system). The IT security constraints may also regulate the operations permitted by at least one computer program on the embedded system and / or by the embedded system while executing at least one computer program. In the second runtime mode, at least a portion of the predefined set of IT security constraints is invalid, allowing elevated privileges to access at least one computer program and optionally the embedded system. In the second runtime mode of the embedded system, at least one computer program can also execute on the embedded system using elevated privileges. The elevated privileges (for access and execution) are authorized for performing software development operations on at least one computer program.
[0009] Therefore, the second runtime mode of the embedded system allows software developers to access at least one computer program with elevated privileges, and optionally, the embedded system. The second runtime mode of the embedded system also allows the execution of at least one computer program with elevated privileges. This means that a software developer can perform a (first) operation on at least one computer program, and, when the at least one computer program is executed by the embedded system, cause the embedded system to perform a (second) operation, where (first and / or second) operations are not feasible when no IT security constraints are ineffective.
[0010] An embedded system is provided with a first runtime and a second runtime, as well as the ability to switch between these two runtime modes, allowing elevated / leveraged (access and execution) privileges to be used for development, debugging, and testing purposes during development and normal operation phases (e.g., when the device is already in use in an automated system).
[0011] In this embodiment, there may be multiple computer programs that can be accessed and executed on the embedded system. In this case, by switching the embedded system to a second runtime mode, enhanced privileges can be utilized to enable at least a portion of the multiple computer programs to be accessed and executed.
[0012] In this embodiment, there may be multiple embedded systems, each embedded system having at least one program that can be accessed and executed on the system, and each embedded system including a first runtime mode and a second runtime mode. In this embodiment, one or more embedded systems among the multiple embedded systems can switch back and forth between the two runtime modes, such that, with enhanced (access and execution) privileges, one or more computer programs can be accessed and executed within a predefined time window, the "developer's time window".
[0013] In this embodiment, the reset can be performed automatically by a person, such as by a system administrator.
[0014] In an embodiment, the method may further include setting at least one timer to control the expiration of a predetermined time period.
[0015] In this embodiment, the software development operation includes at least one of the following:
[0016] - Perform remote login to at least one computer program using read-write access (e.g., SSH login to a Docker or OCI application container).
[0017] - Utilize read-write access to access the file system of at least one computer program (e.g., WinSCP for Docker or OCI application containers).
[0018] - Track the log file of at least one computer program in real-time mode (e.g., "tail --followmyapp.log").
[0019] - Connect the debugger to the running process of at least one computer program.
[0020] - Connect the CPU, main memory, disk, or network I / O analyzer to the running process of at least one computer program.
[0021] - Change the log level of at least one computer program (for example, set the log level to DEBUG).
[0022] In this embodiment, the enhanced privileges may include at least one of the following privileges:
[0023] - Use read-write access to remotely log in to at least one computer program's container.
[0024] - Remote access, specifically remote read / write access to the container file system of at least one computer program.
[0025] - Remote online log tracking of at least one computer program,
[0026] - Remote debugging of at least one computer program,
[0027] - Remote analysis of at least one computer program,
[0028] - Change the log level to include debugging-related log information for at least one computer program in the log output.
[0029] - Remotely log in to the underlying system of the embedded device using read-only access.
[0030] - Use read-only access to remotely log in to at least one computer program at runtime.
[0031] In this embodiment, the underlying system may be an operating system, specifically an operating system that includes a container management system.
[0032] In an embodiment, the method may further include:
[0033] - Before setting the embedded device to the second runtime mode, create, specifically automatically create, a snapshot of the embedded device's system and / or at least one computer program running and / or at least one computer program and / or configuration and / or data, specifically a complete snapshot, and
[0034] - When the embedded device is set to the first runtime mode, the system is restored to its previous state based on a snapshot, that is, the state the system had before it was set to the first runtime mode.
[0035] In this embodiment, the snapshot is inaccessible, for example, it is unreadable or immutable in the second runtime mode.
[0036] In this embodiment, the embedded system may be an edge device of an automation system, specifically a machine controller, monitoring and control and data acquisition (SCADA) system, or more specifically a distributed control system (DCS) or process control system (PCS).
