Additional module for tamper protection of a sensor
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Patents
- Current Assignee / Owner
- VEGA GRIESHABER GMBH & CO
- Filing Date
- 2021-10-18
- Publication Date
- 2026-07-09
AI Technical Summary
Existing sensors in industrial environments are vulnerable to unauthorized access and manipulation, lacking effective protection against hacking, incorrect password entry, and unauthorized changes to settings and measured values.
An additional module with a coupling unit, control unit, and encryption unit is retrofitted to sensors, enabling secure data processing, blocking unauthorized access, and providing encryption using blockchain technology, while allowing authorized access and parameterization.
The additional module effectively prevents unauthorized access and manipulation of sensor data and settings, ensuring secure operation and integrity of measurement data through encryption and validation processes.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Field of invention
[0001] The invention relates to add-on modules for sensors, in particular for measuring devices for containers in industrial environments. Specifically, the invention relates to an add-on module for a sensor, a sensor unit for detecting a fill level and / or limit level, and a method for controlling such a sensor unit. background
[0002] Sensors in industrial environments can be used as measuring devices for level measurement, limit level detection, flow measurement, pressure measurement, level and flow measurement, or temperature measurement. To protect sensors from unauthorized access, they can be equipped with additional modules that can prevent access to the sensor at the hardware level. Summary
[0003] It is an object of the invention to provide an alternative add-on module. In particular, it is an object of the invention to provide an add-on module that can be retrofitted to sensors.
[0004] This problem is solved by the subject matter of the independent patent claims. Further developments result from the dependent claims and the subsequent description of embodiments.
[0005] A first aspect of the present disclosure relates to an additional module for a sensor, such as a fill and / or level sensor, which may be set up in particular for process automation in an industrial environment.
[0006] The add-on module comprises a coupling unit and a control unit. The coupling unit, such as a physical interface, a radio interface, or an inductive interface, is configured to communicate with at least one predetermined sensor. The control unit is configured to enable and / or disable data processing, such as displaying, transmitting, and / or storing measured values, particularly data received from the sensor, of the at least one predetermined sensor. Furthermore, the control unit can also be configured to enable and / or disable parameterization of the at least one predetermined sensor, i.e., changes to the measurement parameters of the at least one predetermined sensor.
[0007] The add-on module can therefore prevent or block unauthorized access to at least one sensor, particularly to sensor settings and / or measured values. Examples of unauthorized access to the sensor include hacking attacks, incorrect password entry, use of unassigned add-on modules, tapping into the fieldbus, wireless connection, etc. For example, the add-on module can be pre-assigned to a specific sensor, so that during operation it grants access to at least that one sensor. Furthermore, it is conceivable that the sensor to which the add-on module is assigned is one of several sensors in a network, where the sensors within the network can communicate with each other.In such a sensor network, it is also possible that the additional module, when assigned to one pre-defined sensor, grants access not only to that one sensor, but to all sensors in the network.
[0008] Locking the display, preventing the transmission and / or storage of measurement data can prevent theft and / or unauthorized alteration of measurement data.
[0009] The sensor could be a level sensor, a limit level sensor, a pressure sensor, a flow sensor, a microwave barrier, or another type of sensor.
[0010] In other words, a fill and / or level sensor can be retrofitted with tamper protection via the add-on module, thus protecting it against unauthorized access and / or manipulation. The add-on module can therefore expand the functionality of the sensor and thus the measuring point. This allows standard sensors without tamper protection to be retrofitted.
[0011] According to one embodiment, the control unit can further be configured to enable and / or disable operation and / or parameterization of the sensor. Additionally, or alternatively, the control unit can also be configured to enable and / or disable the display and / or transmission and / or provision of measured values by the sensor. Furthermore, the additional module can provide operation and / or parameterization of the sensor via an interface.
