Method for verifying the setting of predefined safety functions of a field device in process and automation technology

A method for verifying and adjusting field device safety functions addresses user knowledge gaps and cyberattack risks by authenticating users, comparing settings, and providing corrective measures, ensuring secure and accurate configuration.

DE102019131833B4 · Undetermined · Publication Date: 2026-06-25 · ENDRESS & HAUSER GMBH & CO KG

Patent Information

Authority / Receiving Office
DE · DE
Patent Type
Patents
Current Assignee / Owner
ENDRESS & HAUSER GMBH & CO KG
Filing Date
2019-11-25
Publication Date
2026-06-25

AI Technical Summary

Technical Problem

Configuring field devices with predefined safety functions to meet specific security levels is challenging due to the lack of user knowledge and the risk of cyberattacks, which can lead to incorrect settings and operational disruptions.

Method used

A method for verifying and adjusting the safety functions of field devices through authentication, comparison of actual and target settings, and providing electronic reports to guide users in achieving the required security level, including measures to correct deviations.

Benefits of technology

Ensures correct configuration of safety functions without specialized knowledge, reducing errors and enhancing security by preventing unauthorized access and parameter changes.

✦ Generated by Eureka AI based on patent content.


Abstract

A method for verifying the setting of predefined safety functions (SF1, ..., SFn) of a field device for process and automation technology, wherein the predefined safety functions (SF1, ..., SFn) relate in particular to access to at least one function of the field device by an unauthorized person, wherein the method provides the following steps:

- Determining a security level required at the measuring point and / or at the field device, wherein the determined security level defines the target setting of the predefined safety functions (SF1, ..., SFn) of the field device (1),
- Identifying a user by means of an authentication protocol (2),
- Starting a query about the actual setting of the safety functions (SF1, ..., SFn) of the field device specified at the measuring point by the user (3),
- Comparing the actual setting of the predefined safety functions (SF1, ..., SFn) of the field device with the target setting of the specified safety functions (SF1, ..., SFn) defined by the specified safety level (4),
- Issuance of an electronic report to the user regarding a conformity or deviation between the actual setting and the target setting of the specified safety functions (SF1, ..., SFn) of the field device (5),
- in the case of conformity between the actual setting and the target setting of the specified safety functions (SF1, ..., SFn) of the field device, the following step is provided:
  ◯ Storage of the electronic report (6), or
- in the case of deviation between the actual setting and the target setting of the specified safety functions (SF1, ..., SFn) of the field device, the following steps are provided:
  ◯ Proposal of at least one measure to adjust the actual setting of at least one specified safety function (SF1, ..., SFn) of the field device to the target setting (7), whereby at least one measure is shown to the user,
  ◯ Implementation of the at least one proposed measure to adapt the actual setting to the target setting of the specified safety functions (SF1, ..., SFn) of the field device by the user (8),
  ◯ Repetition of the query about the actual setting of the specified safety functions (SF1, ..., SFn) of the field device by the user (3).

Description

The invention relates to a method for checking the setting of predetermined safety functions of a field device for process and automation technology, wherein the predetermined safety functions relate in particular to access to at least one function of the field device by a person not authorized to access it.

Various field devices are already known from the state of the art and are used in industrial plants. Field devices are widely used in process automation as well as in manufacturing automation. In principle, field devices are defined as all devices that are used close to the process and that acquire and / or process process-relevant information. Thus, field devices are used to determine and / or influence process variables. Measuring devices or sensors are used to determine process variables. These are used, for example, for pressure and temperature measurement, conductivity measurement, flow measurement, pH measurement, level measurement, etc., and record the corresponding process variables such as pressure, temperature, conductivity, pH value, level, flow rate, etc. Actuators are used to influence process variables. These include, for example, pumps or valves that can influence the flow of a liquid in a pipe or the fill level in a container. In addition to the aforementioned measuring devices and actuators, field devices also include remote I / Os, radio adapters, and generally any devices located at the field level. Field devices can be mounted on containers or installed in control cabinets or control rooms. A large number of such field devices are produced and distributed by the Endress+Hauser Group.

In modern industrial plants, field devices are often integrated into communication networks. The field device communicates, for example, with higher-level control units and / or mobile operating tools. Communication between at least one higher-level control unit and the field devices typically takes place via a bus system, primarily using fieldbus protocols common in automation technology, such as Profibus®, Foundation Fieldbus®, or HART®, or Ethernet-based standards like PROFINET® or EtherNet / IP. Communication can be wired or wireless. The higher-level control unit is responsible for process control, process visualization, process monitoring, as well as commissioning and operation of the field devices, and is also referred to as a configuration / management system. Information from the field device can be retrieved, for example, via an operating tool. It is also known to configure the field device via an operating tool.

Field devices are increasingly being equipped with internet interfaces for communication and / or power supply. Besides network access points like Ethernet, these devices are preferably operated via a mobile control unit, which connects to the field device as needed. Bluetooth or WLAN, for example, are used as communication protocols between the control unit and the field devices. The diverse communication options available to field devices have significantly expanded their usability. However, the increasing number of functions places greater demands on the user, who must be familiar with and understand all of these functions to configure them and operate the device correctly. Simultaneously, the use of multiple, particularly wireless, communication interfaces also increases the risk of cyberattacks, as unauthorized individuals have more opportunities to gain remote access to the field device. Such attacks by external third parties can lead to data loss and disruption of the field device's operation.
In this context, the International Electrotechnical Commission (IEC) introduced a new guideline in February 2019: IEC 62443-4-2 addresses the security of industrial automation and control systems, focusing on the technical requirements for these systems. The aim is to prevent both unintentional disruption of ongoing operations and intentional disruption by third parties. The guideline describes four safety levels designed to reduce potential threats to field devices and specify concrete requirements for the safety functions of automation and control systems, such as the use of timestamps and support for updates. Each safety level is defined by a specific set of predefined settings for the field device's safety functions. The desired security level can be achieved by adjusting specific security function settings on the field device. However, this requires extensive knowledge of security levels and IT on the part of the field device user, which they typically lack. Without this knowledge, it is difficult to configure the security functions according to the security level, which can lead to incorrect settings on the field device.

A method for commissioning field devices has become known from DE 10 2018 124 251 A1.

The present invention is therefore based on the objective of setting the safety functions of a field device in a simple and user-friendly manner. The problem is solved by a method according to the invention for checking the setting of predefined safety functions of a field device in process and automation technology, wherein the predefined safety functions relate in particular to access to at least one function of the field device by an unauthorized person.
The method provides the following steps:

- Determining a safety level required at the measuring point and / or at the field device, wherein the determined safety level defines the target setting of the predefined safety functions of the field device,
- Identifying a user by means of an authentication protocol,
- Starting a query by the user about the actual setting of the safety functions of the field device specified at the measuring point,
- Comparison of the actual setting of the specified safety functions of the field device with the target setting of the specified safety functions defined by the specified safety level,
- Issuance of an electronic report to the user regarding a conformity or deviation between the actual setting and the target setting of the specified safety functions of the field device,
- In the case of conformity between the actual setting and the target setting of the specified safety functions of the field device, the following step is provided:
  ◯ Storage of the electronic report, or
- In the case of a deviation between the actual setting and the target setting of the specified safety functions of the field device, the following steps are provided:
  ◯ Proposal of at least one measure to adjust the actual setting of at least one specified safety function of the field device to the target setting, where at least one measure is shown to the user,
  ◯ Implementation of at least one suggested measure by the user to adjust the actual setting to the target setting of the specified safety functions of the field device,
  ◯ Repeat the query about the actual setting of the specified safety functions of the field device by the user.

The major advantage of the method according to the invention lies in the fact that the user is supported by the method in checking the actual setting of the specified safety functions of the field device. The user does not need any special know-how regarding the safety requirements of a field device to apply the method.
Furthermore, the user does not have to manually check the actual setting of the specified safety functions, thus reducing errors. The electronic report provides the user with an overview of the actual setting of the specified safety functions of the field device. If the actual setting corresponds to the target setting of the specified safety functions of the field device, the electronic report is saved. This allows future access to the report and a comparison of the previous actual settings of the field device's predefined safety functions with the current actual settings. If the actual settings deviate from the target settings of the field device's predefined safety functions, the user can adjust the actual settings to match the target settings and thus achieve the specified safety level. A subsequent query of the actual settings of the field device's predefined safety functions is then performed to verify that the actual settings have been correctly adjusted to the target settings.

Ideally, the method according to the invention is used directly after the field device has been installed and configured. This ensures that, after commissioning the field device, the actual setting of the specified safety functions of the field device corresponds to the defined and required safety level. Proposing a measure to adjust the actual setting of at least one predefined safety function of the field device to the target setting makes this adjustment easier for the user. This shows the user which measures they can take to achieve the defined safety level of the field device. Again, the user does not need any special knowledge about the safety levels, but can simply implement the suggested measures. Preferably, the specified safety functions of the field device relate in particular to access to at least one parameter of the field device and / or communication between the field device and an external device.
Another design provides that whether the specified security level is achieved or not is indicated in the electronic report by the actual setting of the field device's security functions. By displaying whether or not the specified safety level of the field device has been reached, the user does not need to memorize the target setting of the specified safety functions for the specified safety level of the field device, nor does he need to laboriously compare it with the actual setting of the specified safety functions of the field device. According to an advantageous further development of the method according to the invention, it is provided that there is at least one defined safety level, wherein each safety level is defined independently of the measuring point and the field device, and wherein the target setting of the specified safety functions of the field device is defined for each safety level. Typically, there are several safety levels, each defining a target setting for the specified safety functions. These safety levels are valid for all field devices. After configuring the field device, a suitable safety level for the field device and / or the measuring point can be selected and verified and adjusted using the method according to the invention. In an additional embodiment, the authentication protocol includes the entry of a password or a verification of the user based on at least one biometric characteristic, whereby the user is identified if the password or biometric characteristic matches previously stored data. Preferably, the authentication protocol features multi-factor authentication. This means the user is not identified by a single characteristic, such as a password, but by at least two characteristics. This increases security and prevents unauthorized access from being wrongly granted. 
In a further embodiment, the measure to adjust the actual setting of the field device's safety functions relates in particular to a change in the field device's parameters, whereby the change of the parameters by a non-authenticated user is prevented, or whereby the field device's parameters are only visible to the authenticated user. Correctly configuring the field device parameters is essential for smooth operation. Incorrect parameter changes can severely disrupt the ongoing process. Therefore, it is crucial to prevent unintentional parameter changes by users or intentional, incorrect changes by third parties. This can be achieved, for example, by denying unauthenticated users access to parameter changes or by granting authenticated users only read-only access to the parameters, preventing them from modifying them. A preferred embodiment provides that the measure for adjusting the actual setting of the safety functions of the field device affects at least one communication interface of the field device, whereby the communication interface is switched off. Disabling the communication interface makes it more difficult for unauthorized third parties to access the parameters and functions of the field device. At the same time, it also prevents the user from accidentally sending information from the field device to an external device via the communication interface that is not authorized to receive that information. Advantageously, a Bluetooth and / or WLAN and / or Ethernet interface is used as the communication interface. In a possible further development of the procedure, the electronic report is output on a display unit of the field device and / or an operating device intended for operating the field device. In one possible configuration, the electronic report is stored in the field device and / or in the operating device intended for operating the field device. 
In a preferred embodiment, the method is carried out on the field device and / or on the operating device which is intended for operating the field device. The method according to the invention will be explained in more detail with reference to the following Fig. 1. Fig. 1 shows an embodiment of the method according to the invention. The present procedure extends to all field devices that acquire and / or process process-relevant information, regardless of whether they are mounted on a container, a control cabinet or another location. The method according to the invention shown in Fig. 1 serves to verify the setting of predefined safety functions (SF1, ..., SFn) of a field device for process and automation technology, wherein the predefined safety functions (SF1, ..., SFn) relate in particular to access to at least one function of the field device by an unauthorized person. The method is carried out on the field device and / or on an operating device provided for operating the field device. The predefined safety functions (SF1, ..., SFn) of the field device relate, without limitation of generality, in particular to access to at least one parameter of the field device and / or communication between the field device and an external device. In the first step (Step 1), the required security level for the field device and / or the measuring point is defined. This security level defines the target setting of the specified security functions (SF1, ..., SFn) of the field device. At least one security level is available for selection. Each security level is defined independently of the measuring point and the field device, and the target setting of the specified security functions (SF1, ..., SFn) of the field device is defined for each security level. In Step 2, a user is identified using an authentication protocol. The authentication protocol can involve a password, a biometric characteristic, or multi-factor authentication, although other methods may also be used. 
In the next step (Step 3), the user initiates a query regarding the current setting of the security functions (SF1, ...) specified at the measuring point. Step 4 involves querying the field device and comparing the actual settings of the specified safety functions (SF1, ..., SFn) with the target settings defined by the specified safety level. The query result is then output to the user as an electronic report in Step 5, distinguishing between a match and a deviation between the actual and target settings of the specified safety functions (SF1, ..., SFn) of the field device. Optionally, the electronic report can also indicate whether the actual settings of the safety functions (SF1, ..., SFn) achieve or fail to achieve the specified safety level. If the actual setting and the target setting of the specified safety functions (SF1, ..., SFn) of the field device match, the electronic report is saved in step 6. The electronic report can be output and / or saved on the field device itself or on the operator panel. Output and saving of the electronic report are not limited to these devices.

If the actual setting of the specified safety functions (SF1, ..., SFn) of the field device deviates from the target setting, at least one measure to adjust the actual setting of at least one specified safety function (SF1, ..., SFn) of the field device to the target setting is suggested (step 7). In step 8, the user then performs at least one of the measures suggested in step 7. Subsequently, the user initiates another query about the actual setting of the specified safety functions (SF1, ..., SFn) of the field device (step 3). The measures proposed in step 7 may, for example, involve changing the field device's parameters. One measure could be to disable parameter changes by unauthenticated users or to grant authenticated users only read access to the field device's parameters. Another measure could involve disabling at least one of the field device's communication interfaces.
This could include a Bluetooth, WLAN, and / or Ethernet interface, and other possibilities are not excluded.
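The eight-step loop of Fig. 1 (derive the target setting from the selected security level, authenticate the user with two factors, query the actual setting, compare, report, then either store the report or propose measures, apply them and re-query) as an added Python example. This is not code from the patent or from Endress+Hauser products: the safety-function names (modelled as device settings), the per-level target settings, the measure texts, the device tag `TIC-101` and the credentials are all constructed for the example and are not the IEC 62443-4-2 requirements.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Hypothetical target settings per security level (step 1). Each key stands for
# one predefined safety function SF1..SFn of the device. The values are
# constructed for this example and are NOT the IEC 62443-4-2 requirements.
TARGET_BY_LEVEL: Dict[int, Dict[str, Any]] = {
    1: {"param_write_requires_auth": True, "params_visible_unauthenticated": True,
        "bluetooth_enabled": True, "wlan_enabled": True, "ethernet_enabled": True},
    2: {"param_write_requires_auth": True, "params_visible_unauthenticated": False,
        "bluetooth_enabled": False, "wlan_enabled": True, "ethernet_enabled": True},
    3: {"param_write_requires_auth": True, "params_visible_unauthenticated": False,
        "bluetooth_enabled": False, "wlan_enabled": False, "ethernet_enabled": True},
}

# Text shown to the user for each proposed measure (step 7); constructed.
MEASURE_TEXT = {
    "param_write_requires_auth": "prevent parameter changes by non-authenticated users",
    "params_visible_unauthenticated": "make parameters visible to authenticated users only",
    "bluetooth_enabled": "switch off the Bluetooth interface",
    "wlan_enabled": "switch off the WLAN interface",
    "ethernet_enabled": "switch off the Ethernet interface",
}


@dataclass
class FieldDevice:
    tag: str
    settings: Dict[str, Any]                      # actual setting of SF1..SFn
    stored_reports: List[Dict[str, Any]] = field(default_factory=list)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    second_factor: str   # stand-in for the biometric / second factor of the protocol


def make_user(password: str, second_factor: str) -> UserRecord:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return UserRecord(salt, digest, second_factor)


def authenticate(user: UserRecord, password: str, second_factor: str) -> bool:
    """Step 2: multi-factor check; both factors must match the stored data.
    Constant-time comparisons avoid leaking how much of a factor matched."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    pw_ok = hmac.compare_digest(digest, user.password_hash)
    sf_ok = hmac.compare_digest(second_factor.encode(), user.second_factor.encode())
    return pw_ok and sf_ok


def query_actual(device: FieldDevice) -> Dict[str, Any]:
    """Step 3: read the actual setting of the safety functions from the device."""
    return dict(device.settings)


def compare(actual: Dict[str, Any], target: Dict[str, Any]) -> Dict[str, tuple]:
    """Step 4: {function: (actual, target)} for every function that deviates."""
    return {k: (actual.get(k), v) for k, v in target.items() if actual.get(k) != v}


def build_report(device: FieldDevice, level: int, deviations: Dict[str, tuple]) -> Dict[str, Any]:
    """Step 5: electronic report on conformity and whether the level is reached."""
    return {"device": device.tag, "security_level": level, "conforms": not deviations,
            "level_reached": not deviations, "deviations": deviations}


def propose_measures(deviations: Dict[str, tuple]) -> List[Dict[str, Any]]:
    """Step 7: one measure per deviating safety function, shown to the user."""
    return [{"function": k, "set_to": tgt, "text": MEASURE_TEXT.get(k, f"set {k} to {tgt!r}")}
            for k, (_, tgt) in deviations.items()]


def apply_measures(device: FieldDevice, measures: List[Dict[str, Any]]) -> None:
    """Step 8: the user implements the proposed measures (simulated here)."""
    for m in measures:
        device.settings[m["function"]] = m["set_to"]


def verify(device: FieldDevice, level: int, user: UserRecord, password: str,
           second_factor: str, max_rounds: int = 3) -> Dict[str, Any]:
    """Runs the check loop; returns the authentication result and one report per round."""
    target = TARGET_BY_LEVEL[level]                         # step 1
    if not authenticate(user, password, second_factor):     # step 2: stop if not identified
        return {"authenticated": False, "rounds": []}
    rounds: List[Dict[str, Any]] = []
    for _ in range(max_rounds):
        deviations = compare(query_actual(device), target)  # steps 3 and 4
        report = build_report(device, level, deviations)    # step 5
        rounds.append(report)
        if report["conforms"]:
            device.stored_reports.append(report)            # step 6
            break
        measures = propose_measures(deviations)             # step 7
        report["proposed_measures"] = measures
        apply_measures(device, measures)                    # step 8, then re-query
    return {"authenticated": True, "rounds": rounds}


DEMO_USER = make_user("demo-pass", "123456")   # constructed credentials


def sample_device() -> FieldDevice:
    """Constructed device as delivered: parameters writable by anyone, all interfaces on."""
    return FieldDevice("TIC-101", {"param_write_requires_auth": False, "params_visible_unauthenticated": True,
                                   "bluetooth_enabled": True, "wlan_enabled": True, "ethernet_enabled": True})


if __name__ == "__main__":
    print(json.dumps(verify(sample_device(), 3, DEMO_USER, "demo-pass", "123456"), indent=2))
```

Run stand-alone, the script prints two reports for level 3: the first lists four deviations with their proposed measures, the second conforms and is the one stored on the device object. A wrong second factor ends the procedure at step 2 without any query, which is the point of authenticating before the actual settings are read or changed.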

Claims

1. A method for verifying the setting of predefined safety functions (SF1, ..., SFn) of a field device for process and automation technology, wherein the predefined safety functions (SF1, ..., SFn) relate in particular to access to at least one function of the field device by an unauthorized person, wherein the method provides the following steps:
   - Determining a security level required at the measuring point and / or at the field device, wherein the determined security level defines the target setting of the predefined safety functions (SF1, ..., SFn) of the field device (1),
   - Identifying a user by means of an authentication protocol (2),
   - Starting a query about the actual setting of the safety functions (SF1, ..., SFn) of the field device specified at the measuring point by the user (3),
   - Comparing the actual setting of the predefined safety functions (SF1, ..., SFn) of the field device with the target setting of the specified safety functions (SF1, ..., SFn) defined by the specified safety level (4),
   - Issuance of an electronic report to the user regarding a conformity or deviation between the actual setting and the target setting of the specified safety functions (SF1, ..., SFn) of the field device (5),
   - In the case of conformity between the actual setting and the target setting of the specified safety functions (SF1, ..., SFn) of the field device, the following step is provided:
     ◯ Storage of the electronic report (6), or
   - In the case of deviation between the actual setting and the target setting of the specified safety functions (SF1, ..., SFn) of the field device, the following steps are provided:
     ◯ Proposal of at least one measure to adjust the actual setting of at least one specified safety function (SF1, ..., SFn) of the field device to the target setting (7), whereby at least one measure is shown to the user,
     ◯ Implementation of the at least one proposed measure to adapt the actual setting to the target setting of the specified safety functions (SF1, ..., SFn) of the field device by the user (8),
     ◯ Repetition of the query about the actual setting of the specified safety functions (SF1, ..., SFn) of the field device by the user (3).

2. Method according to claim 1, wherein the specified safety functions (SF1, ..., SFn) of the field device relate in particular to access to at least one parameter of the field device and / or communication of the field device with an external device.

3. Method according to one of the preceding claims, wherein the achievement or non-achievement of the specified safety level is indicated in the electronic report by the actual setting of the safety functions (SF1, ..., SFn) of the field device.

4. Method according to one of the preceding claims, wherein there is at least one defined safety level, wherein each safety level is defined independently of the measuring point and the field device, and wherein the target setting of the specified safety functions (SF1, ..., SFn) of the field device is defined for each safety level.

5. Method according to one of the preceding claims, wherein the authentication protocol includes the entry of a password or a verification of the user based on at least one biometric characteristic, wherein the user is identified if the password or biometric characteristic matches previously stored data.

6. Method according to one of the preceding claims, wherein the authentication protocol includes multi-factor authentication.

7. Method according to one of the preceding claims, wherein the measure for adjusting the actual setting of the safety functions (SF1, ..., SFn) of the field device relates in particular to a change of the parameters of the field device, wherein the change of the parameters by a non-authenticated user is prevented, or wherein the parameters of the field device are only visible to the authenticated user.

8. Method according to one of the preceding claims, wherein the measure for adjusting the actual setting of the safety functions (SF1, ..., SFn) of the field device relates to at least one communication interface of the field device, wherein the communication interface is switched off.

9. Method according to claim 8, wherein a Bluetooth and / or WLAN and / or Ethernet interface is used as the communication interface.

10. Method according to one of the preceding claims, wherein the electronic report is output on a display unit of the field device and / or an operating device which is provided for operating the field device.

11. Method according to one of the preceding claims, wherein the electronic report is stored in the field device and / or in the operating device which is provided for operating the field device.

12. Method according to one of the preceding claims, wherein the method is carried out on the field device and / or on the operating device which is provided for operating the field device.