[0037] In this embodiment, the configuration that may be part of a snapshot may be configuration data of the underlying system (specifically, the OS), the container management system, or the application (specifically, the application container).
[0038] In an embodiment, the data that may be part of a snapshot may be data from at least one computer program (e.g., an application) (specifically, recorded data of an automated process, such as audio / video / time-series sensor / control data from the aforementioned automated system).
[0039] In this embodiment, the system administrator may set the embedded system to a second runtime mode within a predefined time period, and the method may further include:
[0040] - Request the system administrator to accept the terms and disclaimers associated with the elevated privileges, specifically the terms and disclaimers regarding appropriate operation and / or service level guarantees, and
[0041] - Read and accept the terms and disclaimers.
[0042] - Notify the system administrator at least once before and / or after automatically resetting the embedded system to the first runtime mode. In this case, the system administrator may be notified that (at least one) the embedded system will be reset to the first runtime mode and / or it has already been reset to the first runtime mode.
[0043] In an embodiment, the system administrator may be designed to be configured as a hardware and / or software component that facilitates the above steps.
[0044] In an embodiment, the method may further include extending the predefined time period before its expiration. To achieve the above objective, a system for controlling access to at least one computer program is also provided. The at least one computer program is accessible and executable on at least one embedded system, specifically at least one embedded device. The system includes the at least one embedded system having the at least one computer program, wherein the at least one embedded system includes two different runtime modes: a first runtime mode and a second runtime mode, wherein in the first runtime mode, a predefined set of IT security constraints is associated with the at least one computer program, and wherein in the second runtime mode, at least a portion of the predefined set of IT security constraints associated with the at least one computer program is invalid, and the at least one computer program is accessible and executable with elevated (access and execution) privileges, which allow software developers to perform software development operations on the at least one computer program. The system also includes a management system for the at least one embedded system, configured to set the at least one embedded system to the second runtime mode during the predefined time period and switch the at least one embedded system back to the first runtime mode after the predefined time period expires.
[0045] In this embodiment, at least two computer programs can be accessed and executed on at least one embedded system, wherein
[0046] - In the first runtime mode, a predefined set of IT security constraints is associated with each computer program.
[0047] - In the second runtime mode, at least a portion of a predefined set of IT security constraints is invalid for at least one of at least two computer programs, and at least one computer program is able to access and execute the program by utilizing elevated (access and execution) privileges.
[0048] In this embodiment, there may be multiple computer programs that can be accessed and executed on the embedded system. In this case, by switching the embedded system to a second runtime mode, enhanced privileges can be utilized to enable access and execution of at least a portion of the multiple computer programs.
[0049] In an embodiment, the system may include at least two embedded systems.
[0050] In this embodiment, the management system may be designed as a cloud-based management system, such as a cloud-based edge device management system.
[0051] In this embodiment, there may be multiple embedded systems, each equipped with at least one program that can be accessed and executed on the system, and each embedded system includes a first runtime mode and a second runtime mode. In this embodiment, one or more of the multiple embedded systems can switch back and forth between the two runtime modes, allowing one or more computer programs to be accessed and executed within a predefined time window, known as the "developer's time window," by leveraging enhanced privileges.
[0052] In this embodiment, the embedded system may be an edge device of an automation system, specifically a machine controller, monitoring and control and data acquisition (SCADA) system, or more specifically a distributed control system (DCS) or process control system (PCS).
[0053] In an embodiment, at least one computer program may be an edge application.
[0054] In one embodiment, the management system and / or at least one embedded system may include a timer, wherein the timer is configured to control the expiration of a predefined time period.
[0055] In an embodiment, the management system may include means for managing at least one embedded system, specifically for managing a backend server of at least one embedded system, and more specifically for managing a cloud backend server of at least one embedded system.
[0056] In one embodiment, the management backend server can be configured to set the embedded device to a second runtime mode for a predefined period of time, and switch the embedded device to a first runtime mode after the predefined period of time has expired. Attached Figure Description
[0057] The above and other objects and advantages of the present invention will become apparent from the following detailed description taken in conjunction with the accompanying drawings, wherein like reference numerals refer to like parts throughout, and wherein:
[0058] Figure 1 It is a simplified software development solution with two images, and
[0059] Figure 2 It is part of an ecosystem for controlling access to edge applications on edge devices and a sequence of operations for controlling access to edge applications on edge devices. Detailed Implementation
[0060] Go to Figure 1This illustrates a common scenario for hardware in a loop development environment (prior art). In the development project of a computer program (e.g., an edge application, or simply edge device application software) for an embedded system (e.g., an edge device), the developer P typically sets up two edge devices P1 and P2 with artifacts under development during different phases.