[0012] Furthermore, the add-on module can also include a validation unit configured to verify a connection to at least one predetermined sensor. The validation unit can be located either within the sensor itself or in a cloud environment. It can employ various validation procedures to determine whether the add-on module is authorized to release the sensor for parameterization, such as password entry, a security question, etc. The authorization process can also be two-stage or multi-stage. For example, the validation procedure might involve, in a first step, the correct assignment of the add-on module to the assigned sensor, and in a second step, password entry.
[0013] Furthermore, the add-on module can include an encryption unit configured to encrypt the data received from the sensor and / or provide it with a tamper-proof digital signature. Specifically, the encryption unit can encrypt the sensor data, such as measured values or sensor status, using blockchain technology and thus provide it with a tamper-proof digital signature via a cryptographic process. The encrypted data set can then be sent to another party, which can verify that the data has not been manipulated.
[0014] According to one embodiment, the control unit can be configured to enable and / or disable data processing from multiple sensors. For example, the add-on module can only enable all sensors in the system if it is attached to a predetermined, assigned sensor within the system. If the assignment is incorrect—that is, if the add-on module is attached to an unassigned sensor in the system—all sensors in the system are put into a tamper-proof state. This makes it possible to put the sensors into a tamper-proof state even in the event of the add-on module being stolen.When using the add-on module for a sensor network, it is possible to switch the module's access for data processing and / or parameterization from one sensor in the network to another at freely definable intervals and / or on demand. A sensor network can be pre-configured at the factory or, alternatively, configured on-site. In particular, only one of the sensors in the network can be set as the pre-assigned sensor, so that access to all sensors in the network is only possible when the add-on module is assigned to this one pre-defined sensor.
[0015] According to one embodiment, the add-on module can further include a power supply unit, e.g., a battery and / or an "energy harvesting system." This allows the add-on module to have its own independent power supply. Additionally, or alternatively, the add-on module can also be powered via the sensor.
[0016] Another aspect of the present disclosure relates to a sensor unit for detecting a fill level and / or limit level. The sensor unit comprises at least one sensor and an additional module described above and below, wherein the additional module is configured to enable and / or disable data processing, such as displaying, transmitting, and / or storing measured values, in particular the data received from the sensor, of the at least one predetermined sensor.
[0017] According to one embodiment, the add-on module can be configured as a local control unit or as a remote control unit. In particular, the add-on module configured as a remote control unit can be connected to the at least one sensor via a radio interface, such as LoRaWAN, NB-IoT, Bluetooth, etc. Furthermore, the remote control unit can include a software module that can be integrated into the sensor itself or stored in a cloud, which can communicate with the sensor, especially via the radio interface.
[0018] Furthermore, the add-on module and / or the sensor can feature a visual indicator to display the sensor protection status. Additionally, or alternatively, such a visual indicator can also be provided on mobile devices and / or in the cloud, or on stationary end systems and / or control systems. The visual indicator for the sensor protection status allows for quick and easy identification of the sensor status. This makes it possible to quickly and easily determine whether the sensor has been placed in a tamper-proof state for security reasons or is operating normally. Moreover, the visual indicator also allows for the detection, even from a distance, of unauthorized access or an attempted unauthorized access.
[0019] Furthermore, the sensor unit can have multiple sensors configured to communicate with at least one predetermined sensor. Additionally, an add-on module can be configured to enable and / or disable data processing for these multiple sensors. In this case, the add-on module is assigned to the one predetermined sensor and can be authorized to enable or disable multiple sensors within the group associated with that one predetermined sensor, or to put them into a tamper-proof state. The sensor assignments within a group can be pre-configured at the factory or, alternatively, configured on-site.
[0020] According to one embodiment, the control unit can be configured to switch the control assignment of the add-on module to one of the multiple sensors and to at least one predetermined sensor at freely definable time intervals and / or on demand. This allows the control unit to determine when and for how long the add-on module can access the measurement data and / or sensor properties of one of the sensors in the system. Access can, for example, switch automatically at predetermined time intervals or on demand, such as by pressing a button on the sensor, the add-on module, etc.
