
Printed by Jouve, 75001 PARIS (FR)

(19) EP 3 101 581 A1

(11) EP 3 101 581 A1

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 07.12.2016 Bulletin 2016/49

(21) Application number: 16171606.3

(22) Date of filing: 27.05.2016

(51) Int Cl.: G06F 21/54 (2013.01) G06F 21/56 (2013.01)

(84) Designated Contracting States: AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

Designated Extension States: BA ME

Designated Validation States: MA MD

(30) Priority: 02.06.2015 US 201514728180

(71) Applicant: Rockwell Automation Technologies, Inc., Mayfield Heights, OH 44124 (US)

(72) Inventors:

• CHAND, Sujeet, Brookfield, WI Wisconsin 53045 (US)

• VASKO, David A., Hartland, WI 53029 (US)

• BOPPRE, Timothy P., Jackson, WI Wisconsin 53037 (US)

• SNYDER, David A., Waukesha, WI Wisconsin 53189 (US)

• NICOLL, Alex Laurence, Brookfield, WI Wisconsin 53045 (US)

• MCMULLEN, Brian J., Cedarburg, WI Wisconsin 53012 (US)

• SEGER, Daniel B., Kennesaw, WI Wisconsin 30152 (US)

• DART, John B., Nashotah, WI Wisconsin 53058 (US)

(74) Representative: Grünecker Patent- und Rechtsanwälte PartG mbB, Leopoldstraße 4, 80802 München (DE)

(54) SECURITY SYSTEM FOR INDUSTRIAL CONTROL INFRASTRUCTURE USING DYNAMIC SIGNATURES

(57) An industrial control system hardened against malicious activity monitors highly dynamic control data to develop a dynamic thumbprint that can be evaluated to detect deviations from normal behavior of a type that suggest tampering or other attacks. Evaluation of the dynamic thumbprint may employ a set of ranges defining normal operation and reflecting known patterns of interrelationship between dynamic variables.

Description

CROSS REFERENCE TO RELATED APPLICATION

BACKGROUND OF THE INVENTION

[0001] The present invention relates to industrial controllers controlling factory automation and/or industrial processes and in particular to a system providing enhanced security for industrial control systems against malicious acts.

[0002] Industrial control systems have traditionally been protected against tampering or malicious activity by the same safeguards used to protect the physical equipment of the factory or the like, that is, limiting physical access to the industrial controller and its associated equipment.

[0003] Modern industrial control systems employing distributed processing as well as network and Internet connections have greater exposure to attack. While such systems may be physically secured, more points of security must be established for distributed systems, and network connections to the Internet can render physical security irrelevant. Recent evidence is that access to industrial control systems through the Internet is being exploited by sophisticated and well-funded foreign nations or organizations. In one example, the United States Industrial Control System Cyber Emergency Response Team (ICS-CERT) has provided a warning related to malware (Black Energy) attacking the human machine interfaces (HMI) of programmable logic controllers used to manage and control industrial equipment. There is anecdotal evidence of successful Internet-based attacks directly on industrial control systems.

[0004] Unlike attacks on standard computer equipment and servers, attacks on industrial control systems can conceivably produce damage to physical property and risk to human life.

SUMMARY OF THE INVENTION

[0005] The present invention provides a system for increasing the security of industrial control systems by monitoring possible tampering that may only be evident in dynamically changing patterns of operation of the industrial control system.

[0006] In one embodiment, the invention is directed toward an industrial control system having multiple intercommunicating industrial control devices coordinated according to a control program. Each of multiple control devices may have one or more device network ports for communicating with other elements of the industrial control system and electrical connectors for accepting electrical conductors communicating with industrial equipment to receive or transmit electrical signals from or to that industrial equipment for the control of an industrial process.

[0007] The control devices also provide a control device processor communicating with an electronic memory system holding: operating software describing operation of the control device, a data table holding representations of the electrical signals of the electrical connectors and a diagnostic program providing outputs monitoring the operation of the control device. The data table and the outputs of the diagnostic program together define a dynamic device state.

[0008] The operating software executes to (i) read at least a portion of the dynamic device state to generate a dynamic signature, encrypt the dynamic signature, and transmit the dynamic signature over the network port.

[0009] The control system also provides a security controller having a controller network port for communicating with other elements of the industrial control system, a security controller processor communicating with the controller network port and a controller electronic memory system accessible by the security controller processor and holding a security program.

[0010] The security program executes to receive a dynamic signature from a given control device through the network port, decrypt the dynamic signature, analyze the dynamic signature against rules establishing a multi-value range of acceptable dynamic signature values, and provide an output indicating whether the received dynamic signature is outside the multi-value range of acceptable dynamic signature values.

[0011] It is thus a feature of at least one embodiment of the invention to provide a security-hardened dynamic thumbprint that can be used to detect malicious activity interfering with operation of the control system.

[0012] The portion of the dynamic device state may include data indicating electrical signals of the electrical connectors.

[0013] It is thus a feature of at least one embodiment of the invention to deduce possible tampering with both the control devices and the machinery to which they are attached by using an analysis of I/O signals from the control device.

[0014] The security program may execute to receive a dynamic signature from a multiple of given control devices through the network port and analyze the dynamic signature against integrated rules relating to the combined dynamic signatures and establishing a multi-value range of acceptable dynamic signature values.

[0015] It is thus a feature of at least one embodiment of the invention to provide the ability to detect malicious activity through the global analysis of disparate portions of the control system.

[0016] The dynamic signature may include multiple time varying quantities wherein the rules establish multi-value ranges for each quantity.

[0017] It is thus a feature of at least one embodiment of the invention to detect tampering from dynamic variables which do not conform to a static thumbprint through the use of ranges encompassing multiple values of the dynamic signature.

[0018] The multi-value ranges may vary as a function

of other varying quantities.

[0019] It is thus a feature of at least one embodiment of the invention to provide a set of sophisticated rules that may recognize correlations or interrelations among different variables.

[0020] The rules may be applied by a supervised machine learning system trained with dynamic signatures from a properly operating industrial control system.

[0021] It is thus a feature of at least one embodiment of the invention to provide a system that can manage the complexity of multiple dimensions of variables for an arbitrary control system providing insight into possible tampering.

[0022] The properly operating industrial control system may be determined at least in part by historical operation of the industrial control system.

[0023] It is thus a feature of at least one embodiment of the invention to provide a system that continues to learn during operation of the industrial control system.

[0024] The dynamic device state may include at least one of a timestamp, a digital signature, a device identification number, and a changing random code.

[0025] It is thus a feature of at least one embodiment of the invention to provide a method of reducing the risk of tampering with the transmitted dynamic device state during transmission.

[0026] The dynamic signature may include outputs from a diagnostic program monitoring operation of the control device.

[0027] It is thus a feature of at least one embodiment of the invention to monitor operating parameters such as CPU utilization, free memory, stack depth, port traffic over a predetermined interval and change in average port traffic that may indicate malicious activity of the nature of a denial of service attack overloading the control device.

[0028] The rules may be at least in part a function of calendar data indicating schedule changes in the industrial control system. Alternatively or in addition, the dynamic signature may include an operating mode of the control device selected from a run state indicating that the control device is running to execute a control program and a programming state indicating that the control device is being programmed with respect to a control program.

[0029] It is thus a feature of at least one embodiment of the invention to inform the rules with scheduled maintenance or changes during programming to reduce false positive alarms.

[0030] A first control device may produce a first dynamic signature and a second control device may receive the first dynamic signature and produce a second dynamic signature based on a dynamic device state of the second control device and the first dynamic signature and transmit the second dynamic signature over a control system communication port of the second control device.

[0031] It is thus a feature of at least one embodiment of the invention to permit a distributed processing of dynamic security data that can provide insight into analysis of the data and reduce the amount of data that needs to be transmitted.

[0032] These particular objects and advantages may apply to only some embodiments falling within the claims and thus do not define the scope of the invention.
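The rule evaluation described in [0010] and [0016] to [0029] can be made concrete with a small model: each quantity in a dynamic signature has an acceptable range, some ranges are derived from other quantities in the same signature, the operating mode and calendar context decide whether a rule applies at all, and an integrated rule spans the signatures of several devices. The following is an added example written for this page and is not code from the patent or from the applicant; every quantity name, device name, numeric limit and sample signature in it is constructed for illustration.

```python
"""Evaluating a dynamic signature against multi-value ranges (added example,
not code from the patent or the applicant; all names and limits constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Signature = Dict[str, float]  # quantity name -> value sampled from the device state


@dataclass
class RangeRule:
    """One rule: the quantity must lie within [low, high].

    'bounds' derives the pair from the whole signature, so a range can vary as a
    function of other quantities ([0018]). 'modes' lists the operating modes in
    which the rule applies and 'suppressed_by' the calendar events that silence it
    ([0028]-[0029]).
    """
    quantity: str
    bounds: Callable[[Signature], Tuple[float, float]]
    modes: Tuple[str, ...] = ("run", "programming")
    suppressed_by: Tuple[str, ...] = ()

    def check(self, sig, mode, events):
        if mode not in self.modes or any(e in events for e in self.suppressed_by):
            return None
        low, high = self.bounds(sig)
        value = sig.get(self.quantity)
        if value is None:
            return f"{self.quantity}: missing from signature"
        if not low <= value <= high:
            return f"{self.quantity}={value} outside [{low}, {high}]"
        return None


def fixed(low, high):
    """A range that does not depend on other quantities."""
    return lambda _sig: (low, high)


def evaluate(sig, rules, mode="run", events=()):
    """Return the violated rules as messages; an empty list means within range."""
    findings = []
    for rule in rules:
        msg = rule.check(sig, mode, events)
        if msg:
            findings.append(msg)
    return findings


def evaluate_integrated(sigs):
    """Integrated rule over the combined signatures of two devices ([0014]):
    constructed assumption that two coupled conveyor drives run within 5 %."""
    a, b = sigs["drive_in"], sigs["drive_out"]
    if abs(a["conveyor_speed_rpm"] - b["conveyor_speed_rpm"]) > 0.05 * a["conveyor_speed_rpm"]:
        return ["drive_in/drive_out: conveyor speeds disagree by more than 5 %"]
    return []


# Constructed rule set for one device. Diagnostic outputs ([0027]) get absolute
# ceilings; the conveyor speed range follows the commanded setpoint; firmware
# writes are only acceptable while programming or in a maintenance window.
RULES = [
    RangeRule("cpu_util_pct", fixed(5, 60)),
    RangeRule("free_mem_kb", fixed(64, 512)),
    RangeRule("port_pkts_per_s", fixed(0, 400)),
    RangeRule("delta_avg_port_pkts", fixed(-50, 50)),
    RangeRule("conveyor_speed_rpm",
              lambda s: (s["speed_setpoint_rpm"] * 9 / 10, s["speed_setpoint_rpm"] * 11 / 10)),
    RangeRule("firmware_writes", fixed(0, 0), modes=("run",),
              suppressed_by=("maintenance_window",)),
]

# Constructed sample signatures.
NORMAL = {"cpu_util_pct": 23, "free_mem_kb": 300, "port_pkts_per_s": 120,
          "delta_avg_port_pkts": 4, "speed_setpoint_rpm": 1200,
          "conveyor_speed_rpm": 1185, "firmware_writes": 0}
FLOOD = dict(NORMAL, cpu_util_pct=97, port_pkts_per_s=2900, delta_avg_port_pkts=2780)
DRIFT = dict(NORMAL, conveyor_speed_rpm=1400)   # plausible on its own, not against the setpoint
REFLASH = dict(NORMAL, firmware_writes=1)

if __name__ == "__main__":
    for name, sig in (("normal", NORMAL), ("flood", FLOOD), ("drift", DRIFT), ("reflash", REFLASH)):
        print(name, evaluate(sig, RULES))
    print("reflash while programming", evaluate(REFLASH, RULES, mode="programming"))
```

The point of `DRIFT` is that a static bound on conveyor speed alone would pass 1400 rpm; only the range tied to the setpoint flags it, which is the interrelationship between dynamic variables the summary describes. The `mode` and `events` parameters are the places where the run/programming state and calendar data of [0028] enter the evaluation.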

BRIEF DESCRIPTION OF THE DRAWINGS

[0033]

Fig. 1 is a simplified industrial control system showing multiple controllers, distributed control modules, connections to the Internet and supervisory systems suitable for use with the present invention;

Fig. 2 is a functional diagram of an example control device showing various functional components whose data may be incorporated into a thumbprint revealing the security state of those components;

Fig. 3 is a functional diagram of a security device and a security template used in managing the security signatures generated by the control devices;

Fig. 4 is a flowchart depicting the steps of populating the security template of Fig. 3 from various device files;

Fig. 5 is a flow chart of a configuration tool executed by the controller of Fig. 3 or other security device in configuring a security system of the present invention and the operation of a security-processing program;

Fig. 6 is a flowchart of the steps executed by the security-processing program after configuration in executing a response script;

Fig. 7 is a logical representation of the significance matrix for analyzing the significance of detected errors;

Fig. 8 is a logical representation of the notification tree providing different notifications depending on their significance levels and responses from notified individuals;

Fig. 9 is a figure similar to that of Fig. 2 showing the development of a dynamic thumbprint;

Fig. 10 is a logical representation of the hierarchy of the industrial control system of Fig. 1 showing the passing of context information upward through the hierarchy for the processing of dynamic thumbprint data;

Fig. 11 is a translation table for translating local variable names into the template variable names;

Fig. 12 is a process diagram of the training of the supervised machine learning system for analyzing dynamic thumbprints;

Fig. 13 is a flowchart of an authorization protocol used to prevent unauthorized changes in the control hardware; and

Fig. 14 is a simplified depiction of a global display of security status.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Example Control System

[0034] Referring now to Fig. 1, an industrial control system 10 suitable for application of the present invention may provide one or more controllers 12a, 12b, operating to execute a control program for the control of an industrial process 14 as is generally understood in the art. The industrial process, for example, may coordinate a set of machines on an assembly line or the like, or interact with actuators and sensors of plant processing materials to control that process, or conduct other similar control applications.

[0035] The industrial controllers 12 may communicate downstream with one or more control devices 16a-16c providing a direct interface to the elements of the industrial process 14. Such control devices 16 may include, by way of non-limiting example, one or more I/O modules 16a providing input and output lines 18 to and from the industrial process 14 allowing communication with sensors 20 and actuators 22. Other example control devices 16 may be a motor controller 16b controlling power applied to electric motor 23, or motor drives 16c providing more sophisticated motor control, for example, by synthesizing power waveforms to a motor 23.

[0036] The industrial controllers 12 may communicate with the control devices 16 by means of an industrial control network 24 such as the Common Industrial Protocol (CIP™), EtherNet/IP™, DeviceNet™, CompoNet™, and ControlNet™ managed by the standards organization, ODVA, of Michigan, USA. Such networks provide for high reliability transmission of data in real time and may provide features ensuring timely delivery, for example, by pre-scheduling communication resources such as network bandwidth, network buffers, and the like.

[0037] The industrial controller 12 may also communicate upstream, through a data network 26 (which may, but need not be an industrial control network) via one or more routers or switches 28, with a central computer system 30. This latter supervisory computer system 30 may further communicate via the Internet 32 with remote devices 34 such as computer terminals, mobile wireless devices, and the like. Alternatively, there may be a direct connection between the industrial controller 12 and the Internet 32.

[0038] As is generally understood in the art, each of the control devices 16, industrial controllers 12, switches 28, computer systems 30 and remote devices 34 may provide one or more electronic processors and associated electronic memory holding programs executable by the processors, some of which are described below.

[0039] Referring now to Figs. 1 and 2, a representative control device 16 provides for I/O conductors 36, for example, wires communicating with sensors 20, actuators 22, motors 23, or the like. These I/O conductors 36 may be releasably connected to the control device 16 via one or more terminal or connector systems 38, for example, screw terminals. The connector system 38 in turn may communicate with a connection management circuit 40 which can detect, for example, the presence or absence of a conductor 36 attached to the connector system 38, for example, by monitoring a current loop or by monitoring an applied voltage or the like, or a broken wire or "stuck at" fault by monitoring an absence of signal state change over a predetermined time period or during application of a test signal.

[0040] Signals from the conductors 36 pass through the connector system 38 and connection management circuit 40 and are acquired and stored in an I/O table 42 being part of onboard computer memory 45 comprised of volatile and nonvolatile memory structures. Signals to be output from the control device 16 may be also stored in the I/O table 42 prior to transmission on the conductors 36.

[0041] A processor 44 within the control device 16 may execute a control program 46, for example, held in volatile memory, as mediated by operating system 48, for example, being firmware held in nonvolatile memory. The control program 46 may process inputs received from conductors 36 as stored in I/O table 42. These inputs may be transmitted to an industrial controller 12 via a network interface 54 allowing communication on the network 24 for processing by a control program held in the industrial controller 12. The control program 46 and the operating system 48 may be implemented as either firmware or software or a combination of both.

[0042] Conversely, the control program 46 of the control device 16 may also execute to receive outputs from the industrial controller 12 through the network interface 54 to generate output values written to the I/O table 42 and ultimately output over conductors 36. The control program 46 may also or alternatively execute some control logic to generate its own outputs from received inputs.

[0043] In one embodiment of the present invention, the control device 16 also holds in memory 45 a security program 58 that provides for generating a "thumbprint" according to a thumbprint table 62 and a defense script 64, both of which will be discussed further below.

Static Signatures

[0044] The control device 16 may employ a variety of data structures that reflect the status of the control device, its configuration, and the authenticity of its programs.

[0045] The control program 46 and the operating system 48 may include information such as a revision number and digital signature 49, for example, the latter using public-key or similar techniques such as asymmetric encryption and cryptographically secure hash functions, that allow determination that the associated firmware or software is from a trusted or valid source.

[0046] Generally, the revision number need not be a single revision number, but could include an aggregated set of revision numbers representing a set of different

revision numbers, for example, from different components of the software or from affiliated software or a chain of sequential revisions. Revision numbers may also be associated with firmware or hardware of the device, as will be discussed below.

[0047] In addition, the entire data set of the control program 46 and the operating system 48 may be hashed or otherwise digested to a reduced size sub-thumbprint as will be described below. This digesting process is strictly distinguishable from compression in that the latter anticipates a de-compression or recovery step, but as used herein this digesting process will generally be referred to both as a digesting and/or a compression with this distinction understood.

[0048] A hardware configuration register 50 (implemented in volatile or nonvolatile memory 45 and/or as physical switch positions) may hold settings for controlling the operation of the control device 16 and may additionally provide manufacturing data about the control device 16 including, for example, a serial number, module function type, manufacturer name, manufacture date, and the like. In addition, the hardware configuration register may provide for a read-only memory including an encrypted certification code embedded by the manufacturer indicating authenticity of the hardware. The hardware configuration registers may further provide a storage location for output data from one or more diagnostic programs implemented by the operating system 48, for example, those that indicate memory or other faults, instruction execution speed, memory capacity or checksum results. In one embodiment, the diagnostic program outputs CPU utilization, free memory, and stack depth. The diagnostic program may also monitor network communication including port traffic over a predetermined interval and/or change in average port traffic such as may indicate a denial of service type attack.

[0049] A transaction log 52 also held in memory 45 may record certain activities affecting the control device 16, for example, the act of uploading of new control program 46 and/or operating system 48 or changes in switch settings stored in the hardware registers 50, and may record these activities, the time at which they occurred and the source of the change, for example, including identity of an authorized individual.

[0050] Referring still to Fig. 2, during operation of the control device 16, under the control of the security program 58, a digital operating thumbprint 70 may be periodically generated and transmitted to a security device 31, for example, one of the industrial controllers 12 or the computer system 30. This operating thumbprint 70 ideally captures portions of the data structure described above that can be used to determine whether they have been tampered with or corrupted in some fashion. For maximum flexibility, the contents of the digital operating thumbprint 70 may vary according to a thumbprint table 62 which provides for various transmission modes 72 each associated with different digital thumbprints 70 having different amounts of information and thus representing different degrees of size reduction of the state data of the control device 16. As such, these different digital operating thumbprints 70 provide a trade-off between thumbprint detail and computational and transmission burden.

[0051] Generally, the operating thumbprint 70 for each mode 72 of the thumbprint table 62 designates a specific set of thumbprint source data 74, for example, the control program 46, the firmware operating system 48, the configuration register 50, and environmental data held in various components of the control device 16 including the wire connection states of the connection management circuit 40, its address and/or location in the factory environment (for example held in communication or memory modules), operating temperature and the like from distributed internal sensors. In one example mode 72, the entire data set from each of the sources is reduced to a digest, for example, using a cyclic redundancy code or hash compression, and these compressed representations are assembled to generate one or more digital operating thumbprints 70. The compression process may be loss-less or lossy but need not allow reconstruction of the digested data.

[0052] This digital operating thumbprint 70 is then transmitted to the remote security-monitoring device where it is compared with a corresponding stored thumbprint to establish within a reasonable probability according to the digest scheme that the source data 74 of the control device 16 has not been modified or tampered with.

[0053] In different modes 72, the amount of data size reduction provided in the thumbprint table 62 may be reduced or each of the source data 74 compressed separately so that an analysis of the operating thumbprint 70 may reveal the particular source data 74 that has changed or been corrupted. Thus, for example, each of the control program 46 and operating system 48 may be separately compressed into a sub-thumbprint 78. Mismatches in the comparison of the sub-thumbprint 78 and its corresponding copy at the security device 31 allow for determination of which of the structures of a control program 46 and operating system 48 have changed as opposed to there being simply a change in one of the two programs. The importance of this will be explained below with respect to determining the significance of any mismatch in the thumbprints. Similarly, the wire-off information of the connection management circuit 40 and hardware registers 50 may be transmitted without compression (e.g., as uncompressed sub-thumbprints 78) so any detected change in the sub-thumbprint 78 immediately indicates which wire has been disconnected or which hardware value has changed.

[0054] The operating thumbprint 70 may also include a digital signature 82, allowing the detection of tampering of the operating thumbprint 70 after it has been transmitted from the control device 16. In this respect the operating thumbprint 70 may include a timestamp 79, a sequence value or randomly generated value 83 that may be synchronously developed at a receiving security device 31 (for example, by a clock or similar algorithm) so that an operating thumbprint 70 may not be intercepted and replaced to spoof the security device 31 into believing that an operating thumbprint 70 has been sent or a different operating thumbprint 70 has been sent. The timestamp 79 and the sequence value or randomly generated value 83 encoded in the operating thumbprint 70 prevent ready substitution of values in an intercepted operating thumbprint 70. The operating thumbprint 70 may also include a device identification number 71 that allows the particular control device 16 sourcing the thumbprint to be positively determined.

[0055] The operating thumbprint 70 has been described only with respect to control devices 16, but it will be understood that every element of the control system 10 may develop these thumbprints which may be passed upward to a security device 31. Thus the controllers 12 may also generate thumbprints when the security device 31 is computer system 30. The exact content and compression of the thumbprint 70 will be device-specific.

[0056] Referring now to Fig. 3, the security device 31 managing the analysis of the operating thumbprints 70 will generally include a network interface card 84 communicating with the network 24 to receive the operating thumbprint 70 on a periodic basis, for example, as pushed from the control devices 16 or in response to a poll from the security device 31. In one embodiment, the polling from the security device 31 is done on a periodic basis, for example, timed from the last transmitted message from the control device 16. In this way, the control devices 16 may also assess the health or security of the system if necessary when a polling has not been performed after a predetermined time.
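Paragraphs [0050] to [0054] describe the operating thumbprint as a bundle of per-source digests plus uncompressed wire states, bound to a device id, timestamp and sequence value under a signature, and [0052] to [0053] describe the security device comparing it against a stored copy so that a mismatch names the source that changed. The following added example, written for this page and not code from the patent or the applicant, walks through both sides of that exchange. It assumes an HMAC over a shared per-device key as the signature 82 (the patent leaves the choice of public-key or similar technique open), SHA-256 as the digest, a JSON encoding of the thumbprint, and a 30-second clock tolerance; the key, source bytes, wire names and device name are constructed.

```python
"""Operating thumbprint with sub-thumbprints and replay protection (added
example, not code from the patent or the applicant; key and data constructed)."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: per-device shared key provisioned at commissioning


def digest(data: bytes) -> str:
    """Sub-thumbprint 78: a digest of one source, not reversible ([0047], [0051])."""
    return hashlib.sha256(data).hexdigest()


def make_thumbprint(device_id, sources, wire_states, seq, ts, key=KEY):
    """Control-device side: assemble and sign an operating thumbprint 70.

    sources:     {"control_program": bytes, ...}, each digested separately ([0053])
    wire_states: {"IN0": True, ...}, sent uncompressed so a change names the wire
    """
    body = {
        "device_id": device_id,   # 71: positively identifies the source device
        "timestamp": ts,          # 79
        "sequence": seq,          # 83: monotonic value the receiver tracks
        "sub": {name: digest(blob) for name, blob in sources.items()},
        "wires": dict(wire_states),
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    body["signature"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()  # 82
    return body


class SecurityDevice:
    """Security-device side (31): verify the thumbprint and compare it with the
    stored thumbprint 100 for that device."""

    def __init__(self, stored, key=KEY, max_skew=30):
        self.stored = stored      # device_id -> {"sub": {...}, "wires": {...}}
        self.last_seq = {}        # highest sequence accepted per device
        self.key = key
        self.max_skew = max_skew  # assumption: tolerated clock difference in seconds

    def verify(self, tp, now):
        """Return findings; an empty list means the thumbprint matches the stored one."""
        body = {k: v for k, v in tp.items() if k != "signature"}
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tp.get("signature", "")):
            return ["signature invalid: thumbprint altered in transit or not from a known device"]
        dev = tp["device_id"]
        if dev not in self.stored:
            return [f"unknown device {dev}"]
        if abs(now - tp["timestamp"]) > self.max_skew:
            return [f"{dev}: stale timestamp"]
        if tp["sequence"] <= self.last_seq.get(dev, -1):
            return [f"{dev}: replayed sequence {tp['sequence']}"]
        self.last_seq[dev] = tp["sequence"]

        findings = []
        ref = self.stored[dev]
        for name, h in tp["sub"].items():       # which source changed ([0053])
            if ref["sub"].get(name) != h:
                findings.append(f"{dev}: {name} sub-thumbprint changed")
        for wire, state in tp["wires"].items():  # which wire went off
            if ref["wires"].get(wire) != state:
                findings.append(f"{dev}: wire {wire} state changed")
        return findings


# Constructed device state captured at commissioning and kept as stored thumbprint 100.
GOOD_SOURCES = {"control_program": b"LD X0; OUT Y0", "operating_system": b"fw 2.1.0",
                "hardware_registers": b"SN=0001;MODE=A"}
GOOD_WIRES = {"IN0": True, "IN1": True, "OUT0": True}
STORED = {"io_module_1": {"sub": {k: digest(v) for k, v in GOOD_SOURCES.items()},
                          "wires": dict(GOOD_WIRES)}}


def demo():
    """Run the four cases a practitioner would check and return the findings per case."""
    sd = SecurityDevice(STORED)
    out = {}
    tp = make_thumbprint("io_module_1", GOOD_SOURCES, GOOD_WIRES, seq=1, ts=1000)
    out["clean"] = sd.verify(tp, now=1005)
    out["replay"] = sd.verify(tp, now=1006)  # same message delivered again
    altered = dict(tp, wires={"IN0": False, "IN1": True, "OUT0": True})
    out["altered_in_transit"] = sd.verify(altered, now=1010)  # body changed, signature not
    changed = dict(GOOD_SOURCES, control_program=b"LD X0; OUT Y1")
    tp2 = make_thumbprint("io_module_1", changed,
                          {"IN0": False, "IN1": True, "OUT0": True}, seq=2, ts=1020)
    out["changed_program_and_wire"] = sd.verify(tp2, now=1021)
    return out


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

The order of checks matters: the signature is verified before any field is trusted, the freshness and sequence checks reject a replayed or stale thumbprint before it can be compared, and only then are the sub-thumbprints compared so that the report names the changed source or wire rather than only reporting "mismatch". The `changed_program_and_wire` case shows why [0053] sends wire states uncompressed: the finding can identify `IN0` directly.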
The polling may be done by em-ploying authentication certificate using a public-key en-cryption or the like to prevent spoofing of this polling proc-ess.[0057] Generally, the security device 31 also includesa processor system 86 and a memory 88 holding a se-curity-processing program 90, as will be described, anda populated security table 92 used for security analysis.[0058] The populated security table 92 may provide anentry for each control device 16 as indicated by entryfield 94. The populated security table 92 may also pro-vide, for each signature mode 72, thumbprint data 98including a stored thumbprint 100 for that signature mode72, previous valid thumbprints 108, and a thumbprint map110. A timestamp value 102 may be stored in the securitytable 92 or an associated data structure to indicate thereceived time of the latest copy of a valid operatingthumbprint 70 from a given control device 16, and a no-tification tree 104 may be provided which provides con-tact information for notifications of security issues as willbe discussed below.[0059] The thumbprint map 110 may generally identifyeach of the sub-thumbprints 78 by the function 112 ofthe source data 74 (for example: operating system 48,control program 46, hardware registers 50) and will givea weight 114 indicating the significance of a possible mis-

match between stored thumbprint 100 and received thumbprints 70 or sub-thumbprint 78. The thumbprint map 110 may also provide a response script 118 indicating possible responses to a detected mismatch between the operating thumbprint 70 and the stored thumbprint 100. Clearly the number of sub-thumbprints 78 and hence the number of thumbprint maps 110 will vary depending on the particular mode 72.

[0060] Referring now to Fig. 4, the information of the populated security table 92 may be rapidly generated by selecting from a number of standard security templates 120 being generally defined for different generic types of control systems 10. For example, a given packaging line providing for relatively standard control devices 16 may provide a standardized template 120.

[0061] Each template 120 may provide for generic programs 121 for each of the components of the industrial control system 10 including a generic control program 123 for one or more controllers 12 and generic device programs 125 and security programs 131 for one or more associated control devices 16. The generic programs 121 will define generic I/O points that allow for electrical communication to sensors or actuators of an industrial process 14 using generic names. As will be discussed below, these generic I/O points may be modified by the user to link them to actual physical I/O in a configured industrial control system. Afterwards the modified generic control program 123 and modified device programs 125 may be loaded into the associated physical components to provide for a rapidly configured security system.

[0062] The standardized template 120 may also be associated with a security-monitoring program 129 that may be uploaded into the supervisory computer system 30 (shown in Fig. 1) for communicating with the security programs 131 to coordinate the security process.

[0063] Once a standardized template 120 is selected, the generation of a populated template may be performed by a template crafting program 126 executed, for example, on the computer system 30 or a controller 12 during the commissioning of the control system 10 as indicated by process block 130. Each standardized template 120 will have pre-populated elements 122 based on the assumed underlying process, and will also require additional information for the particular industrial process 14. For example, some of the pre-populated elements 122 may identify general functional blocks needed for the control system 10 of the type assumed by the template 120. The user may then select among specific device files 124 representing a particular control device 16, for example, a given model number of motor controller that meets a functional block requirement (e.g., generic motor controller) of the standardized template 120 but provides specifics with respect to the particular device. Incorporation of device files 124 into the standardized template 120 is indicated by process block 132. In some embodiments, the specific device files 124 may provide their own versions or modifications or patches to the generic device programs 125 or security programs 131. Generally hardware manufacturers may supply the necessary device files 124.

[0064] Standardized template 120 will also include the elements of the security table 92 as discussed above which may be used by the security-monitoring program 129. Generic elements of the security table 92 may be supplemented by data manually added or edited by the user within the framework provided, for example, to create the notification tree 104, indicating people to be notified in the event of the thumbprint mismatch. Some pre-populated elements, for example, weights 114 that are ascribed to a particular control device 16 or sub-thumbprint 78, may be modified or may assume a default value from the standardized template 120. These editing changes are indicated by process block 134.

[0065] Referring to Figs. 4 and 11, as noted above, in order for the pre-established security templates 120 to provide for rules that work not only with the generic process of the security template 120 but also with an actual control process, the process of populating the template values per process block 134 may employ a template translation table 208 which links standardized template device names 220 for generic control devices to actual device names 219 for the actual control devices 16 of the industrial control system 10. This linking may be performed at a time of commissioning per process block 136 guided by corresponding functions 217 describing the functions of the generic control devices associated with the standardized device names 220.
The standardized template device names 220 built into predefined rules associated with the security templates 120, as described below, may then be mapped to the actual device names 219 so that the predefined security rules of the security templates 120 may apply to the devices of the particular application without the need to develop the rules for each different application.

[0066] Also at process block 136, particular generic functions implemented by various input or output variables may be identified by particular tag names used in a given control program 46, for example, so that the security device 31 may interpret the function implemented by a particular conductor 36 should it become disconnected from connector system 38, so that a generated report to a user can indicate the function that was lost, not simply an arbitrary wire number. The standardized security templates 120 allow the benefits of a detailed vulnerability analysis of the given types of control systems, identifying likely failures, the significance of those failures and the response to those failures indicated by mismatched thumbprints 70, to be leveraged among many installations and many users. When the standardized template 120 is fully populated at process block 137, it may be uploaded to the security device 31 and the security-processing program 90 activated.

[0067] Referring now to Fig. 5, before the industrial control system 10 is put into use, the control system 10 may be configured, as indicated by process block 140, during which the various components may be interconnected by the network 24, the necessary control program 46 loaded into control devices 16, hardware register values 50 and other components initialized, and the populated security table 92 loaded and installed.

[0068] At process block 142 public keys or similar security keys such as asymmetric encryption keys may be created and distributed to the components of the industrial control system 10 (e.g., the control devices 16, the controllers 12, etc.) to allow for the attachment of digital signatures in the exchange of data described above with respect to the thumbprints 70. At process block 144, the populated device templates 120 generated for the security device 31 are loaded with the stored thumbprint 100 of each of the components of the system 10.

[0069] During general operation of the control system 10, thumbprints 70 are solicited from or pushed by the control device 16 to the security device 31, as indicated by process block 146, where they are compared as indicated by decision block 148 with the stored thumbprint 100 for the proper mode 72. This comparison is according to the particular control device 16 from which the operating thumbprint 70 is received. If the operating thumbprint 70 matches the stored thumbprint 100, then after a delay indicated by process block 150 this process is repeated so that any potential tampering or failure of the control devices 16 may be identified in near real-time. In the event that there is a mismatch between the received thumbprints 70 and the corresponding stored thumbprint 100 in the populated security table 92, then the security-processing program 90, at decision block 148, proceeds to process block 154 and one of a number of different responses from response script 118 may be implemented.
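The exchange of process blocks 142-148 (keys distributed to devices, signed thumbprints 70 pushed to the security device 31, comparison against the stored thumbprint 100 for the current mode 72), as an added example that is not part of the patent. It assumes HMAC-SHA256 with a constructed per-device key as a stand-in for the asymmetric digital signature, and it also keeps a second copy of the stored table so that tampering with the stored thumbprints themselves can be noticed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device keys. They stand in for the keys distributed at
# process block 142; the patent contemplates asymmetric keys, which the
# standard library cannot sign with, so HMAC-SHA256 is the signature
# stand-in used throughout this example (an assumption, not the patent's method).
DEVICE_KEYS = {
    "motor-ctl-16a": b"constructed-key-16a",
    "valve-ctl-16b": b"constructed-key-16b",
}


def compute_thumbprint(components):
    """Operating thumbprint 70 of one control device: a digest over its
    thumbprinted components (control program, firmware, hardware registers),
    hashed in a fixed name order so the result is reproducible."""
    h = hashlib.sha256()
    for name in sorted(components):
        h.update(name.encode())
        h.update(b"\x00")
        h.update(components[name])
        h.update(b"\x00")
    return h.hexdigest()


def _canonical(message):
    # Everything except the signature field, serialised deterministically.
    body = {k: v for k, v in message.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_thumbprint(device_id, mode, thumbprint, key, timestamp, nonce=None):
    """Device side: attach device id, mode 72, timestamp, nonce and signature."""
    message = {
        "device": device_id,
        "mode": mode,
        "thumbprint": thumbprint,
        "ts": timestamp,
        "nonce": nonce if nonce is not None else secrets.token_hex(8),
    }
    message["sig"] = hmac.new(key, _canonical(message), hashlib.sha256).hexdigest()
    return message


class SecurityDevice:
    """Security device 31 side of decision block 148."""

    def __init__(self, keys, stored_thumbprints, max_age=30):
        self.keys = keys
        # stored thumbprints 100 keyed by (device, mode 72)
        self.stored = dict(stored_thumbprints)
        # second storage location used to detect tampering with the stored table
        self.snapshot = dict(stored_thumbprints)
        self.max_age = max_age          # seconds a signed thumbprint stays fresh
        self.seen_nonces = set()

    def verify(self, message, now):
        """Check signature, freshness and replay before trusting the content."""
        key = self.keys.get(message.get("device"))
        if key is None:
            return "unknown-device"
        expected = hmac.new(key, _canonical(message), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("sig", "")):
            return "bad-signature"
        if abs(now - message["ts"]) > self.max_age:
            return "stale"
        if message["nonce"] in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(message["nonce"])
        return "ok"

    def check(self, message, now):
        """Return 'match', 'mismatch', or the reason the message was rejected."""
        status = self.verify(message, now)
        if status != "ok":
            return status
        stored = self.stored.get((message["device"], message["mode"]))
        if stored is None:
            return "no-stored-thumbprint"
        return "match" if hmac.compare_digest(stored, message["thumbprint"]) else "mismatch"

    def stored_table_intact(self):
        """Periodic comparison of the stored thumbprints against their earlier copy."""
        return self.stored == self.snapshot
```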
This detection may be in real time or may occur on a regularly or randomly scheduled basis.

[0070] It is contemplated that the stored thumbprints 100 may also be subject to periodic comparison to other stored values, for example their values at an earlier time, as held in a second storage location to detect possible tampering with the stored thumbprint 100. That is, a tracking of the history of the security thumbprints 100 may be performed and any mismatch detected in this tracking may also invoke a response according to process block 154.

[0071] Referring now to Fig. 6, in the event of a mismatch at decision block 148, the security-processing program 90 will generally implement the response script 118 that may be stored in the populated security table 92. This response script 118 may perform a number of different tasks including: generating notification reports per process block 156, performing additional data collection per process block 158, assessing a significance of the mismatch at process block 160, and taking mitigating or defensive actions at process block 162. Each particular step is optional and whether it will be performed is determined by the particular response script 118. Each of the process blocks 156-162 may be repeated in a loop so that the response and analysis constantly evolves with additional information and possibly other changes in the system.

[0072] The reporting of process block 156 may provide for notifications to individuals or groups in a notification tree 104 of Fig. 3 per process block 164. Referring momentarily to Fig. 8, in one embodiment, notification tree 104 may provide multiple entries each associated with a significance level 166 of the mismatch. Each significance level is linked to an acknowledgment level 169 and contact information 175. The acknowledgment level 169 may indicate whether a contact individual has acknowledged receipt of that contact. Generally, the contact information 175 may be a network address, a human machine interface, an e-mail address, a mobile device contact number, or any of a variety of different methods of communicating a problem to individuals or groups of individuals and/or other devices including controllers 12 or factory indicators such as lights and beacons.

[0073] The notifications, when to individuals, may be, for example, via e-mail messages or served as a web page and may provide, for example, a graphical display (shown in Fig. 14) that indicates each of the functional elements 300 of the industrial control system 10 and its status with respect to errors in thumbprints 70, severity of errors, the timing or sequence of errors, and mitigating actions, for example, by color. This information may also be displayed locally on a human machine interface or the like to provide an immediate snapshot of system security in the vicinity of the controlled equipment.

[0074] For a first mismatch, at a first iteration of the loop of process blocks 156-162, the significance level 166 will be zero because significance has not yet been determined at process block 160.
The context for this low significance level may be limited to individuals in charge of routine maintenance or the like or simply to a log file. For example, minor mismatches in thumbprints or sub-thumbprints may be reported only to technical individuals in charge of maintaining the system and may be indicated to be low priority, whereas more significant mismatches may provide reports with urgent designations to fast responders and supervisors. As additional mismatches occur and as the loop is executed multiple times, the significance level 166 may rise and the particular contact information 175 identifying individuals to be contacted will change according to the significance of the mismatch and whether or not one or more parties has responded or acknowledged receipt of the notification. In one response script 118, if no parties acknowledge receipt of the notification in a given period of time, the significance level 166 will rise so that additional contacts may be added or different people may be notified depending on the severity of the potential problem, as will be discussed below.

[0075] The reporting of process block 156 may also provide a system alert update being a globally available system security value that may be read by other security devices 31 to allow coordinated effort. This system alert update, indicated by process block 167, may provide information about the mismatch, including any detailed information of the mismatch components, its significance level 166 and possible additional steps being taken. As will be discussed below, the system alert status from other security devices 31 or generated by other control devices 16 in different response scripts 118 may also be considered with respect to setting the significance level 166 of a particular mismatch. By understanding multiple disparate mismatches, a more nuanced view of the significance of the local mismatch can be determined.

[0076] At data collection process block 158, additional data may be collected with respect to the mismatch signature, typically driven by the significance level 166 but also driven by the type of mismatch. Most notably a finer-grained operating thumbprint 70 may be obtained (e.g., more sub-thumbprints 78), as indicated by process block 168, based on identification of the coarse operating thumbprint 70. Thus, for example, if the operating thumbprint 70 has very low granularity indicating only a mismatch in data of a collective group of data structures, the fine-grained data collection of process block 168 will provide for a more partitioned sub-thumbprint 78 so that the location of the particular mismatch may be better identified, for example, to a particular data structure or device. This escalation of the detail provided by the thumbprint allows a trade-off between knowledge about the specific problem and the network overhead necessary to communicate the thumbprints to be flexibly set.

[0077] At process block 170 of data collection process block 158, transaction logs 52 may be collected to prevent loss or damage of those transaction logs 52 and to allow analysis of the transaction logs 52 such as may indicate a source of the error (for example, a given human operator making changes to the system). The transaction logs 52 may also inform possible mitigating steps, as will be discussed below, for example, locking out certain personnel from changing the software of the control devices 16.
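The notification tree 104 of Fig. 8 and the escalation described in paragraphs [0072] through [0075] (contacts per significance level 166, acknowledgment level 169, a rising level when nobody acknowledges within a period, and the system alert update of process block 167), as an added example that is not part of the patent. Contact labels and timeouts are constructed; times are plain integer seconds.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TreeEntry:
    """One row of notification tree 104: who is contacted at a given
    significance level 166 and how long they have to acknowledge."""
    significance: int
    contacts: tuple          # contact information 175 (constructed labels)
    ack_timeout: int         # seconds before an unacknowledged notice escalates


@dataclass
class Notice:
    mismatch_id: str
    significance: int
    contact: str
    sent_at: int
    acknowledged_at: Optional[int] = None   # acknowledgment level 169


class NotificationTree:
    def __init__(self, entries):
        self.entries = {e.significance: e for e in entries}
        self.max_level = max(self.entries)
        self.notices = []

    def notify(self, mismatch_id, significance, now):
        """Process block 164: send the mismatch to every contact listed for
        its current significance level; returns the contacts reached."""
        entry = self.entries[min(significance, self.max_level)]
        already = {n.contact for n in self.notices if n.mismatch_id == mismatch_id}
        reached = []
        for contact in entry.contacts:
            if contact in already:
                continue        # do not re-page someone already holding the notice
            self.notices.append(Notice(mismatch_id, entry.significance, contact, now))
            reached.append(contact)
        return reached

    def acknowledge(self, mismatch_id, contact, now):
        for n in self.notices:
            if n.mismatch_id == mismatch_id and n.contact == contact and n.acknowledged_at is None:
                n.acknowledged_at = now
                return True
        return False

    def escalate_unacknowledged(self, mismatch_id, significance, now):
        """Raise the significance by one level when nobody at the current
        level has acknowledged within that level's timeout."""
        level = min(significance, self.max_level)
        entry = self.entries[level]
        pending = [n for n in self.notices
                   if n.mismatch_id == mismatch_id and n.significance == level]
        if not pending or level >= self.max_level:
            return level
        if any(n.acknowledged_at is not None for n in pending):
            return level
        if all(now - n.sent_at >= entry.ack_timeout for n in pending):
            return level + 1
        return level

    def system_alert(self):
        """Process block 167: highest significance of any mismatch whose
        notices at its current level are all unacknowledged (0 when none)."""
        alert = 0
        for mismatch_id in {n.mismatch_id for n in self.notices}:
            own = [n for n in self.notices if n.mismatch_id == mismatch_id]
            top = max(n.significance for n in own)
            if not any(n.acknowledged_at is not None for n in own if n.significance == top):
                alert = max(alert, top)
        return alert
```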
At process block 173, the system significance level 166 may be read in order to gain an understanding of all possible control devices 16 experiencing signature mismatches (that have uploaded system alerts at process block 167) and to adjust the data collection level.

[0078] The invention contemplates that some response scripts will operate in a "stealth" mode in which data is collected and possibly stored for a long period of time on activities that do not justify alarms or other notifications. This stealth mode satisfies the trade-off between avoiding frequent false alarms and notifications, while ensuring that long-term trends and minor deviations are nevertheless fully assessed and treated. Minor changes in system security may be automatically implemented in the stealth mode as well, of types provided by the discussed response scripts, but without necessary notifications.

[0079] The data collected during the stealth mode may be separately analyzed, for example, over a longer time period so that a long-term, lower level of alert may eventually be escalated to a higher level simply because of the long-term nature of the detected anomaly, or because of additional information that can be evaluated from long-term data collection. For example, long-term trends or correlations (e.g., security issues associated with the particular individual's access to the equipment or in another pattern) can then be aggregated and reported or used to trigger higher level responses.

[0080] The assessment of the significance of the mismatch is determined at process block 160 and allows tailoring of any response to mismatches in the thumbprints 70 to a derived severity. By assigning severity levels to any mismatch, false alarms may be reduced while rapidly escalating the response, even for minor mismatches, when the type of mismatch indicates possible tampering or interference with operation of the control system 10. Generally, the significance level 166 will derive from a number of factors that may be investigated at process block 160. For example, at process block 174, the location of the mismatch (for example, to a particular component of the control device 16) may be used to obtain a weight 114 described above indicating the abstract significance of the error. Thus for example, a disconnection of a wire conductor 36 providing information from a redundant sensor or to an actuator not critical for operation of the industrial control system 10 may have a low weight whereas substantial errors in the control program 46 or operating system 48 may be given higher weight.

[0081] At process block 176, the change in the system status (for example, derived from the system alert update of process block 167 for multiple control devices 16) may be analyzed to see if the particular mismatch is part of a pattern of mismatches throughout the control system 10 and to analyze any trending of those mismatches so that mismatches that are part of a rising number of mismatches are given greater weight. The weight may be affected by the number of mismatches or the number of different structures exhibiting mismatches.
Analysis of patterns of mismatches among different separated control devices 16 may be incorporated into the response script to identify particular changes that may individually look benign but together suggest more significance and a higher significance level 166.

[0082] At process block 178, mitigation options are assessed to see if particular mismatches may be easily mitigated, for example, using redundant control devices 16 or using backup information that may be put into place by command from the security device 31. If the mismatch may be mitigated, a lower significance level 166 may be assigned.

[0083] At process block 180, the mismatches in current thumbprints 70 and stored thumbprint 100 are compared against any scheduled changes that have been preregistered with the security device 31, for example, in a calendar-type application. The significance of mismatches that relate to changes that have been preregistered is generally assigned to a lower significance level 166. Similarly, unscheduled changes that occur while the control device 16 is in a configuration or maintenance mode (as set from the control panel of the control device 16) may be registered as less severe than when the same configuration changes are detected during runtime. In this way false positives may be reduced.

[0084] Referring now also to Fig. 7, process block 160 of assessing the significance level 166 of a mismatch of current thumbprints 70 and stored thumbprint 100 may be implemented by simply summing the weights 114 of the thumbprint map 110 associated with each mismatch. Alternatively, a calculation of significance level 166 may be implemented by a set of rules that provides for more sophisticated Boolean combinations of weights and other factors. Most generally, a significance matrix 182 may be developed to map multiple conditions 184 to particular significance levels 166. Thus, for example, low significance (e.g., 0) may be mapped to conditions such as a mismatched control program 46 that is nevertheless indicated to be authentic or occurring during scheduled maintenance upgrades, or a sub-thumbprint 78 that matches a previous thumbprint 108. Similarly, a wire loss indicated to be on a low importance function may garner a low significance level 166. A white list may be established indicating, for example, changes or change combinations that are generally benign; for example, expected patterns of changes in the hardware registers 50 may be mapped to a low significance level 166. Changes that occur during a low alert status of the system may be given a low significance level 166. A low alert status may result from no or low numbers of mismatches or mismatches having low significance levels 166 at different control devices 16 or that occur on hardware that is redundant and thus can be readily mitigated, or when the occurrence of the mismatch has been acknowledged by the contact individual with an indication that a high significance is not warranted or should be overridden.
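Process block 160 in both of the forms paragraph [0084] describes, the plain sum of weights 114 and a significance matrix 182 of conditions 184, including the white list of [0084] and the blacklist and promotion rules of [0085], as an added example that is not part of the patent. The three levels, the weight thresholds and the pattern labels are constructed; the rule order (operator override, then high-significance conditions, then low-significance conditions, then the weight sum) is this example's choice.

```python
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 0, 1, 2


@dataclass(frozen=True)
class Mismatch:
    """One mismatching sub-thumbprint 78 and what the thumbprint map 110 says about it."""
    device: str
    component: str            # "control_program", "operating_system", "hardware_registers" or "wire"
    weight: int               # weight 114 for this location (process block 174)
    authentic: bool = True    # replacement carries a valid author signature
    matches_previous: bool = False   # equals a previous thumbprint 108
    function: str = ""        # tag name of the I/O function for a wire-off mismatch
    pattern: str = ""         # constructed label for the observed change, e.g. "reg-bank-2-counter"


@dataclass(frozen=True)
class Context:
    """Conditions 184 gathered by process blocks 167-180."""
    scheduled_change: bool = False     # preregistered in the calendar (block 180)
    maintenance_mode: bool = False     # device in configuration/maintenance mode
    system_alert: int = LOW            # alert status read from other security devices (block 167)
    redundant_available: bool = False  # mitigable by redundant hardware (block 178)
    acknowledged_benign: bool = False  # contact acknowledged that high significance is not warranted
    critical_functions: frozenset = frozenset()
    whitelist: frozenset = frozenset()   # change patterns predetermined to be benign
    blacklist: frozenset = frozenset()   # change patterns predetermined to suggest tampering


def weight_sum(mismatches):
    """Simplest form of process block 160: sum the weights 114."""
    return sum(m.weight for m in mismatches)


def _is_low(m, ctx):
    """Low-significance conditions of [0084] for a single mismatch."""
    if m.matches_previous or ctx.scheduled_change or ctx.maintenance_mode:
        return True
    if m.pattern and m.pattern in ctx.whitelist:
        return True
    if m.component in ("control_program", "operating_system") and m.authentic:
        return True
    if m.component == "wire" and m.function not in ctx.critical_functions:
        return True
    return False


def significance(mismatches, ctx, medium_at=5, high_at=10):
    """Significance matrix 182: map the conditions to a level 166."""
    if not mismatches or ctx.acknowledged_benign:
        return LOW
    # High-significance conditions of [0085] win over everything below.
    for m in mismatches:
        if m.pattern and m.pattern in ctx.blacklist:
            return HIGH
        if (m.component in ("control_program", "operating_system")
                and not m.authentic and not m.matches_previous
                and not ctx.scheduled_change):
            return HIGH
        if m.component == "wire" and m.function in ctx.critical_functions:
            return HIGH
    if ctx.system_alert == HIGH:
        return HIGH        # individually benign changes amid a high alert are promoted
    # Low-significance conditions of [0084].
    if ctx.redundant_available or all(_is_low(m, ctx) for m in mismatches):
        return LOW
    # Otherwise fall back to the summed weights 114.
    total = weight_sum(mismatches)
    if total >= high_at:
        return HIGH
    return MEDIUM if total >= medium_at else LOW
```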
In addition, particular input or output points identified to be important or leading indicators of a critical failure (or indicative of proper operations) may be received as inputs for the purpose of establishing an importance of other errors.

[0085] Conversely, mismatches caused by inauthentic control programs 46 or operating systems 48, that also match no previous thumbprint 108, that occur during unscheduled times, or that are caused by wire-off signals for critical functions may be given a high significance. Just as a white list may be established, a blacklist of configuration changes that are suspected, or have been predetermined, to suggest tampering may create a high significance level 166. Changes that are individually benign or of low significance but that occur in an environment of other high significance levels 166, or changes associated with a predetermined pattern of mismatches in other similar control devices 16, may also be promoted to a high significance level 166. Clearly cases where there is no redundant hardware available and no response from individuals contacted as part of the reporting process block 156 may be given greater significance.

[0086] Referring momentarily to Fig. 13, each or any one of the control devices 16 and controllers 12 may implement in firmware or software of the operating system 48 a change supervisor 190 that requires certain steps in order for the industrial controller 12 or control device 16 to be modified. These steps may be implemented on the control device 16 itself or on a proxy device designated as the gateway for such changes. The change supervisor 190 may monitor any request for a change in any of the components subject to the thumbprints 70 (e.g., the control program 46, the firmware operating system 48, and the configuration register 50) at decision block 192. When a change is requested, an authorization may be requested of the individual seeking to make the change as indicated by process block 194. This authorization may be a password or a multifactor authorization, for example, requiring password information and a physical key or the like. Ideally the authorization identifies a specific responsible individual.

[0087] The received authorization may be compared against a list of authorized individuals and/or individual clearances at decision block 196. If the authorization level is not sufficient as determined by decision block 196, a report may be generated as indicated by process block 198 and this attempt recorded in the transaction log 52 as indicated by process block 200. Otherwise the change may be implemented as indicated by process block 202 and again the change recorded in the logging process of process block 200.

[0088] The assessment of the significance level 166 of the mismatch determined at process block 160 is used to generate the reports at process block 156, potentially suppressing broad dissemination of reports for minor matters while escalating reports for matters of higher significance level 166 as has been discussed. The significance level 166 of the mismatch may also drive the mitigation actions according to process block 162 as the process blocks 156-162 are looped through.

[0089] Referring now to Fig. 6, the process block 162 performing a mitigating action in the event of a mismatch between the received thumbprints 70 and a stored thumbprint 100 may modify the change supervisor 190 as one possible mitigating action shown by process block 204. Specifically, in the event of a mismatch, process block 204 may change or increase security levels needed for particular operations. For example, security levels for changes in the control program 46 or operating system 48 may be increased, particularly in a situation where it appears that widescale tampering may be occurring. Particular individuals identified from the transaction logs 52 associated with a mismatch, as collected at process block 170, may have their authorization revoked. Password values used for authentication may be reset, requiring new passwords that may be issued under controlled circumstances.

[0090] The mitigation step of process block 162 may also perform other actions. As indicated by process block 206, operating modes of the control device 16 (e.g., run state versus programming state) may be locked down to prevent pending program changes from being implemented.

[0091] Some types of mismatches may provoke instructions being sent, from the security device 31 to the control device 16 having a mismatch, where the instructions cause the control device 16 to move to a safe state and remain there. A safe state is a predetermined set of input and output values that are likely to be safe, that is, to create no or minimized risk of harm to the equipment or users, and to minimize propagation of failure to other components of the control system 10. The safe states may be predetermined and defined in the standard security templates 120 discussed above. Such safe states may, for example, move equipment and the like into safe positions and may deactivate certain activities.

[0092] Additional processes of the mitigation step of process block 162 may instruct the control device 16 to run the defense script 64 mentioned above which enlists the various sensors 20 and actuators 22 for defensive purposes. In one example, the defense script 64 may cause cameras associated with various control devices 16 to be activated to begin logging possibly suspicious activity in the area. Lighting controlled by control devices 16 may be turned on to reveal intrusions and the like, and access gates intended for user safety, controlled by control devices 16, may be locked to prevent access to the equipment or devices.

[0093] As indicated by process block 209, the mitigation step of process block 162 may also instruct the activation of redundant equipment that can serve the function of the compromised control devices 16. Alternatively or in addition, the mitigation step may instruct the control devices 16 to prevent software updating or to provide local signals to operators in the area of the control device 16, for example, through human machine interface elements such as panel lights, beacons, audio annunciators, or the like.

[0094] Again, each of these mitigation activities of process block 162 may be driven by a set of specifically drafted rules or more generally by the significance levels 166 determined above with respect to process block 160.
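The change supervisor 190 of Fig. 13 (decision blocks 192 and 196, the transaction log 52 of block 200) together with the mitigations of process blocks 204 and 206 that act on it (raised security levels, multifactor requirement, revocation from the transaction log, lock-down of the programming state), as an added example that is not part of the patent. User names, clearance numbers and factor labels are constructed; the authorization factors are modelled as labels the caller presents rather than as real credential checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An entry in the list of authorized individuals checked at decision block 196."""
    user: str
    clearance: int
    factors: frozenset        # factors this person can present, e.g. {"password", "physical-key"}


@dataclass(frozen=True)
class LogEntry:
    """One transaction log 52 record (process block 200)."""
    ts: int
    user: str
    component: str
    result: str


class ChangeSupervisor:
    """Change supervisor 190 with the mitigations of process blocks 204/206."""

    def __init__(self, directory, required_clearance, required_factors=1):
        self.directory = {p.user: p for p in directory}
        self.required_clearance = dict(required_clearance)   # component -> clearance needed
        self.required_factors = required_factors             # 1 = password only, 2 = password + key
        self.revoked = set()
        self.locked_down = False        # block 206: programming state locked out
        self.components = {}            # current images of the thumbprinted components
        self.transaction_log = []

    def request_change(self, ts, user, presented_factors, component, new_image):
        """Decision block 192 onward: authorize, then apply or refuse, and log either way."""
        principal = self.directory.get(user)
        if self.locked_down:
            result = "denied-locked-down"
        elif principal is None or user in self.revoked:
            result = "denied-unauthorized"
        elif len(set(presented_factors) & principal.factors) < self.required_factors:
            result = "denied-insufficient-factors"
        elif principal.clearance < self.required_clearance.get(component, 0):
            result = "denied-insufficient-clearance"
        else:
            self.components[component] = new_image      # process block 202
            result = "applied"
        self.transaction_log.append(LogEntry(ts, user, component, result))  # block 200
        return result

    # ---- mitigations driven by process block 162 ----
    def raise_required_level(self, component, clearance):
        """Block 204: increase the security level needed to change a component."""
        self.required_clearance[component] = max(self.required_clearance.get(component, 0), clearance)

    def require_multifactor(self, factors=2):
        self.required_factors = max(self.required_factors, factors)

    def revoke(self, user):
        """Block 204: revoke an individual identified from the transaction logs."""
        self.revoked.add(user)

    def lock_down(self):
        """Block 206: lock the operating mode so pending program changes cannot be made."""
        self.locked_down = True


def users_who_changed(log, component, since):
    """Block 170: read the transaction log for who applied changes to a component."""
    return {e.user for e in log
            if e.component == component and e.result == "applied" and e.ts >= since}
```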

Dynamic Data

[0095] Referring now to Fig. 9, the above description involves obtaining signatures of data that is largely "static" (that is, changing slowly or changing not at all during normal operation) or "quasi-static" (that is, changing but having a state characterization that is largely static, for example, a dynamic variable that nevertheless typically stays within a predefined range). It is contemplated that the present invention may be expanded to "dynamic" data, for example, current I/O data from I/O table 42 which changes rapidly with operation of the control device 16, network data from the network interface 55 including port numbers, packet counts, and the like as well as actual received packets, and processor data from the processor 44, for example, processor utilization percentage, processor fault flags and the like. Again this data may be linked with a timestamp 79, a digital signature 80, a device identification number 71, and/or a changing random code 83 to provide security in the transmission of a dynamic operating thumbprint 70’.

[0096] This dynamic operating thumbprint 70’ cannot be easily compared against a static stored thumbprint but may nevertheless be compared against rules that, for example, establish ranges of values within which the operating thumbprint 70’ or the underlying data should vary, or correlations between values of the underlying data that can be used to detect a deviation from the normal pattern and excursions of these dynamic values. In this case, the stored thumbprint 100 described above may be replaced by more sophisticated dynamic signatures to otherwise provide the detection of mismatches as has been described above. Referring now to Fig. 12, one method of implementing a dynamic stored thumbprint 100’ makes use of a machine learning system 201 or the like. This machine learning system 201 may be trained, as is understood in this art, using a teaching set 205 of normal dynamic operating thumbprints 70’ together with an intentional corruption of those normal dynamic thumbprints 70’ or intentionally manufactured thumbprints implementing hypothetical tampering scenarios. After the machine learning system 201 is trained using the teaching set 205, it then receives the actual dynamic thumbprints 70’ to produce an output 203 that may be used by decision block 148 of Fig. 5.

[0097] The dynamic stored thumbprint 100’ comprising either a set of rules or a machine learning system may also be used for the analysis of static thumbprints 70, for example, to analyze minor evolution in the otherwise static operating state that would be expected with an industrial control system (otherwise accommodated as upgrading or the like).

[0098] At times, the rules of the dynamic stored thumbprints 100’ may be allowed to evolve within certain ranges so as to eliminate false positives caused by natural evolution of the state of the control system. This evolution may be provided, for example, by using historical data to create new training sets that are used to constantly update the dynamic stored thumbprints 100’. In this case, a second level of analysis of the dynamic stored thumbprints 100’ may be performed, for example, with a longer time frame, to evaluate that evolution of the dynamic stored thumbprints 100’ for possible underlying problems that may be detected to trigger a response script of process block 154 described above.

[0099] The implicit rules of the dynamic stored thumbprints 100’ may also be randomly perturbed at the range thresholds to change the precise thresholds at which a response script of process block 154 is invoked. This randomization can help defeat "probing" of the dynamic stored thumbprints 100’, for example, on a separate industrial control system 10, where the probing is used to collect information to defeat other industrial control systems 10. The randomization may be performed, for example, by randomly selecting among different elements of a teaching set to provide slightly different teaching rules generated by a machine learning system 201, or by randomly adjusting the thresholds of ranges of rules used to evaluate the dynamic stored thumbprint 100’ by minor amounts that still ensure that the function of the ranges to test for out-of-range conditions is still substantially met.

[0100] Referring to Fig. 10, the potentially large combinatorial space occupied by many dynamic variables can be managed in the present invention by providing a distributed security device 31 in which a mismatch per decision block 148 (of Fig. 5) is analyzed for downstream devices by the next upstream device, limiting the propagation of the dynamic thumbprints 70’. To the extent that these dynamic thumbprints 70’ cannot be otherwise compressed, this distribution to local analysis of the dynamic values, for example, range checking or the use of a local supervised machine learning system, may be used to convert the dynamic thumbprints 70’ into static or quasi-static thumbprints 70’ for conventional analysis at a security device 31 using the methods described above. The ability to accurately detect complex patterns in the data of the dynamic thumbprints 70’ can be promoted by transmitting the dynamic thumbprints 70’ together with context data, for example, a particular control task or local clock value related to the dynamic thumbprints 70’, that allows clustering of dynamic operating thumbprints 70’ into limited subsets that can be analyzed separately, for example, subsets related to temporal proximity, or subsets related to particular control tasks.

[0101] Accordingly, a dynamic operating thumbprint 70a’ and a dynamic operating thumbprint 70b’ generated by control devices 16a and 16b, respectively, associated with a given control task may be linked by a context established by context envelope 211 (C) encapsulating the dynamic thumbprints 70a’ and 70b’ and transmitted with the thumbprints 70a’ and 70b’.
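A rule-based dynamic stored thumbprint 100’ as paragraphs [0096] through [0101] describe it: range rules learned from a teaching set 205 of normal samples, a correlation rule between two variables, thresholds randomly perturbed by a small fraction of each range on every evaluation, and rule sets selected by the context (control task) that accompanies the thumbprint. This is an added example, not the patent's method; the mean-plus-k-standard-deviations learning is a plain statistical stand-in for the machine learning system 201, and the variable names, contexts and jitter fraction are constructed.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RangeRule:
    """A range within which one dynamic variable should vary."""
    variable: str
    low: float
    high: float


@dataclass(frozen=True)
class RatioRule:
    """A correlation between two variables: low <= numerator/denominator <= high."""
    numerator: str
    denominator: str
    low: float
    high: float


def learn_range_rules(teaching_set, k=3.0):
    """Build RangeRules from a teaching set of normal samples (one dict per
    sample) as mean +/- k population standard deviations per variable."""
    rules = []
    for variable in sorted(teaching_set[0]):
        values = [sample[variable] for sample in teaching_set]
        mean, sd = statistics.mean(values), statistics.pstdev(values)
        rules.append(RangeRule(variable, mean - k * sd, mean + k * sd))
    return rules


class DynamicStoredThumbprint:
    """Dynamic stored thumbprint 100': rules grouped by context (control task)."""

    def __init__(self, rules_by_context, jitter=0.05, seed=None):
        self.rules_by_context = rules_by_context
        self.jitter = jitter              # fraction of a range's span used for perturbation
        self.rng = random.Random(seed)    # seeded only so the example is reproducible

    def _perturb(self, low, high):
        # Move each threshold by at most jitter*span so the exact trip point
        # differs between evaluations while the range still catches excursions.
        span = high - low
        return (low + self.rng.uniform(-self.jitter, self.jitter) * span,
                high + self.rng.uniform(-self.jitter, self.jitter) * span)

    def evaluate(self, context, sample):
        """Return the list of violated rules; an empty list is a match."""
        if context not in self.rules_by_context:
            return ["context: no rules stored"]     # nothing to compare against
        violations = []
        for rule in self.rules_by_context[context]:
            if isinstance(rule, RangeRule):
                if rule.variable not in sample:
                    violations.append(f"{rule.variable}: missing")
                    continue
                value, label = sample[rule.variable], rule.variable
            else:
                if rule.numerator not in sample or rule.denominator not in sample:
                    violations.append(f"{rule.numerator}/{rule.denominator}: missing")
                    continue
                den = sample[rule.denominator]
                value = sample[rule.numerator] / den if den else math.inf
                label = f"{rule.numerator}/{rule.denominator}"
            low, high = self._perturb(rule.low, rule.high)
            if not (low <= value <= high):
                violations.append(f"{label}: {value:.3g} outside [{low:.3g}, {high:.3g}]")
        return violations
```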
The context envelope 211 may link the thumbprints 70a’ and 70b’ as relating to a common control task or similar local clock occurrences. This context envelope may be augmented as additional thumbprints 70c’ are passed up to the security device 31 so that eventually a dynamic operating thumbprint 70d’ with a context envelope 213 is received, this context envelope 213 collecting dynamic thumbprints 70a’ and 70b’ together in context envelope 211 (C) and connecting context envelope 211 (C) with operating thumbprint 70c’ by context envelope 213 (E). This hierarchy of context envelopes 211 and 213 allows specialized rules to be applied to each separate context, minimizing the complexity of the analysis process.

[0102] A similar approach may be used with static thumbprints 70 where upstream devices 215b (e.g., a controller 12) may aggregate static state thumbprints 70 from downstream devices 215a (e.g., control devices 16) with the upstream devices 215b generating their own static thumbprints 70 being a digest of the received thumbprints 70 from the downstream devices 215a. These new static thumbprints 70 are then forwarded further upstream to further upstream devices 215c and this process may be repeated. Preliminary matching of the thumbprint 72 to stored thumbprints 100 may occur at intermediary upstream devices 215b with only the results of those matches (per decision block 148 of Fig. 5) being sent upstream to devices 215c, with the provision that in the event of a mismatch or at any time, a higher-level security device 31 may request that the raw received thumbprints 70 be passed through the intermediary devices 215b and 215c without digesting for analysis at a higher level. This latter procedure helps prevent tampering with the security mechanism through attacks at intermediary devices 215b and 215c.
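The hierarchical digest of paragraph [0102] (an intermediary device 215b whose thumbprint is a digest of the downstream thumbprints, a preliminary match reported upstream, and the raw pass-through a higher-level security device 31 can demand) and, since it needs the same digest helper, the fine-grained localization of process block 168 in paragraph [0076] (walking from a coarse mismatch down to the sub-thumbprint 78 that differs), as an added example that is not part of the patent. Device names and data-structure contents are constructed, and the raw sub-thumbprints are assumed to carry the originating device's signature (the digital signatures of process block 142) so the intermediary cannot forge them; that signature check is omitted here.

```python
import hashlib


def digest(parts):
    """Thumbprint 70 as a digest over named sub-thumbprints, in sorted name order."""
    h = hashlib.sha256()
    for name in sorted(parts):
        h.update(f"{name}={parts[name]}\n".encode())
    return h.hexdigest()


class ControlDevice:
    """Downstream device 215a: keeps a sub-thumbprint 78 per data structure."""

    def __init__(self, name, structures):
        self.name = name
        self.structures = dict(structures)    # structure name -> raw bytes (constructed)

    def sub_thumbprints(self):
        return {s: hashlib.sha256(b).hexdigest() for s, b in self.structures.items()}

    def thumbprint(self):
        return digest(self.sub_thumbprints())


class IntermediaryDevice:
    """Upstream device 215b: digests the thumbprints it receives, reports match
    results by default, and passes raw sub-thumbprints through on request."""

    def __init__(self, name, downstream):
        self.name = name
        self.downstream = list(downstream)

    def thumbprint(self):
        return digest({d.name: d.thumbprint() for d in self.downstream})

    def report(self, stored_thumbprint):
        """Preliminary match at the intermediary (decision block 148)."""
        return "match" if self.thumbprint() == stored_thumbprint else "mismatch"

    def raw(self):
        """Raw pass-through requested by a higher-level security device 31."""
        return {d.name: d.sub_thumbprints() for d in self.downstream}


def stored_tree(intermediary):
    """Snapshot taken at commissioning: the stored thumbprint 100 for the
    intermediary plus the per-device sub-thumbprints needed to localize."""
    return {"thumbprint": intermediary.thumbprint(), "subs": intermediary.raw()}


def localize(stored_subs, raw_subs):
    """Fine-grained data collection (process block 168): list the
    (device, structure) pairs whose sub-thumbprints differ."""
    diffs = []
    for device in sorted(set(stored_subs) | set(raw_subs)):
        before = stored_subs.get(device, {})
        after = raw_subs.get(device, {})
        for structure in sorted(set(before) | set(after)):
            if before.get(structure) != after.get(structure):
                diffs.append((device, structure))
    return diffs


def audit(intermediary, stored):
    """Higher-level security device 31: trust the intermediary's report only
    after recomputing the digest from the raw pass-through."""
    raw = intermediary.raw()
    recomputed = digest({dev: digest(subs) for dev, subs in raw.items()})
    reported = intermediary.report(stored["thumbprint"])
    actual = "match" if recomputed == stored["thumbprint"] else "mismatch"
    diffs = localize(stored["subs"], raw)
    if reported != actual:
        return ("intermediary-tampered", diffs)    # report contradicts the raw data
    return (actual, diffs if actual == "mismatch" else [])
```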

Safety Monitoring

[0103] The above description has been provided in acontext of monitoring an industrial control system againstmalicious attacks. It will be appreciated that elements ofthe above system can also be used to detect irregularitiesin the operation of an industrial control system that donot necessarily result from malicious intent but that maynevertheless affect the integrity or safety of operation ofthe industrial control system.[0104] "Safety" as used herein refers to the operationof specialized industrial control systems ("safety sys-tems") used in environments where the safety of humansrequires proper functioning of the control system. Safetysystems may include the electronics associated withemergency-stop buttons, light curtains, and other ma-chine lockouts. Traditionally, safety systems have beenimplemented by a set of redundant circuits separate fromthe industrial control system used to control the industrialprocess with which the safety system is associated. Suchsafety systems were "hardwired" from switches and re-lays including specialized "safety relays" which providecomparison of redundant signals and internal checkingof fault conditions such as welded or stuck contacts.[0105] Current safety systems may be implementedusing specialized computer hardware and network pro-tocols for example as taught by US patents 6,631,476;6,701,198; 6,721,900; 6,891,850; and 6,909,923 allhereby incorporated by reference. United States patent7,027,880, also hereby incorporated by reference andassigned to the assignees of the present invention, de-scribes a safety system that uses a "signature" of thesoftware executed by the safety system that can be com-pared to a signature of a previously certified version ofthe same software. This comparison process allows rapidre-certification (or determination of proper certification)of the safety system. 
The present invention may expand upon this concept by using the security signatures described above as safety signatures that provide a complete indication of changes in the industrial control system beyond merely changes in the operating software, to also include changes in configuration data and environmental data which together define a control state of the industrial controller. In addition or alternatively, the aggregation of safety signatures from multiple elements of the control device allows for more comprehensive assurance of the integrity of a safety system comprised of multiple elements. As is also described above, the safety system may provide for diagnostics not normally present with safety systems by zeroing in on the cause of the fault to help correct this fault. This zeroing in is accomplished by obtaining increasingly detailed safety signatures in the manner discussed above.

[0106] A failure of the safety signal from any element to match a corresponding stored signature associated with a safety certified state of the industrial control system may cause the system to send alerts to the appropriate personnel in the manner discussed above and also to move the system to a safe state as is also discussed above.

[0107] Certain terminology is used herein for purposes of reference only, and thus is not intended to be limiting. For example, terms such as "upper", "lower", "above", and "below" refer to directions in the drawings to which reference is made. Terms such as "front", "back", "rear", "bottom" and "side" describe the orientation of portions of the component within a consistent but arbitrary frame of reference which is made clear by reference to the text and the associated drawings describing the component under discussion. Such terminology may include the words specifically mentioned above, derivatives thereof, and words of similar import.
Similarly, the terms "first", "second" and other such numerical terms referring to structures do not imply a sequence or order unless clearly indicated by the context.

[0108] When introducing elements or features of the present disclosure and the exemplary embodiments, the articles "a", "an", "the" and "said" are intended to mean that there are one or more of such elements or features. The terms "comprising", "including" and "having" are intended to be inclusive and mean that there may be additional elements or features other than those specifically noted. It is further to be understood that the method steps, processes, and operations described herein are not to be construed as necessarily requiring their performance in the particular order discussed or illustrated, unless specifically identified as an order of performance. It is also to be understood that additional or alternative steps may be employed.

[0109] References to "a controller", "an industrial controller", and "a computer" should be understood to include any general computing device suitable for the recited function, including workstations, industrial controllers, personal or desktop computers, servers, cloud computers and the like operating locally or remotely to other elements of the invention.

[0110] References to "a microprocessor" and "a processor" or "the microprocessor" and "the processor" should be understood to include one or more microprocessors that can communicate in a stand-alone and/or a distributed environment(s), and can thus be configured to communicate via wired or wireless communications with other processors, where such one or more processors can be configured to operate on one or more processor-controlled devices that can be similar or different devices. Furthermore, references to memory, unless otherwise specified, can include one or more processor-readable and accessible memory elements and/or components that can be internal to the processor-controlled device, external to the processor-controlled device, and can be accessed via a wired or wireless network.

[0111] The term "network port" should not be construed as limited to particular types of networks or ports but is intended to broadly cover communications via wired and wireless ports, ports connecting to separate media such as cables and optical fibers as well as backplanes, and a variety of protocols including but not limited to RS-232/422, USB, IEEE1394, and 1756-EN2T protocols.

[0112] It is specifically intended that the present invention not be limited to the embodiments and illustrations contained herein and the claims should be understood to include modified forms of those embodiments including portions of the embodiments and combinations of elements of different embodiments as come within the scope of the following claims. All of the publications described herein, including patents and non-patent publications, are hereby incorporated herein by reference in their entireties.

The following is a list of further preferred embodiments of the invention:

[0113]

Embodiment 1. An industrial control system comprising multiple inter-communicating industrial control devices coordinated according to a control program, the industrial control system comprising:

(1) multiple control devices each providing:

(a) a device network port for communicating with other elements of the industrial control system;
(b) electrical connectors for accepting electrical conductors communicating with industrial equipment to receive or transmit electrical signals from or to that industrial equipment for the control of an industrial process;
(c) a control device processor communicating with the device network port and electrical connectors;
(d) a device electronic memory system accessible by the control device processor and holding: operating software describing operation of the control device, a data table holding representations of the electrical signals of the electrical connectors, a diagnostic program providing outputs monitoring the operation of the control device; the data table and the outputs of the diagnostic program together defining a dynamic device state, wherein the operating software is executable by the control device processor to:

(i) read at least a portion of the dynamic device state to generate a dynamic signature;
(ii) encrypt the dynamic signature; and
(iii) transmit the dynamic signature over the network port; and

(2) a security controller providing:

(a) a controller network port for communicating with other elements of the industrial control system;
(b) a security controller processor communicating with the controller network port; and
(c) a controller electronic memory system accessible by the security controller processor and holding: a security program;

wherein the security program is executable by the security controller processor to:

(i) receive a dynamic signature from a given control device through the network port and decrypt the dynamic signature;
(ii) analyze the dynamic signature against rules establishing a multi-value range of acceptable dynamic signature values; and
(iii) provide an output indicating whether the received dynamic signature is outside the multi-value range of acceptable dynamic signature values.

Embodiment 2. The industrial control system of embodiment 1 wherein the portion of the dynamic device state includes data indicating electrical signals of the electrical connectors.

Embodiment 3. The industrial control system of embodiment 1 wherein the security program executes to receive dynamic signatures from a multiple of given control devices through the network port and analyze the dynamic signatures against integrated rules relating to the combined dynamic signatures and establishing a multi-value range of acceptable dynamic signature values.

Embodiment 4. The industrial control system of embodiment 1 wherein the dynamic signature includes multiple time varying quantities and wherein the rules establish multi-value ranges for each quantity.


Embodiment 5. The industrial control system of embodiment 4 wherein the multi-value ranges vary as a function of other varying quantities.

Embodiment 6. Industrial control system of embodiment 5 wherein the multi-value ranges vary as a function of a random value.

Embodiment 7. The industrial control system of embodiment 5 wherein the rules are applied by a supervised machine learning system trained with dynamic signatures from a properly operating industrial control system.

Embodiment 8. The industrial control system of embodiment 5 wherein the properly operating industrial control system is determined at least in part by historical operation of the industrial control system.

Embodiment 9. The industrial control system of embodiment 1 wherein the dynamic device state includes at least one of a timestamp, a digital signature, a device identification number, and a changing random code.

Embodiment 10. The industrial control system of embodiment 1 wherein the device electronic memory system holds a diagnostic program monitoring operation of the control device and wherein the dynamic signature includes outputs from the diagnostic program.

Embodiment 11. The industrial control system of embodiment 10 wherein the operation of the control device is selected from the group consisting of: CPU utilization, free memory, and stack depth.

Embodiment 12. The industrial control system of embodiment 1 wherein rules are at least in part a function of calendar data indicating schedule changes in the industrial control system.

Embodiment 13. The industrial control system of embodiment 10 wherein the operation of the control device is selected from the group consisting of: port traffic over a predetermined interval and change in average port traffic.

Embodiment 14. The industrial control system of embodiment 1 wherein the device electronic memory system holds a transaction log recording individual access to the control device programs or settings and the diagnostic program analyzes the operating log for at least one of a pattern of access to settings of the control.

Embodiment 15. The industrial control system of embodiment 1 wherein the dynamic signature includes an operating mode of the control device selected from a run state indicating that the control device is running to execute a control program and a programming state indicating that the control device is being programmed with respect to a control program.

Embodiment 16. The industrial control system of embodiment 1 wherein a first control device produces a first dynamic signature and a second control device receives the first dynamic signature and produces a second dynamic signature based on a dynamic device state of the second control device and the first dynamic signature and transmits the second dynamic signature over a network port of the second control device.

Embodiment 17. The industrial control system of embodiment 16 wherein the second dynamic signature provides a lossy compression of the first dynamic signature.

Embodiment 18. The industrial control device of embodiment 1 wherein the operating software provides programming for operating the control device as at least one of an input module providing interface for communication from two-state electrical sensors providing a digital input, an input module providing interface for communications from sensors providing an analog signal, an output module providing an interface for communication to two-state actuators, and a motor drive for synthesizing voltage waveforms for controlling a motor.

Embodiment 19. A method of establishing security in an industrial control system comprising multiple inter-communicating industrial control devices coordinated according to a control program, the method including:

(1) at each control device:

(a) generating a dynamic device state at the industrial control devices from a data table holding representations of electrical signals of the electrical connectors of each control device and outputs from a diagnostic program monitoring the operation of the control device;
(b) reading at least a portion of the dynamic device state to generate a dynamic signature;
(c) encrypting the dynamic signature with a public key encryption; and
(d) transmitting the dynamic signature over a network port;

(2) at a security controller:


(a) receiving a dynamic signature from at least one given control device through the network port and decrypting the dynamic signature;
(b) analyzing the dynamic signature against rules establishing a multi-value range of acceptable dynamic signature values; and
(c) providing an output indicating whether the received dynamic signature is outside the multi-value range of acceptable dynamic signature values.

Embodiment 20. The method of embodiment 19 wherein the portion of the dynamic device state includes data indicating electrical signals of the electrical connectors.

Claims

1. An industrial control system comprising multiple inter-communicating industrial control devices coordinated according to a control program, the industrial control system comprising:

(1) multiple control devices each providing:

(a) a device network port for communicating with other elements of the industrial control system;
(b) electrical connectors for accepting electrical conductors communicating with industrial equipment to receive or transmit electrical signals from or to that industrial equipment for the control of an industrial process;
(c) a control device processor communicating with the device network port and electrical connectors;
(d) a device electronic memory system accessible by the control device processor and holding: operating software describing operation of the control device, a data table holding representations of the electrical signals of the electrical connectors, a diagnostic program providing outputs monitoring the operation of the control device; the data table and the outputs of the diagnostic program together defining a dynamic device state

wherein the operating software is executable by the control device processor to:

(i) read at least a portion of the dynamic device state to generate a dynamic signature;
(ii) encrypt the dynamic signature; and
(iii) transmit the dynamic signature over the network port; and

(2) a security controller providing:

(a) a controller network port for communicating with other elements of the industrial control system;
(b) a security controller processor communicating with the controller network port; and
(c) a controller electronic memory system accessible by the security controller processor and holding: a security program;

wherein the security program is executable by the security controller processor to:

(i) receive a dynamic signature from a given control device through the network port and decrypt the dynamic signature;
(ii) analyze the dynamic signature against rules establishing a multi-value range of acceptable dynamic signature values; and
(iii) provide an output indicating whether the received dynamic signature is outside the multi-value range of acceptable dynamic signature values.

2. The industrial control system of claim 1 wherein the portion of the dynamic device state includes data indicating electrical signals of the electrical connectors.

3. The industrial control system of claim 1 or 2 wherein the security program executes to receive dynamic signatures from a multiple of given control devices through the network port and analyze the dynamic signatures against integrated rules relating to the combined dynamic signatures and establishing a multi-value range of acceptable dynamic signature values.

4. The industrial control system of one of claims 1 to 3 wherein the dynamic signature includes multiple time varying quantities and wherein the rules establish multi-value ranges for each quantity.

5. The industrial control system of claim 4 wherein the multi-value ranges vary as a function of other varying quantities.

6. Industrial control system of claim 5 wherein:

the multi-value ranges vary as a function of a random value; or
the rules are applied by a supervised machine learning system trained with dynamic signatures from a properly operating industrial control system; or
the properly operating industrial control system is determined at least in part by historical operation of the industrial control system.

7. The industrial control system of one of claims 1 to 6 wherein the dynamic device state includes at least one of a timestamp, a digital signature, a device identification number, and a changing random code.

8. The industrial control system of one of claims 1 to 7 wherein the device electronic memory system holds a diagnostic program monitoring operation of the control device and wherein the dynamic signature includes outputs from the diagnostic program.

9. The industrial control system of claim 8 wherein the operation of the control device is selected from the group consisting of CPU utilization, free memory, and stack depth; or wherein the operation of the control device is selected from the group consisting of port traffic over a predetermined interval and change in average port traffic.

10. The industrial control system of one of claims 1 to 9 wherein rules are at least in part a function of calendar data indicating schedule changes in the industrial control system.

11. The industrial control system of claim 1 wherein:

the device electronic memory system holds a transaction log recording individual access to the control device programs or settings and the diagnostic program analyzes the operating log for at least one of a pattern of access to settings of the control; and/or
the dynamic signature includes an operating mode of the control device selected from a run state indicating that the control device is running to execute a control program and a programming state indicating that the control device is being programmed with respect to a control program.

12. The industrial control system of one of claims 1 to 11 wherein a first control device produces a first dynamic signature and a second control device receives the first dynamic signature and produces a second dynamic signature based on a dynamic device state of the second control device and the first dynamic signature and transmits the second dynamic signature over a network port of the second control device, wherein the second dynamic signature provides a lossy compression of the first dynamic signature.

13. The industrial control device of one of claims 1 to 12 wherein the operating software provides programming for operating the control device as at least one of an input module providing interface for communication from two-state electrical sensors providing a digital input, an input module providing interface for communications from sensors providing an analog signal, an output module providing an interface for communication to two-state actuators, and a motor drive for synthesizing voltage waveforms for controlling a motor.

14. A method of establishing security in an industrial control system comprising multiple inter-communicating industrial control devices coordinated according to a control program, the method including:

(1) at each control device:

(a) generating a dynamic device state at the industrial control devices from a data table holding representations of electrical signals of the electrical connectors of each control device and outputs from a diagnostic program monitoring the operation of the control device;
(b) reading at least a portion of the dynamic device state to generate a dynamic signature;
(c) encrypting the dynamic signature with a public key encryption; and
(d) transmitting the dynamic signature over a network port;

(2) at a security controller:

(a) receiving a dynamic signature from at least one given control device through the network port and decrypting the dynamic signature;
(b) analyzing the dynamic signature against rules establishing a multi-value range of acceptable dynamic signature values; and
(c) providing an output indicating whether the received dynamic signature is outside the multi-value range of acceptable dynamic signature values.

15. The method of claim 14 wherein the portion of the dynamic device state includes data indicating electrical signals of the electrical connectors.
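The exchange the claims describe, as an added illustration in Python that is not code from the patent or from Rockwell Automation: a control device serialises a portion of its dynamic device state (data table plus diagnostic outputs) into a dynamic signature (claims 1 and 14), a second device folds a lossy digest of a received signature into its own (claim 12), and the security controller checks each quantity against multi-value ranges, one of which varies with another quantity (claims 4 and 5). The device identifiers, keys, field names, range limits and sample states are constructed, and because the standard library has no authenticated cipher, an HMAC tag stands in for the claims' encrypt/decrypt step.

```python
"""Dynamic-signature check modelled on claims 1, 4-5, 12 and 14 of EP 3 101 581 A1.
Added illustration only, not code from the patent or from Rockwell Automation: the
device ids, keys, field names, range rules and sample states below are constructed."""
import hashlib
import hmac
import json

# Constructed per-device keys. The claims encrypt the signature in transit; the
# standard library has no authenticated cipher, so an HMAC tag stands in for that
# step and still lets the security controller reject a payload altered en route.
DEVICE_KEYS = {"drive-01": b"constructed-key-1", "io-rack-02": b"constructed-key-2"}


def dynamic_signature(device_id, data_table, diagnostics):
    """Claim 1(i)-(iii) on the control device: read the dynamic device state (data
    table plus diagnostic outputs), serialise it deterministically and tag it."""
    portion = {"device": device_id, "inputs": data_table, "diag": diagnostics}
    payload = json.dumps(portion, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEYS[device_id], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def aggregated_signature(device_id, data_table, diagnostics, upstream):
    """Claim 12: a second device folds a received first signature into its own
    signature as a short digest (lossy compression) instead of the full payload."""
    digest = hashlib.sha256(upstream["payload"] + upstream["tag"].encode()).hexdigest()
    return dynamic_signature(device_id, data_table,
                             {**diagnostics, "upstream_digest": digest[:16]})


def range_rules(state):
    """Claims 4-5: one multi-value range per quantity; the acceptable motor current
    is itself a function of another varying quantity, the commanded speed."""
    speed = state["inputs"].get("motor_speed_rpm", 0)
    return {
        ("inputs", "motor_speed_rpm"): (0, 1800),
        ("inputs", "motor_current_a"): (0.004 * speed, 0.006 * speed + 2.0),
        ("diag", "cpu_util_pct"): (0, 85),
        ("diag", "free_mem_kb"): (4096, float("inf")),
        ("diag", "stack_depth"): (0, 256),
    }


def analyze(signature):
    """Claim 1(i)-(iii) on the security controller: verify the tag, then list every
    quantity outside its range; an empty list means the signature is acceptable."""
    state = json.loads(signature["payload"])
    key = DEVICE_KEYS.get(state.get("device"))
    if key is None:
        return ["unknown device"]
    expected = hmac.new(key, signature["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["tag"]):
        return ["integrity tag mismatch"]
    violations = []
    for (section, field), (lo, hi) in range_rules(state).items():
        value = state[section].get(field)
        if value is not None and not lo <= value <= hi:
            violations.append(f"{field}={value} outside [{lo:.4g}, {hi:.4g}]")
    return violations


def demo():
    """Constructed states: one normal, one whose current no longer fits the speed
    and whose stack depth reading suggests the device is not running normally."""
    normal = dynamic_signature("drive-01", {"motor_speed_rpm": 1200, "motor_current_a": 7.5},
                               {"cpu_util_pct": 42, "free_mem_kb": 65536, "stack_depth": 80})
    abnormal = dynamic_signature("drive-01", {"motor_speed_rpm": 1200, "motor_current_a": 30.0},
                                 {"cpu_util_pct": 42, "free_mem_kb": 65536, "stack_depth": 900})
    return analyze(normal), analyze(abnormal)
```

A forwarded payload that has been altered fails the tag check before any range is consulted, which is the property the description relies on when raw thumbprints are passed through intermediary devices without digesting.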


REFERENCES CITED IN THE DESCRIPTION

This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description

• US 6631476 B [0105]
• US 6701198 B [0105]
• US 6721900 B [0105]
• US 6891850 B [0105]
• US 6909923 B [0105]
• US 7027880 B [0105]