[0061] First, use edge devices with dedicated development support. Figure 1 The edge device P1 is an example. This device can be implemented through a so-called developer firmware version (“DEV” image). A device P1 with development support runs its software with little or no IT security-related features, such as allowing root access to the edge operating system, the edge application runtime system, and each edge application. However, this is absolutely impractical for regular production edge systems.
[0062] Second, configure the standard production version on production equipment P2. This can be achieved through a so-called "PROD" firmware version. This equipment applies full IT security-related constraints, which may be anticipated by the operator of the automation system, and therefore may be used, for example, at the network boundary between the operator's secure OT shop floor / machine network and the operator's IT factory network / cloud.
[0063] Software developers working on edge devices 1 include third-party edge application developers P. Developer P always starts with an open DEV image, building and testing their software without any IT security constraints. Once they move to a PROD image, their software often doesn't work as expected. This is likely because IT security constraints weren't seen early in the development phase (e.g., no direct physical network access for standard edge applications). This means that problems seen on the PROD image cannot be debugged in a lifetime using IDE-integrated remote debugging mechanisms, and there's no means to analyze the software's resource consumption at a fine-grained level, either at the level of individual programming statements or at the object level in object-oriented programming.
[0064] Therefore, software problems are often not seen until very late in the development lifecycle. This typically leads to reduced time to market and increased development effort and costs.
[0065] Figure 2 Methods and systems corresponding to the methods and systems according to the present invention are shown respectively.
[0066] The system includes an edge device 1 with two operating modes, P10 and P11. Edge device 1 can be an edge device of an automation system, specifically a machine controller, monitoring and control and data acquisition (SCADA) system, and more specifically a distributed control system (DCS) or process control system (PCS).
[0067] Edge device 1 has edge applications that can be executed on edge device 1, such as production firmware.
[0068] In an embodiment, the system may include multiple edge devices, wherein each edge device is provided with two runtime modes and is provided with one or more edge applications that can be executed on the edge device.
[0069] In the first runtime mode P10, a predefined set of IT security constraints is associated with the edge application (or at least a portion of the edge application provided on the edge device).
[0070] This set of IT security constraints determines the access levels to edge applications and, optionally, to edge device 1. These IT security constraints can regulate operations, allowing the edge application on edge device 1 to perform the operation and / or the edge application to perform the operation on edge device 1 while it is executing the edge application.
[0071] In the second runtime mode P11, at least a portion of the predefined set of IT security constraints associated with the edge application is invalidated, and the edge application is able to access and execute enhanced access and execution permissions, which allow software developer P to perform software development operations on the edge application.
[0072] The system further includes a cloud-based edge device management system 2. The edge device management system 2 may include an edge device management backend server 21 and is configured to set edge device 1 to a second runtime mode P11 for a predefined period of time, and to switch edge device 1 to a first runtime mode P10 after the predefined period of time has expired. Those skilled in the art will understand that the edge device management system 2 does not necessarily have to be cloud-based. For example, it may reside at the site of an automated factory / automation system, and is included herein as a "local" edge device management backend server.
[0073] Edge device 1 can be a cloud-based edge device management system 2, or can be connected to a cloud-based edge device management system 2, specifically via one or more networks, such as via the network of an automation system (the factory network) and / or via the Internet, to the edge backend server 21.
[0074] In step S1 of the method, edge device 1 (or some of the edge devices among multiple edge devices) is set to a second runtime mode P11 within a predefined time period. This can be performed by a responsible and authorized person A (e.g., a system administrator) associated with the cloud-based edge device management system 2, who uses the edge management backend 21 in the cloud and sets edge device 1 to the second runtime mode P11—the so-called “controlled open mode.” In the case of multiple edge devices, one or more edge devices can be set to the second runtime mode P11.