[0021] Another aspect of the disclosure concerns a method for controlling a sensor unit described above and below. The method comprises the following steps: Operating at least one predetermined sensor during normal operation, Pairing the add-on module with at least one predetermined sensor, checking whether the add-on module and the sensor are assigned to each other, and Enabling sensor settings and / or data processing of the sensor when the add-on module and the sensor are paired, and / or Activating a tamper-proof state of the sensor, whereby at least the transmission of data received from the sensor is prevented.
[0022] Further embodiments are described below with reference to the figures. The representation in the figures is schematic and not to scale. The same or similar elements are marked with the same reference symbols. List of characters Fig. Figure 1 shows a schematic representation of an additional module according to one embodiment. Fig. Figure 2 shows a schematic representation of an additional module on a sensor with local operation according to one embodiment. Fig. Figure 3 shows a schematic representation of an additional module on a sensor with remote control according to one embodiment. Fig. Figure 4 shows a schematic representation of a sensor unit with multiple sensors according to one embodiment. Fig. Figure 5 shows a schematic and functional representation of a data transmission with an additional module with an encryption unit according to an embodiment of the invention. Fig. Figure 6 shows a method for controlling a sensor unit according to an embodiment of the invention. Detailed description of embodiments
[0023] Fig. Figure 1 shows a schematic block diagram of an add-on module 1 according to an exemplary embodiment of the invention. The add-on module 1 comprises a radio module 2, a validation unit 3, a control unit 4, a battery 5, and an interface 6. The radio module 2 according to the exemplary embodiment shown here serves for communication with a control system 20 (see Figure 1). Fig. 4), stationary and / or mobile devices (21 (see Fig. 4), which is used to monitor and / or control a sensor 7 assigned to the additional module 1 (see Fig. 2 and Fig. 3) or a sensor array 8 assigned to the additional module 1 (see Fig. 4) serve. Both the individual sensor 7 with the additional module 1 and the sensor assembly 8 with the additional module 1 can be referred to as a sensor unit 9.
[0024] Validation unit 3 is configured to use a validation procedure to verify whether the add-on module 1 is authorized to access sensor 7. The validation procedure can be single-stage or multi-stage and may, for example, include a password prompt.
[0025] The control unit 4 is configured to control the access of the add-on module 1 to the sensor unit 9. This means that the control unit 4 can control whether the add-on module 1 has access to the data processing of the measurement data generated by the sensor and / or whether parameterization, i.e., access to the sensor properties, is possible via the add-on module 1. Furthermore, in a sensor unit 9 configured as a sensor array 8, the control unit 4 can be configured to switch the control assignment of the add-on module 1 to one of the multiple sensors 7 and to at least one predetermined sensor 10 at freely definable time intervals and / or on demand. Thus, the control unit 4 can determine when and for how long the add-on module 1 can access the measurement data and / or sensor properties of one of the sensors 7 in the array 8.
[0026] Battery 5 enables the add-on module 1 to have its own independent power supply. This means that the add-on module 1 is powered even without a connection to sensor 7, allowing it to be used, at least to a limited extent, even without being assigned to a sensor 7. For example, settings can be made on the add-on module 1 itself before it is assigned to a sensor 7. However, it is also conceivable to design the add-on module 1 without its own power supply. Such an add-on module 1 would then be powered exclusively by the sensor 7 assigned to it. In this case, the add-on module 1 must be designed as a local control unit 11 (see Fig. 2).
[0027] Interface 6 is used for communication with sensor 7 and can be a physical interface, such as sliding contacts or a cable. Alternatively, interface 6 can also be wireless or contactless, such as a radio or inductive interface.