[0075] In Controlled Open Mode P11, edge application developers / testers can temporarily access Edge Device 1 for their monitoring and debugging purposes. A typical environment could be a collaborative project for testing new (not always stable) edge applications on a customer's production site.
[0076] In an optional step S2 of the method, the edge management backend 21 may request the administrator A to accept specific terms and disclaimers T1, T2…; D1, D2…, for example, stating that there are appropriately reduced operation / service level guarantees during the phase of running edge device 1 in controlled open mode P11.
[0077] In an optional step S3, Administrator A needs to read and accept the terms and conditions T1, T2…; D1, D2…; in order to proceed.
[0078] In step S4 of the method, the edge management backend 21 can set a timer for the edge device 1 with a predefined time period. For this time window, the edge application can be monitored and debugged, for example, on the edge device 1 or on the edge device itself.
[0079] In the case of multiple edge devices, where each edge device may include multiple edge applications, the edge management backend 21 can identify the appropriate edge device and put it into a controlled open mode P11 for a set of edge applications, which will be monitored and debugged, and set a timer for each edge device in a second runtime mode P11.
[0080] The timer set by the edge management backend 21 is called a backend timer. In one embodiment, the backend timer can be displayed to administrator A.
[0081] Once the timer reaches zero, the controlled open mode P11 switches back to the first runtime mode P10 – also known as the “default protected mode”.
[0082] Resetting edge device 1 to the default protection mode can be done automatically or by a person, such as system administrator A.
[0083] It becomes advantageous to set a second timer on edge device 1 in step S5 when the controlled open mode P11 is activated. This timer is called the "edge timer". This ensures that edge device 1 will be able to switch back to the default protected mode P10 even if it does not have a valid connection to the cloud-based edge management backend 21. This is reasonable, especially since it is not always guaranteed that edge device 1 will always be connected to the edge management backend 21, which monitors the time span in which edge device 1 operates in controlled open mode P11.
[0084] Once edge device 1 is in the second runtime mode P11, edge application developers and testers P gain enhanced access to edge device 1 and can perform software development operations on the edge application in step S6.
[0085] Software development operations may include, but are not limited to, one or more of the following activities:
[0086] - Utilize read-write access to perform remote logins to edge applications (e.g., SSH logins to Docker or OCI application containers).
[0087] - Utilize read-write access to access the file system of edge applications (e.g., WinSCP for Docker or OCI application containers).
[0088] - Track edge application log files in real-time mode (e.g., "tail-follow myapp.log").
[0089] - Connect the debugger to the running edge application process
[0090] Connect the CPU, main memory, disk, or network I / O analyzer to the running edge application process.
[0091] - Change the edge application log level to include debugging-related log information for the edge application in the log output.
[0092] Once the edge and / or backend timers time out (the predefined time period expires), in step S7, the system switches back to the default protection mode P10. Switching back to the first runtime mode P10 may include stopping all remote access connections from the application developer and tester P and / or continuing in normal operation.
[0093] In step S8, the system, such as edge device 1, can directly or indirectly (via edge management backend 21) notify administrator A to switch back to the default protection mode P10. In this case, system administrator A can be notified that edge device 1 is about to be reset to the first runtime mode P10. If necessary, administrator A can prevent the switch and extend the second runtime mode P11. In addition, edge device 1 can notify administrator A that it has successfully reset to the first runtime mode P10.
[0094] The elevated privileges mentioned above may include at least one of the following:
[0095] Remotely log in to the container of at least one computer program using read-write access.
[0096] Remote read / write access to the container file system of at least one computer program.
[0097] Remote online log tracking of at least one computer program,
[0098] Remote debugging of at least one computer program,
[0099] Remote analysis of at least one computer program,
[0100] Change the log level to include debugging-related log information for at least one computer program in the log output.
[0101] Remotely log in to the underlying system of an embedded device using read-only access.
[0102] Remotely log in to at least one computer program during runtime using read-only access.
[0103] In this embodiment, the underlying system may be an operating system, specifically an operating system that includes a container management system.
[0104] In this embodiment, the system may, for example, automatically create a full snapshot of the edge infrastructure system before activating the second runtime mode P11. Furthermore, the system may automatically create full snapshots of the edge application runtime and / or all edge applications and / or configurations and / or data. For example, the system may back up all partitions used for activation to a snapshot backup stored in a fixed location that cannot be accessed by anyone during the controlled open mode P11 phase (e.g., on an attached secure disk partition).
[0105] The configuration, which can be part of a snapshot, can be configuration data for the underlying system (specifically the OS), the container management system, or the application (specifically, the application container).
[0106] The data that may be part of a snapshot may be data from at least one computer program (e.g., an application) (specifically, recorded data from an automated process, such as audio / video / time-series sensor / control data from the aforementioned automated system).
[0107] In this embodiment, when leaving the controlled open mode P11, the system can, for example, automatically restore the entire system to a snapshot state before activating the second runtime mode P11. In this case, application developers and testers P can be allowed unrestricted access to the entire system except for the fixed snapshot backup, i.e., full access including write access to the edge infrastructure system and the edge application runtime. This is beneficial for rapid prototyping, test case injection, and unrestricted advanced deep debugging. This embodiment still guarantees that edge device 1 switches back to its initial state after leaving the controlled open mode P11. Any changes made by developers and testers P are intentionally lost. If software problems are identified, any relevant fixes can be provided at a later time via channels such as edge firmware and edge application downloads.
[0108] In this embodiment, the predefined time period (e.g., 1 hour) can be extended before its expiration. The extension can be performed automatically if certain conditions are met during the controlled open mode P11, or if system administrator A can click a special "Reset Timer" button.
[0109] When the predefined time period expires (at least one of the timers reaches zero), edge device 1 is automatically or by system administrator A set to the first running mode P10.
[0110] In summary, there is no need to further develop and maintain two different edge firmware versions, "PROD" and "DEV". This monitoring and debugging support in the production environment reduces costs, speeds up time-to-market for new versions, and requires fewer development resources.
[0111] Furthermore, since edge devices that can be switched uncontrollably in the first runtime mode for software development purposes are not permitted by most operators of automated systems, the methods and systems disclosed herein benefit all parties involved in the ecosystem, such as edge device manufacturers, (third-party) edge application developers, and operators of automated systems using edge devices and edge applications.
[0112] The embodiments of the invention described above are presented for illustrative purposes and not for limitation. Specifically, the embodiments described with reference to the accompanying drawings are merely a few examples of the embodiments described in the introductory section. Those skilled in the art will understand that the technical features disclosed regarding the method can be used in the system and vice versa without departing from the scope of protection defined by the claims.
[0113] Reference numerals in the claims are for clarity only and should not be considered as limiting parts of the claims.
Claims
1. A method for controlling access to at least one computer program, wherein, The at least one computer program is accessible and executable on the embedded system (1), wherein the method includes: - Provide the embedded system (1), wherein the embedded system (1) includes two different runtime modes: a first runtime mode (P10) and a second runtime mode (P11), wherein - In the first runtime mode (P10), a predefined set of IT security constraints is associated with the at least one computer program, wherein - In the second runtime mode (P11), at least a portion of the predefined set of IT security constraints associated with the at least one computer program is invalidated and elevated privileges are granted for performing software development operations on the at least one computer program, and the at least one computer program can be accessed and executed using the elevated privileges for performing software development operations on the at least one computer program. - Set the embedded system (1) to the second runtime mode (P11) within a predefined time period. - After the predetermined time period expires, the embedded system (1) will be reset to the first runtime mode (P10). The method further includes, wherein the system administrator (A) sets the embedded system (1) to the second runtime mode (P11) within a predefined time period, and the method further includes: - Request the system administrator (A) to accept the terms and disclaimers (T1, T2, D1, D2) associated with the elevated privileges, and - Read and accept the terms and disclaimers stated above, and - The system administrator (A) shall be notified at least once before and / or after at least one of the embedded systems (1) is reset to the first runtime mode (P10).
2. The method of claim 1, further comprising setting at least one timer to control the expiration of the predetermined time period.
3. The method as described in claim 1 or 2, wherein, The software development operations include at least one of the following: - Perform remote login to the at least one computer program using read-write access. - Access the file system of the at least one computer program using read / write access. - Track the log files of the at least one computer program in real-time mode. - Connect the debugger to the running process of the at least one computer program. - Connect the CPU, main memory, disk, or network I / O analyzer to the running process of the at least one computer program. - Change the log level of the at least one computer program.