[0028] Fig. 2 and Fig. Figure 3 shows two individual sensors 7 and the additional module 1, with the additional module in Fig. 2 is trained as a local operating unit 11 and is in Fig. 3 is configured as a remote control unit 12. The additional module 1 is one of the two sensors 7 (in Fig. 2 and Fig. 3 are each assigned to the left sensor 7), which corresponds to the sensor 10 predetermined for the additional module 1. The additional module 1 is in contact with the sensor 10 via sliding contacts, which serve both for communication with the sensor 10 and for supplying power to the additional module 1.
[0029] With reference to Fig. 2, the additional module 1 is designed as a local control unit 11 and can, as shown here by way of example, have a display 13, such as a screen, and control panels 14, such as pushbuttons. With reference to Fig. 3 is the additional module 1 as a remote control unit 13 in contact via a radio connection 15 with a cloud 16, which in turn is accessed by the control system 20 (see Fig. 4) or from the terminal devices 21 (see Fig. 4) can be accessed from. The add-on module 1, as a remote control unit 13, has a software module that can be located or stored either in the add-on module 1 itself or in the cloud 16. The software module enables the add-on module to be controlled via the radio connection 15 using other devices, provided access is authorized. Thus, the add-on module can be operated remotely from the control system 20 or a stationary and / or mobile device 21 via the cloud 16.
[0030] If the additional module 1 is assigned to a sensor 7 that does not correspond to the predetermined sensor 10 (in Fig. 2 and Fig. 3 (each the right sensor 7), the validation unit 3 of the additional module 1 detects unauthorized access, and sensor 7 is placed in a tamper-proof state in which it is locked against further operation and access to data processing. In this tamper-proof state, sensor 7 can still acquire measurement data; only external access to this data, i.e., communication between sensor 7 and, for example, the control system 20 (see Fig. 4) or a stationary and / or mobile device 21 (see Fig. 4) is prevented.
[0031] Fig. Figure 4 shows a sensor unit 9 configured as a sensor array 8, where the array 8 here exemplarily comprises five sensors 7. In general, a sensor array 8 can comprise at least two sensors 7. The sensors 7 within the sensor array 8 are communicatively connected to each other via wireless links, e.g., LoRaWAN, NB-IoT, Bluetooth, etc. Within the sensor array 8, one sensor 7 is assigned to the auxiliary module 1 and thus corresponds to the predetermined sensor 10. If the auxiliary module 1 is assigned to the correct sensor 10 in the sensor array 8, access to the data processing and / or parameterization of all sensors 7 in the array is enabled, and they can be parameterized via various communication channels, e.g., via the control system 20, a mobile device 21, or the cloud 16. Within the array 8, the auxiliary module 1 can access the other sensors 7 in the array 8 via the predetermined sensor 10 and its wireless connection.Alternatively, the additional module 1 can also be used via its own radio module 2 (see . Fig. 1) Communicate directly with the respective sensors 7 in the network 8 as long as it is assigned to the predetermined sensor 10. As soon as the assignment to the predetermined sensor is interrupted, access to all sensors 7 in the network 8 is blocked.
[0032] Fig. Figure 5 shows a schematic and functional representation of data transmission using the additional module 1, which also includes an encryption unit 17. The encryption unit 17 operates on the principle of blockchain technology. Using blockchain technology, the data received from the sensor, or optionally the data already recorded by the sensor, is encrypted and provided with a tamper-proof digital signature. The encrypted data set is then sent to another location, such as an end device 21 or a control unit 22, which is configured to verify that the data has not been manipulated and to decrypt the data again. This ensures that the data is protected from manipulation during data transmission, even if access is recognized as authorized.