4. The method according to any one of claims 1 to 2, wherein, The enhanced privileges include at least one of the following access permissions: - Remotely log in to the container of the at least one computer program using read-write access. - Remote read / write access to the container file system of at least one of the computer programs. - Remote online log tracking of the at least one computer program, - Remote debugging of the at least one computer program, - Remote analysis of the at least one computer program, - Change the log level to include debugging-related log information for the at least one computer program in the log output. - Remotely log in to the underlying system of the embedded device using read-only access. - Remotely log in to the runtime of the at least one computer program using read-only access.
5. The method according to any one of claims 1 to 2, further comprising: - Before setting the embedded device (1) to the second runtime mode, create a snapshot of the system and / or the runtime of the at least one computer program of the embedded device (1) and / or the configuration and / or data of the at least one computer program, and - When the embedded device is set to the first runtime mode, the system is restored to the previous state based on the snapshot.
6. The method according to any one of claims 1 to 2, wherein, The embedded system is an edge device of the automation system (1).
7. The method of claim 6, wherein, The automation system is a machine controller, monitoring and control and data acquisition (SCADA), distributed control system (DCS), or process control system (PCS).
8. The method of claim 1, wherein, The terms and disclaimers (T1, T2, D1, D2) are terms and disclaimers concerning appropriate operation and / or service level guarantees.
9. The method of any one of claims 1 to 2, further comprising extending the predetermined time period before its expiration.
10. A system for controlling access to at least one computer program, wherein, The at least one computer program is accessible and executable on at least one embedded system (1), wherein the system comprises: - The at least one embedded system (1) having the at least one computer program, wherein the at least one embedded system (1) includes two different runtime modes: a first runtime mode (P10) and a second runtime mode (P11), wherein - In the first runtime mode (P10), a predefined set of IT security constraints is associated with the at least one computer program, wherein - In the second runtime mode (P11), at least a portion of the predefined set of IT security constraints associated with the at least one computer program is invalidated and elevated privileges are granted for performing software development operations on the at least one computer program, and the at least one computer program can be accessed and executed using the elevated privileges for performing software development operations on the at least one computer program. - The management system (2) of the at least one embedded system (1) is configured to set the at least one embedded system (1) to the second runtime mode (P11) within a predetermined time period, and to switch the at least one embedded system (1) to the first runtime mode (P10) after the predetermined time period expires. In this process, the system administrator (A) sets the embedded system (1) to the second runtime mode (P11) within a predefined time period, and the management system (2) is configured as follows: - Request the system administrator (A) to accept the terms and disclaimers (T1, T2, D1, D2) associated with the elevated privileges, and - Read and accept the terms and disclaimers stated above, and - The system administrator (A) shall be notified at least once before and / or after the at least one embedded system (1) is reset to the first runtime mode (P10).
11. The system of claim 10, wherein, At least two computer programs are accessible and executable on the at least one embedded system (1), wherein - In the first runtime mode (P10), a predefined set of IT security constraints is associated with each computer program. - In the second runtime mode (P11), at least a portion of the predefined set of IT security constraints is invalid for at least one of the at least two computer programs, and the at least one computer program is able to access it with elevated privileges.
12. The system as claimed in claim 10 or 11, wherein, The system includes at least two embedded systems (1), wherein each embedded system (1) includes at least one computer program.
13. The system as claimed in any one of claims 10 to 11, wherein, The embedded system is an edge device of an automated system.
14. The system as claimed in any one of claims 10 to 11, wherein, The at least one computer program is an edge application.
15. The system as claimed in any one of claims 10 to 11, wherein, The management system (2) and / or the at least one embedded system (1) includes a timer, wherein the timer is configured to control the expiration of the predefined time period.
16. The system as claimed in any one of claims 10 to 11, wherein, The management system (2) includes means for managing the at least one embedded system (1).
17. The system of claim 16, wherein, The means for managing the at least one embedded system (1) is a back-end server (21) for managing the at least one embedded system (1).
18. The system of claim 13, wherein, The automation system is a machine controller, a monitoring and control and data acquisition (SCADA) system, a distributed control system (DCS) or a process control system (PCS).