[0033] Fig.Figure 6 shows a method 30 for controlling a sensor unit 9. As long as no additional module 1 is connected to the predetermined sensor 10, the sensor unit 9 operates normally. This means that all sensors 7 included in the sensor unit 9 acquire measured values and transmit them to the relevant locations, such as the control system 20, end devices 21, etc. (step S1). Furthermore, the method can be used to regularly check whether an additional module has been connected (step S2). As soon as an additional module 1 is connected, it is checked whether the additional module 1 is assigned to the sensor 7 to which it is connected (step S3). If it is determined that the additional module has been assigned to the predetermined sensor 10 among the sensors 7—that is, that the assignment is correct (y in S4)—parameterization of the sensors 7 can be enabled (step S5).During parameterization release, the system regularly checks whether the connection to add-on module 1 is still active (step S6). As long as this is the case (y in S6), the parameterization of sensors 7 remains enabled. If, in step S6, it is determined that the connection to add-on module 1 is interrupted (n in step S6), the parameterization of sensors 7 is locked (step S7), and sensors 7 are optionally placed in a tamper-proof state, with an error message optionally being output to the relevant points.
[0034] In the event that step S4 reveals that the assignment of the additional module 1 is incorrect, i.e., access is not authorized (n in step S4), the sensors 7 are put into a tamper-proof state and an error message is sent to the relevant locations, such as the control system 20, end devices 21, etc. (step S8).
[0035] It should be further noted that "comprehensive" and "comprising" do not exclude other elements or steps, and the indefinite articles "a" or "an" do not exclude a plurality. It should also be noted that features or steps described with reference to one of the above embodiments may also be used in combination with other features or steps of other embodiments described above. Reference numerals in the claims are not to be considered limitations.
Claims
[1] Additional module (1) for a sensor (7), such as a fill and / or level sensor, comprising: a coupling unit (6) which is configured to be communicatively coupled with at least one predetermined sensor (10), and a control unit (4) which is configured to enable and / or disable data processing of at least one predetermined sensor (10). [2] Additional module (1) according to claim 1, wherein the control unit (4) is further configured to enable and / or disable operation and / or parameterization of the sensor (7, 10). [3] Additional module (1) according to claim 1 or 2, further comprising a validation unit (3) which is configured to check a coupling to the at least one predetermined sensor (10). [4] Additional module (1) according to one of claims 1 to 3, further comprising an encryption unit (17) which is configured to encrypt the data received from the sensor (7, 10) and / or to provide it with a digital tamper-proof signature. [5] Additional module (1) according to one of claims 1 to 4, wherein the control unit (4) is configured to enable and / or disable the data processing of several sensors (7). [6] Additional module (1) according to one of claims 1 to 5, further comprising a power supply unit (5). [7] Sensor unit (9) for detecting a fill level and / or limit level, comprising: at least one sensor (7), and an additional module (1) according to any one of claims 1 to 6, wherein the additional module (1) is configured to enable and / or disable the data processing of at least one predetermined sensor (7). [8] Sensor unit (9) according to claim 7, wherein the additional module (1) is configured as a local control unit (11) or as a remote control unit (12). [9] Sensor unit (9) according to claim 7 or 8, wherein the additional module (1) and / or the sensor (7) has a visual display (13) for indicating a sensor protection status. [10] Sensor unit (9) according to one of claims 7 to 9, further comprising several sensors (7) which are configured to communicate with at least one predetermined sensor (10). [11] Sensor unit (9) according to claim 10, wherein the one additional module (1) is further configured to enable and / or disable the data processing of the multiple sensors (7). [12] Sensor unit (9) according to claim 10 or 11, wherein the control unit (4) is configured to change a control assignment of the additional module (1) to one of the several sensors (7) and of the at least one predetermined sensor (10) at freely definable time intervals and / or on demand. [13] Method (30) for controlling a sensor unit (9) according to any one of claims 7 to 12, wherein the method comprises the following steps: Operating at least one predetermined sensor (10) in normal operation, Pairing the additional module (1) with the at least one predetermined sensor (10), checking whether the additional module (1) and the sensor (10) are assigned to each other, and Enabling sensor settings and / or data processing of the sensor (10) when the add-on module (1) and the sensor (10) are assigned to each other, and / or Activating a tamper-proof state of the sensor (10), whereby at least the transmission of data received from the sensor (10) is prevented.